FEC Onlineservices
 
IPSec connection between Apple iPhone and bintec R3000
This FAQ describes the configuration of an IPSec connection between an Apple iPhone and a bintec R3000 router using the Setup Tool.

1. Scenario:


2. Requirements:
  • the bintec router R3000 is accessible over the internet (e.g., yourname.dyndns.org)
  • on bintec R3000 the running system software version has to be 7.8.7 or higher 
  • on Apple iPhone the running system software version has to be 2.0 or higher

3. Configuration of the bintec R3000
    The following two screenshots show successfully tested example settings for phase 1 and phase 2:

    R3000 Setup Tool                       Funkwerk Enterprise Communications GmbH
    [IPSEC][PEERS][EDIT][SPECIAL][PHASE1][EDIT]                              r3000
    _______________________________________________________________________________

       Description (Idx 1) :    *autogenerated*
       Proposal              :  19 (AES/MD5)
       Lifetime Policy       :  Use default lifetime settings

       Group                 :  2 (1024 bit MODP)
       Authentication Method :  Pre Shared Keys
       Mode                  :  aggressive
       Alive Check           :  Dead-Peer-Detection (DPD)
       Block Time            :  30
       Local ID              :  vpn
       Local Certificate     :  none
       CA Certificates       :
       Nat-Traversal         :  enabled

       View Proposals >

                             SAVE                          CANCEL
    _______________________________________________________________________________
    Settings for phase 1:
    Please keep in mind that not all cipher and hash proposals are supported by the Apple iPhone. Combinations that have been tested successfully include, for example: AES/MD5, AES/SHA1, DES/MD5, DES3/MD5.

    R3000 Setup Tool                       Funkwerk Enterprise Communications GmbH
    [IPSEC][PEERS][EDIT][SPECIAL][PHASE2][EDIT]                              r3000
    _______________________________________________________________________________

       Description (Idx 1) :    *autogenerated*

       Proposal              :  20 (ESP(All/All) no Comp)
       Lifetime Policy       :  Use default lifetime settings

       Use PFS               :  none
       Alive Check           :  none
       Propagate PMTU        :  yes

       View Proposals >

     
     
                             SAVE                          CANCEL
    _______________________________________________________________________________
    Settings for phase 2:
    Please keep in mind that the Apple iPhone does not support AH; only ESP is supported.

    As usual, you have to create a new IPSec peer. Furthermore, you have to create and select an XAUTH profile. In the peer-specific settings choose XAUTH Profile: edit > ADD

    R3000 Setup Tool                       Funkwerk Enterprise Communications GmbH
    [IPSEC][PEERS][EDIT][SPECIAL][XAUTH][EDIT]                               r3000
    _______________________________________________________________________________

       Index                  : 1
       Description            : xauth4iphone
       Role                   : server
       Mode                   : local

       UserListGroupId        : 1

       View UserList >
     

                             SAVE                          CANCEL
    _______________________________________________________________________________
    Choose "View UserList" and "ADD" to create a new user.

    R3000 Setup Tool                       Funkwerk Enterprise Communications GmbH
    [IPSEC][PEERS][EDIT][SPECIAL][XAUTH][EDIT][ULIST][EDIT]                  r3000
    _______________________________________________________________________________


       Name      : iphone
       Password  : *
       GroupId   : 1

     

     


                             SAVE                          CANCEL
    _______________________________________________________________________________
    XAuth user settings:

    Additionally, you have to select IKE Config Mode in the IP settings ("Interface IP Settings" > "Basic IP-Settings"). Check whether an IP address pool exists; if not, you have to create one ("IP" -> "IP Address Pools" -> "Pools").
    Please note that you have to specify a DNS server for the internet connection; otherwise the Apple iPhone will have no proper internet access once the IPSec connection is established.

    R3000 Setup Tool                       Funkwerk Enterprise Communications GmbH
    [IPSEC][PEERS][EDIT][IP][BASIC]: IP-Settings (iphone)                    r3000
    _______________________________________________________________________________


      IP Transit Network                    IKE Config Mode


      Local IP Address                      2.2.2.100


      IP Address Pool                        2.2.2.200


                        SAVE                               CANCEL
    _______________________________________________________________________________
4. Configuration of the Apple iPhone
    Please choose: "Settings" -> "VPN" -> "Add VPN Configuration..." ->"IPSec"


    Description:  Name of the connection e.g., "IPSec VPN"
    Server:  FQDN of the bintec router e.g., "yourname.dyndns.org"
    Account:  Name of the XAUTH profile user e.g., "iphone"
    Password:  Password of the XAUTH profile user e.g., "test123"
    Group Name:  Name of the IPSec Peer
    Secret:  Your PreShared Key e.g., "test789"

5. Connection establishment of the IPSec tunnel
    Please choose: "Settings" -> "VPN" -> "Name of your VPN connection"


    Please activate the VPN button. The Apple iPhone then establishes the IPSec VPN connection.

6. State of the VPN-IPSec connection & debug messages
    10:39:04 DEBUG/IPSEC: P1: peer 0 () sa 4 (R): new ip 84.149.177.xxx <- ip 80.187.108.xxx
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '4a131c81070358455c5728f20e95452f'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '4df37928e9fc4fd1b3262170d515c662'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '8f8d83826d246b6fc7a8a6a428c11de8'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '439b59f8ba676c4c7737ae22eab8f582'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '4d1e0e136deafa34c4f3ea9f02ec7285'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '80d0bb3def54565ee84645d4c85ce3ee'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '9909b64eed937c6573de52ace952fa6b'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is 'draft-ietf-ipsec-nat-t-ike-03'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is 'draft-ietf-ipsra-isakmp-xauth-06'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is '12f5f28c457168a9702d9fe274cc0100'
    10:39:04 INFO/IPSEC: P1: peer 0 () sa 4 (R): Vendor ID: 80.187.108.xxx:17369 (No Id) is 'Dead Peer Detection (DPD, RFC 3706)'
    10:39:04 DEBUG/IPSEC: P1: peer 1 (iPhone) sa 4 (R): identified ip 84.149.177.xxx <- ip 80.187.108.xxx
    10:39:05 DEBUG/IPSEC: P1: peer 1 (iPhone) sa 4 (R): [Aggr] NAT-T: port change: local: 84.149.177.xxx:500->84.149.177.xxx:4500, remote: 80.187.108.xxx:17369->80.187.108.xxx:54225
    10:39:05 INFO/IPSEC: XAUTH: peer 1 (iPhone) sa 4 (I): request extended authentication
    10:39:05 INFO/IPSEC: P1: peer 1 (iPhone) sa 4 (R): done id fqdn(any:0,[0..2]=vpn) <- id key_id(any:0,[0..5]=69 50 68 6f 6e 65 ) AG[1bfe322b 3b30d1eb : 2cd08398 369e4640]
    10:39:05 DEBUG/IPSEC: P1: peer 1 (iPhone) sa 4 (R): Notify "Initial contact notification" from 80.187.108.xxx:54225 for protocol ISAKMP spi[16]=1BFE322B
    10:39:05 INFO/IPSEC: XAUTH: peer 1 (iPhone) sa 4 (I): extended authentication for user 'iPhone' succeeded
    10:39:05 INFO/IPSEC: CFG: peer 1 (iPhone) sa 4 (R): request for ip address received
    10:39:05 INFO/IPSEC: CFG: peer 1 (iPhone) sa 4 (R): ip address 2.2.2.200 assigned
    10:39:06 INFO/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): created 0.0.0.0/0:0 < any > 2.2.2.200/32:0 rekeyed 0
    10:39:06 DEBUG/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): SA 1 established ESP[12428bb9] in[0] Mode tunnel enc aes-cbc (256 bit) auth md5 (128 bit)
    10:39:06 DEBUG/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): SA 2 established ESP[09d8cd88] out[0] Mode tunnel enc aes-cbc (256 bit) auth md5 (128 bit)
    10:39:06 INFO/IPSEC: Activate Bundle 1 (Peer 1 Traffic -1)
    10:39:06 INFO/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): established  (84.149.177.xxx<->80.187.108.xxx) with 2 SAs life 3600 Sec/0 Kb rekey 3240 Sec/0 Kb Hb none
    10:39:10 DEBUG/IPSEC: IKE_DELETE_PAYLOAD_RECEIVED: 20090612103910:   Source addr:84.149.177.xxx  Destination addr:80.187.108.xxx  SPI:0x40469e369883d02cebd1303b2b32fe1b  Description:Received delete notification
    10:39:10 INFO/IPSEC: CFG: peer 1 (iPhone) sa 4 (R): ip address 2.2.2.200 released
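As an added example (not part of this FAQ or of bintec's software), the following Python script parses R3000 debug output of the form shown above and checks that the tunnel came up the way sections 3 and 4 intend: XAUTH succeeded, an address from the pool was assigned, and phase 2 negotiated ESP in tunnel mode with one inbound and one outbound SA. The line patterns are derived from the log lines shown above, not from a published format specification; the sample log is a trimmed copy of them.

```python
import re

# Constructed sample: a trimmed copy of the FAQ's section 6 log (addresses masked as there).
SAMPLE_LOG = """\
10:39:04 DEBUG/IPSEC: P1: peer 1 (iPhone) sa 4 (R): identified ip 84.149.177.xxx <- ip 80.187.108.xxx
10:39:05 DEBUG/IPSEC: P1: peer 1 (iPhone) sa 4 (R): [Aggr] NAT-T: port change: local: 84.149.177.xxx:500->84.149.177.xxx:4500, remote: 80.187.108.xxx:17369->80.187.108.xxx:54225
10:39:05 INFO/IPSEC: XAUTH: peer 1 (iPhone) sa 4 (I): extended authentication for user 'iPhone' succeeded
10:39:05 INFO/IPSEC: CFG: peer 1 (iPhone) sa 4 (R): ip address 2.2.2.200 assigned
10:39:06 DEBUG/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): SA 1 established ESP[12428bb9] in[0] Mode tunnel enc aes-cbc (256 bit) auth md5 (128 bit)
10:39:06 DEBUG/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): SA 2 established ESP[09d8cd88] out[0] Mode tunnel enc aes-cbc (256 bit) auth md5 (128 bit)
10:39:06 INFO/IPSEC: P2: peer 1 (iPhone) traf 0 bundle 1 (R): established  (84.149.177.xxx<->80.187.108.xxx) with 2 SAs life 3600 Sec/0 Kb rekey 3240 Sec/0 Kb Hb none
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+)/IPSEC: (?P<msg>.*)$")
SA_RE = re.compile(r"SA \d+ established (?P<proto>ESP|AH)\[(?P<spi>[0-9a-f]+)\] (?P<dir>in|out)\[\d+\] "
                   r"Mode (?P<mode>\w+) enc (?P<enc>[\w-]+) \((?P<bits>\d+) bit\) auth (?P<auth>\w+)")

def summarize(log):
    """One pass over the log, collecting the facts that describe the negotiated tunnel."""
    s = {"peer": None, "aggressive": False, "nat_t": False, "xauth_user": None,
         "assigned_ip": None, "sas": [], "established": False}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an IPSEC subsystem line
        msg = m["msg"]
        if " identified ip " in msg:        # ID/PSK matched a configured peer
            s["peer"] = re.search(r"peer \d+ \(([^)]+)\)", msg).group(1)
        elif "NAT-T: port change" in msg:   # client behind NAT: IKE moves from UDP 500 to 4500
            s["nat_t"], s["aggressive"] = True, "[Aggr]" in msg
        elif "extended authentication for user" in msg and msg.endswith("succeeded"):
            s["xauth_user"] = re.search(r"user '([^']+)'", msg).group(1)
        elif msg.startswith("CFG:") and msg.endswith("assigned"):
            s["assigned_ip"] = msg.split("ip address ")[1].split()[0]
        elif sa := SA_RE.search(msg):       # one line per phase-2 SA (inbound and outbound)
            s["sas"].append(sa.groupdict())
        elif msg.startswith("P2:") and "established  (" in msg:
            s["established"] = True
    return s

def check(s):
    """Deviations from what the FAQ's settings should produce: XAUTH + config mode, ESP tunnel, 2 SAs."""
    bad = []
    if s["xauth_user"] is None or s["assigned_ip"] is None:
        bad.append("XAUTH or IKE config mode did not complete")
    if not s["established"] or len(s["sas"]) != 2:
        bad.append("phase 2 not established with one inbound and one outbound SA")
    bad += [f"SA {sa['spi']}: not ESP in tunnel mode" for sa in s["sas"]
            if sa["proto"] != "ESP" or sa["mode"] != "tunnel"]
    return bad
```

Running `check(summarize(SAMPLE_LOG))` on the FAQ's own log returns an empty list; fed the debug output of a failed attempt, the findings tell you which step (XAUTH, config mode, or phase 2) to look at first.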

    lm

    2013 bintec elmeg GmbH