On Aug 19, 2014, at 5:19 PM, Paul Galati <[email protected]> wrote:

> Anybody on the list using Mac OS X 10.6 or later and the built-in Cisco IPSec
> Client connecting to pfSense with any reliability? I am having a heck of a
> time getting the expected result. I have a couple users that want to connect
> via IPSec and use the CUPC client to make phone calls. When I initially
> set up the server and client according to different how-to's on the web, I was
> able to connect and reach the internet as well as the internal networks and
> make phone calls. Later that same day without changing a single piece of
> configuration, I am unable to connect because the negotiation failed. It
> continues to not respond for many hours but at some point starts to respond
> again. I have not been able to formulate proof of reason. If I simply turn
> off NAT-T in Phase 1, I am able to connect every time I have tried BUT, I am
> not able to reach anything on the remote side despite receiving a valid IP
> address from the mobile client config. I believe I have the appropriate
> config in the rules for IPSec and LAN but I am not having much luck.
>
> Anybody have any insight that might be useful for me?

I'm not sure if I have any insight, but I've been using Mac OS X 10.6 and later to connect to pfSense via the built-in IPSec client. The main issue I found is that I couldn't get any traffic to flow unless I enabled NAT-T. Without NAT-T enabled, the client would connect fine but no packets would reach it from the pfSense gateway. With NAT-T, traffic would reach the client. I posted about the issue to this list a few years ago (https://www.mail-archive.com/[email protected]/msg21912.html) but got no response. My "solution" was just to force NAT-T for all connections, whether the client required it or not (i.e., set "NAT Traversal" to "force" in the Phase 1 settings).

The other thing I've noticed with the built-in client is that enabling "Save Xauth Password" in the mode-cfg section of "Mobile Clients" does not appear to have any effect. The Mac client will still prompt the user to re-enter the password after an hour. Also, I've not had success in lengthening the lifetime between these prompts to re-enter the password, but, to be honest, I've not done much experimentation.

Cheers,
Paul.

_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
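Both posts describe the same symptom: IKE completes and the client gets an address, but with NAT-T off nothing on the remote side is reachable. The quickest way to tell "tunnel up, no data plane" apart from "tunnel never came up" is to look at what actually crosses the wire on the gateway side: whether IKE stayed on UDP/500 or relocated to UDP/4500 (NAT-T, RFC 3947), and whether ESP flows in both directions, either as raw IP protocol 50 or UDP-encapsulated on 4500 (RFC 3948). The script below is an added example written for this thread, not code from either poster or from pfSense; the packets are constructed summaries using RFC 5737 documentation addresses, and the helper names (`classify`, `diagnose`, the `Pkt` record) are this example's own. It distinguishes IKE-over-4500 from UDP-encapsulated ESP by the four-byte zero non-ESP marker and recognises the one-byte 0xFF keepalive, then reports the verdict a pfSense admin would want when a road-warrior client says "connected but nothing works".

```python
"""Triage a packet summary of an IPsec session between a road-warrior client and a
pfSense gateway: did IKE move to NAT-T (UDP/4500), and does ESP flow both ways?
Every packet below is a constructed example, not a real capture."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

IKE_PORT = 500                          # IKEv1 starts on UDP/500
NATT_PORT = 4500                        # RFC 3947/3948: IKE and ESP relocate here once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 s2.2: IKE carried inside UDP/4500 is prefixed by 4 zero bytes


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str              # "udp" or "esp" (IP protocol 50)
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes          # leading bytes of the UDP payload; empty for raw ESP


def classify(p: Pkt) -> str:
    """Label one packet by what it carries on the wire."""
    if p.proto == "esp":
        return "esp-raw"                    # plain ESP; a NAT that cannot map protocol 50 drops it
    if p.proto != "udp":
        return "other"
    if NATT_PORT in (p.sport, p.dport):
        if p.payload.startswith(NON_ESP_MARKER):
            return "ike-natt"               # IKE after the NAT-T port switch
        if p.payload == b"\xff":
            return "natt-keepalive"         # RFC 3948 s2.3 one-byte keepalive
        return "esp-udp"                    # UDP-encapsulated ESP: payload starts with a non-zero SPI
    if IKE_PORT in (p.sport, p.dport):
        return "ike"
    return "other"


def diagnose(packets: Iterable[Pkt], client: str, gateway: str) -> dict:
    """Summarise one client's session as seen from the gateway."""
    seen = Counter()
    for p in packets:
        if p.src == client and p.dst == gateway:
            direction = "from_client"
        elif p.src == gateway and p.dst == client:
            direction = "to_client"
        else:
            continue                        # unrelated traffic
        seen[(classify(p), direction)] += 1

    def any_of(kinds, direction):
        return any(seen[(k, direction)] for k in kinds)

    ike_kinds, data_kinds = ("ike", "ike-natt"), ("esp-raw", "esp-udp")
    ike_up = any_of(ike_kinds, "from_client") and any_of(ike_kinds, "to_client")
    nat_t = any_of(("ike-natt",), "from_client")
    data_from_client = any_of(data_kinds, "from_client")
    data_to_client = any_of(data_kinds, "to_client")

    if not ike_up:
        verdict = "ike-not-established"
    elif data_from_client and data_to_client:
        verdict = "ok"
    elif data_from_client:
        verdict = "ike-up-no-return-traffic"   # the thread's symptom: connected, remote side unreachable
    else:
        verdict = "ike-up-no-client-data"
    return {"ike_up": ike_up, "nat_t": nat_t, "data_from_client": data_from_client,
            "data_to_client": data_to_client, "verdict": verdict, "counts": dict(seen)}


# Constructed sessions. Addresses are RFC 5737 documentation ranges; the client
# address is what the gateway sees after the client's home NAT.
CLIENT, GATEWAY = "203.0.113.7", "198.51.100.1"

def _ike500(src, dst):   # ISAKMP header on UDP/500 begins with the initiator cookie
    return Pkt(src, dst, "udp", IKE_PORT, IKE_PORT, b"\x8a\x2b\xc1\x04")
def _ike4500(src, dst):  # same header, now behind the non-ESP marker on UDP/4500
    return Pkt(src, dst, "udp", NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x8a\x2b\xc1\x04")
def _esp_udp(src, dst):  # UDP-encapsulated ESP, payload starts with the SPI
    return Pkt(src, dst, "udp", NATT_PORT, NATT_PORT, b"\xc0\x00\x11\x22")
def _esp_raw(src, dst):  # ESP as IP protocol 50
    return Pkt(src, dst, "esp", None, None, b"")

# NAT-T disabled in Phase 1: IKE completes on 500, client emits raw ESP, nothing returns.
NO_NATT_SESSION = [
    _ike500(CLIENT, GATEWAY), _ike500(GATEWAY, CLIENT),
    _ike500(CLIENT, GATEWAY), _ike500(GATEWAY, CLIENT),
    _esp_raw(CLIENT, GATEWAY), _esp_raw(CLIENT, GATEWAY),
]

# "NAT Traversal: force": IKE relocates to 4500 and ESP rides in UDP in both directions.
FORCED_NATT_SESSION = [
    _ike500(CLIENT, GATEWAY), _ike500(GATEWAY, CLIENT),
    _ike4500(CLIENT, GATEWAY), _ike4500(GATEWAY, CLIENT),
    _esp_udp(CLIENT, GATEWAY), _esp_udp(GATEWAY, CLIENT),
    Pkt(CLIENT, GATEWAY, "udp", NATT_PORT, NATT_PORT, b"\xff"),
]

if __name__ == "__main__":
    for name, session in (("NAT-T off", NO_NATT_SESSION), ("NAT-T forced", FORCED_NATT_SESSION)):
        r = diagnose(session, CLIENT, GATEWAY)
        print(f"{name}: nat_t={r['nat_t']} verdict={r['verdict']} counts={r['counts']}")
```

On a real gateway the same classification can be applied to a capture of the client's public address on UDP/500, UDP/4500 and IP protocol 50. A verdict of `ike-up-no-return-traffic` with `nat_t` false matches what both posters saw with NAT-T disabled, and is the case where forcing NAT-Traversal in Phase 1, as the reply suggests, is worth trying before touching the IPsec or LAN rules.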
