Ipsec behind NAT to Public IP
-
Hello, I cannot seem to figure out why my tunnels aren't coming up anymore. In the lab, when configuring, I had 4 distant-end IPsec tunnels (all behind NAT, running on Cradlepoint devices) going to my local pfSense machine (with a public IP). They were working and up, and then as the Cradlepoints started getting deployed in the field I am now not making it past phase 1 with any of them. The only thing I can see in the logs that sticks out is that it says "deleting half open IKE SA with x.x.x.x (distant-end Cradlepoint) after timeout". Any suggestions would be helpful. Logs below:
found matching ike config: 174.141.213.123...0.0.0.0 with prio 1052
Jun 19 18:09:22 charon 94951 06[IKE] <26462> local endpoint changed from 0.0.0.0[500] to 174.141.213.123[500]
Jun 19 18:09:22 charon 94951 06[IKE] <26462> remote endpoint changed from 0.0.0.0 to 35.131.239.194[17896]
Jun 19 18:09:22 charon 94951 06[IKE] <26462> 35.131.239.194 is initiating an IKE_SA
Jun 19 18:09:22 charon 94951 06[IKE] <26462> IKE_SA (unnamed)[26462] state change: CREATED => CONNECTING
Jun 19 18:09:22 charon 94951 06[CFG] <26462> selecting proposal:
Jun 19 18:09:22 charon 94951 06[CFG] <26462> proposal matches
Jun 19 18:09:22 charon 94951 06[CFG] <26462> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Jun 19 18:09:22 charon 94951 06[CFG] <26462> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 19 18:09:22 charon 94951 06[CFG] <26462> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 19 18:09:22 charon 94951 06[CFG] <26462> received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 19 18:09:22 charon 94951 06[IKE] <26462> remote host is behind NAT
Jun 19 18:09:22 charon 94951 06[CFG] <26462> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 19 18:09:22 charon 94951 06[ENC] <26462> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 19 18:09:22 charon 94951 06[NET] <26462> sending packet: from 174.141.213.123[500] to 35.131.239.194[17896] (472 bytes)
Jun 19 18:09:23 charon 94951 06[JOB] <26458> deleting half open IKE_SA with 35.131.239.194 after timeout
Jun 19 18:09:23 charon 94951 06[IKE] <26458> IKE_SA (unnamed)[26458] state change: CONNECTING => DESTROYING
Jun 19 18:09:24 charon 94951 06[JOB] <26459> deleting half open IKE_SA with 35.131.239.194 after timeout
-
@philip-abraham
Also the log of the remote site could be helpful, since it obviously isn't responding to this packet:
Jun 19 18:09:22 charon 94951 06[ENC] <26462> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 19 18:09:22 charon 94951 06[NET] <26462> sending packet: from 174.141.213.123[500] to 35.131.239.194[17896] (472 bytes)
-
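As an added example (not from this thread, pfSense or strongSwan), a small Python triage script that reads charon log lines like the ones quoted above and flags peers that were answered in IKE_SA_INIT but never returned with IKE_AUTH before the half-open SA was reaped, which is the pattern pointed at in the reply above. The sample log is constructed from the quoted lines, and the healthy peer 198.51.100.7 (documentation range) is an assumption added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted above: the NATed peer
# 35.131.239.194[17896] is answered and then times out; a constructed healthy
# peer (198.51.100.7, documentation range) continues to IKE_AUTH.
SAMPLE_LOG = """\
Jun 19 18:09:22 charon 94951 06[IKE] <26462> remote endpoint changed from 0.0.0.0 to 35.131.239.194[17896]
Jun 19 18:09:22 charon 94951 06[IKE] <26462> remote host is behind NAT
Jun 19 18:09:22 charon 94951 06[ENC] <26462> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 19 18:09:23 charon 94951 06[JOB] <26458> deleting half open IKE_SA with 35.131.239.194 after timeout
Jun 19 18:09:24 charon 94951 06[JOB] <26459> deleting half open IKE_SA with 35.131.239.194 after timeout
Jun 19 18:09:30 charon 94951 07[IKE] <26470> remote endpoint changed from 0.0.0.0 to 198.51.100.7[500]
Jun 19 18:09:30 charon 94951 07[ENC] <26470> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 19 18:09:30 charon 94951 07[ENC] <26470> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr ]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ charon \d+ \d+\[\w+\] <(?P<sa>\d+)> (?P<msg>.*)$")
ENDPOINT_RE = re.compile(r"remote endpoint changed from \S+ to (?P<ip>[\d.]+)\[(?P<port>\d+)\]")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with (?P<ip>[\d.]+) after timeout")

def summarize(log_text):
    """Per-peer counters for how far each IKEv2 exchange got on the responder side."""
    peers = defaultdict(lambda: {"init_resp": 0, "ike_auth": 0, "timeouts": 0, "nat": False, "ports": set()})
    sa_to_peer = {}  # IKE_SA number -> peer address, learned from the endpoint line
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        sa, msg = m.group("sa"), m.group("msg")
        if (e := ENDPOINT_RE.match(msg)):
            sa_to_peer[sa] = e.group("ip")
            peers[e.group("ip")]["ports"].add(int(e.group("port")))  # translated port for NATed peers
        elif (t := TIMEOUT_RE.match(msg)):
            # the timeout line names the peer directly; its SA number may appear nowhere else
            peers[t.group("ip")]["timeouts"] += 1
        elif sa in sa_to_peer:
            p = peers[sa_to_peer[sa]]
            if msg == "remote host is behind NAT":
                p["nat"] = True
            elif msg.startswith("generating IKE_SA_INIT response"):
                p["init_resp"] += 1
            elif msg.startswith("parsed IKE_AUTH request"):
                p["ike_auth"] += 1
    return dict(peers)

def stalled_after_init(peers):
    """Peers we answered in IKE_SA_INIT that never sent IKE_AUTH and were reaped as half open."""
    return sorted(ip for ip, p in peers.items()
                  if p["init_resp"] and not p["ike_auth"] and p["timeouts"])
```

A peer listed by stalled_after_init with nat set and a non-500/4500 port is one whose IKE_SA_INIT response was sent back to the NAT's translated port, so the next thing to check is whether that response ever reaches the initiator.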
@viragomann I would get it if I could. The main problem is that since the tunnel is not coming up anymore, I have to have someone hook a laptop up to it and use AnyDesk to try and manage it. I will see what I can do. It's just strange that the tunnels were all up in the lab and now in the field they no longer come up.
-
@philip-abraham said in Ipsec behind NAT to Public IP:
It's just strange that the tunnels were all up in the lab and now in the field they no longer come up.
The only settings you have to adapt in this case are "Remote Gateway", "My identifier" and "Peer identifier", if you've stated one in phase 1.
Best practice would be to set the Peer identifier to any for testing and restrict it later.
-
@viragomann They are all set to any already. That was my exact thinking: get them up and then tighten them down once they were up.