IKEv2/IPsec as VPN client to VPN service



  • Hello,

    I am trying to set up a VPN provider connection via the IKEv2 protocol. I am using the following configuration in ipsec.conf:

    conn nord
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity="Username"
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=178.132.78.136
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=add

    and according to the logs it seems the tunnel is up and running:

    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: ipsec up nord
    initiating IKE_SA nord[1] to 178.132.78.136
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from 10.0.2.15[500] to 178.132.78.136[500] (806 bytes)
    received packet: from 178.132.78.136[500] to 10.0.2.15[500] (38 bytes)
    parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    peer didn't accept DH group CURVE_25519, it requested MODP_2048
    initiating IKE_SA nord[1] to 178.132.78.136
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from 10.0.2.15[500] to 178.132.78.136[500] (1030 bytes)
    received packet: from 178.132.78.136[500] to 10.0.2.15[500] (464 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    local host is behind NAT, sending keep alives
    sending cert request for "C=PA, O=NordVPN, CN=NordVPN Root CA"
    no IDi configured, fall back on IP address
    establishing CHILD_SA nord{1}
    generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (396 bytes)
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
    parsed IKE_AUTH response 1 [ EF(1/6) ]
    received fragment #1 of 6, waiting for complete IKE message
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
    parsed IKE_AUTH response 1 [ EF(3/6) ]
    received fragment #3 of 6, waiting for complete IKE message
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
    parsed IKE_AUTH response 1 [ EF(4/6) ]
    received fragment #4 of 6, waiting for complete IKE message
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
    parsed IKE_AUTH response 1 [ EF(5/6) ]
    received fragment #5 of 6, waiting for complete IKE message
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (480 bytes)
    parsed IKE_AUTH response 1 [ EF(6/6) ]
    received fragment #6 of 6, waiting for complete IKE message
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (544 bytes)
    parsed IKE_AUTH response 1 [ EF(2/6) ]
    received fragment #2 of 6, reassembling fragmented IKE message
    parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
    received end entity cert "CN=se17.nordvpn.com"
    received issuer cert "C=PA, O=NordVPN, CN=NordVPN CA2"
      using certificate "CN=se17.nordvpn.com"
      using untrusted intermediate certificate "C=PA, O=NordVPN, CN=NordVPN CA2"
    checking certificate status of "CN=se17.nordvpn.com"
    certificate status is not available
      using trusted ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA"
    checking certificate status of "C=PA, O=NordVPN, CN=NordVPN CA2"
    certificate status is not available
      reached self-signed root ca with a path length of 1
    authentication of 'se17.nordvpn.com' with RSA_EMSA_PKCS1_SHA2_256 successful
    server requested EAP_IDENTITY (id 0x00), sending 'Username'
    generating IKE_AUTH request 2 [ EAP/RES/ID ]
    sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (92 bytes)
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (76 bytes)
    parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
    server requested EAP_PEAP authentication (id 0x01)
    requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
    generating IKE_AUTH request 3 [ EAP/RES/NAK ]
    sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (76 bytes)
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (108 bytes)
    parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    server requested EAP_MSCHAPV2 authentication (id 0x02)
    generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (140 bytes)
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (124 bytes)
    parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
    EAP-MS-CHAPv2 succeeded: '(null)'
    generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
    sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (76 bytes)
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (76 bytes)
    parsed IKE_AUTH response 5 [ EAP/SUCC ]
    EAP method EAP_MSCHAPV2 succeeded, MSK established
    authentication of '10.0.2.15' (myself) with EAP
    generating IKE_AUTH request 6 [ AUTH ]
    sending packet: from 10.0.2.15[4500] to 178.132.78.136[4500] (92 bytes)
    received packet: from 178.132.78.136[4500] to 10.0.2.15[4500] (348 bytes)
    parsed IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS MASK) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    authentication of 'se17.nordvpn.com' with EAP successful
    IKE_SA nord[1] established between 10.0.2.15[10.0.2.15]...178.132.78.136[se17.nordvpn.com]
    scheduling reauthentication in 10233s
    maximum IKE_SA lifetime 10773s
    installing DNS server 78.46.223.24 via resolvconf
    resolvconf: cp: /dev/null.bak: Operation not supported
    installing DNS server 162.242.211.137 via resolvconf
    resolvconf: cp: /dev/null.bak: Operation not supported
    handling INTERNAL_IP4_NETMASK attribute failed
    installing new virtual IP 10.6.6.29
    created TUN device: tun0
    CHILD_SA nord{1} established with SPIs ced806f6_i ca9d3db6_o and TS 10.6.6.29/32|/0 === 0.0.0.0/0|/0
    received AUTH_LIFETIME of 27944s, reauthentication already scheduled in 10233s
    connection 'nord' established successfully
    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: ipsec status
    Security Associations (1 up, 0 connecting):
            nord[1]: ESTABLISHED 69 seconds ago, 10.0.2.15[10.0.2.15]...178.132.78.136[se17.nordvpn.com]
            nord{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ced806f6_i ca9d3db6_o
            nord{1}:  10.6.6.29/32|/0 === 0.0.0.0/0|/0
    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: ifconfig tun0
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::a00:27ff:fe7d:850a%tun0 prefixlen 64 scopeid 0x7
            inet 10.6.6.29 --> 10.6.6.29  netmask 0xffffffff
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            groups: tun
            Opened by PID 94214

    However, all connections still go through the ISP connection. Do you guys maybe know any reason or cause?


  • LAYER 8 Netgate

    Because only traffic from 10.6.6.29/32 will be interesting to IPsec and sent out the tunnel.

    I don't think there is any facility for pfSense to behave like a mobile IPsec client.

    You cannot policy route and outbound NAT to a gateway on an IPsec tunnel like you can with an OpenVPN-assigned interface.

    It looks like you have gotten pretty close though.
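An added example (not code from the thread or from Netgate) that makes the reply above concrete: it parses the traffic-selector lines of strongSwan's `ipsec status` output, as quoted in the first post, and reports whether a given source subnet is covered by the CHILD_SA's local selector. The LAN subnet 192.168.1.0/24 is an assumed value for illustration.

```python
import ipaddress
import re

# Constructed sample input: the `ipsec status` output quoted in the thread above.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
        nord[1]: ESTABLISHED 69 seconds ago, 10.0.2.15[10.0.2.15]...178.132.78.136[se17.nordvpn.com]
        nord{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ced806f6_i ca9d3db6_o
        nord{1}:  10.6.6.29/32|/0 === 0.0.0.0/0|/0
"""

# CHILD_SA traffic-selector line: "<conn>{<n>}:  <local TS ...> === <remote TS ...>"
TS_LINE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{\d+\}:\s+(?P<local>.+?) === (?P<remote>.+?)\s*$")


def _to_network(ts):
    # A selector looks like "10.6.6.29/32|/0" or "10.0.0.0/8[tcp/80]";
    # only the address prefix decides which source addresses the SA will carry.
    return ipaddress.ip_network(re.match(r"[^\[|]+", ts).group(0))


def parse_traffic_selectors(status_text):
    """Map conn name -> (local networks, remote networks) for each installed CHILD_SA."""
    result = {}
    for line in status_text.splitlines():
        m = TS_LINE.match(line)
        if m:
            local = [_to_network(ts) for ts in m.group("local").split()]
            remote = [_to_network(ts) for ts in m.group("remote").split()]
            result[m.group("conn")] = (local, remote)
    return result


def covered_by_tunnel(status_text, conn, src_subnet):
    """True if every address in src_subnet lies inside the CHILD_SA's local traffic
    selector, i.e. its packets are 'interesting' and get encapsulated. Otherwise the
    kernel routes them normally (out the WAN), which is the symptom in this thread."""
    local, _remote = parse_traffic_selectors(status_text)[conn]
    src = ipaddress.ip_network(src_subnet)
    return any(src.version == net.version and src.subnet_of(net) for net in local)


if __name__ == "__main__":
    # Assumed LAN subnet 192.168.1.0/24; only the assigned virtual IP matches the selector.
    for subnet in ("10.6.6.29/32", "192.168.1.0/24"):
        state = "tunnelled" if covered_by_tunnel(SAMPLE_STATUS, "nord", subnet) else "not tunnelled"
        print(subnet, "->", state)
```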



  • Hmmm that's sad :/

    Although, I tried pinging the gateway of the VPN, 10.6.6.1, and it seems the IPsec tunnel receives and sends packets to the server. I guess I will try to do more research into strongSwan and hope I will find something there.



  • Hey, once more.

    So, I have played around a little bit more with the configuration and I managed to force the OPT1 interface to be used on tun0:
    http://prntscr.com/iifq73

    I set manual NAT rules and forced LAN to go through the OPT1 gateway, but that did not do the trick.

    Maybe you guys have any trick up your sleeve? It feels as if all the configuration is so close.

