[SOLVED] Connect to IPsec from local WLAN
-
Hi all!
I've successfully set up IKEv2 with EAP-MSCHAPv2 for my mobile phones, following https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2. Everything works fine when they are on the mobile network or public wifi. I only have a problem with connecting if I'm on my own local (W)LAN. Connecting fails with:
Client side
Jan 8 09:57:09 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.4.67-cyanogenmod-g845a9ab, armv7l)
Jan 8 09:57:09 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 8 09:57:09 00[JOB] spawning 16 worker threads
Jan 8 09:57:09 05[IKE] initiating IKE_SA android[1] to 10.0.0.2
Jan 8 09:57:09 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 09:57:09 05[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (744 bytes)
Jan 8 09:57:09 04[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (38 bytes)
Jan 8 09:57:09 04[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 09:57:09 04[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Jan 8 09:57:09 04[IKE] initiating IKE_SA android[1] to 10.0.0.2
Jan 8 09:57:09 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 09:57:09 04[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (1064 bytes)
Jan 8 09:57:10 08[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (609 bytes)
Jan 8 09:57:10 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jan 8 09:57:10 08[IKE] faking NAT situation to enforce UDP encapsulation
Jan 8 09:57:10 08[IKE] received cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
Jan 8 09:57:10 08[IKE] sending cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
Jan 8 09:57:10 08[IKE] establishing CHILD_SA android
Jan 8 09:57:10 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 8 09:57:10 08[NET] sending packet: from 10.0.1.17[59790] to 10.0.0.2[4500] (544 bytes)
Jan 8 09:57:10 09[NET] received packet: from 10.0.0.2[4500] to 10.0.1.17[59790] (80 bytes)
Jan 8 09:57:10 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 09:57:10 09[IKE] received AUTHENTICATION_FAILED notify error
Server side (bottom to top)
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
Jan 8 13:18:23 charon 14[NET] <bypasslan|24> sending packet: from 10.0.0.2[4500] to 10.0.1.17[40215] (80 bytes)
Jan 8 13:18:23 charon 14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer supports MOBIKE
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP6_DNS attribute
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP4_DNS attribute
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP6_ADDRESS attribute
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP4_ADDRESS attribute
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23 charon 14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 8 13:18:23 charon 14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
Jan 8 13:18:23 charon 14[IKE] <24> received cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
Jan 8 13:18:23 charon 14[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 8 13:18:23 charon 14[NET] <24> received packet: from 10.0.1.17[40215] to 10.0.0.2[4500] (544 bytes)
Jan 8 13:18:23 charon 14[NET] <24> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (609 bytes)
Jan 8 13:18:23 charon 14[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jan 8 13:18:23 charon 14[IKE] <24> sending cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
Jan 8 13:18:23 charon 14[IKE] <24> remote host is behind NAT
Jan 8 13:18:22 charon 14[CFG] <24> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22 charon 14[CFG] <24> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <24> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <24> proposal matches
Jan 8 13:18:22 charon 14[CFG] <24> selecting proposal:
Jan 8 13:18:22 charon 14[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
Jan 8 13:18:22 charon 14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[CFG] <24> found matching ike config: %any...%any with prio 24
Jan 8 13:18:22 charon 14[CFG] <24> candidate: %any...%any, prio 24
Jan 8 13:18:22 charon 14[CFG] <24> looking for an ike config for 10.0.0.2...10.0.1.17
Jan 8 13:18:22 charon 14[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 13:18:22 charon 14[NET] <24> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (1064 bytes)
Jan 8 13:18:22 charon 14[IKE] <23> IKE_SA (unnamed)[23] state change: CONNECTING => DESTROYING
Jan 8 13:18:22 charon 14[NET] <23> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (38 bytes)
Jan 8 13:18:22 charon 14[ENC] <23> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 13:18:22 charon 14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22 charon 14[IKE] <23> remote host is behind NAT
Jan 8 13:18:22 charon 14[CFG] <23> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22 charon 14[CFG] <23> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <23> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <23> proposal matches
Jan 8 13:18:22 charon 14[CFG] <23> selecting proposal:
Jan 8 13:18:22 charon 14[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Jan 8 13:18:22 charon 14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[CFG] <23> found matching ike config: %any...%any with prio 24
Jan 8 13:18:22 charon 14[CFG] <23> candidate: %any...%any, prio 24
Jan 8 13:18:22 charon 14[CFG] <23> looking for an ike config for 10.0.0.2...10.0.1.17
Jan 8 13:18:22 charon 14[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 13:18:22 charon 14[NET] <23> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (744 bytes)
My certificate has 2 IP's, the local LAN and the public WAN. And the FQDN as common name and alternative name.
My Phase 2:
Mode   | Local Subnet | Remote Subnet | P2 Protocol | P2 Transforms | P2 Auth Methods
tunnel | 0.0.0.0/0    |               | ESP         | AES (auto)    | SHA1, SHA256

My LAN is 10.0.0.0/16, where DHCP is 10.0.1.0/24 and all my servers are in 10.0.0.0/24. IPsec is on 10.1.0.0/24.
I'm on 2.3.2-RELEASE-p1 (amd64) on a PC Engines apu2c4.
I think my error is somewhere in Phase 2, but I could easily be completely wrong.
Since I've been struggling with this error for weeks now, I really hope someone can help me!
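The server-side log above contains the answer to "which config did charon pick, and why did it reject the client" in three adjacent lines: "looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]", "selected peer config 'bypasslan'" and "peer requested EAP, config inacceptable". Reading that by hand out of a reverse-ordered, wrapped syslog dump is error-prone, so here is a small triage script that does it mechanically. It is an added example written for this page, not code from the poster or from pfSense/strongSwan; the sample log embedded in it is a constructed subset of the lines quoted in the post, and the field names (IkeSa, diagnose, parse_charon_log) are this example's own.

```python
"""Triage a strongSwan (charon) log for a rejected IKEv2 road-warrior connection.

Added example, not part of the forum post. Groups pfSense-style charon log
lines by IKE_SA number, records which local address the client dialled, which
peer config charon selected and which notifies were sent back, then produces
a one-line finding per IKE_SA.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the server-side lines quoted in the post,
# in the order pfSense shows them (newest line first).
SAMPLE_LOG = """\
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
Jan 8 13:18:23 charon 14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23 charon 14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 8 13:18:23 charon 14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
Jan 8 13:18:22 charon 14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[ENC] <23> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 13:18:22 charon 14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22 charon 14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
"""

# "charon 14[CFG] <bypasslan|24> msg" or "charon 14[CFG] <24> msg"
LINE_RE = re.compile(
    r"charon \d+\[(?P<group>[A-Z]+)\] <(?:(?P<name>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
# "looking for peer configs matching ME[ME_ID]...OTHER[OTHER_ID]"
PEER_RE = re.compile(
    r"looking for peer configs matching (?P<me>\S+?)\[(?P<me_id>[^\]]*)\]"
    r"\.\.\.(?P<other>\S+?)\[(?P<other_id>[^\]]*)\]"
)


@dataclass
class IkeSa:
    sa: str
    initiator: str = ""        # peer address that sent IKE_SA_INIT
    local_addr: str = ""       # our address the peer dialled
    peer_id: str = ""          # IDi the peer presented in IKE_AUTH
    selected_config: str = ""  # peer config charon matched
    reasons: list = field(default_factory=list)  # rejection messages
    result: str = "unknown"    # notify we answered with, if any


def parse_charon_log(text, newest_first=True):
    """Return {sa_number: IkeSa} built from charon log lines."""
    lines = text.splitlines()
    if newest_first:
        lines = list(reversed(lines))  # process in chronological order
    sas = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], IkeSa(sa=m["sa"]))
        msg = m["msg"]
        pm = PEER_RE.search(msg)
        if msg.endswith("is initiating an IKE_SA"):
            sa.initiator = msg.split()[0]
        elif pm:
            sa.local_addr, sa.peer_id = pm["me"], pm["other_id"]
        elif msg.startswith("selected peer config"):
            sa.selected_config = msg.split("'")[1]
        elif "inacceptable" in msg or "no alternative config" in msg:
            sa.reasons.append(msg)
        elif "N(AUTH_FAILED)" in msg:
            sa.result = "AUTH_FAILED"
        elif "N(INVAL_KE)" in msg:
            sa.result = "INVALID_KE_PAYLOAD (DH group renegotiation, not fatal)"
    return sas


def diagnose(sa):
    """One-line finding for an IKE_SA, or "" if nothing stands out."""
    if sa.result == "AUTH_FAILED" and any("peer requested EAP" in r for r in sa.reasons):
        return (f"IKE_SA {sa.sa}: client {sa.initiator} ({sa.peer_id}) dialled local "
                f"address {sa.local_addr}; charon matched connection "
                f"'{sa.selected_config}', which rejected EAP ({'; '.join(sa.reasons)}). "
                f"Check which connection is bound to the address the client connects to.")
    return ""


if __name__ == "__main__":
    for ike_sa in parse_charon_log(SAMPLE_LOG).values():
        print(diagnose(ike_sa) or f"IKE_SA {ike_sa.sa}: {ike_sa.result}")
```

Run against the post's log it reports that IKE_SA 23 only died from the normal INVALID_KE_PAYLOAD group renegotiation, while IKE_SA 24 was matched to the connection named 'bypasslan' because the client dialled 10.0.0.2, and that connection answered the EAP request with AUTH_FAILED. The script takes any charon log in the same format, so it is equally usable on a live /var/log/ipsec.log after `newest_first=False`.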
-
Nobody?
If you need some additional info, please let me know!
-
This is how I got it working: In the Strongswan android app change the FQDN to the WAN IP of my modem. In my modem add a rule for port 500 + 4500 to pfSense.
Now I can connect via my mobile provider and my own wifi.
What I do not understand is why I have to add a specific rule in my modem to forward port 500 + 4500, since I already forward ALL traffic to my pfSense box.
If there's a better way to accomplish this, I would love to hear.
-
Hello Stefani,
I have the same issue as you have seen in https://forum.pfsense.org/index.php?topic=126332.0
My question: did you resolve the issue? For me it is not really clear whether you can connect from the internal LAN now.
Thanks, Perino