[Solved] IPSec doesn't work if behind NAT
-
Hi everybody,
With the recent lockdown of the country, my company needs to increase the capacity of its VPN. We decided to use pfSense to set up a second L2TP/IPSec VPN.
I set up an L2TP/IPSec VPN as described in the Netgate docs. If I try to connect from a workstation inside the company, the tunnel comes up fine. But if I try from my home (with the same configuration/OS) it fails... The pfSense box must be inside the company network, so we must access it from the outside through NAT.
Here is the network topology:
LAN Network => pfSense Box => WAN Network => NAT Router => Internet
10.130.166.0/24 => 10.130.166.10 | 10.130.163.208 => 10.130.163.0/24 => X.X.X.X/24
I want my users (W10 clients) to connect from home (behind their ISP) to the LAN network using L2TP/IPSec VPN, like this:
User (192.168.1.X) => ISP Box (A.B.C.D) => VPN NAT IP (X.X.X.X) => pfSense Box => LAN Network
Here is my configuration:
Mobile Client Tab :
- IKE Extensions: Enabled
- User Authentication: Local Database
- All other checkboxes: Unchecked
Tunnel Phase 1:
- Key version: IKEv1
- Protocol: IPv4
- Interface: WAN
- Auth method: Mutual PSK
- Nego. mode: Main
- My Identifier: IP Address => X.X.X.X
- Encryption: AES 256 bits / SHA1 / DH group 14 (2048 bits)
- Lifetime: 28800
- Disable rekey: Unchecked
- Responder Only: Unchecked
- NAT Traversal: Auto
- Enable DPD: Unchecked (W10 client doesn't support it)
Tunnel Phase 2:
- Mode: Transport
- Protocol: ESP
- Encryption Algo.: AES 128 bits
- Hash Algo.: SHA1
- PFS key group: off
- Lifetime: 3600
L2TP:
- Enable
- Server address: 10.130.166.11
- Remote address range: 10.130.166.128/25
- Number of users: 50
- Auth type: MS-CHAPv2 (W10 client doesn't work with CHAP)
- Primary L2TP DNS Server: 10.130.166.10
- RADIUS: Enable
- RADIUS Accounting: Enable
- ...
As explained before, if I try to connect from inside the company it works fine. But from outside (with the same workstation) it fails, with these logs:
charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 07[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 07[IKE] <23> sending XAuth vendor ID
charon: 07[IKE] <23> sending DPD vendor ID
charon: 07[IKE] <23> sending FRAGMENTATION vendor ID
charon: 07[IKE] <23> sending NAT-T (RFC 3947) vendor ID
charon: 07[ENC] <23> generating ID_PROT response 0 [ SA V V V V ]
charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (160 bytes)
charon: 07[NET] <23> received packet: from A.B.C.D[500] to 10.130.163.208[500] (388 bytes)
charon: 07[ENC] <23> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 07[LIB] <23> size of DH secret exponent: 2047 bits
charon: 07[IKE] <23> local host is behind NAT, sending keep alives
charon: 07[IKE] <23> remote host is behind NAT
charon: 07[CFG] <23> candidate "bypasslan", match: 1/1/24 (me/other/ike)
charon: 07[CFG] <23> candidate "con-mobile", match: 1/1/28 (me/other/ike)
charon: 07[ENC] <23> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (372 bytes)
charon: 07[NET] <23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
charon: 07[ENC] <23> parsed ID_PROT request 0 [ ID HASH ]
charon: 07[CFG] <23> looking for pre-shared key peer configs matching 10.130.163.208...A.B.C.D[192.168.1.15]
charon: 07[CFG] <23> candidate "bypasslan", match: 1/1/24 (me/other/ike)
charon: 07[CFG] <23> candidate "con-mobile", match: 1/1/28 (me/other/ike)
charon: 07[CFG] <23> selected peer config "con-mobile"
charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] established between 10.130.163.208[X.X.X.X]...A.B.C.D[192.168.1.15]
charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] state change: CONNECTING => ESTABLISHED
charon: 07[IKE] <con-mobile|23> scheduling reauthentication in 27826s
charon: 07[IKE] <con-mobile|23> maximum IKE_SA lifetime 28366s
charon: 07[ENC] <con-mobile|23> generating ID_PROT response 0 [ ID HASH ]
charon: 07[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (76 bytes)
charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
charon: 15[CFG] <con-mobile|23> 10.130.163.208/32|/0
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
charon: 15[CFG] <con-mobile|23> A.B.C.D/32|/0
charon: 15[CFG] <con-mobile|23> candidate "con-mobile" with prio 1+1
charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
charon: 15[CFG] <con-mobile|23> config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
charon: 15[CFG] <con-mobile|23> config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting proposal:
charon: 15[CFG] <con-mobile|23> proposal matches
charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH ]
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: CREATED => INSTALLING
charon: 15[CHD] <con-mobile|23> using AES_CBC for encryption
charon: 15[CHD] <con-mobile|23> using HMAC_SHA1_96 for integrity
charon: 15[CHD] <con-mobile|23> adding inbound ESP SA
charon: 15[CHD] <con-mobile|23> SPI 0xca5cf2dd, src A.B.C.D dst 10.130.163.208
charon: 15[CHD] <con-mobile|23> adding outbound ESP SA
charon: 15[CHD] <con-mobile|23> SPI 0x1b68de24, src 10.130.163.208 dst A.B.C.D
charon: 15[IKE] <con-mobile|23> CHILD_SA con-mobile{42} established with SPIs ca5cf2dd_i 1b68de24_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLING => INSTALLED
charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
charon: 15[CFG] <con-mobile|23> 10.130.163.208/32|/0
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
charon: 15[CFG] <con-mobile|23> A.B.C.D/32|/0
charon: 15[CFG] <con-mobile|23> candidate "con-mobile" with prio 1+1
charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
charon: 15[CFG] <con-mobile|23> config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
charon: 15[CFG] <con-mobile|23> config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting proposal:
charon: 15[CFG] <con-mobile|23> proposal matches
charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLED => REKEYING
charon: 15[IKE] <con-mobile|23> detected rekeying of CHILD_SA con-mobile{42}
charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
charon: 07[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
charon: 07[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH ]
charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: CREATED => INSTALLING
charon: 07[CHD] <con-mobile|23> using AES_CBC for encryption
charon: 07[CHD] <con-mobile|23> using HMAC_SHA1_96 for integrity
charon: 07[CHD] <con-mobile|23> adding inbound ESP SA
charon: 07[CHD] <con-mobile|23> SPI 0xc8b548f8, src A.B.C.D dst 10.130.163.208
charon: 07[CHD] <con-mobile|23> adding outbound ESP SA
charon: 07[CHD] <con-mobile|23> SPI 0xf8b312b4, src 10.130.163.208 dst A.B.C.D
charon: 07[IKE] <con-mobile|23> CHILD_SA con-mobile{43} established with SPIs c8b548f8_i f8b312b4_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: INSTALLING => INSTALLED
charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYING => REKEYED
charon: 14[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
charon: 14[ENC] <con-mobile|23> parsed INFORMATIONAL_V1 request 3505664253 [ HASH D ]
charon: 14[IKE] <con-mobile|23> received DELETE for ESP CHILD_SA with SPI 1b68de24
charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYED => DELETING
charon: 14[IKE] <con-mobile|23> closing CHILD_SA con-mobile{42} with SPIs ca5cf2dd_i (0 bytes) 1b68de24_o (0 bytes) and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETING => DELETED
charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETED => DESTROYING
Why is rekeying detected from outside (behind NAT) and not from inside? I've tried with "Disable rekey" checked, but it doesn't work either.
I hope somebody has a clue, I'm really lost...
Thanks
Bruno -
After some tests it appears that this problem occurs only with Windows 10 clients... The Linux L2TP client works fine, and macOS too!!
-
@bmacadre said in IPSec doesn't work if behind NAT:
After some tests it appears that this problem occurs only with Windows 10 clients... The Linux L2TP client works fine, and macOS too!!
That's a known problem. See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html
One of many reasons that L2TP/IPsec should be avoided.
-
Thanks for your reply, but I've already read this page and my problem doesn't appear on it.
I've just found the solution, it's just a bug in Windows 10.
You just need to add a registry key like this:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
Restart your computer and everything works like a charm!
And honestly, for me L2TP/IPSec is the best clientless VPN solution (my users can't install a client, so OpenVPN is not an option).
Regards,
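For rolling the registry fix above out to more than one Windows 10 machine, here is an added PowerShell script (not from the thread, and not Netgate's or Microsoft's code). It reads the current AssumeUDPEncapsulationContextOnSendRule DWORD under the PolicyAgent key given in the post, writes the value 2 only when the current value differs, and verifies the write before the user reboots. The meaning of the values in the comments (1 = only the server is behind NAT, 2 = both client and server may be behind NAT) is Microsoft's documented one; the function names Get-NatTRule and Set-NatTRule are my own.

```powershell
# Added example: apply the Windows 10 NAT-T registry fix from the thread idempotently.
# Must run in an elevated session; PolicyAgent only reads the value at boot, so a reboot is still required.
#Requires -RunAsAdministrator

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-NatTRule {
    # Returns the current DWORD, or $null when the value was never set
    # (Windows default behaviour with no value: assume no NAT on the path).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NatTRule {
    param(
        # 1 = only the VPN server is behind NAT; 2 = both client and server may be behind NAT.
        # The thread uses 2: home users sit behind their ISP box and pfSense behind the company NAT router.
        [ValidateSet(1, 2)]
        [int]$Desired = 2
    )
    $current = Get-NatTRule
    if ($current -eq $Desired) {
        Write-Host "$ValueName is already $Desired, nothing to do."
        return $false
    }
    # New-ItemProperty creates the DWORD; -Force overwrites an existing value of a different type or content.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
    Write-Host "$ValueName changed from '$current' to $Desired. Reboot required before the next VPN attempt."
    return $true
}

if (Set-NatTRule -Desired 2) {
    # Confirm the write landed before telling the user to reboot.
    if ((Get-NatTRule) -ne 2) { throw "Registry write of $ValueName did not persist." }
}
```

Run it once per affected client in an elevated PowerShell and reboot afterwards, which is the same requirement the REG ADD one-liner has. Because the function only writes when the value differs, it is safe to re-run on every logon or as a startup script.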