On Aug 19, 2014, at 5:19 PM, Paul Galati <[email protected]> wrote:

> Anybody on the list using Mac OS X 10.6 or later and the built in Cisco IPSec 
> Client connecting to pfSense with any reliability?  I am having a heck of a 
> time getting the expected result.  I have a couple users that want to connect 
> via IPSec and use the CUPC client to make phone calls.  When I initially 
> set up the server and client according to different how-tos on the web, I was
> able to connect and reach the internet as well as the internal networks and 
> make phone calls.  Later that same day without changing a single piece of 
> configuration, I am unable to connect because the negotiation failed.  It 
> continues to not respond for many hours but at some point starts to respond 
> again.  I have not been able to formulate proof of reason.  If I simply turn 
> off NAT-T in Phase 1, I am able to connect every time I have tried BUT, I am 
> not able to reach anything on the remote side despite receiving a valid IP 
> address from the mobile client config. I believe I have the appropriate 
> config in the rules for IPSec and LAN but I am not having much luck.
> 
> Anybody have any insight that might be useful for me?


I'm not sure if I have any insight, but I've been using Mac OS X 10.6 
and later to connect to pfSense via the built-in IPSec client.  The 
main issue I found is that I couldn't get any traffic to flow unless I 
enabled NAT-T.  Without NAT-T enabled, the client would connect fine 
but no packets would reach it from the pfSense gateway.  With NAT-T, 
traffic would reach the client.  I posted about the issue to this list 
a few years ago 
(https://www.mail-archive.com/[email protected]/msg21912.html) but 
got no response.  My "solution" was just to force NAT-T for all 
connections, whether the client required it or not (i.e., set "NAT 
Traversal" to "force" in the Phase 1 settings).

The other thing I've noticed with the built-in client is that enabling 
"Save Xauth Password" in the mode-cfg section of "Mobile Clients" does 
not appear to have any effect.  The Mac client will still prompt the 
user to re-enter the password after an hour.  Also, I've not had 
success in lengthening the lifetime between these prompts to re-enter 
the password, but, to be honest, I've not done much experimentation.

Cheers,

Paul.
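As an added illustration, not taken from either message and not a file generated by pfSense: the settings both Pauls refer to ("NAT Traversal: force" in Phase 1, "Save Xauth Password" under Mobile Clients), expressed in the racoon.conf syntax that pfSense releases of that period used for IPsec. The WAN address, address pool, DNS server, algorithms and lifetimes below are assumptions chosen for the example.

```text
# Added illustration only: hand-written racoon.conf fragment, not a file
# copied from a pfSense box. Addresses, lifetimes and algorithms are assumed.

remote anonymous {
        exchange_mode aggressive;
        proposal_check obey;
        generate_policy on;
        passive on;
        ike_frag on;
        # "NAT Traversal: force" in the pfSense Phase 1 page: always wrap ESP
        # in UDP/4500, even when no NAT is detected between the peers.
        nat_traversal force;
        my_identifier address 203.0.113.1;   # assumed WAN address
        mode_cfg on;
        dpd_delay 10;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
                lifetime time 28800 sec;     # Phase 1 lifetime (assumed value)
        }
}

# "Mobile Clients" mode-cfg settings
mode_cfg {
        auth_source system;
        network4 10.99.0.1;          # assumed virtual address pool
        netmask4 255.255.255.0;
        pool_size 253;
        dns4 192.0.2.53;             # assumed internal DNS server
        # "Save Xauth Password" in the GUI
        save_passwd on;
        pfs_group 2;
}

sainfo anonymous {
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;      # Phase 2 lifetime (assumed value)
        pfs_group 2;
}
```

One practical consequence of `nat_traversal force`: traffic to the client leaves the gateway as UDP datagrams on port 4500 rather than as raw ESP (IP protocol 50), so the WAN rules and anything filtering upstream of the client need to pass UDP 500 and UDP 4500, while ESP itself no longer has to be allowed through for those clients.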

_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list