OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: Exitcomestothis on November 04, 2015, 05:55:21 am

Title: No LAN access with mobile IPSec
Post by: Exitcomestothis on November 04, 2015, 05:55:21 am

Hi Everyone, I'm a recent new user to OPNsense, and am having trouble with IPsec VPN with iPhone (iPhone 6S, 9.1). I can connect to the VPN just fine from my mobile device, and can pass traffic to and from the WAN interface, but no access to my local network from the iPhone. I can see in the firewall logs that the traffic from the iPhone is being allowed to pass through the firewall and onto the device I'm trying to access on my LAN, but I'm never able to successfully access it. I've tried to access a web server (port 80), my security cameras, FreeNAS server, Windows RDP, all without success. I'm also unable to ping any of the devices using HE tools when connected over the VPN.

I've tried toying around with many, many different settings from the pfSense forums (that's how I got IPsec set up) but haven't been able to master this one last piece. I've been using Mikrotik PPTP VPN for some time with great success, but am wanting to move over to OPNsense ASAP.

My configuration is below for the IPSec section, as well as firewall settings. Most everything is default settings, with the exception of IPSec.

Anyone see anything I'm doing wrong?

      System Info
OPNsense 15.7.17-amd64   
FreeBSD 10.1-RELEASE-p19   
OpenSSL 1.0.2d 9 Jul 2015
Intel(R) Atom(TM) CPU D510 @ 1.66GHz
4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads
4 GB RAM

   Mobile Clients
User authentication:   Local Database
Group Authentication:   System
Virtual Address Pool:
   Provide A virtual IP:   Checked
   192.168.1.176
   /29

DNS Servers:     Checked
   8.8.8.8
   8.8.4.4

   Tunnel Phase1
Key Exchange:   V1
IP:      IPV4
Interface:   WAN

Authentication Method:   Mutual PSK+Xauth
Negotiation Mode:   Aggressive
My Identifier:      My IP Address
Peer Identifier:   Distinguished Name
         VPNUsers
Pre-Shared Key:      password123

Encryption algorithm:   AES
         256
Hash Algorithm:      SHA1
DH Key Group:      2 (1024)
Lifetime:      86400
Disable Rekey:      Checked
Disable Reauth:      Checked
NAT Traversal:      Enable
Dead Peer Detection:   Not Checked


   Phase 2
Mode:      Tunnel IPv4
Type:      Address
      0.0.0.0
      /0
Nat/Binat:   None
Address:   Left blank
      /128
Protocol:   ESP
Encryption:   Checked: AES, 256
Hash Algs:   SHA1
PFS Keygroup:   OFF
Lifetime:   28800
Auto Ping Host:   Left blank


   Firewall->NAT->Outbound
Automatic outbound NAT:   Checked
WAN   127.0.0.0/8 192.168.1.0/24 192.168.1.176/29   *   *   500   WAN address   *   YES   Auto created rule for ISAKMP
WAN   127.0.0.0/8 192.168.1.0/24 192.168.1.176/29   *   *   *   WAN address   *   NO   Auto created rule


   Firewall->Rules->Lan
   *   *   *   LAN Address   443/80   *       Anti-Lockout Rule   
IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule      
IPv6 *   LAN net   *   *   *   *      Default allow LAN IPv6 to any rule      
IPv4 IGMP   0.0.0.0   *   224.0.0.1   *   *      Easy Rule: Passed from Firewall Log View      


   Firewall->Rules->IPSec
IPv4 *   *   *   *   *   WANGW            
IPv4 TCP   *   *   *   *   WANGW            
IPv4 *   *   *   *   *   *            
Title: Re: No LAN access with mobile IPSec
Post by: AdSchellevis on November 04, 2015, 02:53:36 pm
Hi,

Just some questions to pinpoint your issue a bit better.
1) Does your IPsec phase 2 tunnel get up? (diag_ipsec.php childsa)
2) Can you ping the lan address of the OPNsense box?
3) Are your clients routed through the OPNsense machine?

Cheers,

Ad
Title: Re: No LAN access with mobile IPSec
Post by: Exitcomestothis on November 04, 2015, 05:46:10 pm
1)  Yes, IPsec tunnel gets up and running, output below.
0.0.0.0/32
Local : c9f0f0f2   
Remote : a54458   192.168.1.177/32

2) I'm unable to ping the ip of the firewall, however in previous testing configs, I was able to ping and access ONLY the firewall IP, but nothing else.

3) For the clients I'm trying to get access to over IPsec, yes, they are routed through the firewall.


Another interesting point, not sure if this is relevant, but the IPSec IP isn't listed in the arp tables? But the hosts I'm trying to remotely access are listed in the ARP.
Title: Re: No LAN access with mobile IPSec
Post by: AdSchellevis on November 04, 2015, 07:49:25 pm
It's normal that the arp table doesn't show your client's ipsec ip.

You could try to tcpdump your IPsec interface and look at what traffic is coming in/out; you could use diag_packet_capture.php or the console (tcpdump) to do so.
Title: Re: No LAN access with mobile IPSec
Post by: Exitcomestothis on November 05, 2015, 06:34:34 am
So I did the packet capture from the webGUI, and this is the output. I tried to ping one device that's connected to the LAN of the firewall, but it didn't go through.  I then tried to access a webserver on the LAN as well, same result. Both devices are connected directly to the firewall through an unmanaged switch.

I then did a couple google searches, you can see the DNS requests going out, and the responses coming in.

As a recap, I'm connecting from my iPhone 6S (iOS 9.1), using IPsec (IPsec only, no L2TP), and can't access any IPs on the LAN side.

The test below was done running the latest version:
OPNsense 15.7.18-amd64   
FreeBSD 10.1-RELEASE-p19   
OpenSSL 1.0.2d 9 Jul 2015


Packet capture output:

21:23:37.543970 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.153: ICMP echo request, id 24849, seq 0, length 64
21:23:38.479224 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.153: ICMP echo request, id 24849, seq 1, length 64
21:23:39.438091 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.153: ICMP echo request, id 24849, seq 2, length 64
21:23:40.435898 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.153: ICMP echo request, id 24849, seq 3, length 64
21:23:46.413437 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.119: ICMP echo request, id 24849, seq 0, length 64
21:23:47.423047 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.119: ICMP echo request, id 24849, seq 1, length 64
21:23:48.419183 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.119: ICMP echo request, id 24849, seq 2, length 64
21:23:49.434800 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.119: ICMP echo request, id 24849, seq 3, length 64
21:23:53.494128 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.51236 > 8.8.8.8.53: UDP, length 32
21:23:53.496303 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.62494 > 8.8.8.8.53: UDP, length 32
21:23:53.497258 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.62494: UDP, length 127
21:23:53.594870 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 0
21:23:53.596114 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65297 > 173.230.157.140.80: tcp 0
21:23:53.632589 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65296: tcp 0
21:23:53.633716 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65297: tcp 0
21:23:53.712337 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 0
21:23:53.715098 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65297 > 173.230.157.140.80: tcp 0
21:23:53.722356 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65297 > 173.230.157.140.80: tcp 218
21:23:53.726853 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 226
21:23:53.750818 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.51236: UDP, length 96
21:23:53.760171 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65297: tcp 0
21:23:53.760604 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65297: tcp 1067
21:23:53.763941 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65296: tcp 0
21:23:53.764337 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65296: tcp 624
21:23:53.834188 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65297 > 173.230.157.140.80: tcp 0
21:23:53.858116 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 0
21:23:54.435795 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.51025 > 8.8.8.8.53: UDP, length 23
21:23:54.436969 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.51025: UDP, length 98
21:23:55.662871 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 0
21:23:55.665150 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65297 > 173.230.157.140.80: tcp 0
21:23:55.700209 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65296: tcp 0
21:23:55.703009 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65297: tcp 0
21:23:55.772687 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 0
21:23:55.776141 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65297 > 173.230.157.140.80: tcp 0
21:23:59.631207 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:23:59.739209 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:23:59.776705 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:23:59.848066 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:23:59.858993 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 246
21:23:59.896954 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 1212
21:23:59.897167 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 1212
21:23:59.897340 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 177
21:23:59.985952 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:23:59.987012 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:23:59.987047 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:23:59.992988 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:23:59.997028 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 267
21:23:59.997063 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 6
21:23:59.998010 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 37
21:24:00.034190 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:24:00.034392 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:24:00.034950 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:24:00.037704 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 43
21:24:00.037950 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.56862 > 8.8.8.8.53: UDP, length 59
21:24:00.064279 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.56862: UDP, length 125
21:24:00.115003 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.135639 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 840
21:24:00.147248 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 365
21:24:00.173971 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:24:00.184683 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:24:00.192976 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 393
21:24:00.193073 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 36
21:24:00.193133 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 370
21:24:00.193226 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 26
21:24:00.264288 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.265993 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.266028 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.266988 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.273220 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.310309 (authentic,confidential): SPI 0x01e4b418: IP 17.158.36.8.443 > 192.168.1.177.65299: tcp 0
21:24:00.391480 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65299 > 17.158.36.8.443: tcp 0
21:24:00.657016 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:01.661813 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:02.651330 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:03.670322 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:04.667380 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:06.653990 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:10.656360 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
21:24:14.794968 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.50052 > 8.8.8.8.53: UDP, length 37
21:24:14.795728 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.52367 > 8.8.8.8.53: UDP, length 37
21:24:14.796257 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.50052: UDP, length 161
21:24:14.796647 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.52367: UDP, length 309
21:24:14.875133 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 8.8.8.8: ICMP 192.168.1.177 udp port 52367 unreachable, length 36
21:24:15.215363 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.51823 > 8.8.8.8.53: UDP, length 38
21:24:15.216562 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.51823: UDP, length 286
21:24:15.295094 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65301 > 173.194.33.132.443: tcp 0
21:24:15.319663 (authentic,confidential): SPI 0x01e4b418: IP 173.194.33.132.443 > 192.168.1.177.65301: tcp 0
21:24:15.394181 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65301 > 173.194.33.132.443: tcp 0
21:24:15.402994 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65301 > 173.194.33.132.443: tcp 517
21:24:15.428044 (authentic,confidential): SPI 0x01e4b418: IP 173.194.33.132.443 > 192.168.1.177.65301: tcp 0
21:24:15.428592 (authentic,confidential): SPI 0x01e4b418: IP 173.194.33.132.443 > 192.168.1.177.65301: tcp 640
21:24:15.508361 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65301 > 173.194.33.132.443: tcp 0
21:24:15.511593 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65301 > 173.194.33.132.443: tcp 0
21:24:15.520079 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65302 > 173.194.33.132.443: tcp 0
21:24:15.535717 (authentic,confidential): SPI 0x01e4b418: IP 173.194.33.132.443 > 192.168.1.177.65301: tcp 0
21:24:15.543745 (authentic,confidential): SPI 0x01e4b418: IP 173.194.33.132.443 > 192.168.1.177.65302: tcp 0
21:24:15.606061 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65301 > 173.194.33.132.443: tcp 0
21:24:15.606862 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65302 > 173.194.33.132.443: tcp 0
21:24:15.617144 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65302 > 173.194.33.132.443: tcp 517
21:24:15.642009 (authentic,confidential): SPI 0x01e4b418: IP 173.194.33.132.443 > 192.168.1.177.65302: tcp 0
Title: Re: No LAN access with mobile IPSec
Post by: AdSchellevis on November 05, 2015, 07:16:16 am
Can you try setting the pool to a range not within your lan?
The overlap is probably causing your issue here. (it can't route back)
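Two checks that follow from this reply, written here as an added example (not code from the thread or from OPNsense): whether a mobile virtual address pool overlaps the LAN subnet, using the values posted in this thread, and which peers never answered the VPN client in a tcpdump capture of the IPsec interface. The sample capture is a constructed subset of the lines posted earlier in the thread.

```python
import ipaddress
import re

# Added diagnostic helpers; not part of OPNsense or strongSwan.

def pool_overlaps_lan(pool_cidr: str, lan_cidr: str) -> bool:
    """True when the mobile client pool and the LAN subnet share addresses.
    strict=False accepts a host-style value such as 192.168.1.176/29 as typed."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return pool.overlaps(lan)

# One tcpdump line on the IPsec (enc) interface, in the format the thread shows:
# "<time> (authentic,confidential): SPI 0x..: IP <src>[.<port>] > <dst>[.<port>]: <rest>"
_LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?: (.*)$"
)

def unanswered_peers(capture: str, client_ip: str) -> list:
    """Peers the VPN client sent packets to that never sent anything back.
    Direction is decided purely by the IP addresses; ports are ignored."""
    sent_to, heard_from = set(), set()
    for line in capture.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        src, dst, _rest = m.groups()
        if src == client_ip:
            sent_to.add(dst)
        elif dst == client_ip:
            heard_from.add(src)
    return sorted(sent_to - heard_from, key=ipaddress.ip_address)

# Constructed subset of the capture posted in the thread: two LAN hosts get
# echo requests and a SYN with no answer, while DNS and a web server reply.
SAMPLE_CAPTURE = """\
21:23:37.543970 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.153: ICMP echo request, id 24849, seq 0, length 64
21:23:46.413437 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177 > 192.168.1.119: ICMP echo request, id 24849, seq 0, length 64
21:23:53.494128 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.51236 > 8.8.8.8.53: UDP, length 32
21:23:53.497258 (authentic,confidential): SPI 0x01e4b418: IP 8.8.8.8.53 > 192.168.1.177.62494: UDP, length 127
21:23:53.594870 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65296 > 173.230.157.140.80: tcp 0
21:23:53.632589 (authentic,confidential): SPI 0x01e4b418: IP 173.230.157.140.80 > 192.168.1.177.65296: tcp 0
21:23:59.631207 (authentic,confidential): SPI 0xc51166db: IP 192.168.1.177.65298 > 192.168.1.119.80: tcp 0
"""

if __name__ == "__main__":
    # Original pool from the first post versus the LAN, then the moved pool.
    print("pool inside LAN:", pool_overlaps_lan("192.168.1.176/29", "192.168.1.0/24"))
    print("moved pool inside LAN:", pool_overlaps_lan("192.168.26.176/29", "192.168.1.0/24"))
    print("no reply from:", unanswered_peers(SAMPLE_CAPTURE, "192.168.1.177"))
```

Peers listed by `unanswered_peers` are where to capture next (the LAN interface, then the host itself); an empty list with a working pool usually points at the client side instead.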
Title: Re: No LAN access with mobile IPSec
Post by: Exitcomestothis on November 05, 2015, 10:43:45 pm
I adjusted IPSec-> Mobile Clients->Virtual Address Pool to
       192.168.26.176 /29

After I did this, I applied settings, and restarted the IPSec service, but was unable to pass any traffic to the internet or the local network, so I decided to restart the firewall. After restarting, I was able to pass traffic to the net, and was able to gain a little bit more access to the LAN, but not full access. I can ping the mobile device's IP (192.168.26.177) from my desktop that's connected directly to the firewall, but can't ping or access anything on my desktop (192.168.1.153).

I also added a firewall rule allowing traffic to the LAN from the IP range above (26.177 /29), rebooted, but still nothing. I can see in the firewall log the ICMP traffic being passed to my .153 desktop, but it seems there's something else blocking it.

Here's the packet capture from when I try to ping my .153 desktop from my phone, as well as some internet traffic.



13:37:20.055820 (authentic,confidential): SPI 0xccc5b496: IP 192.168.26.177 > 192.168.1.153: ICMP echo request, id 15890, seq 0, length 64
13:37:20.948034 (authentic,confidential): SPI 0xccc5b496: IP 192.168.26.177 > 192.168.1.153: ICMP echo request, id 15890, seq 1, length 64
13:37:22.063328 (authentic,confidential): SPI 0xccc5b496: IP 192.168.26.177 > 192.168.1.153: ICMP echo request, id 15890, seq 2, length 64
13:37:22.993088 (authentic,confidential): SPI 0xccc5b496: IP 192.168.26.177 > 192.168.1.153: ICMP echo request, id 15890, seq 3, length 64
13:37:23.982940 (authentic,confidential): SPI 0xccc5b496: IP 192.168.26.177 > 192.168.1.153: ICMP echo request, id 15890, seq 4, length 64

13:42:28.183834 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1228
13:42:28.184027 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1228
13:42:28.184213 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1228
13:42:28.184414 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1228
13:42:28.184709 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1228
13:42:28.185000 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1228
13:42:28.185183 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 1005
13:42:28.223450 (authentic,confidential): SPI 0xc4fbdb08: IP 192.168.26.177.50479 > 173.194.33.147.443: tcp 0
13:42:28.245074 (authentic,confidential): SPI 0xc4fbdb08: IP 192.168.26.177.50479 > 173.194.33.147.443: tcp 0
13:42:28.248288 (authentic,confidential): SPI 0xc4fbdb08: IP 192.168.26.177.50479 > 173.194.33.147.443: tcp 0
13:42:28.250033 (authentic,confidential): SPI 0xc4fbdb08: IP 192.168.26.177.50479 > 173.194.33.147.443: tcp 113
13:42:28.274024 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 0
13:42:28.281975 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 163
13:42:28.282054 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 38
13:42:28.282117 (authentic,confidential): SPI 0x09b0e024: IP 173.194.33.147.443 > 192.168.26.177.50479: tcp 46

Title: Re: No LAN access with mobile IPSec
Post by: AdSchellevis on November 06, 2015, 08:53:14 am
Sometimes a reload of IPsec isn't enough, I've seen that before; strongSwan tries to keep the sessions and apparently doesn't always reload the settings in full. Stopping/starting should give you the same result as a reboot.

Don't know where your traffic gets lost, but I would try to look on the next interface (LAN) if the ping request leaves there. If it does, it could also be your windows firewall blocking.
Title: Re: No LAN access with mobile IPSec
Post by: Exitcomestothis on November 07, 2015, 06:46:30 am
I did a packet capture of the LAN interface while trying to access devices on my LAN. The firewall shows the traffic being passed, but the packet capture for the LAN interface doesn't show any requests or anything from the address that's assigned to my IPsec connection.

I'm going to go through and fully delete all the IPsec configurations, and restart from scratch.

Thanks for all your assistance so far.

         Packet Capture from LAN
21:35:59.397529 IP 192.168.1.153.61170 > 192.168.1.96.443: tcp 0
21:35:59.397591 IP 192.168.1.96.443 > 192.168.1.153.61170: tcp 34
21:35:59.438984 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:35:59.597521 IP 192.168.1.153.61170 > 192.168.1.96.443: tcp 0
21:36:00.940335 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:02.441775 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:02.637665 ARP, Request who-has 192.168.1.106 tell 192.168.1.106, length 46
21:36:02.641786 ARP, Request who-has 192.168.1.153 tell 192.168.1.106, length 46
21:36:04.943889 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:06.444606 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:07.945512 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:09.398074 IP 192.168.1.153.61170 > 192.168.1.96.443: tcp 1
21:36:09.398130 IP 192.168.1.96.443 > 192.168.1.153.61170: tcp 0
21:36:09.446652 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:10.947949 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
21:36:12.449287 ARP, Request who-has 192.168.1.120 tell 0.0.0.0, length 46
Title: Re: No LAN access with mobile IPSec
Post by: Exitcomestothis on November 13, 2015, 09:16:31 pm
I finally was able to gain LAN access from the outside using IPsec. The issue was a routing error from another device on my network.

Everything is working great so far, with the exception of when the iPhone goes to sleep, the VPN connection is disconnected. This is only specific to IPsec, because I can connect to my other VPN server using PPTP (hence why I'm wanting to move to IPsec) and the connection will stay on even when the phone goes to sleep.

I've set the option "automatically ping host" in phase 2 to ping the dns server on my network, but the connection still drops.