IPSEC mobile client in transport mode: possible? No subnets defined somehow



  • As I struggled to get OpenVPN working for an external LTE-Router (Westermo MRD405) we switched to doing a IPSEC-mobile-client setup.

    The main goal: an external site with subnet 172.16.160.0/27 behind that Westermo-Router should dial in via (some) VPN, and be tunneled to a local VLAN. A controller PC in that VLAN is accessible already via (1) OpenVPN Roadwarrior (= the external admin of the appliances at the sites) and (2) from LAN in-house.

    I followed https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html AFAIK, but switched to "transport mode" as we need the remote subnet routed and not only one IP.

    Is that possible at all?

    I have a valid tunnel in "IPSEC - Status", logs look good mostly, but we don't get the subnets routed:

    con-mobile: #8
    Local subnets: 	/0[udp/l2f]
    Remote subnets:	/0[udp/l2f]
    

    Do we need L2TP for that??
    I allowed UDP/1701 on IPSEC interface without change.
    I can't choose subnets in my Phase2 definition etc and I am stuck somehow.

    The remote router also has no IPs, see logs:

    Westermo MRD405 Syslog.txt
    
    Feb 11 14:06:41 pluto[15440]: Using KLIPS IPsec interface code on 2.6.35.3-00225-gcb58267
    Feb 11 14:06:41 pluto[15440]:   could not open CA cert file 'ca.crt.0'
    Feb 11 14:06:42 pluto[15440]: listening for IKE messages
    Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:500
    Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:4500
    Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
    Feb 11 14:06:42 pluto[15440]: added connection description "OURSITE_primary_TM0"
    Feb 11 14:06:42 ipsec__plutorun: 002 added connection description "OURSITE_primary_TM0"
    Feb 11 14:06:42 pluto[15440]: listening for IKE messages
    Feb 11 14:06:42 pluto[15440]: forgetting secrets
    Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
    Feb 11 14:06:42 pluto[15440]: forgetting secrets
    Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
    Feb 11 14:06:42 pluto[15440]:   could not open CA cert file 'ca.crt.0'
    Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0": deleting connection
    Feb 11 14:06:43 pluto[15440]: added connection description "OURSITE_primary_TM0"
    Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0" #1: initiating Aggressive Mode #1, connection "OURSITE_primary_TM0"
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [XAUTH]
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [Dead Peer Detection]
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [RFC 3947] method set to=115 
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'MY_WAN_IP'
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Answering XAUTH challenge with user='aba_n_ka'
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
    Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Successfully Authenticated
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: initiating Quick Mode PSK+ENCRYPT+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:e4e6a2ec proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: our client subnet returned doesn't match my proposal - us:10.77.210.120/32 vs them:77.119.129.39/32
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xca770ab1 <0x663d1199 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
    
    

    Any help would be appreciated here, especially as I have to connect more of those ;-)

    --

    And maybe I should go back to OpenVPN and fix the issues there (we only pinged the tunnel endpoints but not through. Another thread then ...)

    thanks, Stefan

    PS: PFS and DPD disabled right now to get it working first.





  • @konstanti

    Thanks ;-)

    I don't have issues with Site2Site-IPSEC when they have both static IPs, which isn't the case here.
    I also have a IPSEC doc for the MRD-405 already, but not for transport mode.

    We figured out the encryption and xauth as you can see, but the IP routing is my problem here.



  • @sgw

    The transport mode is configured only for host-host connection. You need tunnel mode.

    Phase 2 settings

    Mode: Tunnel
    Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
    Protocol: ESP
    Encryption Algorithms: AES 128 only
    Hash Algorithms: SHA1 only
    PFS key group: off
    Lifetime: 28800

    Then your device will get a virtual IP
    And already then it is necessary to think of routing through ipsec tunnel ( if it is possible )



  • @konstanti

    thanks. We had most of that and get

    Feb 11 15:32:16	charon		15[IKE] <con-mobile|1> no matching CHILD_SA config found
    
    [..]
    
    Feb 11 15:32:26	charon		15[IKE] <con-mobile|1> received retransmit of request with ID 2293249901, but no response to retransmit
    

    Do we need a tunnel network in VPN/IPsec/Mobile Clients : "Virtual Private Network"

    "Network List" ?

    auth is fine, Phase1 as well.

    thanks



  • @sgw
    Show phase 2 settings on both sides of the tunnel
    and PFSense IPSec log



  • I have to leave now I can only share the last part of the remote site logs.
    I'll provide Phase2 infos later or tomorrow.

