IPSec from behind an uncontrolled NAT device
-
Trying to connect two pfSense 2.0 beta 5 firewalls with an IPsec tunnel. One of the pfSense boxes is behind another firewall that I don't control. I can't make any inbound rules/forwards to that box, but the other pfSense has a public IP. When pinging from Site 1, I can see the tunnel begin phase 1, but there is NOTHING at all logged at Site 2: not in the IPsec log, not in the firewall log. I've double-checked that the remote gateway IP is correct, rebooted both pfSenses, restarted racoon as was indicated by another post…
-
Site 1 - behind NAT firewall
Feb 17 14:17:45 racoon: INFO: begin Aggressive mode.
Feb 17 14:17:45 racoon: ERROR: sendto (No route to host)
Feb 17 14:17:45 racoon: ERROR: sendfromto failed
Feb 17 14:17:45 racoon: ERROR: phase1 negotiation failed due to send error. ef85822e0f718a1f:0000000000000000
Feb 17 14:17:45 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 17 14:18:08 racoon: [HS3 Colo]: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Feb 17 14:18:08 racoon: [HS3 Colo]: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Feb 17 14:18:08 racoon: INFO: begin Aggressive mode.
Feb 17 14:18:08 racoon: ERROR: sendto (No route to host)
Feb 17 14:18:08 racoon: ERROR: sendfromto failed
Feb 17 14:18:08 racoon: ERROR: phase1 negotiation failed due to send error. a936ec3bc428c860:0000000000000000
Feb 17 14:18:08 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 17 14:18:31 racoon: [HS3 Colo]: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Feb 17 14:18:31 racoon: [HS3 Colo]: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Feb 17 14:18:31 racoon: INFO: begin Aggressive mode.
Feb 17 14:18:31 racoon: ERROR: sendto (No route to host)
Feb 17 14:18:31 racoon: ERROR: sendfromto failed
Feb 17 14:18:31 racoon: ERROR: phase1 negotiation failed due to send error. 6ca3082f600a86a7:0000000000000000
Feb 17 14:18:31 racoon: ERROR: failed to begin ipsec sa negotication.
-
Site 2 - Public IP
Feb 17 14:18:51 racoon: INFO: @(#)ipsec-tools 0.8.0.beta3 (http://ipsec-tools.sourceforge.net)
Feb 17 14:18:51 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Feb 17 14:18:51 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 17 14:18:51 racoon: [Unknown Gateway/Dynamic]: INFO: x.x.x.x[4500] used for NAT-T
Feb 17 14:18:51 racoon: [Self]: INFO: x.x.x.x[4500] used as isakmp port (fd=16)
Feb 17 14:18:51 racoon: INFO: x.x.x.x[500] used for NAT-T
Feb 17 14:18:51 racoon: [Self]: INFO: x.x.x.x[500] used as isakmp port (fd=17)
This is the entire log.
-
Try to force NAT-T on both ends.
Actually, if they're both 2.0 and you control both of them, I'd ditch IPsec and go for OpenVPN. It wouldn't have any issues in this situation.
Just make the side that can accept connections the server, and the side behind the firewall you don't control the client.
-
Thanks for the reply. Both sides do have NAT-T turned on (actually the reason I went with 2.0).
I'll give OpenVPN a try. Is it SSL-based?
-
It's SSL-based, yes. With a site-to-site setup it's fairly easy to make a shared key setup and be up in very little time.
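The shared-key site-to-site setup described in the reply above has a handful of settings that must agree between the two ends, and a mismatch in any of them produces exactly the "client times out, server sees nothing useful" picture. The Python below is an added example, not code from this thread or from pfSense: it parses a constructed server/client config pair and checks the pairing rules (same proto and dev, client `remote` port equal to the server's listening port, `secret` on both sides, `nobind` on the NATed client, mirrored `ifconfig` addresses), then runs the same check against a client config carrying two common mistakes. The 10.0.8.1/10.0.8.2 tunnel addresses and UDP 1194 match the values that appear later in the thread's logs; the key paths, the y.y.y.y placeholder and the config file names are assumptions.

```python
"""Consistency check for an OpenVPN site-to-site (static key) config pair.

Added example, not code from the thread or from pfSense. The configs below
are constructed for illustration: 10.0.8.1/10.0.8.2 and UDP 1194 are the
values visible in the thread's logs, everything else is assumed.
"""

# Constructed server config: the side with the public IP accepts connections.
SERVER_CONF = """\
dev tun
proto udp
port 1194
ifconfig 10.0.8.1 10.0.8.2
secret /var/etc/openvpn/server1.secret
keepalive 10 60
persist-key
persist-tun
"""

# Constructed client config: the side behind the NAT device initiates.
CLIENT_CONF = """\
dev tun
proto udp
remote y.y.y.y 1194
nobind
ifconfig 10.0.8.2 10.0.8.1
secret /var/etc/openvpn/client1.secret
keepalive 10 60
persist-key
persist-tun
"""

# Same client with two classic mistakes: wrong port and non-mirrored ifconfig.
BROKEN_CLIENT_CONF = (CLIENT_CONF
                      .replace("remote y.y.y.y 1194", "remote y.y.y.y 1195")
                      .replace("ifconfig 10.0.8.2 10.0.8.1", "ifconfig 10.0.8.1 10.0.8.2"))


def parse_conf(text):
    """Parse OpenVPN's line-oriented config into {option: [args]}.
    Comments (# or ;) and blank lines are ignored; the last occurrence of
    an option wins, which is how OpenVPN treats repeated options."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    # Both sides must use a pre-shared static key and a tun device.
    for name, conf in (("server", s), ("client", c)):
        if "secret" not in conf:
            problems.append(f"{name}: no 'secret' directive (static-key mode needs one)")
        if (conf.get("dev") or [None])[0] != "tun":
            problems.append(f"{name}: expected 'dev tun'")
    if s.get("proto") != c.get("proto"):
        problems.append("proto differs between server and client")
    # Only the client dials out; its 'remote' port must be the server's listening port.
    if "remote" not in c:
        problems.append("client: missing 'remote <server-ip> <port>'")
    else:
        client_port = c["remote"][1] if len(c["remote"]) > 1 else "1194"  # OpenVPN default
        server_port = s.get("port", s.get("lport", ["1194"]))[0]
        if client_port != server_port:
            problems.append(f"port mismatch: client sends to {client_port}, "
                            f"server listens on {server_port}")
    if "remote" in s:
        problems.append("server: has 'remote'; the listening side should not dial out")
    # The initiator behind NAT must not pin a local port; let the NAT device pick one.
    if "nobind" not in c:
        problems.append("client: add 'nobind' (it is behind a NAT you do not control)")
    # ifconfig <local> <remote> on one side must be <remote> <local> on the other.
    si, ci = s.get("ifconfig", []), c.get("ifconfig", [])
    if len(si) != 2 or len(ci) != 2:
        problems.append("both sides need 'ifconfig <local> <remote>'")
    elif si != [ci[1], ci[0]]:
        problems.append(f"ifconfig not mirrored: server {si}, client {ci}")
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(SERVER_CONF, CLIENT_CONF) or "OK")
    for p in check_pair(SERVER_CONF, BROKEN_CLIENT_CONF):
        print("broken pair:", p)
```

The port check is the one worth remembering for the situation in this thread: a client pointed at the wrong UDP port never gets a reply and cycles through `--ping-restart` timeouts while ICMP to the same host works fine, and the server logs nothing because the packets never reach its socket.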
-
I set up OpenVPN. Quite easy. However, the server end still sees no connection attempts, and the client times out. Nothing in the firewall log. Just for grins, I opened ICMP, and I can ping the server from the client. Logs to follow.
-
Site 1 client behind NAT firewall:
Mar 3 19:41:52 openvpn[7686]: event_wait : Interrupted system call (code=4)
Mar 3 19:41:52 openvpn[7686]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1560 init
Mar 3 19:41:52 openvpn[7686]: SIGTERM[hard,] received, process exiting
Mar 3 19:41:53 openvpn[46080]: OpenVPN testing-cee388313521 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 21 2011
Mar 3 19:41:53 openvpn[46080]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
Mar 3 19:41:53 openvpn[46080]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 3 19:41:53 openvpn[46080]: TUN/TAP device /dev/tun1 opened
Mar 3 19:41:53 openvpn[46080]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 init
Mar 3 19:41:53 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
Mar 3 19:41:53 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
Mar 3 19:42:53 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
Mar 3 19:42:53 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 3 19:42:55 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 3 19:42:55 openvpn[46776]: Re-using pre-shared static key
Mar 3 19:42:55 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
Mar 3 19:42:55 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
Mar 3 19:42:55 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
Mar 3 19:43:55 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
Mar 3 19:43:55 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 3 19:43:57 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 3 19:43:57 openvpn[46776]: Re-using pre-shared static key
Mar 3 19:43:57 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
Mar 3 19:43:57 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
Mar 3 19:43:57 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
Mar 3 19:44:57 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
Mar 3 19:44:57 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 3 19:44:59 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 3 19:44:59 openvpn[46776]: Re-using pre-shared static key
Mar 3 19:44:59 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
Mar 3 19:44:59 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
Mar 3 19:44:59 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
Mar 3 19:45:59 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
Mar 3 19:45:59 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 3 19:46:01 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 3 19:46:01 openvpn[46776]: Re-using pre-shared static key
Mar 3 19:46:01 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
Mar 3 19:46:01 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
Mar 3 19:46:01 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
-
Site 2 server with Public IP:
Mar 3 19:41:35 openvpn[56496]: event_wait : Interrupted system call (code=4)
Mar 3 19:41:35 openvpn[56496]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1560 10.0.8.1 10.0.8.2 init
Mar 3 19:41:35 openvpn[56496]: SIGTERM[hard,] received, process exiting
Mar 3 19:41:36 openvpn[45557]: OpenVPN testing-cee388313521 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 22 2011
Mar 3 19:41:36 openvpn[45557]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
Mar 3 19:41:36 openvpn[45557]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 3 19:41:36 openvpn[45557]: TUN/TAP device /dev/tun1 opened
Mar 3 19:41:36 openvpn[45557]: do_ifconfig, tt->ipv6=0
Mar 3 19:41:36 openvpn[45557]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Mar 3 19:41:36 openvpn[45557]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 10.0.8.1 10.0.8.2 init
Mar 3 19:41:36 openvpn[46329]: UDPv4 link local (bound): [AF_INET]y.y.y.y:1194
Mar 3 19:41:36 openvpn[46329]: UDPv4 link remote: [undef]
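The two log sets in this thread carry different failure signatures, and they point at different places to look. The Python below is an added example, not part of the original thread or of pfSense: it runs a small rule table over excerpts of the log lines posted above (addresses masked as in the thread) and returns a verdict plus the next thing to check. The verdicts and suggested commands are this example's own reading of the logs; `sendto` returning "No route to host" is the kernel's EHOSTUNREACH, which means the initiator never put the packet on the wire at all, while an OpenVPN `--ping-restart` timeout after "UDPv4 link remote" means packets were sent and nothing came back. The interface name `<wan>` in the suggested capture is a placeholder.

```python
"""Triage of the racoon and OpenVPN log excerpts posted in this thread.

Added example, not code from the thread or from pfSense. The sample lines
are copied from the thread (addresses already masked); the verdicts and
checks are this example's own interpretation.
"""
import re

SITE1_RACOON = """\
Feb 17 14:18:08 racoon: [HS3 Colo]: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Feb 17 14:18:08 racoon: INFO: begin Aggressive mode.
Feb 17 14:18:08 racoon: ERROR: sendto (No route to host)
Feb 17 14:18:08 racoon: ERROR: sendfromto failed
Feb 17 14:18:08 racoon: ERROR: phase1 negotiation failed due to send error. a936ec3bc428c860:0000000000000000
""".splitlines()

SITE1_OPENVPN = """\
Mar 3 19:41:53 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
Mar 3 19:41:53 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
Mar 3 19:42:53 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
Mar 3 19:42:53 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
""".splitlines()

SITE2_OPENVPN = """\
Mar 3 19:41:36 openvpn[46329]: UDPv4 link local (bound): [AF_INET]y.y.y.y:1194
Mar 3 19:41:36 openvpn[46329]: UDPv4 link remote: [undef]
""".splitlines()

# Each rule: (pattern, verdict, what it means, what to check next).
# First match wins, so the local send error is listed first: when the kernel
# refuses the send, nothing downstream (NAT, peer firewall, peer daemon) matters yet.
RULES = [
    (re.compile(r"sendto \(No route to host\)"),
     "local_send_error",
     "the kernel rejected the UDP send (EHOSTUNREACH): the IKE packet never left this box, "
     "so the peer logging nothing at all is the expected result",
     "on the initiator (FreeBSD): 'route -n get <peer-ip>' and 'netstat -rn'; make sure "
     "the route to the peer and the next hop are actually resolvable from the interface "
     "racoon is bound to"),
    (re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "no_reply",
     "packets were sent to the remote endpoint, but nothing came back inside the "
     "ping-restart window",
     "on the server: 'tcpdump -ni <wan> udp port 1194' while the client retries; if nothing "
     "arrives, UDP/1194 is being dropped between the client's NAT device and the server, "
     "if it arrives, check the server's WAN rule for UDP/1194 and the server's own log"),
    (re.compile(r"UDPv4 link remote: \[undef\]"),
     "listening",
     "the server side is up and waiting; '[undef]' is normal for a server that has not "
     "yet received a packet from any client",
     "nothing to fix here; the problem is on the path from the client"),
]


def triage(lines):
    """Return (verdict, meaning, next_check) for a block of log lines,
    or an 'unknown' verdict when no rule matches."""
    for pattern, verdict, meaning, check in RULES:
        if any(pattern.search(line) for line in lines):
            return verdict, meaning, check
    return ("unknown", "no recognised failure signature in these lines",
            "raise the daemon's log verbosity and capture on the WAN interface")


if __name__ == "__main__":
    for label, lines in (("Site 1 racoon", SITE1_RACOON),
                         ("Site 1 OpenVPN client", SITE1_OPENVPN),
                         ("Site 2 OpenVPN server", SITE2_OPENVPN)):
        verdict, meaning, check = triage(lines)
        print(f"{label}: {verdict}\n  meaning: {meaning}\n  check:   {check}")
```

The point of ordering the rules this way is that the two Site 1 excerpts are not the same problem: the racoon lines show a send that failed locally before any NAT or remote firewall was involved, whereas the OpenVPN client lines show packets going out and a silent path back, which is what a UDP-dropping middlebox or a missing allow rule on the server's WAN looks like.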