Discussion:
pfSense 2.0 IPsec on Mac OS X 10.6
Paul Mather
2011-04-11 15:19:11 UTC
I believe my previous message on this topic (http://www.mail-archive.com/support-***@public.gmane.org/msg21912.html) may have been a victim of tl;dr. So, in hope of better success, I will restate my problem in a more positive light:

Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 and Mac OS X 10.6? If so, which client are you using on the Mac OS X side? Is anything special needed on the pfSense side?

I have tried both the built-in Cisco IPSec client and also IPSecuritas on Mac OS X, with mixed results. Usually the IPsec VPN will only work via NAT-T. For the non-NAT-T case, the VPN doesn't appear to be able to route traffic, and just keeps accumulating SAD entries and losing SPD entries on the pfSense side.

I haven't tried L2TP---can anyone report success using the built-in L2TP client in Mac OS X 10.5 onwards?

(I have tried updating my pfSense installation via the 2.0 nightly builds, but to no avail. It still doesn't work.)

Any help is gratefully appreciated.

Cheers,

Paul.


---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org

Commercial support available - https://portal.pfsense.org
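Added example, not part of the thread: a small Python audit for the symptom described in the post above (SAD entries piling up while SPD entries vanish on the pfSense side). It parses text in the shape of `setkey -D` and `setkey -DP` output as the FreeBSD setkey tool prints it; the samples, the documentation-range addresses and the "more than two mature SAs per direction" threshold are constructed assumptions, not output from the poster's system.

```python
import re
from collections import defaultdict

# Constructed `setkey -D` (SAD) sample, trimmed to the header and state lines read here.
SAD_SAMPLE = """\
203.0.113.10 198.51.100.2
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.2
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.2
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2 203.0.113.10
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.9 203.0.113.10
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
# Constructed `setkey -DP` (SPD) sample: client .2 keeps its policies, client .9's are gone.
SPD_SAMPLE = """\
172.23.23.0/24[any] 10.99.0.5[any] any
    out ipsec
    esp/tunnel/203.0.113.10-198.51.100.2/unique#16385
10.99.0.5[any] 172.23.23.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.2-203.0.113.10/unique#16385
"""

def _entries(text):
    """Group setkey output into (header words, [words of each indented continuation line])."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            out[-1][1].append(line.split())
        else:
            out.append((line.split(), []))
    return out

def parse_sad(text):
    """One dict per SA: outer src, outer dst, state (taken from the seq/replay line)."""
    sas = []
    for (src, dst), body in _entries(text):
        state = next((w.split("=")[1] for ws in body for w in ws if w.startswith("state=")), None)
        sas.append({"src": src, "dst": dst, "state": state})
    return sas

def parse_spd(text):
    """One dict per policy: inner src/dst and tunnel=(outer src, outer dst) from the esp line."""
    pols = []
    for (src, dst, _proto), body in _entries(text):
        pol = {"src": src.split("[")[0], "dst": dst.split("[")[0]}
        for ws in body:
            m = re.match(r"esp/tunnel/([^-]+)-([^/]+)/", ws[0])
            if m:
                pol["tunnel"] = (m.group(1), m.group(2))
        pols.append(pol)
    return pols

def audit(sas, pols, max_per_peer=2):
    """accumulating: outer (src, dst) pairs holding more than max_per_peer mature SAs
    (steady state is one, two only briefly while rekeying); orphans: SA endpoint
    pairs that no SPD tunnel entry refers to any more (policy lost, SA kept)."""
    per_peer = defaultdict(int)
    for sa in sas:
        if sa["state"] == "mature":
            per_peer[(sa["src"], sa["dst"])] += 1
    accumulating = sorted(k for k, n in per_peer.items() if n > max_per_peer)
    covered = {p["tunnel"] for p in pols if "tunnel" in p}
    orphans = sorted({(sa["src"], sa["dst"]) for sa in sas} - covered)
    return accumulating, orphans
```

On a live box, feed the real `setkey -D` and `setkey -DP` output into `parse_sad` and `parse_spd` and call `audit`; a non-empty result in either list is the state the post complains about.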
Mike McLaughlin
2011-04-11 15:32:05 UTC
I'm very happily using OpenVPN with Viscosity and TunnelBlick (clients) on
many Mac 10.5-10.7 machines. I'm currently using 1.2.3 at the perimeter and
a 2.0 box to manage my certs (which I hope to roll over to the perimeter box
once we upgrade for the sake of being able to download the pre-loaded
installers in 2.0). The only issues I've hit at all are related to the
crappy Samba implementation in 10.6 and below. The test 10.7 machines are a
dream.

The users love how transparent and easy the VPN is.

Mike McLaughlin
Vick Khera
2011-04-11 16:19:12 UTC
Post by Paul Mather
Has anyone managed to get IPsec for mobile clients working with pfSense 2.0
and Mac OS X 10.6? If so, which client are you using on the Mac OS X side?
Is anything special needed on the pfSense side?
I *used* to use IPsecuritas but it was always finicky. I finally made the
switch for all of the roaming clients to OpenVPN using Tunnelblick and
everything has been much, much more stable. I still use IPsec for my fixed
end-point tunnels between offices, and that works solidly. All such
endpoints are pfSense.

Unless you have some hard requirement to use IPSec for your mobile clients,
give OpenVPN a try.
bsd
2011-04-11 20:02:38 UTC
Install the OpenVPN client package on 2.0 - two clicks and you're done!
Viscosity is your best bet.

So straightforward, your grandma could do it.

;-)
RB
2011-04-11 20:07:00 UTC
I'm actually pretty interested in the fact that on the surface it
looks like 2.0 can support the OS X 10.6 native Cisco VPN client out
of the box. Has anyone had any success doing so? OpenVPN and
Viscosity/Tunnelblick are nice, but not having to pay $9/client and
not installing additional software is even more so.

Going to try testing this week.


RB
Paul Mather
2011-04-12 14:57:37 UTC
Post by RB
I'm actually pretty interested in the fact that on the surface it
looks like 2.0 can support the OS X 10.6 native Cisco VPN client out
of the box. Has anyone had any success doing so? OpenVPN and
Viscosity/Tunnelblick are nice, but not having to pay $9/client and
not installing additional software is even more so.
The latter aspect is what motivates me to try and get IPsec working fully. :-)

I have had some success with the built-in Cisco IPSec client, with problems documented here: http://www.mail-archive.com/support-***@public.gmane.org/msg21912.html. I am using Mutual PSK + Xauth with AES-256 and SHA-1 in my Phase 1 proposal. I have two Phase 2 entries: one for each private network behind the pfSense gateway. In the mode-cfg section of the Mobile Clients section I provide a private DNS default domain and DNS server to clients. This split DNS appears to work well. I've been able to connect from Mac OS X 10.6 systems and iPhones/iPod Touches.

Unfortunately, the setup only appears to work properly when clients are connecting from behind a NAT (i.e., when IPsec NAT-T is being used). I'm new to pfSense, so I'm not sure whether the problem lies with my configuration or with the Mac OS X client side. :-(
Post by RB
Going to try testing this week.
I'd be very interested in hearing if you manage to get non NAT-T connections working.

Cheers,

Paul.



Paul Mather
2011-04-11 20:46:19 UTC
Post by Paul Mather
Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 and Mac OS X 10.6? If so, which client are you using on the Mac OS X side? Is anything special needed on the pfSense side?
I *used* to use IPsecuritas but it was always finicky. I finally made the switch for all of the roaming clients to OpenVPN using Tunnelblick and everything has been much, much more stable. I still use IPsec for my fixed end-point tunnels between offices, and that works solidly. All such endpoints are pfSense.
Unless you have some hard requirement to use IPSec for your mobile clients, give OpenVPN a try.
Funnily enough, I had tried OpenVPN in this environment quite a while ago (not with pfSense, though) but gave up because I couldn't get Tunnelblick working smoothly. I don't remember exactly what problems I was having, but I think routing and private DNS resolution seem to ring a bell. Has the Tunnelblick client improved in the last two years or so?

I figured folks would suggest using OpenVPN instead of IPsec. :-) I had hoped to avoid doing that because I want to minimise the amount of third-party client software I need to deploy. Plus, I don't know how well-supported OpenVPN is on devices such as the iPad and iPhone. But, in the absence of "it works for me" responses for IPsec on Mac OS X, I may just have to try it. :-)

Cheers,

Paul.
Seth Mos
2011-04-12 06:10:08 UTC
Post by Paul Mather
Funnily enough, I had tried OpenVPN in this environment quite a while
ago (not with pfSense, though) but gave up because I couldn't get
Tunnelblick working smoothly. I don't remember exactly what problems I
was having, but I think routing and private DNS resolution seem to ring
a bell. Has the Tunnelblick client improved in the last two years or so?
Viscosity works really well for me. No issues resuming from sleeping or
hibernating either. Split DNS works fine too.
Post by Paul Mather
I figured folks would suggest using OpenVPN instead of IPsec. :-) I had
hoped to avoid doing that because I want to minimise the amount of
third-party client software I need to deploy. Plus, I don't know how
well-supported OpenVPN is on devices such as the iPad and iPhone. But,
There is no support for OpenVPN on the iDevices. Blame Apple for not
including tun/tap support in their iOS. My suggestion would be to
contact Apple on getting that supported.

Regards,

Seth

Vick Khera
2011-04-12 15:21:11 UTC
Post by Paul Mather
Plus, I don't know how well-supported OpenVPN is on devices such as the
iPad and iPhone. But, in the absence of "it works for me" responses for
IPsec on Mac OS X, I may just have to try it. :-)
iOS does not have OpenVPN built in. I never looked to see if some app
provides it, but I highly doubt it.

IPsec has been known to work with IPsecuritas. It is just hit-or-miss. For
us, it worked for some people but not others, and pretty much everyone here
was using Comcast as their ISP (including the main office). I think we
determined that consumer-grade Verizon DSL was blocking IPsec for some
bizarre reason, but my memory is fuzzy on the specifics.
Vick Khera
2011-04-12 15:22:15 UTC
Post by Vick Khera
iOS does not have OpenVPN built in. I never looked to see if some app
provides it, but I highly doubt it.
one more point... the only VPN we've ever succeeded with iOS devices is the
PPTP client, but that's just not a very secure thing. I don't think the
Cisco client works with pfSense IPSec server.
Fuchs, Martin
2011-04-12 18:04:43 UTC
I have IPSec from my iPhone to pfSense here...
Have a look at the forums. It took some time but now it works...

Vick Khera
2011-04-12 19:17:00 UTC
Post by Fuchs, Martin
I have IPSec from my iPhone To pfsense here...
Have a look at the Forums. It took some Time but now it works...
I found in the forum that it requires pfSense 2.0. Does that still stand
true?

And do you configure it via pfSense GUI or a manual hack to the racoon
config file?

I don't find a definitive answer on the forum at all, just a bunch of try
this try that and speculation followed by a bunch of "doesn't work for me"
and "works for me, sorta".

The closest I've found is
http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Is that the current "state of the art" for iPhone -> pfSense VPN? It seems
to be in conflict with how I want mobile client settings for my "road
warrior" network VPNs, such as my home office. I.e., I do not want to have a
virtual address pool for those connections.
Paul Mather
2011-04-12 19:44:38 UTC
Post by Fuchs, Martin
I have IPSec from my iPhone To pfsense here...
Have a look at the Forums. It took some Time but now it works...
I found in the forum that it requires pfSense 2.0. Does that still stand true?
And do you configure it via pfSense GUI or a manual hack to the racoon config file?
I don't find a definitive answer on the forum at all, just a bunch of try this try that and speculation followed by a bunch of "doesn't work for me" and "works for me, sorta".
The closest I've found is http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
Is that the current "state of the art" for iPhone -> pfSense VPN? It seems to be in conflict with how I want mobile client settings for my "road warrior" network VPNs, such as my home office. I.e., I do not want to have a virtual address pool for those connections.
I have used pfSense 2.0 to set up an IPsec VPN usable from an iPod Touch, which I believe uses the same client as the iPhone and iPad. I used pretty much the setup from the link you give above. In my case, my Phase 2 has "Local Network" of type "Network" and the address is that of my pfSense LAN (whereas the forum post uses Local Network Type "None"). (I actually have two Phase 2 entries, the one just described and another that is the same except the address is 10.0.0.0/24, to allow VPN access to that private network reachable from the pfSense LAN.)

I did all configuration via the pfSense GUI. The setup routes all traffic for the network behind the pfSense gateway (172.23.23.0/24 and 10.0.0.0/24) over the IPsec VPN; other traffic goes out as per normal. Split DNS works, and private DNS hostnames are resolved correctly.

The VPN works fine when NAT-T is in use. (The same config doesn't work for my office Mac, which is not behind a NAT.)

I also tried the L2TP server in pfSense 2.0 today with the Mac OS X L2TP VPN client but couldn't even get it to connect. :-(

Cheers,

Paul.



Fuchs, Martin
2011-04-12 20:32:00 UTC
That's strange, my config works with NAT-T too, but I never had problems with non-natted, natted or any other network.

Fuchs, Martin
2011-04-12 19:45:59 UTC
I use 2.0 and configure via GUI only, no hacks.
The only problem is the user's privilege as a local user - Admin works for me so far, but a ticket is already opened. The local user is for Xauth.

Tom Müller-Kortkamp
2011-04-12 15:27:30 UTC
Post by Paul Mather
Plus, I don't know how well-supported OpenVPN is on devices such as the iPad and iPhone. But, in the absence of "it works for me" responses for IPsec on Mac OS X, I may just have to try it. :-)
iOS does not have OpenVPN built in. I never looked to see if some app provides it, but I highly doubt it.
IPsec has been known to work with IPsecuritas. It is just hit-or-miss. For us, it worked for some people but not others, and pretty much everyone here was using Comcast as their ISP (including the main office). I think we determined that consumer-grade Verizon DSL was blocking IPsec for some bizarre reason, but my memory is fuzzy on the specifics.
OpenVPN will not be available in the App Store as it is GPL and this licence is not compatible with iOS (see the discussion about VLC on iOS). So maybe that's why nobody is willing to migrate it to iOS.

J. Echter
2011-04-12 17:22:33 UTC
Post by Vick Khera
Post by Paul Mather
Plus, I don't know how well-supported OpenVPN is on devices such as the
iPad and iPhone. But, in the absence of "it works for me" responses for
IPsec on Mac OS X, I may just have to try it. :-)
iOS does not have OpenVPN built in. I never looked to see if some app
provides it, but I highly doubt it.
IPsec has been known to work with IPsecuritas. It is just hit-or-miss. For
us, it worked for some people but not others, and pretty much everyone here
was using Comcast as their ISP (including the main office). I think we
determined that consumer-grade Verizon DSL was blocking IPsec for some
bizarre reason, but my memory is fuzzy on the specifics.
For a jailbroken iPhone you can have an OpenVPN client. I don't know if
there's one for a non-jailbroken one.
