Netgate m1n1wall

Author Topic: iPAD IPSec VPN  (Read 16722 times)

0 Members and 1 Guest are viewing this topic.

Offline dweimer

  • Newbie
  • *
  • Posts: 11
    • View Profile
iPAD IPSec VPN
« on: August 23, 2011, 11:11:24 am »
I have created an IPSec mobile client tunnel for use with my iPAD, to my pfSesnse 2.0 RC3 system, the tunnel connects and passes traffic just fine.  However it doesn't appear to be passing the DNS information to the iPAD, I can connect if I know the IP Address of an internal server a packet capture on the IPSec interface shows no attempt if accessing an internal DNS domain name of a DNS lookup.  Is this an unfortunate limitation of the iPAD's (most likely iPhone as well) Cisco IPSec VPN implementation.  Or is there possibly an issue with pfSense sending out the DNS information?  I do have 2 internal servers setup to be sent to the clients.  Under the iPAD VPN status it just shows the connect time, the external IP of the pfSense box, and ther internal IP assigned to the client.  Unfortunately I have no other way that I know of to troubleshoot from the iPAD.
Has anyone ran into this?  Or have any ideas about where I should look for the problem?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14934
    • View Profile
Re: iPAD IPSec VPN
« Reply #1 on: August 23, 2011, 01:09:57 pm »
So you do have checked "Provide a DNS server list to clients" under "Client Configuration" on the Mobile clients tab under VPN > IPsec? And you have a proper DNS server in there?

I just received an iPod touch so I'll be looking at the IPsec setup here in the very near future. It's also possible that iOS just doesn't support DNS in that way, but it's hard to say unless someone else has seen that happen before.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline TwigsUSAN

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: iPAD IPSec VPN
« Reply #2 on: August 23, 2011, 04:05:55 pm »
Are you trying to do DNS dips for items internal to the network or just regular web surfing?  If it's regular web surfing while still connected, try turning off send all traffic.

Offline dweimer

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: iPAD IPSec VPN
« Reply #3 on: August 24, 2011, 06:25:39 pm »
Yes I do have the box checked to provide the list of DNS servers to clients, and 2 internal servers.  So yes its internal DNS that's not working, external DNS for websites continues to work on the iPAD, which tells me that its not trying to use the DNS servers I have told it to use via the IPSec configuration.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14934
    • View Profile
Re: iPAD IPSec VPN
« Reply #4 on: August 25, 2011, 11:32:33 am »
I setup a VPN for my iPod Touch and it took the DNS and was respecting the value passed to the client. I did a tcpdump on the IPsec interface as I surfed the web over the VPN and I watched it make DNS requests to the DNS server I specified (not the one it obtained from DHCP) and it was working great.

iOS 4.3.5 if that makes a difference.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline bdgarcia

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: iPAD IPSec VPN
« Reply #5 on: August 27, 2011, 03:51:07 pm »
I am beating my head against the wall trying to get an IPSec tunnel up between my iPad and pfsense.   I have tried many options and I continue to fail at Phase 1.   Can anyone point me to a proven recipe?

Below is what I get in the system log:


Aug 27 15:47:29 racoon: [Self]: INFO: respond new phase 1 negotiation: 65.87.63.24[500]<=>166.249.128.173[44895]
Aug 27 15:47:29 racoon: INFO: begin Identity Protection mode.
Aug 27 15:47:29 racoon: INFO: received Vendor ID: RFC 3947
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Aug 27 15:47:29 racoon: INFO: received Vendor ID: CISCO-UNITY
Aug 27 15:47:29 racoon: INFO: received Vendor ID: DPD
Aug 27 15:47:29 racoon: [166.249.128.173] INFO: Selected NAT-T version: RFC 3947
Aug 27 15:47:29 racoon: ERROR: no suitable proposal found.
Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: failed to get valid proposal.
Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: phase1 negotiation failed.
 
I have included a copy of my phase 1 setup below.

Thank you
Bryan



« Last Edit: August 27, 2011, 03:56:21 pm by bdgarcia »

Offline bdgarcia

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: iPAD IPSec VPN
« Reply #6 on: August 27, 2011, 05:05:30 pm »
I got it working.

All of the information can be gathered from these two posts:

http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

http://forum.pfsense.org/index.php/topic,32319.0.html

From the post above, it appears you need to put the users in the admin group, which is less than ideal.  You do not need to do this, you simply need to create a group with access to the IPSec XAuth Dialin and put the users in that group as shown below:

« Last Edit: August 27, 2011, 05:19:00 pm by bdgarcia »

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14934
    • View Profile
Re: iPAD IPSec VPN
« Reply #7 on: August 27, 2011, 09:33:38 pm »
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline mikesamo

  • Full Member
  • ***
  • Posts: 225
    • View Profile
Re: iPAD IPSec VPN
« Reply #8 on: August 31, 2011, 08:39:13 pm »
Working well for me too with iPad and iPod toutch using the doc in wiki
But there is no option on iOS to get all traffic routed to the VPN ;(
« Last Edit: August 31, 2011, 08:41:25 pm by mikesamo »

Offline Metu69salemi

  • Hero Member
  • *****
  • Posts: 1564
    • View Profile
Re: iPAD IPSec VPN
« Reply #9 on: August 31, 2011, 11:03:53 pm »
Even if vpn server says tunnel everything through vpn connection?
so the route would be 0.0.0.0 0.0.0.0 vpn-gateway on the machine itself