IPSEC mobile client in transport mode: possible? No subnets defined somehow
-
As I struggled to get OpenVPN working for an external LTE router (Westermo MRD405), we switched to an IPsec mobile client setup.
The main goal: an external site with subnet 172.16.160.0/27 behind that Westermo-Router should dial in via (some) VPN, and be tunneled to a local VLAN. A controller PC in that VLAN is accessible already via (1) OpenVPN Roadwarrior (= the external admin of the appliances at the sites) and (2) from LAN in-house.
I followed https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html AFAIK, but switched to "transport mode" as we need the remote subnet routed and not only one IP.
Is that possible at all?
I have a valid tunnel in "IPSEC - Status", logs look good mostly, but we don't get the subnets routed:
con-mobile: #8 Local subnets: /0[udp/l2f] Remote subnets: /0[udp/l2f]
Do we need L2TP for that??
I allowed UDP/1701 on the IPsec interface, without any change.
I can't choose subnets in my Phase 2 definition etc. and I am stuck somehow. The remote router also has no IPs, see logs:
Westermo MRD405 Syslog.txt
Feb 11 14:06:41 pluto[15440]: Using KLIPS IPsec interface code on 2.6.35.3-00225-gcb58267
Feb 11 14:06:41 pluto[15440]: could not open CA cert file 'ca.crt.0'
Feb 11 14:06:42 pluto[15440]: listening for IKE messages
Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:500
Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:4500
Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
Feb 11 14:06:42 pluto[15440]: added connection description "OURSITE_primary_TM0"
Feb 11 14:06:42 ipsec__plutorun: 002 added connection description "OURSITE_primary_TM0"
Feb 11 14:06:42 pluto[15440]: listening for IKE messages
Feb 11 14:06:42 pluto[15440]: forgetting secrets
Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
Feb 11 14:06:42 pluto[15440]: forgetting secrets
Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
Feb 11 14:06:42 pluto[15440]: could not open CA cert file 'ca.crt.0'
Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0": deleting connection
Feb 11 14:06:43 pluto[15440]: added connection description "OURSITE_primary_TM0"
Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0" #1: initiating Aggressive Mode #1, connection "OURSITE_primary_TM0"
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [XAUTH]
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [Dead Peer Detection]
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [RFC 3947] method set to=115
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'MY_WAN_IP'
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Answering XAUTH challenge with user='aba_n_ka'
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Successfully Authenticated
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: initiating Quick Mode PSK+ENCRYPT+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:e4e6a2ec proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: our client subnet returned doesn't match my proposal - us:10.77.210.120/32 vs them:77.119.129.39/32
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xca770ab1 <0x663d1199 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Any help would be appreciated here, especially as I have to connect more of those ;-)
--
And maybe I should go back to OpenVPN and fix the issues there (we only pinged the tunnel endpoints but not through. Another thread then ...)
thanks, Stefan
PS: PFS and DPD disabled right now to get it working first.
-
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html
https://www.youtube.com/watch?v=2IdV4CgHo3w
https://www.westermo.com/-/media/Files/User-guides/westermo_mg_6623-3210_brd-mrd.pdf (pp 162-187)
-
Thanks ;-)
I don't have issues with Site2Site-IPSEC when they have both static IPs, which isn't the case here.
I also have an IPsec doc for the MRD-405 already, but not for transport mode. We figured out the encryption and XAuth as you can see, but the IP routing is my problem here.
-
Transport mode is only for host-to-host connections. You need tunnel mode.
Phase 2 settings
Mode: Tunnel
Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
Protocol: ESP
Encryption Algorithms: AES 128 only
Hash Algorithms: SHA1 only
PFS key group: off
Lifetime: 28800
Then your device will get a virtual IP.
And then it is already necessary to think about routing through the IPsec tunnel (if it is possible) -
thanks. We had most of that and get
Feb 11 15:32:16 charon 15[IKE] <con-mobile|1> no matching CHILD_SA config found
[..]
Feb 11 15:32:26 charon 15[IKE] <con-mobile|1> received retransmit of request with ID 2293249901, but no response to retransmit
Do we need a tunnel network in VPN/IPsec/Mobile Clients: "Virtual Private Network" / "Network List"?
auth is fine, Phase1 as well.
thanks
-
@sgw
Show phase 2 settings on both sides of the tunnel
and PFSense IPSec log -
I have to leave now, so I can only share the last part of the remote site logs.
I'll provide Phase 2 infos later or tomorrow.
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,324} attrs={0,6,432}
000
000 "MYSITE_primary_TM0": 172.16.160.0/27===10.135.16.195<10.135.16.195>[@land_mob_ipsec,+XC+S=C]---10.135.16.195...MYIP<MYIP>[+XS+S=C]===0.0.0.0/0; unrouted; eroute owner: #0
000 "MYSITE_primary_TM0": myip=172.16.160.30; hisip=unset;
000 "MYSITE_primary_TM0": xauth info: myxauthuser=aba_n_ka;
000 "MYSITE_primary_TM0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
000 "MYSITE_primary_TM0": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 27,0; interface: wwan0;
000 "MYSITE_primary_TM0": newest ISAKMP SA: #5; newest IPsec SA: #0;
000 "MYSITE_primary_TM0": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "MYSITE_primary_TM0": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "MYSITE_primary_TM0": IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "MYSITE_primary_TM0": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "MYSITE_primary_TM0": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000 #6: "MYSITE_primary_TM0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "MYSITE_primary_TM0":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
pfsense:
Feb 11 15:48:02 charon 13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
Feb 11 15:48:02 charon 13[IKE] <con-mobile|2> no matching CHILD_SA config found
Feb 11 15:48:02 charon 13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
Feb 11 15:48:02 charon 13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
Feb 11 15:48:12 charon 13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:48:12 charon 13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
Feb 11 15:48:23 charon 13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
Feb 11 15:48:32 charon 13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:48:32 charon 13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
Feb 11 15:48:43 charon 13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
Feb 11 15:49:03 charon 13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
Feb 11 15:49:12 charon 13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:49:12 charon 13[ENC] <con-mobile|2> parsed QUICK_MODE request 1541153441 [ HASH SA No ID ID ]
Feb 11 15:49:12 charon 13[IKE] <con-mobile|2> no matching CHILD_SA config found
Feb 11 15:49:12 charon 13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 3407976374 [ HASH N(INVAL_ID) ]
Feb 11 15:49:12 charon 13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
Feb 11 15:49:23 charon 15[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:49:23 charon 15[IKE] <con-mobile|2> received retransmit of request with ID 1541153441, but no response to retransmit
I see that my local subnet (VLAN 160 on our side) does not get transferred to the LTE router.
my phase2:
tunnel ANLAGEN ESP AES (128 bits) SHA1
and I don't have "Remote subnet" in there (maybe correct because of dynamic IP on mobile side)
My Local Subnet is a VLAN, maybe I miss firewall rules? But I assume that comes later, at first we need the phase2 up, right?
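An added triage helper (written for this page, not code from the thread, from Westermo or from Netgate) that reads the kind of pluto and charon lines quoted above and reports the Phase 2 facts that matter here: whether the IPsec SA came up in transport or tunnel mode, whether both traffic selectors were plain /32 hosts, and whether pfSense found no Phase 2 config matching the proposal. The sample log lines are constructed after the quoted ones; function names are my own.

```python
import re

# Constructed sample lines, modelled on the pluto (Westermo) and charon
# (pfSense) output quoted in this thread; not a verbatim copy of either log.
PLUTO_LOG = """\
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: our client subnet returned doesn't match my proposal - us:10.77.210.120/32 vs them:77.119.129.39/32
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xca770ab1 <0x663d1199 xfrm=AES_128-HMAC_SHA1}
"""
CHARON_LOG = """\
Feb 11 15:48:02 charon 13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
Feb 11 15:48:02 charon 13[IKE] <con-mobile|2> no matching CHILD_SA config found
Feb 11 15:48:02 charon 13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
"""

SELECTOR_MISMATCH = re.compile(r"doesn't match my proposal - us:(\S+) vs them:(\S+)")
SA_MODE = re.compile(r"IPsec SA established (transport|tunnel) mode")


def triage_phase2(log: str) -> dict:
    """Summarise the Phase 2 (Quick Mode) outcome from pluto or charon log text."""
    result = {"mode": None, "selectors": None, "no_child_sa": False, "hints": []}
    for line in log.splitlines():
        m = SA_MODE.search(line)
        if m:
            result["mode"] = m.group(1)
        m = SELECTOR_MISMATCH.search(line)
        if m:
            result["selectors"] = (m.group(1), m.group(2))
        if "no matching CHILD_SA config found" in line:
            result["no_child_sa"] = True
    # Transport mode protects host-to-host traffic only: a site subnet such
    # as 172.16.160.0/27 can only be carried by a tunnel-mode SA.
    if result["mode"] == "transport":
        result["hints"].append("SA is transport mode; subnets need tunnel mode")
    if result["selectors"] and all(s.endswith("/32") for s in result["selectors"]):
        result["hints"].append("both traffic selectors are /32 hosts, no subnet negotiated")
    if result["no_child_sa"]:
        result["hints"].append("responder has no Phase 2 whose networks match the proposal")
    return result


def carries_subnets(result: dict) -> bool:
    """True only when a tunnel-mode SA came up with no selector mismatch."""
    return result["mode"] == "tunnel" and result["selectors"] is None and not result["no_child_sa"]


if __name__ == "__main__":
    for name, log in (("westermo", PLUTO_LOG), ("pfsense", CHARON_LOG)):
        print(name, triage_phase2(log))
```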
-
@sgw said in
I think such a connection is impossible, I should think; still, this type of connection is used for RW (road warrior) -
When there is no fixed IP address, for a site-to-site connection I would recommend an OpenVPN tunnel
-
@konstanti Yes, I see ... we had the OpenVPN tunnel up already and pinged the tunnel endpoints, but not the nets behind. Maybe settings on the LTE router, maybe my fault. We will retry on Friday, the other admin is away till then.
EDIT: I will maybe open another topic in "openvpn" section, but just mentioning:
/27 on the remote side, allowing that source net to the OPENVPN interface and target net /24 (VLAN). Unsure if that should be enough. Didn't see blocked packets in the firewall logs. -
@sgw
you need to configure the OPENVPN server correctly
so that the client knows about 10.135.16.195 and the server about 172.16.160.0/27 -
@konstanti that 10.135.16.195 ... don't know what that is. Maybe the dynamic WAN on the remote client side. Will check as soon as the admin gets back there. Thanks!
AND we have MultiWAN on our side. I had to add some rule back then, haven't found it yet.
-
yeah, probably.
On the OpenVPN side of the server, in the Tunnel Settings section, you can specify:
- IPv4 Local Network - the network to which you need access from the server side
- IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)
In this case, the client will know about the remote network behind the server and the server will know about your network 172.16.160.0/27
and shouldn't be a problem
-
@konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:
yeah, probably.
On the OpenVPN side of the server, in the Tunnel Settings section, you can specify:
- IPv4 Local Network - the network to which you need access from the server side
- IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)
Yes, we got that. Wrote to the guy, waiting for his changes, tomorrow, I assume.
I also made him change that /27 to /24, just to remove any special stuff to get it working first, then go on from there. -
@sgw
Good )))
If there are problems after establishing the connection, look at the routing table on your router: is there a route to the server network? And at the other side of the tunnel, too, you will have to check it ) -
@konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:
@sgw
Good )))
If there are problems after establishing the connection, look at the routing table on your router: is there a route to the server network? And at the other side of the tunnel, too, you will have to check it )
I have checked that as we tested. No routes to that /27 on pfSense, although the OpenVPN tunnel was up and we could ping the tunnel endpoints. So I wait for /27 -> /24 to remove that question.
-
@sgw
You can always create a static route to the server network , but it is better to do everything correctly so that the server itself sends this information to the client )))