    IPSEC mobile client in transport mode: possible? No subnets defined somehow

    17 Posts 2 Posters 1.0k Views
    • S
      sgw @Konstanti
      last edited by

      @konstanti

      Thanks ;-)

      I don't have issues with Site2Site-IPSEC when they have both static IPs, which isn't the case here.
      I also have an IPSEC doc for the MRD-405 already, but not for transport mode.

      We figured out the encryption and xauth as you can see, but the IP routing is my problem here.

      • K
        Konstanti @sgw
        last edited by Konstanti

        @sgw

        Transport mode is only for host-to-host connections. You need tunnel mode.

        Phase 2 settings

        Mode: Tunnel
        Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
        Protocol: ESP
        Encryption Algorithms: AES 128 only
        Hash Algorithms: SHA1 only
        PFS key group: off
        Lifetime: 28800

        Then your device will get a virtual IP, and only then is it necessary to think about routing through the IPsec tunnel (if it is possible).

        • S
          sgw @Konstanti
          last edited by

          @konstanti

          Thanks. We had most of that and get:

          Feb 11 15:32:16	charon		15[IKE] <con-mobile|1> no matching CHILD_SA config found
          
          [..]
          
          Feb 11 15:32:26	charon		15[IKE] <con-mobile|1> received retransmit of request with ID 2293249901, but no response to retransmit
          

          Do we need a tunnel network in VPN/IPsec/Mobile Clients: "Virtual Private Network" / "Network List"?

          Auth is fine, Phase 1 as well.

          thanks

          • K
            Konstanti @sgw
            last edited by

            @sgw
            Show the phase 2 settings on both sides of the tunnel
            and the pfSense IPsec log.

            • S
              sgw
              last edited by

              I have to leave now; I can only share the last part of the remote site logs.
              I'll provide the Phase 2 info later or tomorrow.

              000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
              000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
              000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
              000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
              000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
              000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
              000  
              000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,324} attrs={0,6,432} 
              000  
              000 "MYSITE_primary_TM0": 172.16.160.0/27===10.135.16.195<10.135.16.195>[@land_mob_ipsec,+XC+S=C]---10.135.16.195...MYIP<MYIP>[+XS+S=C]===0.0.0.0/0; unrouted; eroute owner: #0
              000 "MYSITE_primary_TM0":     myip=172.16.160.30; hisip=unset;
              000 "MYSITE_primary_TM0":     xauth info: myxauthuser=aba_n_ka; 
              000 "MYSITE_primary_TM0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0 
              000 "MYSITE_primary_TM0":   policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 27,0; interface: wwan0; 
              000 "MYSITE_primary_TM0":   newest ISAKMP SA: #5; newest IPsec SA: #0; 
              000 "MYSITE_primary_TM0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
              000 "MYSITE_primary_TM0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
              000 "MYSITE_primary_TM0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
              000 "MYSITE_primary_TM0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
              000 "MYSITE_primary_TM0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
              000  
              000 #6: "MYSITE_primary_TM0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
              000 #5: "MYSITE_primary_TM0":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
              000  
              

              pfsense:

              Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
              Feb 11 15:48:02	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
              Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
              Feb 11 15:48:02	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
              Feb 11 15:48:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
              Feb 11 15:48:12	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
              Feb 11 15:48:23	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
              Feb 11 15:48:32	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
              Feb 11 15:48:32	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
              Feb 11 15:48:43	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
              Feb 11 15:49:03	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
              Feb 11 15:49:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
              Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1541153441 [ HASH SA No ID ID ]
              Feb 11 15:49:12	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
              Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 3407976374 [ HASH N(INVAL_ID) ]
              Feb 11 15:49:12	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
              Feb 11 15:49:23	charon		15[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
              Feb 11 15:49:23	charon		15[IKE] <con-mobile|2> received retransmit of request with ID 1541153441, but no response to retransmit
              

              I see that my local subnet (VLAN 160 on our side) does not get transferred to the LTE router.

              My phase 2:

              tunnel ANLAGEN ESP AES (128 bits) SHA1

              and I don't have a "Remote subnet" in there (maybe correct because of the dynamic IP on the mobile side).

              My local subnet is a VLAN; maybe I'm missing firewall rules? But I assume that comes later; at first we need phase 2 up, right?

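The two log excerpts above fit together: libreswan on the LTE router proposes 172.16.160.0/27 on its side and 0.0.0.0/0 on the pfSense side, while the pfSense mobile phase 2 only knows its own VLAN and has no remote subnet, so charon answers every Quick Mode request with "no matching CHILD_SA config found" and an INVAL_ID notify. The following script is an added example, not code from the thread or from pfSense: it parses the posted libreswan status line, models the pfSense phase 2 entry, and reports which traffic selector fails the match. The VLAN prefix 192.168.160.0/24, the peer address 178.115.129.214 taken from the charon log, and the `Phase2` dataclass are assumptions made here for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Remote (libreswan) status line as posted in the thread; "MYIP" is the poster's
# own placeholder for the pfSense WAN address.
LIBRESWAN_STATUS = (
    '000 "MYSITE_primary_TM0": 172.16.160.0/27===10.135.16.195<10.135.16.195>'
    '[@land_mob_ipsec,+XC+S=C]---10.135.16.195...MYIP<MYIP>[+XS+S=C]===0.0.0.0/0; '
    'unrouted; eroute owner: #0'
)

# Four pfSense charon lines from the thread (tabs collapsed to spaces).
CHARON_LOG = """\
Feb 11 15:48:02 charon 13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
Feb 11 15:48:02 charon 13[IKE] <con-mobile|2> no matching CHILD_SA config found
Feb 11 15:48:02 charon 13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
Feb 11 15:48:12 charon 13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
"""

PEER_ADDR = "178.115.129.214"  # the mobile peer's public address, from the charon log


@dataclass(frozen=True)
class Phase2:
    """One pfSense phase 2 entry (hypothetical model for this example). remote=None stands
    for a mobile-client entry with no "Remote Network": strongSwan then accepts only the
    peer's own address as the remote traffic selector."""
    name: str
    local: str
    remote: Optional[str] = None


# Assumption: the "ANLAGEN" VLAN 160 is 192.168.160.0/24 (the thread never gives the prefix).
P2_AS_POSTED = Phase2("ANLAGEN", "192.168.160.0/24")
P2_SITE_TO_SITE = Phase2("ANLAGEN", "192.168.160.0/24", "172.16.160.0/27")

_CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<left>[0-9./]+)===.*===(?P<right>[0-9./]+);')


def parse_libreswan_conn(line: str):
    """Return (conn name, left subnet, right subnet): the traffic selectors libreswan
    will propose in Quick Mode, read from its status output."""
    m = _CONN_RE.match(line)
    if not m:
        raise ValueError("not a libreswan connection status line")
    return m.group("name"), m.group("left"), m.group("right")


def explain_mismatch(init_local: str, init_remote: str, responder: Phase2, peer_addr: str) -> list:
    """List why the responder rejects the proposal; an empty list means a CHILD_SA matches.
    Quick Mode succeeds only if the initiator's local subnet fits inside the responder's
    remote selector AND the initiator's remote subnet fits inside the responder's local one."""
    il, ir = ipaddress.ip_network(init_local), ipaddress.ip_network(init_remote)
    resp_local = ipaddress.ip_network(responder.local)
    resp_remote = ipaddress.ip_network(responder.remote or f"{peer_addr}/32")
    problems = []
    if not il.subnet_of(resp_remote):
        problems.append(f"peer proposes local {il}, but '{responder.name}' accepts only remote {resp_remote}")
    if not ir.subnet_of(resp_local):
        problems.append(f"peer proposes remote {ir}, but '{responder.name}' local network is {resp_local}")
    return problems


def child_sa_matches(init_local: str, init_remote: str, responder: Phase2, peer_addr: str) -> bool:
    return not explain_mismatch(init_local, init_remote, responder, peer_addr)


def count_quick_mode_failures(log: str) -> dict:
    """Count the charon symptoms of a phase 2 selector mismatch in a log excerpt."""
    counts = {"no_child_sa": 0, "inval_id": 0, "retransmit_unanswered": 0}
    for line in log.splitlines():
        if "no matching CHILD_SA config found" in line:
            counts["no_child_sa"] += 1
        elif "N(INVAL_ID)" in line:
            counts["inval_id"] += 1
        elif "no response to retransmit" in line:
            counts["retransmit_unanswered"] += 1
    return counts


if __name__ == "__main__":
    name, left, right = parse_libreswan_conn(LIBRESWAN_STATUS)
    print(f"{name} proposes {left} <-> {right}")
    for p in explain_mismatch(left, right, P2_AS_POSTED, PEER_ADDR):
        print("  mismatch:", p)
    # A site-to-site style entry fixes the first selector, but the peer must also stop
    # proposing 0.0.0.0/0 and ask for the VLAN instead before both selectors agree.
    print("site-to-site entry, peer still asks 0.0.0.0/0:",
          child_sa_matches(left, right, P2_SITE_TO_SITE, PEER_ADDR))
    print("site-to-site entry, peer asks 192.168.160.0/24:",
          child_sa_matches(left, "192.168.160.0/24", P2_SITE_TO_SITE, PEER_ADDR))
    print(count_quick_mode_failures(CHARON_LOG))
```

Running it shows both selectors failing against the mobile entry as posted, which is exactly the condition charon reports; a selector check like this is a quicker first step than reading retransmit loops in the IPsec log.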
              • K
                Konstanti
                last edited by

                @sgw said in
                I think such a connection is impossible, I should think; still, this type of connection is used for RW (road warrior).

                • K
                  Konstanti @sgw
                  last edited by

                  @sgw

                  When there is no fixed IP address, for a site-to-site connection I would recommend an OpenVPN tunnel.

                  • S
                    sgw @Konstanti
                    last edited by sgw

                    @konstanti Yes, I see ... we had the OpenVPN tunnel up already and pinged the tunnel endpoints, but not the nets behind. Maybe settings on the LTE router, maybe my fault. We will retry on Friday; the other admin is away till then.

                    EDIT: I will maybe open another topic in the "openvpn" section, but just mentioning:
                    /27 on the remote side, allowing that source net to the OPENVPN interface and target net /24 (VLAN). Unsure if that should be enough. Didn't see blocked packets in the firewall logs.

                    • K
                      Konstanti @sgw
                      last edited by Konstanti

                      @sgw
                      You need to configure the OpenVPN server correctly
                      so that the client knows about 10.135.16.195 and the server knows about 172.16.160.0/27.

                      • S
                        sgw @Konstanti
                        last edited by sgw

                        @konstanti That 10.135.16.195 ... I don't know what that is. Maybe the dynamic WAN on the remote client side. Will check as soon as the admin gets back there. Thanks!

                        AND we have MultiWAN on our side. I had to add some rule back then; haven't found it yet.

                        • K
                          Konstanti @sgw
                          last edited by Konstanti

                          @sgw

                          Yeah, probably.
                          On the OpenVPN server side, in the Tunnel Settings section, you can specify:

                          1. IPv4 Local Network - the network to which you need access from the server side
                          2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

                          In this case, the client will know about the remote network behind the server and the server will know about your network 172.16.160.0/27,

                          and there shouldn't be a problem.

                          • S
                            sgw @Konstanti
                            last edited by

                            @konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

                            @sgw

                            yeah, probably.
                            On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

                            1. IPv4 Local Network - the network to which you need access from the server side
                            2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

                            Yes, we got that. Wrote to the guy, waiting for his changes, tomorrow, I assume.
                            I also made him change that /27 to /24, just to remove any special stuff to get it working first, then go on from there.

                            • K
                              Konstanti @sgw
                              last edited by

                              @sgw
                              Good )))
                              If there are problems after establishing the connection, look at the routing table on your router: is there a route to the server network? And on the other side of the tunnel, too, you will have to check it )

                              • S
                                sgw @Konstanti
                                last edited by

                                @konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

                                @sgw
                                Good )))
                                If there are problems after establishing the connection, look at the routing table on your router: is there a route to the server network? And on the other side of the tunnel, too, you will have to check it )

                                I have checked that as we tested. No routes to that /27 on pfSense, although the OpenVPN tunnel was up and we could ping the tunnel endpoints. So I'll wait for /27 -> /24 to remove that question.

                                • K
                                  Konstanti @sgw
                                  last edited by

                                  @sgw
                                  You can always create a static route to the server network, but it is better to do everything correctly so that the server itself sends this information to the client )))

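Two of the replies above belong together: the Tunnel Settings advice (IPv4 Local Network pushed to the client, IPv4 Remote Network 172.16.160.0/27 routed on the server) and the later advice to check the routing table on each side once the tunnel is up. The script below is an added example written for this page, not pfSense or OpenVPN code: it turns those two pfSense fields into the OpenVPN directives they correspond to and checks a `netstat -rn` dump for the route the server must have toward the LTE router's LAN. The tunnel network 10.8.0.0/24, the interface name ovpns1, the VLAN prefix 192.168.160.0/24 and both routing-table dumps are constructed assumptions; the /27 is the one from the thread.

```python
import ipaddress

# Tunnel Settings as discussed in the thread. The VLAN prefix is assumed (the thread
# only says "VLAN 160 ... /24"); the tunnel network and interface name are assumed too.
TUNNEL_NETWORK = "10.8.0.0/24"              # assumed "IPv4 Tunnel Network"
LOCAL_NETWORKS = ["192.168.160.0/24"]       # "IPv4 Local Network(s)" on the pfSense server
REMOTE_NETWORKS = ["172.16.160.0/27"]       # "IPv4 Remote Network(s)": the LAN behind the LTE router
TUNNEL_IFACE = "ovpns1"                     # assumed pfSense server instance interface

# Constructed 'netstat -rn' excerpts: the state sgw reported (tunnel up, endpoints
# pingable, no route to the /27) and the state after the server knows the remote network.
NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.8.0.0/24        10.8.0.2           UGS      ovpns1
10.8.0.1           link#9             UHS         lo0
192.168.160.0/24   link#5             U       igb1.160
"""
NETSTAT_AFTER = NETSTAT_BEFORE + "172.16.160.0/27   10.8.0.2           UGS      ovpns1\n"


def openvpn_directives(local_networks, remote_networks) -> list:
    """OpenVPN server directives the two pfSense fields correspond to: each Local Network
    is pushed to the client as a route, each Remote Network becomes a kernel route on the
    server pointing into the tunnel. (In SSL/TLS mode with several clients, OpenVPN also
    needs an 'iroute' in that client's Client Specific Override to know which client owns
    the network.)"""
    lines = []
    for n in local_networks:
        addr, mask = ipaddress.ip_network(n).with_netmask.split("/")
        lines.append(f'push "route {addr} {mask}"')
    for n in remote_networks:
        addr, mask = ipaddress.ip_network(n).with_netmask.split("/")
        lines.append(f"route {addr} {mask}")
    return lines


def parse_routes(netstat_output: str) -> dict:
    """Map each destination network in a BSD 'netstat -rn' dump to its interface."""
    routes = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dest:
            dest += "/32"           # host route
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue                # header line or anything that is not an IPv4 destination
        routes[str(net)] = parts[3]
    return routes


def missing_routes(netstat_output: str, expected_networks, tunnel_iface: str) -> list:
    """Networks that must reach the far side through the tunnel but are absent from the
    table or point at a different interface. Empty list: routing on this side is complete."""
    routes = parse_routes(netstat_output)
    missing = []
    for n in expected_networks:
        key = str(ipaddress.ip_network(n))
        if routes.get(key) != tunnel_iface:
            missing.append(key)
    return sorted(missing)


if __name__ == "__main__":
    print("\n".join(openvpn_directives(LOCAL_NETWORKS, REMOTE_NETWORKS)))
    print("pfSense side, before:", missing_routes(NETSTAT_BEFORE, REMOTE_NETWORKS, TUNNEL_IFACE))
    print("pfSense side, after: ", missing_routes(NETSTAT_AFTER, REMOTE_NETWORKS, TUNNEL_IFACE))
```

The same `missing_routes` check applied on the LTE router, with LOCAL_NETWORKS as the expected list and its own tun interface, covers the other side of the tunnel; the endpoints being pingable only proves the tunnel network route exists, not the routes for the LANs behind it.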
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.