One-click IPsec VPNs for Apple iOS

So I added global setting like this:

Does this address need to be added somewhere else?

Your latest guide may suggest so, but an example with a screenshot would be nice.

I also tried to add the FQDN in the Global settings. That wasn’t accepted.

@ms

My DHCP is like this:

Based on that information, how do I set the correct parameters in IPsec in my case?

Also, when creating the certificate, is an FQDN a requirement?
Which parameters in the certificate need to match the IPFire settings?

I have a working xxxx.ddns.net that I can ping, so the FQDN should be OK.
The local subnet settings must be wrong? This is what was predefined by IPFire (shown in the picture below).

Also I think DNS Servers should be 192.168.20.1 in my case. Correct?
Or leave blank ?

So for a road warrior on iOS, are these steps correct?

  1. Create a global setting
  2. Generate a certificate
  3. Create a connection

(I leave out the iOS settings for now).

I’m asking because it seems that while creating a connection you can also generate the certificate, but not with a password, I think.

Yes, those are correct…

And my other questions above. Where do you think the error is, since it’s not working?

Sadly, I am not getting it… :frowning_face:

Andreas and I must be in similar boats (situations).

I tried getting a certificate setup and that failed. Then I hoped pre-shared-key (PSK) must be easier. Ha! I was wrong! I cannot get either to work! :stuck_out_tongue_winking_eye:

Since I cannot connect via Cert or PSK I am wildly guessing I setup the Global Configuration incorrectly OR I setup the Certificate Authorities and -Keys incorrectly.

So my setup is an iPhone SE (2nd gen) connected to LTE, talking to an IPFire box on CU 158 (IPFire 2.25 (x86_64) - Core Update 158).

iPhoneSE via LTE → Internet → IPFire box.

This is the only error-ish entry on the IPFire box in the messages log:

...
Jul 22 21:25:10 ipfire charon: 05[IKE] remote host is behind NAT 
Jul 22 21:25:10 ipfire charon: 05[IKE] received proposals unacceptable 
Jul 22 21:25:10 ipfire charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ] 
...

So let me start with the Global:

The Host-to-Net Endpoint is my Dynamic DNS hostname. I am almost positive this is correct. Is it?!?

The Host-to-Net Virtual Private Network (RoadWarrior): is a made-up (new) IP subnet in CIDR notation.

Is this correct? Or is the Host-to-Net Virtual Private Network (RoadWarrior): subnet supposed to match my GREEN zone -or- my BLUE zone?


EDIT: Here is the only error I see on the iPhone side.

EDIT2: I am currently testing in PSK mode, hoping it will be simpler.


You can’t generate a certificate in IPFire? That’s working fine for me. Of course, I also don’t know if I’ve done all the settings correctly.

Remember to activate the certificate on your phone, after importing profile.

Wouldn’t that depend on which subnet you want to access? Also, I think the documentation says you can specify both.

If I leave the Host-to-Net Endpoint blank then the server becomes ipfire.localdomain and there is no connection via the Internet to my IPFire box. So this doesn’t sound right…

I can generate a Cert just fine. But I am not sure it is correct since I cannot connect.

I tried GREEN and BLUE, and neither of them works. From the Wiki, it sounds like it is supposed to be a “new subnet”. I tried that also and it did not work for me…

@jon
Yes, the documentation seems to indicate that the remote host (iPad or iPhone) gets its own subnet where you assign an IP.

If this is correct, this may cause a problem for me, as my intention is to have access to the same subnet as at home, in order to make what I’m testing work (Roon streaming).

An interesting observation is that if I put a higher number than 28 (tried 33 and 45), I get an error.

It doesn’t matter if it’s 192.168.20.1 or 192.168.20.0.

Are you referring to the far right number (the last 20) in the Host-to-Net Virtual Private Network (RoadWarrior): field → 192.168.20.0/20??

If so, please read about CIDR notation (and subnetting). I tried to find a good article for you and found these two links. You may want to keep searching for something better!

To the right of the / can be a number between 32 and 0. So 33 and 45 will not work.


EDIT: For me I picked /28 so I have 16 addresses to pick from (actually a few less, but that doesn’t matter at the moment). But you may want to pick something like /24 (~256 addresses available). Hope this helps! Read up about CIDR. :+1:

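As an added example (not from the thread or the IPFire project), the following script validates a RoadWarrior pool the way the post above describes: the prefix length must be 0..32, host bits such as the .1 in 192.168.20.1/28 are masked off, and the pool is checked for overlap with the local zones, since the Wiki advice quoted above is to use a new subnet rather than GREEN or BLUE. The GREEN and BLUE networks below are constructed assumptions, not the poster's real configuration.

```python
import ipaddress

# Constructed example zones (assumption for this example, not the poster's real config).
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.20.0/24"),
    "BLUE": ipaddress.ip_network("192.168.30.0/24"),
}


def check_pool(cidr, zones=ZONES):
    """Validate a Host-to-Net (RoadWarrior) pool written in CIDR notation.

    Returns a dict with the normalised network, the prefix length, the number
    of usable host addresses and the names of local zones the pool overlaps.
    Raises ValueError for input that is not valid CIDR, e.g. a /33 or /45.
    """
    # strict=False masks the host bits, so 192.168.40.1/28 and 192.168.40.0/28
    # both normalise to 192.168.40.0/28 (the ".1 or .0" point made in the thread).
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")

    # /31 and /32 have no network/broadcast address to subtract.
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses

    # A pool that overlaps GREEN or BLUE will collide with the routes for
    # those zones; the road-warrior pool is expected to be a separate subnet.
    overlaps = sorted(name for name, zone in zones.items() if net.overlaps(zone))

    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
        "overlaps": overlaps,
    }


if __name__ == "__main__":
    for candidate in ("192.168.40.1/28", "192.168.20.0/20", "10.8.0.0/24", "192.168.20.0/33"):
        try:
            print(candidate, "->", check_pool(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Note that 192.168.20.0/20 (the value discussed above) is not a small pool at all: it spans 192.168.16.0 to 192.168.31.255 and therefore overlaps both example zones, which the script reports.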

Ugh! I may have stumbled across an answer…
:upside_down_face:

On the Advanced page change the Grouptype from MOD-1024 to MOD-2048.

I see the following in the IPFire messages log (/var/log/messages):

Jul 25 16:25:20 ipfire charon: 06[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
Jul 25 16:25:20 ipfire charon: 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_1024
Jul 25 16:25:20 ipfire charon: 06[IKE] remote host is behind NAT
Jul 25 16:25:20 ipfire charon: 06[IKE] received proposals unacceptable

MOD-2048 is what my iPhoneSE sends (see 1st line). And the IPFire box was expecting MODP_1024. I am wild guessing the iPhoneSE doesn’t accept MODP_1024.

I just started testing but all looks good for the moment…

EDIT: FYI - this is testing a PSK and not a certificate.
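The "received proposals" / "configured proposals" pair in the charon log is the quickest way to see why an IKE_SA_INIT is answered with NO_PROPOSAL_CHOSEN. The script below is an added example, not code from the thread or from strongSwan/IPFire: it parses those two log lines, splits each proposal into its encryption, integrity, PRF and DH-group components, and reports the component that differs between the closest pair of received and configured proposals. The first sample is the pair quoted above (DH group MODP_2048 offered, MODP_1024 configured); the second is a constructed "after the fix" log with the group changed to MODP_2048 and a second configured proposal, to show the matching case. The log text and the token-prefix classification are assumptions made for this example.

```python
import re

# Constructed sample 1: the two charon lines quoted in the post above.
MISMATCH_LOG = """\
Jul 25 16:25:20 ipfire charon: 06[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
Jul 25 16:25:20 ipfire charon: 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_1024
Jul 25 16:25:20 ipfire charon: 06[IKE] remote host is behind NAT
Jul 25 16:25:20 ipfire charon: 06[IKE] received proposals unacceptable
"""

# Constructed sample 2 (assumed, not a real capture): the same client after the
# Grouptype was changed to MOD-2048, with a second, non-AEAD proposal configured.
FIXED_LOG = """\
Jul 25 16:40:02 ipfire charon: 07[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
Jul 25 16:40:02 ipfire charon: 07[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")
CATEGORIES = ("encr", "integ", "prf", "dh")


def classify(token):
    """Assign an algorithm token to its proposal component (assumed prefixes)."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token.startswith(("HMAC_", "AUTH_")):
        return "integ"
    return "encr"  # AES_GCM_16_256, AES_CBC_256, CHACHA20_POLY1305, ...


def parse_proposals(text):
    """Return {'received': [...], 'configured': [...]} lists of IKE proposals.

    Each proposal is a dict like {'encr': 'AES_GCM_16_256', 'prf': ..., 'dh': ...}.
    AEAD proposals (GCM) carry no separate integrity algorithm.
    """
    sides = {"received": [], "configured": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        side, proposals = m.groups()
        for proposal in proposals.split(", "):
            proto, _, algs = proposal.partition(":")
            if proto != "IKE":
                continue
            sides[side].append({classify(t): t for t in algs.split("/")})
    return sides


def explain_rejection(text):
    """Explain why the peer's proposals were unacceptable.

    Returns [] if any received proposal exactly matches a configured one
    (negotiation would succeed), otherwise the list of (component, received,
    configured) differences for the closest received/configured pair.
    Returns None if no proposal lines were found.
    """
    sides = parse_proposals(text)
    best = None
    for received in sides["received"]:
        for configured in sides["configured"]:
            diffs = [
                (cat, received.get(cat), configured.get(cat))
                for cat in CATEGORIES
                if received.get(cat) != configured.get(cat)
            ]
            if not diffs:
                return []
            if best is None or len(diffs) < len(best):
                best = diffs
    return best


if __name__ == "__main__":
    for name, log in (("mismatch", MISMATCH_LOG), ("fixed", FIXED_LOG)):
        print(name, "->", explain_rejection(log) or "proposals match")
```

For the quoted log the only difference is the DH group, which is exactly what the Grouptype change on the Advanced page addresses; the same script points at the encryption or PRF component when those are the culprit instead.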

It’s strange that my screen looks different from yours.

The screenshot is from Safari 14.1.2 browser on macOS Catalina 10.15.7.

Maybe you are using giggle chrome? Or?

iPad. Safari or Chrome is equal. (Everything latest versions).

I’m wondering if my host name should equal the FQDN?

So I should change host name from iPfire to iPfire-test (as shown in my examples) and then change domain to ddns.net

…or if there are some basic settings that I haven’t done other places.