Netgate Discussion Forum
    Ikev2/IPsec as VPN client to VPN service

    General pfSense Questions
Ranoldas

      Hello,

      I am trying to setup VPN provider connection via IKEv2 protocol. I am using the following configurations on ipsec.conf:

      conn nord
          keyexchange=ikev2
          dpdaction=clear
          dpddelay=300s
          eap_identity="Username"
          leftauth=eap-mschapv2
          left=%defaultroute
          leftsourceip=%config
          right=178.132.78.136
          rightauth=pubkey
          rightsubnet=0.0.0.0/0
          rightid=%any
          type=tunnel
          auto=add

      and according to logs it seems tunnel is up and running:

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: ipsec up nord
      initiating IKE_SA nord[1] to 178.132.78.136
      generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      sending packet: from 10.0.2.15[500] to 178.132.78.136[500] (806 bytes)
      received packet: from 178.132.78.136[500] to 10.0.2.15[500] (38 bytes)
      parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
      peer didn't accept DH group CURVE_25519, it requested MODP_2048
      initiating IKE_SA nord[1] to 178.132.78.136
      generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      sending packet: from 10.0.2.15[500] to 178.132.78.136[500] (1030 bytes)
      received packet: from 178.132.78.136[500] to 10.0.2.15[500] (464 bytes)
      parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      local host is behind NAT, sending keep alives
      sending cert request for "C=PA, O=NordVPN, CN=NordVPN Root CA"
      no IDi configured, fall back on IP address
      establishing CHILD_SA nord{1}
      generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (396 bytes)
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
      parsed IKE_AUTH response 1 [ EF(1/6) ]
      received fragment #1 of 6, waiting for complete IKE message
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
      parsed IKE_AUTH response 1 [ EF(3/6) ]
      received fragment #3 of 6, waiting for complete IKE message
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
      parsed IKE_AUTH response 1 [ EF(4/6) ]
      received fragment #4 of 6, waiting for complete IKE message
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
      parsed IKE_AUTH response 1 [ EF(5/6) ]
      received fragment #5 of 6, waiting for complete IKE message
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (480 bytes)
      parsed IKE_AUTH response 1 [ EF(6/6) ]
      received fragment #6 of 6, waiting for complete IKE message
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
      parsed IKE_AUTH response 1 [ EF(2/6) ]
      received fragment #2 of 6, reassembling fragmented IKE message
      parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
      received end entity cert "CN=se17.nordvpn.com"
      received issuer cert "C=PA, O=NordVPN, CN=NordVPN CA2"
        using certificate "CN=se17.nordvpn.com"
        using untrusted intermediate certificate "C=PA, O=NordVPN, CN=NordVPN CA2"
      checking certificate status of "CN=se17.nordvpn.com"
      certificate status is not available
        using trusted ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA"
      checking certificate status of "C=PA, O=NordVPN, CN=NordVPN CA2"
      certificate status is not available
        reached self-signed root ca with a path length of 1
      authentication of 'se17.nordvpn.com' with RSA_EMSA_PKCS1_SHA2_256 successful
      server requested EAP_IDENTITY (id 0x00), sending 'Username'
      generating IKE_AUTH request 2 [ EAP/RES/ID ]
      sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (92 bytes)
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (76 bytes)
      parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
      server requested EAP_PEAP authentication (id 0x01)
      requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
      generating IKE_AUTH request 3 [ EAP/RES/NAK ]
      sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (76 bytes)
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (108 bytes)
      parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
      server requested EAP_MSCHAPV2 authentication (id 0x02)
      generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
      sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (140 bytes)
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (124 bytes)
      parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
      EAP-MS-CHAPv2 succeeded: '(null)'
      generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
      sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (76 bytes)
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (76 bytes)
      parsed IKE_AUTH response 5 [ EAP/SUCC ]
      EAP method EAP_MSCHAPV2 succeeded, MSK established
      authentication of '10.0.2.15' (myself) with EAP
      generating IKE_AUTH request 6 [ AUTH ]
      sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (92 bytes)
      received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (348 bytes)
      parsed IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS MASK) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
      authentication of 'se17.nordvpn.com' with EAP successful
      IKE_SA nord[1] established between 10.0.2.15[10.0.2.15]...178.132.78.136[se17.nordvpn.com]
      scheduling reauthentication in 10233s
      maximum IKE_SA lifetime 10773s
      installing DNS server 78.46.223.24 via resolvconf
      resolvconf: cp: /dev/null.bak: Operation not supported
      installing DNS server 162.242.211.137 via resolvconf
      resolvconf: cp: /dev/null.bak: Operation not supported
      handling INTERNAL_IP4_NETMASK attribute failed
      installing new virtual IP 10.6.6.29
      created TUN device: tun0
      CHILD_SA nord{1} established with SPIs ced806f6_i ca9d3db6_o and TS 10.6.6.29/32|/0 === 0.0.0.0/0|/0
      received AUTH_LIFETIME of 27944s, reauthentication already scheduled in 10233s
      connection 'nord' established successfully
      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: ipsec status
      Security Associations (1 up, 0 connecting):
              nord[1]: ESTABLISHED 69 seconds ago, 10.0.2.15[10.0.2.15]...178.132.78.136[se17.nordvpn.com]
              nord{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ced806f6_i ca9d3db6_o
              nord{1}:  10.6.6.29/32|/0 === 0.0.0.0/0|/0
      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: ifconfig tun0
      tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
              options=80000<LINKSTATE>
              inet6 fe80::a00:27ff:fe7d:850a%tun0 prefixlen 64 scopeid 0x7
              inet 10.6.6.29 --> 10.6.6.29 netmask 0xffffffff
              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              groups: tun
              Opened by PID 94214

      However, all connections still go through the ISP connection. Do you guys maybe know any reason or cause?

      Derelict (LAYER 8, Netgate)

        Because only traffic from 10.6.6.29/32 will be interesting to IPsec and sent out the tunnel.

        I don't think there is any facility for pfSense to behave like a mobile IPsec client.

        You cannot policy route and outbound NAT to a gateway on an IPsec like you can with an OpenVPN assigned interface.

        You have gotten pretty close though it looks like.

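The point Derelict makes is visible in the `ipsec status` output quoted in the first post: the CHILD_SA traffic selector is `10.6.6.29/32 === 0.0.0.0/0`, so only packets whose source is the assigned virtual IP match the IPsec policy, and anything from a LAN subnet is routed by the ordinary routing table instead. The following script is an added example, not code from the thread or from pfSense or strongSwan; it parses the traffic-selector line of a constructed `ipsec status` sample (shaped like the one above) and checks whether a given source/destination pair would be covered by the tunnel policy. The LAN address `192.168.1.10` is a constructed placeholder.

```python
import ipaddress
import re

# Constructed sample in the shape of the `ipsec status` output quoted in the thread.
# The CHILD_SA line with "===" carries the negotiated traffic selectors
# (local selectors on the left, remote selectors on the right; "|/0" is proto/port).
IPSEC_STATUS = """\
Security Associations (1 up, 0 connecting):
        nord[1]: ESTABLISHED 69 seconds ago, 10.0.2.15[10.0.2.15]...178.132.78.136[se17.nordvpn.com]
        nord{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ced806f6_i ca9d3db6_o
        nord{1}:  10.6.6.29/32|/0 === 0.0.0.0/0|/0
"""

# Matches only CHILD_SA lines of the form "<name>{<n>}:  <local TS> === <remote TS>".
TS_LINE = re.compile(r"^\s*(?P<name>\S+)\{\d+\}:\s+(?P<local>[^=]+?)\s+===\s+(?P<remote>.+)$")


def _networks(selector_field):
    """Turn 'a.b.c.d/n|/0 e.f.g.h/m|/0' into a list of ip_network objects."""
    return [ipaddress.ip_network(tok.split("|")[0], strict=False)
            for tok in selector_field.split()]


def parse_selectors(status_text):
    """Return {conn_name: (local_nets, remote_nets)} from ipsec status text."""
    selectors = {}
    for line in status_text.splitlines():
        m = TS_LINE.match(line)
        if not m:
            continue
        local, remote = selectors.setdefault(m.group("name"), ([], []))
        local.extend(_networks(m.group("local")))
        remote.extend(_networks(m.group("remote")))
    return selectors


def tunnel_covers(selectors, src, dst):
    """True if a packet src->dst matches the tunnel's traffic selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local, remote = selectors
    return any(s in n for n in local) and any(d in n for n in remote)


def uncovered_sources(selectors, candidates):
    """Return the candidate source addresses the tunnel policy would NOT protect."""
    local, _ = selectors
    return [c for c in candidates
            if not any(ipaddress.ip_address(c) in n for n in local)]


if __name__ == "__main__":
    sel = parse_selectors(IPSEC_STATUS)["nord"]
    print("local TS :", [str(n) for n in sel[0]])
    print("remote TS:", [str(n) for n in sel[1]])
    # The virtual IP itself is covered; a constructed LAN host is not.
    for src in ("10.6.6.29", "192.168.1.10"):
        print(f"{src} -> 1.1.1.1 via tunnel: {tunnel_covers(sel, src, '1.1.1.1')}")
    print("not covered:", uncovered_sources(sel, ["10.6.6.29", "192.168.1.10"]))
```

Running it against the sample shows that `10.6.6.29` to any destination matches the policy while the LAN host does not, which is why pinging the VPN gateway from the firewall itself works (the reply in the next post) even though LAN clients keep using the ISP path.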
          Ranoldas

          Hmmm that's sad :/

          Although, I tried pinging the gateway of the VPN, 10.6.6.1, and it seems the IPsec tunnel receives and sends packets to the server. I guess I will try to do more research into strongSwan and hope I will find something there.

            Ranoldas

            Hey, once more.

            So, I have played around a little bit more with the configuration and I managed to force the OPT1 interface to be used on tun0:
            http://prntscr.com/iifq73

            I set manual NAT rules and forced LAN to go through the OPT1 gateway, but that did not do the trick.

            Maybe you guys have a trick up your sleeve? It feels as if the configuration is so close.
