Re: [pfSense] pfsense, IPSec, and Mac OS X
On Aug 22, 2014, at 11:38 AM, Paul Galati wrote:

> thanks for your reply. I have looked at that page already to verify my
> initial settings were correct, and they are. It is the final tweak that I am
> trying to locate. I just don't understand why simply turning NAT-T on or off
> would completely eliminate the login prompt.

In my setup (OS X 10.9 with IPSec client using XAuth PSK) I don't have to enter a login or password or shared secret because that's already in the OS X IPSec VPN configuration in Network Preferences. The only time I am prompted to enter the password is after about an hour, presumably when the IPSec lifetime has expired on the client side. When I connect from the Mac, all I get is a popup saying "VPN Connection" and buttons with "Disconnect" and "OK".

For me, enabling or disabling NAT-T is the difference between traffic routing out of the pfSense box or not, i.e., the VPN working or not working.

Cheers,
Paul.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfsense, IPSec, and Mac OS X
Bruce, thanks for your reply. I have looked at that page already to verify my initial settings were correct, and they are. It is the final tweak that I am trying to locate. I just don't understand why simply turning NAT-T on or off would completely eliminate the login prompt.

Paul Galati
paulgal...@gmail.com

On Aug 22, 2014, at 11:26 AM, Bruce A. Mah wrote:

> If memory serves me right, Paul Galati wrote:
>
>> Anybody on the list using Mac OS X 10.6 or later and the built in
>> Cisco IPSec Client connecting to pfSense with any reliability?
>
> I've had this working (with at least Mac OS 10.8 and 10.9 and iOS 6 and
> 7, with their built-in IPsec clients) on pfSense 2.1.x, following a
> modified version of these instructions:
>
> https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
>
> Unfortunately it's been quite a while since I set this up, and I don't
> remember the changes I had to make for newer versions of pfSense (they
> weren't major however, and mostly had to do with UI changes in pfSense
> rather than IPsec functionality).
>
> Once I flailed around with the initial setup, it Just Works (tm).
>
> Hope this helps,
>
> Bruce.
Re: [pfSense] pfsense, IPSec, and Mac OS X
If memory serves me right, Paul Galati wrote:

> Anybody on the list using Mac OS X 10.6 or later and the built in
> Cisco IPSec Client connecting to pfSense with any reliability?

I've had this working (with at least Mac OS 10.8 and 10.9 and iOS 6 and 7, with their built-in IPsec clients) on pfSense 2.1.x, following a modified version of these instructions:

https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

Unfortunately it's been quite a while since I set this up, and I don't remember the changes I had to make for newer versions of pfSense (they weren't major however, and mostly had to do with UI changes in pfSense rather than IPsec functionality).

Once I flailed around with the initial setup, it Just Works (tm).

Hope this helps,

Bruce.
Re: [pfSense] pfsense, IPSec, and Mac OS X
Bryan,

Setting everything up like you have documented (great directions, btw) did not change my end result. If I disable NAT-T, I am prompted for a password every time and it does connect but fails to route anywhere. If I enable NAT-T, it works as advertised IF I somehow get prompted for a password. I never know when I will get a prompt for a password. I can't find a relationship or reason as to why it works or not, even when I did not make any changes for several days.

I am now investigating the certificate part of your documentation to see if that makes any difference on the Mac OS X side. Not really planning to do VPN on the phone, yet. Thanks for your help. If that doesn't work, I guess the next step would be to try a software OpenVPN client.

Paul Galati
paulgal...@gmail.com

On Aug 20, 2014, at 1:59 PM, Bryan D. wrote:

> I've not used the OS X client, but (just having had a quick look at it), it
> appears to be similar to the iOS client (same code base?). As such, some of
> the information on a large posting I did about setting up IPSec VPN may help
> (http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN).
>
> Specifically, there's some info on preventing the Xauth password from being
> prompted for during each connection -- see in section 2.b) Connection
> behavior on http://www.derman.com/blogs/iOS-IPSec-VPN-OnDemand-Setup.
>
> It's quite possible that using the indicated strategies (i.e., using the
> Apple Configurator and manually editing the profile XML) would also work with
> OS X. If you try it and it does, please post a comment on the site (and
> elsewhere?) so others can also benefit.
Re: [pfSense] pfsense, IPSec, and Mac OS X
Bryan and all,

Thanks for the info. I will look into this and see if I can provide some useful info to share.

Paul Galati
paulgal...@gmail.com

On Aug 20, 2014, at 1:59 PM, Bryan D. wrote:

> I've not used the OS X client, but (just having had a quick look at it), it
> appears to be similar to the iOS client (same code base?). As such, some of
> the information on a large posting I did about setting up IPSec VPN may help
> (http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN).
>
> Specifically, there's some info on preventing the Xauth password from being
> prompted for during each connection -- see in section 2.b) Connection
> behavior on http://www.derman.com/blogs/iOS-IPSec-VPN-OnDemand-Setup.
>
> It's quite possible that using the indicated strategies (i.e., using the
> Apple Configurator and manually editing the profile XML) would also work with
> OS X. If you try it and it does, please post a comment on the site (and
> elsewhere?) so others can also benefit.
>
> Bryan D.
> http://www.derman.com/
Re: [pfSense] pfsense, IPSec, and Mac OS X
On 2014-Aug-20, at 6:13 AM, Paul Mather wrote:

> The other thing I've noticed with the built-in client is that enabling
> "Save Xauth Password" in the mode-cfg section of "Mobile Clients" does
> not appear to have any effect. The Mac client will still prompt the
> user to re-enter the password after an hour. Also, I've not had
> success in lengthening the lifetime between these prompts to re-enter
> the password, but, to be honest, I've not done much experimentation.

I've not used the OS X client, but (just having had a quick look at it), it appears to be similar to the iOS client (same code base?). As such, some of the information on a large posting I did about setting up IPSec VPN may help (http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN).

Specifically, there's some info on preventing the Xauth password from being prompted for during each connection -- see in section 2.b) Connection behavior on http://www.derman.com/blogs/iOS-IPSec-VPN-OnDemand-Setup.

It's quite possible that using the indicated strategies (i.e., using the Apple Configurator and manually editing the profile XML) would also work with OS X. If you try it and it does, please post a comment on the site (and elsewhere?) so others can also benefit.

Bryan D.
http://www.derman.com/
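For readers who want to try the profile-based approach Bryan points at, here is a minimal configuration profile for a PSK + XAuth IPsec connection of the kind pfSense's mobile IPsec serves. This is an added example, not from the thread or from Bryan's site; the server name, group name, user name, UUIDs and the base64-encoded placeholder secrets are all made up and must be replaced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Cisco-style IPsec VPN payload (the same client the thread discusses) -->
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.pfsense-ipsec</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
      <key>UserDefinedName</key><string>Office VPN (pfSense)</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <!-- Group name: the KeyID identifier the pfSense mobile Phase 1 expects -->
        <key>LocalIdentifier</key><string>mobileusers</string>
        <key>LocalIdentifierType</key><string>KeyID</string>
        <!-- Pre-shared key, base64 of the placeholder "REPLACE-WITH-YOUR-PSK" -->
        <key>SharedSecret</key><data>UkVQTEFDRS1XSVRILVlPVVItUFNL</data>
        <!-- XAuth credentials carried in the profile, so the client has them
             without asking; leave XAuthPassword out to have the user prompted. -->
        <key>XAuthEnabled</key><integer>1</integer>
        <key>XAuthName</key><string>paul</string>
        <key>XAuthPassword</key><string>REPLACE-WITH-XAUTH-PASSWORD</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.profile.pfsense-ipsec</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
  <key>PayloadDisplayName</key><string>pfSense IPsec VPN</string>
</dict>
</plist>
```

Because the password sits in the file in clear text, the .mobileconfig should be handled like a credential file (restricted permissions, removed after installation); on OS X it is installed through the Profiles preference pane rather than through Apple Configurator.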
Re: [pfSense] pfsense, IPSec, and Mac OS X
On Aug 19, 2014, at 5:19 PM, Paul Galati wrote:

> Anybody on the list using Mac OS X 10.6 or later and the built in Cisco IPSec
> Client connecting to pfSense with any reliability? I am having a heck of a
> time getting the expected result. I have a couple users that want to connect
> via IPSec and use the CUPC client to make phone calls. When I initially
> set up the server and client according to different how-tos on the web, I was
> able to connect and reach the internet as well as the internal networks and
> make phone calls. Later that same day, without changing a single piece of
> configuration, I am unable to connect because the negotiation failed. It
> continues to not respond for many hours but at some point starts to respond
> again. I have not been able to formulate proof of reason. If I simply turn
> off NAT-T in Phase 1, I am able to connect every time I have tried BUT I am
> not able to reach anything on the remote side despite receiving a valid IP
> address from the mobile client config. I believe I have the appropriate
> config in the rules for IPSec and LAN but I am not having much luck.
>
> Anybody have any insight that might be useful for me?

I'm not sure if I have any insight, but I've been using Mac OS X 10.6 and later to connect to pfSense via the built-in IPSec client. The main issue I found is that I couldn't get any traffic to flow unless I enabled NAT-T. Without NAT-T enabled, the client would connect fine but no packets would reach it from the pfSense gateway. With NAT-T, traffic would reach the client. I posted about the issue to this list a few years ago (https://www.mail-archive.com/support@pfsense.com/msg21912.html) but got no response. My "solution" was just to force NAT-T for all connections, whether the client required it or not (i.e., set "NAT Traversal" to "force" in the Phase 1 settings).

The other thing I've noticed with the built-in client is that enabling "Save Xauth Password" in the mode-cfg section of "Mobile Clients" does not appear to have any effect. The Mac client will still prompt the user to re-enter the password after an hour. Also, I've not had success in lengthening the lifetime between these prompts to re-enter the password, but, to be honest, I've not done much experimentation.

Cheers,
Paul.
Re: [pfSense] pfsense, IPSec, and Mac OS X
The only config that reaches the internet is having NAT-T on, but trying to connect to IPsec initially is the problem. With NAT-T off it connects every time but cannot reach anything.

> On Aug 19, 2014, at 7:06 PM, Ryan Coleman wrote:
>
> I had been before I was relieved of my duties 8 months ago. It does work but
> I have little to suggest to you at the moment.
>
>> On Aug 19, 2014, at 16:19, Paul Galati wrote:
>>
>> Anybody on the list using Mac OS X 10.6 or later and the built in Cisco
>> IPSec Client connecting to pfSense with any reliability? I am having a heck
>> of a time getting the expected result. I have a couple users that want to
>> connect via IPSec and use the CUPC client to make phone calls. When I
>> initially set up the server and client according to different how-tos on the
>> web, I was able to connect and reach the internet as well as the internal
>> networks and make phone calls. Later that same day, without changing a
>> single piece of configuration, I am unable to connect because the
>> negotiation failed. It continues to not respond for many hours but at some
>> point starts to respond again. I have not been able to formulate proof of
>> reason. If I simply turn off NAT-T in Phase 1, I am able to connect every
>> time I have tried BUT I am not able to reach anything on the remote side
>> despite receiving a valid IP address from the mobile client config. I
>> believe I have the appropriate config in the rules for IPSec and LAN but I
>> am not having much luck.
>>
>> Anybody have any insight that might be useful for me?
>>
>> I have some OpenVPN questions too but that will wait until IPSec is done.
>>
>> Thanks,
>> Paul
Re: [pfSense] pfsense, IPSec, and Mac OS X
I had been before I was relieved of my duties 8 months ago. It does work but I have little to suggest to you at the moment.

On Aug 19, 2014, at 16:19, Paul Galati wrote:

> Anybody on the list using Mac OS X 10.6 or later and the built in Cisco IPSec
> Client connecting to pfSense with any reliability? I am having a heck of a
> time getting the expected result. I have a couple users that want to connect
> via IPSec and use the CUPC client to make phone calls. When I initially
> set up the server and client according to different how-tos on the web, I was
> able to connect and reach the internet as well as the internal networks and
> make phone calls. Later that same day, without changing a single piece of
> configuration, I am unable to connect because the negotiation failed. It
> continues to not respond for many hours but at some point starts to respond
> again. I have not been able to formulate proof of reason. If I simply turn
> off NAT-T in Phase 1, I am able to connect every time I have tried BUT I am
> not able to reach anything on the remote side despite receiving a valid IP
> address from the mobile client config. I believe I have the appropriate
> config in the rules for IPSec and LAN but I am not having much luck.
>
> Anybody have any insight that might be useful for me?
>
> I have some OpenVPN questions too but that will wait until IPSec is done.
>
> Thanks,
> Paul