iPhone to pfSense 2.3 not working



  • Hi everyone,

    Sorry, I am a complete newbie at pfSense and am unable to establish an IPsec VPN from my iPhone on iOS 9.3.1 to my new pfSense installation (2.3.r.20160409.2309_1) on an APU2c4.

    I followed the instructions from here: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To, but some of the settings mentioned there are no longer available in 2.3, and sadly following these instructions as closely as possible just wasn't working.

    Has anyone had success with the latest iOS? (I note that Diffie-Hellman group 14 is now supported in iOS, and perhaps some other stuff was dropped?) It could be the new 2.3 version of pfSense too, of course, or most likely it is just me.

    Any help / instructions would be appreciated.

    I enclose my log entries below. I replaced my pfSense machine's IP address with 'MYIP'. The remote access was using the data service from my phone.

    Thanks

    Apr 10 16:04:47  charon  05[IKE] <2> IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING 
    Apr 10 16:04:47  charon  05[NET] <2> sending packet: from MYIP [500] to 85.255.233.207[50694] (56 bytes) 
    Apr 10 16:04:47  charon  05[ENC] <2> generating INFORMATIONAL_V1 request 1932288567 [ N(AUTH_FAILED) ] 
    Apr 10 16:04:47  charon  05[IKE] <2> activating INFORMATIONAL task 
    Apr 10 16:04:47  charon  05[IKE] <2> activating new tasks 
    Apr 10 16:04:47  charon  05[IKE] <2> queueing INFORMATIONAL task 
    Apr 10 16:04:47  charon  05[IKE] <2> Aggressive Mode PSK disabled for security reasons 
    Apr 10 16:04:47  charon  05[CFG] <2> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
    Apr 10 16:04:47  charon  05[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
    Apr 10 16:04:47  charon  05[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 
    Apr 10 16:04:47  charon  05[CFG] <2> proposal matches 
    Apr 10 16:04:47  charon  05[CFG] <2> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <2> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <2> selecting proposal: 
    Apr 10 16:04:47  charon  05[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING 
    Apr 10 16:04:47  charon  05[IKE] <2> 85.255.233.207 is initiating a Aggressive Mode IKE_SA 
    Apr 10 16:04:47  charon  05[IKE] <2> received DPD vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received Cisco Unity vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received XAuth vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received NAT-T (RFC 3947) vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <2> received FRAGMENTATION vendor ID 
    Apr 10 16:04:47  charon  05[CFG] <2> found matching ike config: MYIP…%any with prio 1048 
    Apr 10 16:04:47  charon  05[CFG] <2> candidate: MYIP…%any, prio 1048 
    Apr 10 16:04:47  charon  05[CFG] <2> looking for an ike config for MYIP…85.255.233.207 
    Apr 10 16:04:47  charon  05[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ] 
    Apr 10 16:04:47  charon  05[NET] <2> received packet: from 85.255.233.207[50694] to MYIP[500] (786 bytes) 
    Apr 10 16:04:47  charon  05[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING 
    Apr 10 16:04:47  charon  05[NET] <1> sending packet: from MYIP [500] to 85.255.233.207[50694] (56 bytes) 
    Apr 10 16:04:47  charon  05[ENC] <1> generating INFORMATIONAL_V1 request 4190151276 [ N(NO_PROP) ] 
    Apr 10 16:04:47  charon  05[IKE] <1> activating INFORMATIONAL task 
    Apr 10 16:04:47  charon  05[IKE] <1> activating new tasks 
    Apr 10 16:04:47  charon  05[IKE] <1> queueing INFORMATIONAL task 
    Apr 10 16:04:47  charon  05[IKE] <1> no proposal found 
    Apr 10 16:04:47  charon  05[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
    Apr 10 16:04:47  charon  05[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING 
    Apr 10 16:04:47  charon  05[IKE] <1> 85.255.233.207 is initiating a Aggressive Mode IKE_SA 
    Apr 10 16:04:47  charon  05[IKE] <1> received DPD vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received Cisco Unity vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received XAuth vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received NAT-T (RFC 3947) vendor ID 
    Apr 10 16:04:47  charon  05[IKE] <1> received FRAGMENTATION vendor ID 
    Apr 10 16:04:47  charon  05[CFG] <1> found matching ike config: MYIP…%any with prio 1048 
    Apr 10 16:04:47  charon  05[CFG] <1> candidate: MYIP…%any, prio 1048 
    Apr 10 16:04:47  charon  05[CFG] <1> looking for an ike config for MYIP…85.255.233.207 
    Apr 10 16:04:47  charon  05[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ] 
    Apr 10 16:04:47  charon  05[NET] <1> received packet: from 85.255.233.207[50694] to MYIP [500] (786 bytes)



  • I would suggest deploying with 2.2.6. 2.3 is an RC, and if this is your first go at it, try that first. Also post screenshots, masking private info of course.



  • Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found 
    Apr 10 16:04:47  charon  05[CFG] <1> selecting proposal: 
    Apr 10 16:04:47  charon  05[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING 
    Apr 10 16:04:47  charon  05[IKE] <1> 85.255.233.207 is initiating a Aggressive Mode IKE_SA

    This is your problem, possibly a Phase 2 issue? See here for further information: https://doc.pfsense.org/index.php/IPsec_Troubleshooting.



  • For 2.3 I would use this:

    I have this working on 2.2.6 in many environments and it works perfectly!

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2



  • Thanks to both of you. I'll go back to 2.2.6 and start from there. I was hoping I could avoid the certificate route, but if it works, that would be great!



  • I like the cert route as it adds another layer of security. It means that without the cert you cannot connect via VPN. Unless the person is highly technical, they are not going to know how to export a copy of the cert to provide someone else with access from another device.



  • @JustMe:

    I'll go back to 2.2.6 and start from there.

    No point; your config doesn't match and isn't going to match on any other version. That works fine in 2.3.

    Check the "received proposals" and "configured proposals" log lines: you have nothing in common between the client and the server. The client wants AES 256, and you only have AES 128 configured. Switch it to AES 256.
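As an added example (not code from any post in this thread, nor from pfSense or strongSwan): a small Python script that reads charon log lines of the kind pasted above, groups them per IKE_SA number, intersects the "received proposals" with the "configured proposals", and reports what the client offered so the Phase 1 settings can be matched. The sample log is constructed, modelled on the lines in the first post, with the client address replaced by 203.0.113.7; the function names are the example's own. On that sample it finds what the reply above describes for IKE_SA 1 (only AES 256 offered, only AES 128 configured, answered with NO_PROP), and it also flags the separate situation of IKE_SA 2, where the AES 128 proposal did match and the SA was then refused by the "Aggressive Mode PSK disabled for security reasons" line, answered with AUTH_FAILED.

```python
"""Explain why IKEv1 negotiations in a strongSwan (charon) log died.

Added example for this thread; not pfSense or strongSwan code.
Reads the log as pasted from the pfSense IPsec log viewer (newest line first).
"""
import re

# "Apr 10 16:04:47  charon  05[CFG] <1> received proposals: IKE:..."
_LINE_RE = re.compile(r"charon\s+\d+\[(?P<cat>[A-Z]+)\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*)$")
_PROPOSAL_RE = re.compile(r"^(?P<kind>configured|received) proposals:\s*(?P<body>.*)$")
_NOTIFY_RE = re.compile(r"INFORMATIONAL_V1 request \d+ \[ N\((?P<notify>[A-Z_]+)\) \]")


def parse_proposal_list(body):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:...' ->
    list of (proto, enc, integ, prf, dh) tuples, one per proposal."""
    out = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, algs = item.partition(":")
        parts = (algs.split("/") + [""] * 4)[:4]  # pad so every tuple has 4 slots
        out.append((proto, *parts))
    return out


def _new_entry():
    return {"configured": [], "received": [], "common": [], "notify": None,
            "aggressive_mode": False, "aggressive_psk_disabled": False}


def analyze_charon_log(lines):
    """Group log lines by IKE_SA number and compute the proposal intersection."""
    sas = {}
    for line in lines:
        m = _LINE_RE.search(line)
        if not m:
            continue  # not a charon line, or no IKE_SA number
        entry = sas.setdefault(int(m.group("sa")), _new_entry())
        msg = m.group("msg").strip()
        pm = _PROPOSAL_RE.match(msg)
        nm = _NOTIFY_RE.search(msg)
        if pm:
            entry[pm.group("kind")].extend(parse_proposal_list(pm.group("body")))
        elif nm:
            entry["notify"] = nm.group("notify")  # NO_PROP, AUTH_FAILED, ...
        elif "initiating a Aggressive Mode IKE_SA" in msg:
            entry["aggressive_mode"] = True
        elif "Aggressive Mode PSK disabled" in msg:
            entry["aggressive_psk_disabled"] = True
    for entry in sas.values():
        configured = set(entry["configured"])
        entry["common"] = [p for p in entry["received"] if p in configured]
    return sas


def client_offers(entry):
    """Distinct (encryption, DH group) pairs the client offered; this is what the
    server-side Phase 1 settings have to be chosen from."""
    return sorted({(p[1], p[4]) for p in entry["received"]})


def diagnose(entry):
    """One-line verdict for an IKE_SA."""
    if not entry["common"]:
        offers = ", ".join(f"{enc} with {dh}" for enc, dh in client_offers(entry))
        return f"no common IKE proposal; client offered {offers}"
    if entry["aggressive_mode"] and entry["aggressive_psk_disabled"]:
        return "proposal matched but Aggressive Mode with PSK is refused; use IKEv2 or Main Mode"
    return "proposal matched"


# Constructed sample, modelled on the thread's log (newest line first, as pfSense shows it).
SAMPLE_LOG = """\
Apr 10 16:04:47  charon  05[ENC] <2> generating INFORMATIONAL_V1 request 1932288567 [ N(AUTH_FAILED) ]
Apr 10 16:04:47  charon  05[IKE] <2> Aggressive Mode PSK disabled for security reasons
Apr 10 16:04:47  charon  05[CFG] <2> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47  charon  05[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47  charon  05[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47  charon  05[IKE] <2> 203.0.113.7 is initiating a Aggressive Mode IKE_SA
Apr 10 16:04:47  charon  05[ENC] <1> generating INFORMATIONAL_V1 request 4190151276 [ N(NO_PROP) ]
Apr 10 16:04:47  charon  05[IKE] <1> no proposal found
Apr 10 16:04:47  charon  05[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47  charon  05[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 10 16:04:47  charon  05[IKE] <1> 203.0.113.7 is initiating a Aggressive Mode IKE_SA
""".splitlines()


if __name__ == "__main__":
    for sa, entry in sorted(analyze_charon_log(SAMPLE_LOG).items()):
        print(f"IKE_SA {sa}: notify={entry['notify']} -> {diagnose(entry)}")
```

Run it against your own log by replacing SAMPLE_LOG with the lines copied from Status > System Logs > IPsec. The useful output is the client_offers list: pick an encryption and DH group from it (AES 256 with MODP 2048 in the sample) and set the Phase 1 proposal on the server to exactly that, rather than adding AES 128 or DH group 2 on the client side.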



  • Follow the instructions provided by kavara with IKEv2 via EAP-MSCHAPv2. IKEv2 is not only more secure than IKEv1 but much quicker in establishing a connection. Just send the certificate you downloaded from pfSense via e-mail to your iPhone and tap it in the e-mail to install; that's all.
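As an added illustration (not from any post in this thread, and not what pfSense writes verbatim), here is the difference between the two setups in strongSwan's own ipsec.conf / ipsec.secrets syntax, since pfSense drives strongSwan underneath and the charon lines above come from it. The first conn is the IKEv1 Aggressive Mode / XAuth+PSK setup the log shows being refused, with the AES 128 / DH group 2 proposal that could not match the phone's AES 256 offer; the second is the IKEv2 with EAP-MSCHAPv2 setup the replies recommend, where the server presents a certificate and users authenticate with a username and password. Hostname, certificate file names, subnets and the account line are placeholders, and on pfSense these values are set under VPN > IPsec, not by editing the generated files by hand.

```ini
# --- ipsec.conf (assumed values; pfSense generates its own copy from the GUI) ---

# What the thread's log shows: IKEv1 Aggressive Mode with a pre-shared key and
# only AES-128 / SHA1 / DH group 2 (modp1024) offered by the server.
conn mobile-ikev1-xauth
    keyexchange=ikev1
    aggressive=yes
    authby=xauthpsk
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    rightsourceip=10.10.10.0/24
    auto=add

# Recommended instead: IKEv2, server certificate, EAP-MSCHAPv2 for the clients,
# and a Phase 1 proposal the iPhone actually offers (AES-256, SHA-256, DH group 14).
conn mobile-ikev2-eap
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    leftid=vpn.example.com
    leftcert=vpn.example.com.crt
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add

# --- ipsec.secrets (assumed values) ---
# Server private key matching leftcert above, and one EAP user.
: RSA vpn.example.com.key
alice : EAP "correct horse battery staple"
```

The leftid must match the name in the server certificate that the phone is told to trust, which is why the replies have you send the pfSense CA certificate to the phone and install it before connecting. The "Aggressive Mode PSK disabled for security reasons" line in the log is strongSwan's default refusal of Aggressive Mode with PSK; it can be overridden with the charon.i_dont_care_about_security_and_use_aggressive_mode_psk setting in strongswan.conf, but moving to IKEv2 as above removes the need for it.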