Netgate Discussion Forum
    [SOLVED] Connect to IPsec from local WLAN

    • stefanl

      Hi all!

      I've successfully set up IKEv2 with EAP-MSCHAPv2 for my mobile phones, following https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2. Everything works fine when they are on the mobile network or public wifi. I only have a problem with connecting if I'm on my own local (W)LAN. Connecting fails with:

      Client side

      Jan  8 09:57:09 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.4.67-cyanogenmod-g845a9ab, armv7l)
      Jan  8 09:57:09 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
      Jan  8 09:57:09 00[JOB] spawning 16 worker threads
      Jan  8 09:57:09 05[IKE] initiating IKE_SA android[1] to 10.0.0.2
      Jan  8 09:57:09 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan  8 09:57:09 05[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (744 bytes)
      Jan  8 09:57:09 04[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (38 bytes)
      Jan  8 09:57:09 04[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
      Jan  8 09:57:09 04[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
      Jan  8 09:57:09 04[IKE] initiating IKE_SA android[1] to 10.0.0.2
      Jan  8 09:57:09 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan  8 09:57:09 04[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (1064 bytes)
      Jan  8 09:57:10 08[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (609 bytes)
      Jan  8 09:57:10 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
      Jan  8 09:57:10 08[IKE] faking NAT situation to enforce UDP encapsulation
      Jan  8 09:57:10 08[IKE] received cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
      Jan  8 09:57:10 08[IKE] sending cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
      Jan  8 09:57:10 08[IKE] establishing CHILD_SA android
      Jan  8 09:57:10 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
      Jan  8 09:57:10 08[NET] sending packet: from 10.0.1.17[59790] to 10.0.0.2[4500] (544 bytes)
      Jan  8 09:57:10 09[NET] received packet: from 10.0.0.2[4500] to 10.0.1.17[59790] (80 bytes)
      Jan  8 09:57:10 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan  8 09:57:10 09[IKE] received AUTHENTICATION_FAILED notify error
      

      Server side (bottom to top)

      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
      Jan 8 13:18:23	charon		14[NET] <bypasslan|24> sending packet: from 10.0.0.2[4500] to 10.0.1.17[40215] (80 bytes)
      Jan 8 13:18:23	charon		14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> peer supports MOBIKE
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP6_DNS attribute
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP4_DNS attribute
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP6_ADDRESS attribute
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP4_ADDRESS attribute
      Jan 8 13:18:23	charon		14[CFG] <bypasslan|24> no alternative config found
      Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
      Jan 8 13:18:23	charon		14[CFG] <bypasslan|24> selected peer config 'bypasslan'
      Jan 8 13:18:23	charon		14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Jan 8 13:18:23	charon		14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
      Jan 8 13:18:23	charon		14[IKE] <24> received cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
      Jan 8 13:18:23	charon		14[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
      Jan 8 13:18:23	charon		14[NET] <24> received packet: from 10.0.1.17[40215] to 10.0.0.2[4500] (544 bytes)
      Jan 8 13:18:23	charon		14[NET] <24> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (609 bytes)
      Jan 8 13:18:23	charon		14[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
      Jan 8 13:18:23	charon		14[IKE] <24> sending cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
      Jan 8 13:18:23	charon		14[IKE] <24> remote host is behind NAT
      Jan 8 13:18:22	charon		14[CFG] <24> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
      Jan 8 13:18:22	charon		14[CFG] <24> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
      Jan 8 13:18:22	charon		14[CFG] <24> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
      Jan 8 13:18:22	charon		14[CFG] <24> proposal matches
      Jan 8 13:18:22	charon		14[CFG] <24> selecting proposal:
      Jan 8 13:18:22	charon		14[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
      Jan 8 13:18:22	charon		14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
      Jan 8 13:18:22	charon		14[CFG] <24> found matching ike config: %any...%any with prio 24
      Jan 8 13:18:22	charon		14[CFG] <24> candidate: %any...%any, prio 24
      Jan 8 13:18:22	charon		14[CFG] <24> looking for an ike config for 10.0.0.2...10.0.1.17
      Jan 8 13:18:22	charon		14[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 8 13:18:22	charon		14[NET] <24> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (1064 bytes)
      Jan 8 13:18:22	charon		14[IKE] <23> IKE_SA (unnamed)[23] state change: CONNECTING => DESTROYING
      Jan 8 13:18:22	charon		14[NET] <23> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (38 bytes)
      Jan 8 13:18:22	charon		14[ENC] <23> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
      Jan 8 13:18:22	charon		14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
      Jan 8 13:18:22	charon		14[IKE] <23> remote host is behind NAT
      Jan 8 13:18:22	charon		14[CFG] <23> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
      Jan 8 13:18:22	charon		14[CFG] <23> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
      Jan 8 13:18:22	charon		14[CFG] <23> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
      Jan 8 13:18:22	charon		14[CFG] <23> proposal matches
      Jan 8 13:18:22	charon		14[CFG] <23> selecting proposal:
      Jan 8 13:18:22	charon		14[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
      Jan 8 13:18:22	charon		14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
      Jan 8 13:18:22	charon		14[CFG] <23> found matching ike config: %any...%any with prio 24
      Jan 8 13:18:22	charon		14[CFG] <23> candidate: %any...%any, prio 24
      Jan 8 13:18:22	charon		14[CFG] <23> looking for an ike config for 10.0.0.2...10.0.1.17
      Jan 8 13:18:22	charon		14[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 8 13:18:22	charon		14[NET] <23> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (744 bytes)
      

      My certificate has 2 IP's, the local LAN and the public WAN. And the FQDN as common name and alternative name.

      My Phase 2:

      Mode Local Subnet Remote Subnet P2 Protocol P2 Transforms P2 Auth Methods
      tunnel 0.0.0.0/0 ESP AES (auto) SHA1, SHA256

      My LAN is 10.0.0.0/16, where DHCP is 10.0.1.0/24 and all my servers are in 10.0.0.0/24. IPsec is on 10.1.0.0/24.

      I'm on 2.3.2-RELEASE-p1 (amd64) on a PC Engines apu2c4.

      I think my error is somewhere in Phase 2, but I could easily be completely wrong.

      Since I'm struggling with this error for weeks now, I really hope someone can help me!

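The server-side log in the post above shows charon selecting the auto-generated 'bypasslan' peer config for the client arriving from 10.0.1.17, then logging "peer requested EAP, config inacceptable" and "no alternative config found" before answering IKE_AUTH with N(AUTH_FAILED). The script below is an added triage example, not code from the thread, from pfSense or from strongSwan: it parses charon log lines of that shape, groups them per IKE_SA id, and reports which peer config was chosen and which notify ended the negotiation, so a failed connection can be attributed to config matching rather than to credentials. The sample log lines are constructed to mirror the thread's server log, reordered into chronological order (the forum post prints them bottom to top).

```python
"""Triage helper for strongSwan charon logs (added example, not from the forum post)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's server-side log, oldest line first.
SAMPLE_LOG = """\
Jan 8 13:18:22 charon 14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22 charon 14[ENC] <23> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 13:18:22 charon 14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[CFG] <24> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:23 charon 14[IKE] <24> remote host is behind NAT
Jan 8 13:18:23 charon 14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
Jan 8 13:18:23 charon 14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23 charon 14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
"""

# One charon line: timestamp, "charon", thread[SUBSYSTEM], <[config|]sa-id>, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
    r"<(?:(?P<cfg>[^|>]+)\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
INIT_RE = re.compile(r"^(?P<ip>[\d.]+) is initiating an IKE_SA$")
CAND_RE = re.compile(r'^candidate "(?P<name>[^"]+)", match: (?P<score>[\d/]+)')
SELECT_RE = re.compile(r"^selected peer config '(?P<name>[^']+)'$")
PROPOSAL_RE = re.compile(r"^selected proposal: (?P<prop>\S+)$")
# Only responses that carry a single notify payload, i.e. error replies.
NOTIFY_RE = re.compile(r"generating IKE_\w+ response \d+ \[ N\((?P<notify>[A-Z_]+)\) \]")
STATE_RE = re.compile(r"state change: (?P<from>\w+) => (?P<to>\w+)$")
# Message fragments charon uses when it rejects what the peer asked for.
REJECTION_MARKERS = ("config inacceptable", "no alternative config found", "inacceptable, requesting")


def _new_record():
    return {"initiator": None, "candidates": [], "selected_config": None, "proposal": None,
            "behind_nat": False, "notifies": [], "rejections": [], "final_state": None}


def parse_charon_log(text):
    """Group charon lines by IKE_SA id and extract the fields relevant to triage."""
    sas = defaultdict(_new_record)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line in the expected shape; skip rather than guess
        rec = sas[int(m.group("sa"))]
        msg = m.group("msg")
        if (mm := INIT_RE.match(msg)):
            rec["initiator"] = mm.group("ip")
        elif (mm := CAND_RE.match(msg)):
            rec["candidates"].append(mm.group("name"))
        elif (mm := SELECT_RE.match(msg)):
            rec["selected_config"] = mm.group("name")
        elif (mm := PROPOSAL_RE.match(msg)):
            rec["proposal"] = mm.group("prop")
        elif (mm := NOTIFY_RE.search(msg)):
            rec["notifies"].append(mm.group("notify"))
        elif (mm := STATE_RE.search(msg)):
            rec["final_state"] = mm.group("to")
        elif msg == "remote host is behind NAT":
            rec["behind_nat"] = True
        if any(marker in msg for marker in REJECTION_MARKERS):
            rec["rejections"].append(msg)
    return dict(sas)


def triage(text):
    """Return one human-readable finding per IKE_SA that ended with an error notify."""
    findings = []
    for sa, rec in sorted(parse_charon_log(text).items()):
        who = rec["initiator"] or "unknown peer"
        if "INVAL_KE" in rec["notifies"]:
            findings.append(f"IKE_SA {sa} from {who}: INVAL_KE sent, initiator must retry with the "
                            f"requested DH group (expected, a new IKE_SA follows)")
        if "AUTH_FAILED" in rec["notifies"]:
            cfg = rec["selected_config"] or "no config"
            why = "; ".join(rec["rejections"]) or "reason not logged"
            cands = ", ".join(rec["candidates"]) or "none"
            findings.append(f"IKE_SA {sa} from {who}: AUTH_FAILED under peer config '{cfg}' "
                            f"({why}); candidate configs considered: {cands}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the thread's log, the script isolates the two distinct events: IKE_SA 23 is the normal INVAL_KE round-trip (the phone re-initiates with MODP_3072), while IKE_SA 24 fails because the only peer config charon considered was 'bypasslan', which does not offer EAP. That points the investigation at config selection for LAN-sourced peers rather than at Phase 2 or the EAP credentials.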
      • stefanl

        Nobody?

        If you need some additional info, please let me know!

        • stefanl

          This is how I got it working: In the Strongswan android app change the FQDN to the WAN IP of my modem. In my modem add a rule for port 500 + 4500 to pfSense.

          Now I can connect via my mobile provider and my own wifi.

          What I do not understand is why I have to add a specific rule in my modem to forward port 500 + 4500, since I already forward ALL traffic to my pfSense box.

          If there's a better way to accomplish this, I would love to hear.

          • Perino

            Hello Stefani,

            I have the same issue as you have seen in https://forum.pfsense.org/index.php?topic=126332.0

            My question, did you resolve the issue? For me it is not really clear whether you can connect from internal LAN now?

            Thanks, Perino

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.