For years I've had the iPhone roaming client IPSec configuration (using the
Cisco IPSec built-in client for iPhone). It has always worked great. I set
it up using the instructions on the pfSense forums.
With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
negotiate the VPN. The status seems to be normal and as far as I can tell
all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
SPD look fine to me.
However, no packets are routing. I cannot access *any* resource inside or
outside the VPN from my device. Normally all traffic is sent to the VPN
server in this configuration.
Clearly something changed with the roaming client use case with the recent
updates to IPSec.
Has anyone else noticed this on the upgrade? What's the fix?
SPD:
  Source           Destination      Protocol  Tunnel endpoints
  192.168.101.1    0.0.0.0/0        ESP       70.192.205.232 - X.Y.208.212
  0.0.0.0/0        192.168.101.1    ESP       X.Y.208.212 - 70.192.205.232

SAD:
  Source           Destination      Protocol  SPI       Enc. alg.     Auth. alg.  Data
  X.Y.208.212      70.192.205.232   ESP       096c1f12  rijndael-cbc  hmac-sha1   0 B
  70.192.205.232   X.Y.208.212      ESP       c61812fe  rijndael-cbc  hmac-sha1   0 B

Overview status:
  Local ID:    X.Y.208.212
  Local IP:    X.Y.208.212, Port: 4500, NAT-T
  Remote ID:   XAuth: user1
  Remote IP:   70.192.205.232, Port: 7009
  Role:        IKEv1 responder
  Reauth:      7 hours
  Algo:        AES_CBC:256 / HMAC_SHA1_96:0 / PRF_HMAC_SHA1 / MODP_1024
  Status:      established, 2 minutes ago

  Child SA:
  Local subnets:   0.0.0.0/0
  Local SPI(s):    Local: c61812fe, Remote: 96c1f12
  Remote subnets:  192.168.101.1/32
  Times:           Rekey: 42 minutes, Life: 57 minutes, Install: 2 minutes
  Algo:            AES_CBC:256 / HMAC_SHA1_96:0 / IPComp: none
  Stats:           Bytes-In: 0, Packets-In: 0 : 126, Bytes-Out: 0, Packets-Out: 0 : 0

  Phase 1 entry:
  Description:     iPhone Roaming Clients
  Local ID:        X.Y.208.212
  Local IP:        X.Y.208.212
  Remote ID:       iphone
  Remote IP:       Unknown
  Status:          Awaiting connections
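An added cross-check (my own script, not from the post or from pfSense): it takes the SPD, SAD and child-SA values quoted above as constructed input and reports any policy without a matching SA, any SPI that the child-SA summary names but the SAD does not list, and SAs that are established yet have carried no bytes. Treating zero counters in both directions as its own finding is my assumption about what is worth flagging.

```python
# Added example (not from the post): cross-check pfSense IPsec status figures.
from typing import Dict, List

# Constructed from the SPD, SAD and child-SA tables quoted in the post.
SPD: List[Dict] = [
    {"src": "192.168.101.1", "dst": "0.0.0.0/0", "endpoints": ("70.192.205.232", "X.Y.208.212")},
    {"src": "0.0.0.0/0", "dst": "192.168.101.1", "endpoints": ("X.Y.208.212", "70.192.205.232")},
]
SAD: List[Dict] = [
    {"src": "X.Y.208.212", "dst": "70.192.205.232", "spi": "096c1f12", "bytes": 0},
    {"src": "70.192.205.232", "dst": "X.Y.208.212", "spi": "c61812fe", "bytes": 0},
]
CHILD_SA: Dict = {"local_spi": "c61812fe", "remote_spi": "96c1f12", "bytes_in": 0, "bytes_out": 0}


def spi_value(spi: str) -> int:
    """Compare SPIs numerically: the status page prints 96c1f12 where the SAD prints 096c1f12."""
    return int(spi, 16)


def check_ipsec_state(spd: List[Dict], sad: List[Dict], child: Dict) -> List[str]:
    findings: List[str] = []
    # Each policy needs an SA whose src/dst equal the policy's tunnel endpoints.
    for p in spd:
        if not any((s["src"], s["dst"]) == p["endpoints"] for s in sad):
            findings.append(f"no SA for policy {p['src']} -> {p['dst']} (endpoints {p['endpoints']})")
    # Both SPIs named in the child-SA summary must be present in the SAD.
    sad_spis = {spi_value(s["spi"]) for s in sad}
    for key in ("local_spi", "remote_spi"):
        if spi_value(child[key]) not in sad_spis:
            findings.append(f"{key} {child[key]} is not present in the SAD")
    # Established SAs with 0 bytes in both directions mean no packet has been
    # selected into the tunnel at all, so negotiation is not the failing step.
    if child["bytes_in"] == 0 and child["bytes_out"] == 0 and all(s["bytes"] == 0 for s in sad):
        findings.append("SAs established but 0 bytes in both directions: traffic is not being selected into the tunnel")
    return findings


if __name__ == "__main__":
    for line in check_ipsec_state(SPD, SAD, CHILD_SA):
        print(line)
```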
The configs are as follows:
Tunnel Phase1:
Key exchange: V1
IPv4
Authentication: Mutual PSK + Xauth
Mode: Aggressive
Identifier: My IP address
Peer Identifier: Distinguished name, iphone
PSK: 64-byte hex value
Encryption: AES-256, SHA1
DH Key group: 2
NAT Traversal: auto
DPD: 10 seconds / 5 tries
Phase2:
Mode: tunnel IPv4
Local Network: Type: address, Address blank
NAT Type: none
Protocol: ESP
Algorithms: AES-256, SHA1
PFS key group: off
On the mobile client tab:
Authentication: Local Database, system
Virtual address pool: 192.168.101.0/24
Network list: unchecked
Save Xauth PW: allowed
DNS Domain: int.kcilink.com
DNS Servers: 192.168.97.97; 8.8.4.4
other options off.
On the iPhone:
server: DNS name of my pfsense WAN interface
account/password: properly set
no certificate
Group name: iphone (matches Peer Identifier above)
Secret: (matches PSK 64-byte key above)
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list