For years I've had the iPhone roaming client IPSec configuration (using the Cisco IPSec built-in client for iPhone). It has always worked great. I set it up using the instructions on the pfSense forums.
With pfSense 2.2.3, the iPhone connects to the pfSense firewall to negotiate the VPN. The status seems to be normal and as far as I can tell all the IPSec bits are in order. Nothing unexpected in the logs. SAD and SPD look fine to me. However, no packets are routing. I cannot access *any* resource inside or outside the VPN from my device. Normally all traffic is sent to the VPN server in this configuration. Clearly something changed with the roaming client use case with the recent updates to IPSec. Has anyone else noticed this on the upgrade? What's the fix?

SPD:

  Source          Destination     Direction  Protocol  Tunnel endpoints
  192.168.101.1   0.0.0.0/0       (icon)     ESP       70.192.205.232 -> X.Y.208.212
  0.0.0.0/0       192.168.101.1   (icon)     ESP       X.Y.208.212 -> 70.192.205.232

SAD:

  Source          Destination     Protocol  SPI       Enc. alg.     Auth. alg.  Data
  X.Y.208.212     70.192.205.232  ESP       096c1f12  rijndael-cbc  hmac-sha1   0 B
  70.192.205.232  X.Y.208.212     ESP       c61812fe  rijndael-cbc  hmac-sha1   0 B

Overview status (IKE SA):

  Description: (blank)
  Local ID:    X.Y.208.212
  Local IP:    X.Y.208.212 Port: 4500 NAT-T
  Remote ID:   XAuth: user1
  Remote IP:   70.192.205.232 Port: 7009
  Role:        IKEv1 responder
  Reauth:      7 hours
  Algo:        AES_CBC:256 HMAC_SHA1_96:0 PRF_HMAC_SHA1 MODP_1024
  Status:      established 2 minutes ago

Child SA:

  Local subnets:  0.0.0.0/0
  Local SPI(s):   Local: c61812fe  Remote: 96c1f12
  Remote subnets: 192.168.101.1/32
  Times:          Rekey: 42 minutes  Life: 57 minutes  Install: 2 minutes
  Algo:           AES_CBC:256 HMAC_SHA1_96:0 IPComp: none
  Stats:          Bytes-In: 0  Packets-In: 0 : 126  Bytes-Out: 0  Packets-Out: 0 : 0

Mobile clients entry:

  Description: iPhone Roaming Clients
  Local ID:    X.Y.208.212
  Local IP:    X.Y.208.212
  Remote ID:   iphone
  Remote IP:   Unknown
  Status:      Awaiting connections

The configs are as follows:

Tunnel Phase 1:
  Key exchange: V1 IPv4
  Authentication: Mutual PSK + Xauth
  Mode: Aggressive
  Identifier: My IP address
  Peer Identifier: Distinguished name, iphone
  PSK: <64-byte hex value>
  Encryption: AES-256, SHA1
  DH Key group: 2
  NAT Traversal: auto
  DPD: 10 seconds / 5 tries

Phase 2:
  Mode: tunnel IPv4
  Local Network: Type: address, Address <blank>
  NAT Type: <none>
  Protocol: ESP
  Algorithms: AES-256, SHA1
  PFS key group: off

On the mobile client tab:
  Authentication: Local Database, system
  Virtual address pool: 192.168.101.0/24
  Network list: unchecked
  Save Xauth PW: allowed
  DNS Domain: int.kcilink.com
  DNS Servers: 192.168.97.97; 8.8.4.4
  other options off.

On the iPhone:
  server: DNS name of my pfSense WAN interface
  account/password: properly set
  no certificate
  Group name: iphone (matches Peer Identifier above)
  Secret: (matches PSK 64-byte key above)

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
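The SPD, SAD and child-SA rows pasted above can be cross-checked mechanically: every SPD policy should have an SA for its tunnel endpoints, the child SA's local/remote SPIs should line up with the inbound/outbound SAD entries, the selectors should describe a full tunnel to a /32 out of the virtual pool, and the byte counters tell you which half of the path to look at first. The script below is an added example (not code from the post and not pfSense's own diagnostics). It hand-copies the values from the post; the masked WAN address X.Y.208.212 is replaced with the TEST-NET-2 placeholder 198.51.100.212, and the `diagnose` verdicts are this example's own heuristic, not a pfSense rule.

```python
"""Cross-check an IPsec status snapshot (SPD, SAD, child SA) for a roaming client.
Added example; values are a hand-built copy of the post's tables."""
import ipaddress
from dataclasses import dataclass

FW = "198.51.100.212"        # placeholder for the masked X.Y.208.212 WAN address (assumption)
CLIENT = "70.192.205.232"    # roaming client's public address, from the post
POOL = "192.168.101.0/24"    # mobile-clients virtual address pool, from the post


@dataclass(frozen=True)
class Spd:                   # one SPD row: traffic selector plus tunnel endpoints
    src: str
    dst: str
    proto: str
    tun_src: str
    tun_dst: str


@dataclass(frozen=True)
class Sad:                   # one SAD row: SA endpoints, SPI, bytes carried so far
    src: str
    dst: str
    proto: str
    spi: int
    data_bytes: int


@dataclass(frozen=True)
class Child:                 # the established CHILD_SA as shown on the overview page
    local_net: str
    remote_net: str
    local_spi: int
    remote_spi: int
    bytes_in: int
    bytes_out: int


# Constructed from the post's SPD / SAD / child-SA rows.
SPD = [Spd("192.168.101.1/32", "0.0.0.0/0", "ESP", CLIENT, FW),
       Spd("0.0.0.0/0", "192.168.101.1/32", "ESP", FW, CLIENT)]
SAD = [Sad(FW, CLIENT, "ESP", 0x096c1f12, 0),
       Sad(CLIENT, FW, "ESP", 0xc61812fe, 0)]
CHILD = Child("0.0.0.0/0", "192.168.101.1/32", 0xc61812fe, 0x096c1f12, 0, 0)


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def policies_without_sa(spd, sad):
    """SPD policies whose tunnel endpoints have no SA: traffic matching such a
    policy cannot be encrypted, so it is dropped or triggers a fresh acquire."""
    return [p for p in spd
            if not any(s.src == p.tun_src and s.dst == p.tun_dst and s.proto == p.proto
                       for s in sad)]


def spi_bindings(child, sad, fw):
    """Map the child SA's SPIs onto the kernel SAD: the SA whose destination is the
    firewall is the inbound one and must carry the child's local SPI; the SA the
    firewall originates must carry the remote SPI."""
    inbound = next((s for s in sad if s.dst == fw and s.proto == "ESP"), None)
    outbound = next((s for s in sad if s.src == fw and s.proto == "ESP"), None)
    return {"inbound": inbound is not None and inbound.spi == child.local_spi,
            "outbound": outbound is not None and outbound.spi == child.remote_spi}


def selectors_ok(child, spd, pool):
    """Full-tunnel roaming client: local side 0.0.0.0/0, remote side a /32 taken
    from the virtual pool, and one SPD policy per direction for that pair."""
    remote, local = _net(child.remote_net), _net(child.local_net)
    in_pool = remote.subnet_of(_net(pool))
    full_tunnel = local == _net("0.0.0.0/0")
    inbound = any(_net(p.src) == remote and _net(p.dst) == local for p in spd)
    outbound = any(_net(p.dst) == remote and _net(p.src) == local for p in spd)
    return in_pool and full_tunnel and inbound and outbound


def diagnose(child):
    """Heuristic (this example's own): where to look next, from the counters alone."""
    if child.bytes_in == 0 and child.bytes_out == 0:
        return "no-inbound"    # nothing decrypted yet: client packets never passed the inbound SA
    if child.bytes_out == 0:
        return "no-return"     # decrypting fine, nothing sent back: return path / rules / routing
    return "passing"           # the SA carries traffic both ways; look beyond the tunnel


def report(spd=SPD, sad=SAD, child=CHILD, fw=FW, pool=POOL):
    return {"missing_sa": policies_without_sa(spd, sad),
            "spi": spi_bindings(child, sad, fw),
            "selectors": selectors_ok(child, spd, pool),
            "verdict": diagnose(child)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the post's data every structural check passes and the verdict is "no-inbound": both counters are zero, so the inbound SA has decrypted nothing. That points away from the SPD/SAD and towards whatever sits in front of decryption (the firewall rules on the IPsec interface, whether ESP-in-UDP/4500 from the client is actually arriving, and whether the client's packets carry the 192.168.101.1 virtual address the policy expects) rather than towards return routing, which the "no-return" branch would indicate.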