Re: [pfSense] iphone roaming client stopped routing

2015-07-06 Thread Vick Khera
On Wed, Jul 1, 2015 at 12:25 PM, Vick Khera vi...@khera.org wrote:

> With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
> negotiate the VPN. The status seems to be normal and as far as I can tell
> all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
> SPD look fine to me.


For the list archives: there is a bug in 2.2.3 using AES-256 encryption
with hardware accelerated crypto via AES-NI kernel module. Disabling the
latter (and rebooting) solves the problem. 2.2.4 will fix this, hopefully
soon.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
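The script below is an added example (my own shell, not pfSense code and not something from the list post). It automates the two observations the thread turns on: whether the aesni(4) kernel module that the reply blames is loaded or set to load at boot, and whether an IPsec child SA is installed yet has carried zero bytes in both directions, which is exactly the picture in the original post (IKE established, SAD/SPD present, no traffic). The `kldstat` output shape, the strongSwan `ipsec statusall` line format and the `aesni_load="YES"` line in /boot/loader.conf.local are assumptions about pfSense 2.2.x; both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the pfSense project or the list post.
# Assumptions (not checked against any pfSense release):
#   - the AES-NI module shows up in kldstat(8) output as "aesni.ko"
#   - pfSense persists the GUI crypto-hardware choice as
#     aesni_load="YES" in /boot/loader.conf.local
#   - `ipsec statusall` (strongSwan) prints child SAs as
#       con1{7}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c61812fe_i 096c1f12_o
#       con1{7}:   0 bytes_i, 0 bytes_o, rekeying in 42 minutes

# aesni_in_kldstat TEXT
# Return 0 if the given kldstat output lists aesni.ko, 1 otherwise.
# Takes the text as an argument so it can be exercised off-box.
aesni_in_kldstat() {
    printf '%s\n' "$1" | awk '$NF == "aesni.ko" { found = 1 } END { exit !found }'
}

# aesni_loader_lines FILE
# Print the lines of a loader.conf-style file that would load aesni at boot.
# Returns 1 (grep's "no match") when none are present or the file is absent.
aesni_loader_lines() {
    grep -E '^[[:space:]]*aesni_load[[:space:]]*=[[:space:]]*"?[Yy][Ee][Ss]"?' "$1" 2>/dev/null
}

# idle_child_sas TEXT
# From `ipsec statusall` output, print the names of child SAs that are
# INSTALLED but have moved no bytes in either direction. The byte counters
# are pulled by regex so the "(N pkts, Ts ago)" variant of the line also parses.
idle_child_sas() {
    printf '%s\n' "$1" | awk '
        /INSTALLED,/ { name = $1; sub(/:$/, "", name); installed[name] = 1 }
        /bytes_i/ {
            name = $1; sub(/:$/, "", name)
            match($0, /[0-9]+ bytes_i/); bi = substr($0, RSTART, RLENGTH) + 0
            match($0, /[0-9]+ bytes_o/); bo = substr($0, RSTART, RLENGTH) + 0
            if (installed[name] && bi == 0 && bo == 0) print name
        }'
}

# check_aesni [LOADER_CONF]
# Live check on a FreeBSD/pfSense host: running kernel plus persisted config.
check_aesni() {
    conf="${1:-/boot/loader.conf.local}"
    if command -v kldstat >/dev/null 2>&1; then
        if aesni_in_kldstat "$(kldstat)"; then
            echo "aesni.ko is loaded in the running kernel"
        else
            echo "aesni.ko is not loaded"
        fi
    else
        echo "kldstat not found; not a FreeBSD/pfSense host"
    fi
    if aesni_loader_lines "$conf" >/dev/null; then
        echo "$conf loads aesni at boot; set aesni_load=\"NO\" (or untick the GUI option) and reboot"
    fi
}

# Constructed sample outputs for a stand-alone run.
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f2c6e8  kernel
 2    1 0xffffffff8212d000 4fe8     aesni.ko
 3    1 0xffffffff82132000 2a28     if_enc.ko'

SAMPLE_STATUSALL='Security Associations (2 up, 0 connecting):
  con1[5]: ESTABLISHED 2 minutes ago, X.Y.208.212[X.Y.208.212]...70.192.205.232[iphone]
  con1{7}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c61812fe_i 096c1f12_o
  con1{7}:   0 bytes_i, 0 bytes_o, rekeying in 42 minutes
  con1{7}:   0.0.0.0/0 === 192.168.101.1/32
  con2[6]: ESTABLISHED 3 hours ago, X.Y.208.212[X.Y.208.212]...203.0.113.5[site-b]
  con2{8}:  INSTALLED, TUNNEL, ESP SPIs: 01234567_i 89abcdef_o
  con2{8}:   1441792 bytes_i (2133 pkts, 1s ago), 903168 bytes_o (1540 pkts, 1s ago), rekeying in 27 minutes
  con2{8}:   10.0.0.0/24 === 10.1.0.0/24'

if aesni_in_kldstat "$SAMPLE_KLDSTAT"; then
    echo "sample kldstat: aesni.ko is loaded"
fi
echo "sample statusall, child SAs installed but carrying nothing:"
idle_child_sas "$SAMPLE_STATUSALL"
```

On a live box, `check_aesni` (or `check_aesni /path/to/loader.conf.local`) gives the kernel and boot-time answers together, and `idle_child_sas "$(ipsec statusall)"` lists the tunnels that are up on paper only; an SA that stays in that list while the phone is generating traffic is the condition the post describes.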


[pfSense] iphone roaming client stopped routing

2015-07-01 Thread Vick Khera
For years I've had the iPhone roaming client IPSec configuration (using the
Cisco IPSec built-in client for iPhone). It has always worked great. I set
it up using the instructions on the pfSense forums.

With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
negotiate the VPN. The status seems to be normal and as far as I can tell
all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
SPD look fine to me.

However, no packets are routing. I cannot access *any* resource inside or
outside the VPN from my device. Normally all traffic is sent to the VPN
server in this configuration.

Clearly something changed with the roaming client use case with the recent
updates to IPSec.

Has anyone else noticed this on the upgrade? What's the fix?


SPD:

  Source          Destination     Direction  Protocol  Tunnel endpoints
  192.168.101.1   0.0.0.0/0       (icon)     ESP       70.192.205.232 - X.Y.208.212
  0.0.0.0/0       192.168.101.1   (icon)     ESP       X.Y.208.212 - 70.192.205.232

SAD:

  Source          Destination     Protocol  SPI       Enc. alg.     Auth. alg.  Data
  X.Y.208.212     70.192.205.232  ESP       096c1f12  rijndael-cbc  hmac-sha1   0 B
  70.192.205.232  X.Y.208.212     ESP       c61812fe  rijndael-cbc  hmac-sha1   0 B

Overview status:

  Established IKE SA:
    Local ID:   X.Y.208.212
    Local IP:   X.Y.208.212, port 4500, NAT-T, XAuth: user1
    Remote:     70.192.205.232, port 7009
    Role:       IKEv1 responder
    Reauth:     7 hours
    Algo:       AES_CBC:256, HMAC_SHA1_96:0, PRF_HMAC_SHA1, MODP_1024
    Status:     established 2 minutes ago

  Child SA:
    Local subnets:   0.0.0.0/0
    SPIs:            Local: c61812fe, Remote: 96c1f12
    Remote subnets:  192.168.101.1/32
    Times:           Rekey: 42 minutes, Life: 57 minutes, Install: 2 minutes
    Algo:            AES_CBC:256, HMAC_SHA1_96:0, IPComp: none
    Stats:           Bytes-In: 0, Packets-In: 0 : 126, Bytes-Out: 0, Packets-Out: 0 : 0

  iPhone Roaming Clients:
    Local ID:   X.Y.208.212
    Local IP:   X.Y.208.212
    Remote ID:  iphone
    Remote IP:  Unknown
    Status:     Awaiting connections



The configs are as follows:

Tunnel Phase1:
 Key exchange: V1
 IPv4
 Authentication: Mutual PSK + Xauth
 Mode: Aggressive
 Identifier: My IP address
 Peer Identifier: Distinguished name, iphone
 PSK: 64-byte hex value
 Encryption: AES-256, SHA1
 DH Key group: 2
 NAT Traversal: auto
 DPD: 10 seconds / 5 tries

Phase2:
 Mode: tunnel IPv4
 Local Network: Type: address, Address blank
 NAT Type: none
 Protocol: ESP
 Algorithms: AES-256, SHA1
 PFS key group: off

On the mobile client tab:
 Authentication: Local Database, system
 Virtual address pool: 192.168.101.0/24
 Network list: unchecked
 Save Xauth PW: allowed
 DNS Domain: int.kcilink.com
 DNS Servers: 192.168.97.97; 8.8.4.4
 other options off.

On the iphone:
 server: DNS name of my pfsense WAN interface
 account/password: properly set
 no certificate
 Group name: iphone (matches Peer Identifier above)
 Secret: (matches PSK 64-byte key above)