
Author Topic: IPsec from Android ICS through pfSense, IPsec packets routed in an unexpected manner


kejianshi:
Hi all.

I have fooled with IPsec VPN to a pfSense router with limited success.

Here is the deal.  On a cellphone using Android Ice Cream Sandwich on the built in IPsec Xauth PSK:

It authenticates and connects.

If I open the phone browser and google "what's my IP"
then check my IP, it will give me the IP of my cell phone provider.
It's accessing the internet as if not using a VPN.

Now.  If on the very same browser, I give it the IP of a server running on my LAN, it will access that server on the LAN behind the pfSense router.  So, those packets are tunnelled correctly.

Any idea what is causing this split routing?

kejianshi:
OK - To me it seems that IPsec on an Android device, particularly using the VPN client that comes pre-installed, is somewhat of a mystery to most.  So, since I bothered to solve my own problem and now have ICS Android working from my Android to my pfSense, seemingly as well as my OpenVPN, without any split tunneling or weirdness, I will share my experience and my deviations from previously posted how-tos.

This is not for point to point.  Point to point is talked to death.

Not much different in what I've done compared to what is ALL OVER THE INTERNET, but it seems to matter a lot.


Click the "Enable IPsec" box

Interface - WAN
Description - A name you like
Authentication method - Mutual PSK + Xauth
Negotiation Method - aggressive
My identifier - Dynamic DNS -   (I chose dynamic because my home router uses dynamic DNS - My IP may work fine)
Peer identifier -   (make up an address if needed, but don't leave blank.  It's important)
Pre-Shared Key - Make one up. I'll use kilrapplease. Make it a bit long but memorable.  (This is the ONLY pre-shared key that will go into your phone)
Policy Generation - Unique
Proposal Checking - obey
Encryption algorithm - AES 128
Hash algorithm - SHA1
DH key group - 2
Lifetime - 86400
NAT Traversal - Enable
Dead Peer Detection - Enable DPD
Delay between requesting peer acknowledgement - 10
Number of consecutive failures allowed before disconnect - 5


Under Mobile Clients
click  Enable IPsec Mobile Client Support box
User Authentication - system
Group Authentication - system
Virtual Address Pool - click  Provide a virtual IP address to clients
network - / 24   (pick an address range not in use on pfSense, I suggest a /24)
click Provide a list of accessible networks to clients
click Save Xauth Password (probably makes no difference, but why not)
DNS Default Domain - click Provide a default domain name to clients
enter a domain name like - totallyipsecdomain  (just make up one that's not in use on your pfSense)
DNS Servers - (I would enter 2)
               (this one is dyndns)
                         (this one is google)     Its probably better to run your own dns server if you know how.
WINS Servers - All blank and unchecked.
Phase2 PFS Group - unchecked
Login Banner - Welcome - You are now connected to my sick little world  (Or something else you like.  These pop up if you are using iphone)


Phase II mobile client
Mode - tunnel
Local Network - LAN Subnet (or whatever subnet you want to reach.  Hopefully it's one you use daily and has good firewall rules that work)
Description - myphase2 (or some name you makeup)
Protocol - ESP
Encryption algorithms - AES / 128 / auto     (make sure the others are unchecked)
Hash algorithms - SHA1 (uncheck MD5)
PFS key group - off     (this will break your VPN if you turn it on and it's not an option in your client)
Lifetime - 28800
Automatically ping host - leave empty   (I'm wondering why I'd want to ping anything?  I can't see the results on my phone)

Now, here is where the stuff I've read online sort of gets confusing/wrong.

For this to work, you need to create/use a user on pfSense.
Go to System > User Manager
Create a new user (unless there is already a user there you plan to use)
Give the user a username and a password and write those down. I'll use guyone and passwd4guy1
Give user a full name, leave expiration date blank, create a user cert if you like (useful for openvpn)
IPsec Pre-Shared Key - enter a pre-shared key here.  just make up something a bit long  - YOU WILL NOT BE USING THIS ANYWHERE but its required.

*********************You might need ************************
In pfSense you might need to make a MANUAL entry in Firewall > NAT > Outbound if you use manual outbound NAT, like me.
To allow the IPsec domain you made up ( / 24 in this example) to see the web, you need to add an outbound NAT entry.
Interface - WAN
protocol - any
Source - Network
   / 24 (the number you made up anyway)
Source port - leave empty
Destination - any
address - leave alone
destination  - leave blank
translation - Interface Address
port - leave blank
Static port (I checked it to make it play nicer with MY SIP servers, but blank is fine usually)
No XMLRPC Sync - unchecked
Description  - Rule to pass IPsec (word it how you like)
****Remember, this rule might not be necessary if you use automatic outbound NAT (which I do not)***

Next firewall rule isn't optional.

Firewall > Rules > IPsec
add new rule

Action - pass
Interface - IPsec
Protocol - any
Source - any
Destination - any
Description - Allow all from IPsec (word however you like)

Go to status > Filter reload
Click home menu for pfsense again.  We should be done on the router.

******   The rest of this happens on your phone, tablet or whatever*****

Now - grab your android phone, on cellular data please or network outside your own.
Doing this on the same lan as your server won't prove anything and will likely cause conflict.

On my ICS Android phone it's Settings > VPN > More > VPN > Add VPN

select IPsec Xauth
Server address = your DNS domain or pfsense's public IP (I entered my dynamic dns name here)
for IPsec Identifier = use the email-looking address you made up (I used

IPsec pre-shared key (This is the one we made up while configuring the tunnel, not the one when we made the user / password.)
I used kilrapplease

For DNS search domain (I left blank)

DNS Servers - (I entered     If there is one you prefer, use that)

****MEGA Important****
Forwarding routes - Set this to   (if you don't your routing will be split.  Half the time it will go around your VPN)

Now connect to your VPN.
Use the username for the user we created on pfsense and the password.  (I used guyone and passwd4guy1)
If you have the option and you want, click the "save account info button", else you have to enter the username/passwd each time.
Press connect.

If your phone is anything like mine, you should have a working pfSense IPsec tunnel VPN without flaky hit-and-miss routing now.
I verified this by going to to ensure it's showing as my home server IP, and I went to one of my servers behind my pfSense using only its private IP address.  Both worked as expected...   FINALLY.

I will add a section about the iphone after I catch some ZZZZZZzzzzs.

« Last Edit: July 08, 2013, 04:44:26 am by kejianshi »
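As an added example, not code from the post author or from pfSense, the following Python checker encodes the pairing rules the how-to above relies on: the phone's identifier and PSK must match the Phase 1 settings (not the per-user PSK), the virtual pool must not overlap the LAN, Phase 2 PFS must be off when the client has no PFS option, a pass rule must exist on the IPsec interface, manual outbound NAT needs a rule covering the pool, and the client's forwarding routes must include 0.0.0.0/0 or only the LAN is tunnelled, which is exactly the split-routing symptom from the first post. All subnets, the identifier and the route values below are constructed assumptions; only the PSK string "kilrapplease" comes from the post.

```python
"""Added example: offline sanity checks for a pfSense mobile-IPsec (Xauth + PSK)
setup paired with an Android built-in 'IPsec Xauth PSK' profile.
Not code from pfSense or the post author; sample values are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")  # full-tunnel forwarding route


@dataclass
class PfSenseMobileIpsec:
    """Router-side fields that the how-to says matter."""
    peer_identifier: str            # Phase 1 "Peer identifier" (never blank)
    psk: str                        # Phase 1 PSK; the only PSK the phone gets
    lan_subnet: str                 # Phase 2 "Local Network"
    virtual_pool: str               # Mobile Clients virtual address pool
    phase2_pfs: bool                # Phase 2 "PFS key group" enabled?
    ipsec_rule_pass: bool           # Firewall > Rules > IPsec pass rule present?
    manual_outbound_nat: bool       # manual outbound NAT mode in use?
    outbound_nat_sources: List[str] = field(default_factory=list)  # WAN NAT sources


@dataclass
class AndroidXauthPsk:
    """Phone-side fields of the built-in 'IPsec Xauth PSK' profile."""
    identifier: str                 # "IPsec identifier"
    psk: str                        # "IPsec pre-shared key"
    forwarding_routes: List[str]    # "Forwarding routes" as CIDR strings
    supports_pfs: bool = False      # assumption: ICS client exposes no PFS option


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def check(server: PfSenseMobileIpsec, client: AndroidXauthPsk) -> List[str]:
    """Return human-readable problems; an empty list means the pairing looks sane."""
    problems: List[str] = []

    # Phase 1: identity and PSK on the phone must match the tunnel, not the user.
    if not server.peer_identifier.strip():
        problems.append("peer identifier is blank on pfSense")
    elif client.identifier != server.peer_identifier:
        problems.append("phone IPsec identifier does not match pfSense peer identifier")
    if client.psk != server.psk:
        problems.append("phone PSK differs from the Phase 1 PSK (per-user PSK is not used here)")

    # The virtual pool must be a range not already in use behind pfSense.
    pool, lan = _net(server.virtual_pool), _net(server.lan_subnet)
    if pool.overlaps(lan):
        problems.append(f"virtual pool {pool} overlaps LAN {lan}")

    # Routing: if only the LAN is routed, LAN hosts work but web traffic leaves
    # via the carrier, which is the symptom described in the first post.
    routes = [_net(r) for r in client.forwarding_routes]
    if ANY_V4 not in routes:
        if any(lan.subnet_of(r) for r in routes):
            problems.append("split tunnel: LAN is routed but Internet traffic bypasses the VPN")
        else:
            problems.append("no forwarding route covers the LAN; nothing will be tunnelled")

    # Phase 2 PFS on the server with a client that cannot do PFS breaks the SA.
    if server.phase2_pfs and not client.supports_pfs:
        problems.append("Phase 2 PFS enabled but client has no PFS option")

    # Traffic arriving on the IPsec interface still needs a firewall pass rule.
    if not server.ipsec_rule_pass:
        problems.append("no pass rule on Firewall > Rules > IPsec")

    # With manual outbound NAT, the pool needs its own WAN NAT rule for web access.
    if server.manual_outbound_nat and not any(
        pool.subnet_of(_net(src)) for src in server.outbound_nat_sources
    ):
        problems.append(f"manual outbound NAT has no rule for {pool}")

    return problems


def example_server() -> PfSenseMobileIpsec:
    """Constructed router config matching the how-to (addresses are assumptions)."""
    return PfSenseMobileIpsec(
        peer_identifier="phone@vpn.example",  # constructed email-style identifier
        psk="kilrapplease",                   # PSK string from the post
        lan_subnet="192.168.1.0/24",          # constructed
        virtual_pool="10.99.0.0/24",          # constructed, unused /24
        phase2_pfs=False,
        ipsec_rule_pass=True,
        manual_outbound_nat=True,
        outbound_nat_sources=["192.168.1.0/24", "10.99.0.0/24"],
    )


def example_client(routes: List[str]) -> AndroidXauthPsk:
    """Constructed phone profile; only the forwarding routes vary."""
    return AndroidXauthPsk("phone@vpn.example", "kilrapplease", routes)


if __name__ == "__main__":
    srv = example_server()
    for routes in (["192.168.1.0/24"], ["0.0.0.0/0"]):
        print(routes, "->", check(srv, example_client(routes)) or "OK")
```

Running it prints the split-tunnel finding for a LAN-only forwarding route and "OK" for 0.0.0.0/0; flip `phase2_pfs` to True or drop the pool from `outbound_nat_sources` to see the two other failure modes the how-to warns about.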