    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
    000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
    000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
    000  
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,324} attrs={0,6,432} 
    000  
    000 "MYSITE_primary_TM0": 172.16.160.0/27===10.135.16.195<10.135.16.195>[@land_mob_ipsec,+XC+S=C]---10.135.16.195...MYIP<MYIP>[+XS+S=C]===0.0.0.0/0; unrouted; eroute owner: #0
    000 "MYSITE_primary_TM0":     myip=172.16.160.30; hisip=unset;
    000 "MYSITE_primary_TM0":     xauth info: myxauthuser=aba_n_ka; 
    000 "MYSITE_primary_TM0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0 
    000 "MYSITE_primary_TM0":   policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 27,0; interface: wwan0; 
    000 "MYSITE_primary_TM0":   newest ISAKMP SA: #5; newest IPsec SA: #0; 
    000 "MYSITE_primary_TM0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
    000 "MYSITE_primary_TM0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
    000 "MYSITE_primary_TM0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
    000 "MYSITE_primary_TM0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
    000 "MYSITE_primary_TM0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
    000  
    000 #6: "MYSITE_primary_TM0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
    000 #5: "MYSITE_primary_TM0":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
    000  
    

    pfsense:

    Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
    Feb 11 15:48:02	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
    Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
    Feb 11 15:48:02	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
    Feb 11 15:48:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
    Feb 11 15:48:12	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
    Feb 11 15:48:23	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
    Feb 11 15:48:32	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
    Feb 11 15:48:32	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
    Feb 11 15:48:43	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
    Feb 11 15:49:03	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
    Feb 11 15:49:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
    Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1541153441 [ HASH SA No ID ID ]
    Feb 11 15:49:12	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
    Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 3407976374 [ HASH N(INVAL_ID) ]
    Feb 11 15:49:12	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
    Feb 11 15:49:23	charon		15[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
    Feb 11 15:49:23	charon		15[IKE] <con-mobile|2> received retransmit of request with ID 1541153441, but no response to retransmit
    

    I see that my local subnet (VLAN 160 on our side does not get transferred to the LTE-router.

    my phase2:

    tunnel ANLAGEN ESP AES (128 bits) SHA1

    and I don't have "Remote subnet" in there (maybe correct because of dynamic IP on mobile side)

    My Local Subnet is a VLAN, maybe I miss firewall rules? But I assume that comes later, at first we need the phase2 up, right?



  • @sgw said in
    I think such a connection is impossible ,I should think , still, this type of connection is used for RW (road warrior)



  • @sgw

    When there is no fixed ip address, for site-site connection I would recommend openvpn tunnel



  • @konstanti Yes, I see ... we had the openvpn tunnel up already and pinged the tunnel endpoints, but not the nets behind. Maybe settings on the LTE-router, maybe my fault. We will retry on friday, the other admin is away till then.

    EDIT: I will maybe open another topic in "openvpn" section, but just mentioning:
    /27 on remote side, allowing that source net to OPENVPN interface and target net /24 (VLAN). Unsure if that should be enough. Didn't see blocked packages in firewall logs.



  • @sgw
    there need correctly configure the OPENVPN server
    so that the client know about 10.135.16.195 and the server about 172.16.160.0/27



  • @konstanti that 10.135.16.195 ... don't know what that is. Maybe the dynamic WAN on the remote client side. Will check as soon as the admin gets back there. Thanks!

    AND we have MultiWAN on our side. I had to add some rule back then, haven't found it yet.



  • @sgw

    yeah, probably.
    On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

    1. IPv4 Local Network - the network to which you need access from the server side
    2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

    In this case, the client will know about the remote network behind the server and the server will know about your network 172.16.160.0/27

    and shouldn't be a problem



  • @konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

    @sgw

    yeah, probably.
    On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

    1. IPv4 Local Network - the network to which you need access from the server side
    2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

    Yes, we got that. Wrote to the guy, waiting for his changes, tomorrow, I assume.
    I also made him change that /27 to /24, just to remove any special stuff to get it working first, then goon from there.



  • @sgw
    Good )))
    If there are problems after establishing the connection, look at the routing table on your router-is there a route to the server network ? And at the other side of the tunnel, too, will have to check it )



  • @konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

    @sgw
    Good )))
    If there are problems after establishing the connection, look at the routing table on your router-is there a route to the server network ? And at the other side of the tunnel, too, will have to check it )

    I have checked that as we tested. No routes to that /27 on pfsense, although the ovpn-tunnel was up and we could ping the tunnel-endpoints. So I wait for /27 -> /24 to remove that q.



  • @sgw
    You can always create a static route to the server network , but it is better to do everything correctly so that the server itself sends this information to the client )))