Help with IPSEC setup mobile client IOS



  • Set up an IPSEC server loosely based on this old doc: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    This is an iPhone 5 running latest iOS 8.x
    pfsense: 2.2.2 nanobsd

    additional info:
    Server running Phase 1 AES 128, SHA 1, DH Key group 2, aggressive

    Looks like something is failing. Can someone make suggestions?
    I get a "server not responding" message from the iPhone.

    Aug 18 12:23:49 charon: 09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received XAuth vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received XAuth vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received Cisco Unity vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received Cisco Unity vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received DPD vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> received DPD vendor ID
    Aug 18 12:23:49 charon: 09[IKE] <18> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 18 12:23:49 charon: 09[IKE] <18> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 18 12:23:49 charon: 09[IKE] <18> Aggressive Mode PSK disabled for security reasons
    Aug 18 12:23:49 charon: 09[IKE] <18> Aggressive Mode PSK disabled for security reasons
    Aug 18 12:23:49 charon: 09[ENC] <18> generating INFORMATIONAL_V1 request 397799797 [ N(AUTH_FAILED) ]
    Aug 18 12:23:49 charon: 09[NET] <18> sending packet: from x.x.x.x[500] to y.y.y.y[43504] (56 bytes)
    Aug 18 12:23:52 charon: 09[NET] <19> received packet: from y.y.y.y[43504] to x.x.x.x[500] (774 bytes)
    Aug 18 12:23:52 charon: 09[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Aug 18 12:23:52 charon: 09[IKE] <19> received FRAGMENTATION vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received FRAGMENTATION vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received NAT-T (RFC 3947) vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received NAT-T (RFC 3947) vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received XAuth vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received XAuth vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received Cisco Unity vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received Cisco Unity vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received DPD vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> received DPD vendor ID
    Aug 18 12:23:52 charon: 09[IKE] <19> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 18 12:23:52 charon: 09[IKE] <19> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 18 12:23:52 charon: 09[IKE] <19> Aggressive Mode PSK disabled for security reasons
    Aug 18 12:23:52 charon: 09[IKE] <19> Aggressive Mode PSK disabled for security reasons
    Aug 18 12:23:52 charon: 09[ENC] <19> generating INFORMATIONAL_V1 request 3832594222 [ N(AUTH_FAILED) ]
    Aug 18 12:23:52 charon: 09[NET] <19> sending packet: from x.x.x.x[500] to y.y.y.y[43504] (56 bytes)
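    A small triage script for charon output like the log above, as an added example (not from the original post or from pfSense): it groups the log by IKE_SA id, drops the doubled lines, and reports per SA the peer, the exchange mode the client proposed, and the reason charon logged before sending AUTH_FAILED. The sample lines are constructed in the shape of the log above; the successful Main Mode SA <20> and the address z.z.z.z are assumptions added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the charon lines posted above (x.x.x.x / y.y.y.y
# placeholders kept, lines duplicated as pfSense 2.2 logged them) plus an assumed Main Mode SA <20>.
SAMPLE_LOG = """\
Aug 18 12:23:49 charon: 09[IKE] <18> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 18 12:23:49 charon: 09[IKE] <18> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 18 12:23:49 charon: 09[IKE] <18> Aggressive Mode PSK disabled for security reasons
Aug 18 12:23:49 charon: 09[ENC] <18> generating INFORMATIONAL_V1 request 397799797 [ N(AUTH_FAILED) ]
Aug 18 12:23:52 charon: 09[NET] <19> received packet: from y.y.y.y[43504] to x.x.x.x[500] (774 bytes)
Aug 18 12:23:52 charon: 09[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
Aug 18 12:23:52 charon: 09[IKE] <19> Aggressive Mode PSK disabled for security reasons
Aug 18 12:23:52 charon: 09[ENC] <19> generating INFORMATIONAL_V1 request 3832594222 [ N(AUTH_FAILED) ]
Aug 18 12:30:01 charon: 11[IKE] <20> z.z.z.z is initiating a Main Mode IKE_SA
Aug 18 12:30:01 charon: 11[IKE] <20> IKE_SA con1[20] established between x.x.x.x[x.x.x.x]...z.z.z.z[z.z.z.z]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ charon: \d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")
PEER_RE = re.compile(r"^(\S+) is initiating|received packet: from (\S+)\[")

def parse_charon(text):
    """Group messages by IKE_SA id, dropping exact duplicate lines."""
    seen, by_sa = set(), defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and line not in seen:
            seen.add(line)
            by_sa[int(m["sa"])].append(m["msg"])
    return dict(by_sa)

def diagnose(by_sa):
    """Per IKE_SA: peer, exchange mode, outcome and the refusal reason charon logged before AUTH_FAILED."""
    report = {}
    for sa, msgs in sorted(by_sa.items()):
        peers = [next(g for g in m.groups() if g) for m in map(PEER_RE.search, msgs) if m]
        aggressive = any("Aggressive Mode" in m or "parsed AGGRESSIVE" in m for m in msgs)
        mode = "aggressive" if aggressive else "main" if any("Main Mode" in m for m in msgs) else "unknown"
        if any("established between" in m for m in msgs):
            outcome, reason = "established", None
        elif any("N(AUTH_FAILED)" in m for m in msgs):
            outcome = "auth_failed"
            reason = next((m for m in msgs if "disabled for security reasons" in m), "see log")
        else:
            outcome, reason = "incomplete", None
        report[sa] = {"peer": peers[0] if peers else None, "mode": mode, "outcome": outcome, "reason": reason}
    return report
```

    Calling diagnose(parse_charon(SAMPLE_LOG)) shows SAs <18> and <19> as aggressive-mode attempts refused with "Aggressive Mode PSK disabled for security reasons", which is what the replies below address.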



  • @gazoo:

    Server running Phase 1 AES 128, SHA 1, DH Key group 2, aggressive

    I haven't looked at the article you reference, but one thing I would note is that aggressive mode with PSK isn't considered secure, and if you look at the error messages you can see that the connection fails because this combination has been disabled for this reason.

    My recommendation would be: Main, AES 256, SHA1, DH group 5 (1536 bit)



  • That's the iPhone doing aggressive; I've got the server set for main. I think this just won't work - something's changed after 2.2. I heard that in 2.1 this worked.



  • It definitely works in 2.2.2:

    https://forum.pfsense.org/index.php?topic=92197.msg518104#msg518104

    I have since moved to certificates, but PSK was well tested with 2.2.2. I know of no reason that that configuration would not still work with 2.2.4 as well. [N.B. with 2.2.4 you need to change the Peer Identifier to Any]

    The only thing that I know of that worked in 2.2.2, and does not work in 2.2.4, is the mixed IKEv1 and IKEv2 configuration. As you are using IKEv1 only, this shouldn't matter.



  • @gazoo:

    That's the iPhone doing aggressive; I've got the server set for main.

    Your server needs to match your client.

    P1: IKEv1 aggressive, mutual PSK + XAuth, local ID IP address, peer ID user DN, AES256 SHA1 DH group 2.
    P2: Tunnel mode, local network 0.0.0.0/0, AES256 SHA1 no PFS

