Netgate Discussion Forum

    How do I bring up a tunnel from a client on an adjacent network?

    senseivita

      Some time ago I had set up an IKEv2 server on a loopback address (127.0.0.2) to connect from anywhere all the time.

      It worked great, and as I mentioned, I could connect whether the clients were on the next directly attached subnet or from public addresses.

      Connection on Android devices was reliable but the only way to make them stick on iOS is setting up always-on profiles.

      It's a little messy though, basically when setting up always-on tunnels, iOS no longer authenticates as a user but as a machine account (https://support.apple.com/guide/mdm/always-on-vpn-configurations-mdm41cec49b6/1/web/1) and EAP doesn't work. When I finally got it right (Mutual RSA), only the public-inbound connection to the VPN server would be brought up successfully (iOS dials one from cellular, one from Wi-Fi). The one from Wi-Fi won't connect but it does seem to pass authentication and be in some sort of a loop:

      …
      charon		08[CFG] received stroke: delete connection 'con-mobile'
      charon		08[CFG] deleted connection 'con-mobile'
      charon		08[CFG] received stroke: add connection 'con-mobile'
      charon		08[CFG] conn con-mobile
      charon		08[CFG] left=127.0.0.2
      charon		08[CFG] leftsubnet=0.0.0.0/0
      charon		08[CFG] leftauth=pubkey
      charon		08[CFG] leftid=fqdn:tunnelserver.domain.tld
      charon		08[CFG] leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
      charon		08[CFG] right=%any
      charon		08[CFG] rightsourceip=10.7.0.0/24
      charon		08[CFG] rightdns=10.0.0.25,10.0.0.30
      charon		08[CFG] rightauth=pubkey
      charon		08[CFG] rightca=/CN=TunnelServerCertificateAuthority/
      charon		08[CFG] ike=aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes256gcm128-sha256-modp2048,aes128-sha1-modp1024,aes256-sha256-modp2048!
      charon		08[CFG] esp=aes256-sha1-modp2048,aes256-sha256-modp2048,aes192-sha1-modp2048,aes192-sha256-modp2048,aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048,aes128gcm96-sha1-modp2048,aes128gcm96-sha256-modp2048,aes128gcm64-sha1-modp2048,aes128gcm64-sha256-modp2048,aes256gcm128-sha1-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha1-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha1-modp2048,aes256gcm64-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
      charon		08[CFG] dpddelay=10
      charon		08[CFG] dpdtimeout=40
      charon		08[CFG] dpdaction=1
      charon		08[CFG] sha256_96=no
      charon		08[CFG] mediation=no
      charon		08[CFG] keyexchange=ikev2
      charon		08[CFG] reusing virtual IP address pool 10.7.0.0/24
      charon		08[CFG] loaded certificate "CN=TunnelServerCertificate" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt'
      charon		08[CFG] added configuration 'con-mobile'
      charon		11[CFG] vici client 10624 connected
      charon		11[CFG] vici client 10624 registered for: list-sa
      charon		15[CFG] vici client 10624 requests: list-sas
      charon		15[CFG] vici client 10624 disconnected
      charon		13[CFG] vici client 10625 connected
      charon		13[CFG] vici client 10625 registered for: list-sa
      charon		08[CFG] vici client 10625 requests: list-sas
      charon		13[CFG] vici client 10625 disconnected
      charon		13[CFG] vici client 10626 connected
      charon		07[CFG] vici client 10626 registered for: list-sa
      charon		09[CFG] vici client 10626 requests: list-sas
      charon		07[CFG] vici client 10626 disconnected
      charon		07[CFG] vici client 10627 connected
      charon		13[CFG] vici client 10627 registered for: list-sa
      charon		09[CFG] vici client 10627 requests: list-sas
      charon		13[CFG] vici client 10627 disconnected
      charon		13[CFG] vici client 10628 connected
      charon		09[CFG] vici client 10628 registered for: list-sa
      charon		13[CFG] vici client 10628 requests: list-sas
      charon		12[CFG] vici client 10628 disconnected
      charon		12[CFG] vici client 10629 connected
      charon		12[CFG] vici client 10629 registered for: list-sa
      charon		05[CFG] vici client 10629 requests: list-sas
      charon		05[CFG] vici client 10629 disconnected
      charon		13[CFG] vici client 10630 connected
      charon		01[CFG] vici client 10630 registered for: list-sa
      charon		13[CFG] vici client 10630 requests: list-sas
      charon		01[CFG] vici client 10630 disconnected
      charon		01[CFG] vici client 10631 connected
      charon		01[CFG] vici client 10631 registered for: list-sa
      charon		10[CFG] vici client 10631 requests: list-sas
      charon		10[CFG] vici client 10631 disconnected
      …
      

      I assume this is because the tunnel is not really needed to reach the subnet, from something I read in the pfSense book a long time ago about the tunnel endpoints not being reachable while the tunnel was up. It makes sense.

      But on the other hand, I already had it working both on the intranet and the Internet. Furthermore, if I set this up on Windows Server Remote Access Server, both tunnels are brought up despite being in the same…ish network conditions. If anything it should be worse because I usually set Windows Server to allocate a fragment of the same subnet while pfSense sets a completely different subnet for tunnel clients--if that's even the problem here, I'm really just talking out of my A 😅

      Could you two-plus-two-it for me, please? I'm really lost here.

      Thanks!

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

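    An added triage script, not part of the post above and not pfSense or strongSwan code: it reads charon log lines of the kind quoted in the post, separates connection reloads and vici status polls from actual IKE negotiation, and lists the ike=/esp= proposals that still offer legacy algorithms. The embedded sample is an abridged copy of the lines quoted in the post (the long esp= line is shortened), not newly captured traffic. The set of tokens treated as weak and the set of charon subsystems treated as negotiation traffic are this example's own assumptions.

```python
"""Triage helper for a strongSwan charon log excerpt (added example).

Reads pfSense/strongSwan charon log lines, separates config reloads and
vici status polls from actual IKE negotiation, and flags legacy algorithms
in the ike=/esp= proposal lines.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^charon\s+(\d+)\[(\w+)\]\s+(.*)$")
PROPOSAL_RE = re.compile(r"^(ike|esp)=(.*)$")

# Assumption: these tokens mark proposals a current deployment should drop
# (SHA-1/MD5 integrity, 3DES, 1024-bit or smaller MODP groups, NULL cipher).
WEAK_TOKENS = {"sha1", "md5", "3des", "modp1024", "modp768", "null"}
# Assumption: only these charon subsystems carry IKE exchange messages.
NEGOTIATION_SUBSYSTEMS = {"IKE", "NET", "ENC", "CHD"}

# Constructed sample: an abridged copy of the lines quoted in the post.
SAMPLE_LOG = """\
charon  08[CFG] received stroke: delete connection 'con-mobile'
charon  08[CFG] deleted connection 'con-mobile'
charon  08[CFG] received stroke: add connection 'con-mobile'
charon  08[CFG] ike=aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes256gcm128-sha256-modp2048,aes128-sha1-modp1024,aes256-sha256-modp2048!
charon  08[CFG] esp=aes256-sha1-modp2048,aes128-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
charon  08[CFG] added configuration 'con-mobile'
charon  11[CFG] vici client 10624 connected
charon  11[CFG] vici client 10624 registered for: list-sa
charon  15[CFG] vici client 10624 requests: list-sas
charon  15[CFG] vici client 10624 disconnected
charon  13[CFG] vici client 10625 connected
charon  13[CFG] vici client 10625 registered for: list-sa
charon  08[CFG] vici client 10625 requests: list-sas
charon  13[CFG] vici client 10625 disconnected
"""


def parse_line(line):
    """Return (thread, subsystem, message) or None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def summarize(log):
    """Count what kind of activity the excerpt actually contains."""
    counts = {"lines": 0, "subsystems": Counter(), "conn_reloads": 0,
              "vici_status_polls": 0, "negotiation_lines": 0}
    for raw in log.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, subsystem, msg = parsed
        counts["lines"] += 1
        counts["subsystems"][subsystem] += 1
        if msg.startswith("received stroke: add connection"):
            counts["conn_reloads"] += 1
        if msg.startswith("vici client") and "requests: list-sas" in msg:
            counts["vici_status_polls"] += 1
        if (subsystem in NEGOTIATION_SUBSYSTEMS
                or "IKE_SA_INIT" in msg or "IKE_AUTH" in msg):
            counts["negotiation_lines"] += 1
    return counts


def weak_proposals(log):
    """Map 'ike'/'esp' to the sorted proposals that use a weak token."""
    found = {"ike": set(), "esp": set()}
    for raw in log.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        m = PROPOSAL_RE.match(parsed[2])
        if not m:
            continue
        kind, proposals = m.group(1), m.group(2).rstrip("!")
        for prop in proposals.split(","):
            if WEAK_TOKENS & set(prop.split("-")):
                found[kind].add(prop)
    return {kind: sorted(props) for kind, props in found.items()}


def diagnose(log):
    """Turn the counts into the observations a reader of the excerpt needs."""
    s = summarize(log)
    notes = []
    if s["negotiation_lines"] == 0:
        notes.append("no IKE exchange logged: no IKE_SA_INIT/IKE_AUTH "
                     "from the client appears in this excerpt")
    if s["vici_status_polls"]:
        notes.append(f"{s['vici_status_polls']} vici list-sas polls: "
                     "status queries from the GUI, not tunnel traffic")
    if s["conn_reloads"]:
        notes.append(f"{s['conn_reloads']} reload(s) of the conn via stroke")
    for kind, props in weak_proposals(log).items():
        if props:
            notes.append(f"legacy {kind} proposals still offered: "
                         + ", ".join(props))
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_LOG):
        print("-", note)
```

    Run it against a fuller capture (for example the charon log exported from the IPsec status page) to confirm whether the Wi-Fi attempt ever produces [IKE] or [NET] lines; an excerpt that contains only [CFG] reloads and vici polls shows no IKE exchange at all, which is a different failure mode from an authentication loop.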
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.