IPSEC mobile client in transport mode: possible? No subnets defined somehow

sgw

As I struggled to get OpenVPN working for an external LTE-Router (Westermo MRD405) we switched to doing a IPSEC-mobile-client setup.

The main goal: an external site with subnet 172.16.160.0/27 behind that Westermo-Router should dial in via (some) VPN, and be tunneled to a local VLAN. A controller PC in that VLAN is accessible already via (1) OpenVPN Roadwarrior (= the external admin of the appliances at the sites) and (2) from LAN in-house.

I followed https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html AFAIK, but switched to "transport mode" as we need the remote subnet routed and not only one IP.

Is that possible at all?

I have a valid tunnel in "IPSEC - Status", logs look good mostly, but we don't get the subnets routed:

con-mobile: #8
Local subnets: 	/0[udp/l2f]
Remote subnets:	/0[udp/l2f]

Do we need L2TP for that??
I allowed UDP/1701 on IPSEC interface without change.
I can't choose subnets in my Phase2 definition etc and I am stuck somehow.

The remote router also has no IPs, see logs:

Westermo MRD405 Syslog.txt

Feb 11 14:06:41 pluto[15440]: Using KLIPS IPsec interface code on 2.6.35.3-00225-gcb58267
Feb 11 14:06:41 pluto[15440]:   could not open CA cert file 'ca.crt.0'
Feb 11 14:06:42 pluto[15440]: listening for IKE messages
Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:500
Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:4500
Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
Feb 11 14:06:42 pluto[15440]: added connection description "OURSITE_primary_TM0"
Feb 11 14:06:42 ipsec__plutorun: 002 added connection description "OURSITE_primary_TM0"
Feb 11 14:06:42 pluto[15440]: listening for IKE messages
Feb 11 14:06:42 pluto[15440]: forgetting secrets
Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
Feb 11 14:06:42 pluto[15440]: forgetting secrets
Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
Feb 11 14:06:42 pluto[15440]:   could not open CA cert file 'ca.crt.0'
Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0": deleting connection
Feb 11 14:06:43 pluto[15440]: added connection description "OURSITE_primary_TM0"
Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0" #1: initiating Aggressive Mode #1, connection "OURSITE_primary_TM0"
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [XAUTH]
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [Dead Peer Detection]
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [RFC 3947] method set to=115 
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'MY_WAN_IP'
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Answering XAUTH challenge with user='aba_n_ka'
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Successfully Authenticated
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: initiating Quick Mode PSK+ENCRYPT+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:e4e6a2ec proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: our client subnet returned doesn't match my proposal - us:10.77.210.120/32 vs them:77.119.129.39/32
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xca770ab1 <0x663d1199 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Any help would be appreciated here, especially as I have to connect more of those ;-)

--

And maybe I should go back to OpenVPN and fix the issues there (we only pinged the tunnel endpoints but not through. Another thread then ...)

thanks, Stefan

PS: PFS and DPD disabled right now to get it working first.

Konstanti

@sgw

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

https://www.youtube.com/watch?v=2IdV4CgHo3w

https://www.westermo.com/-/media/Files/User-guides/westermo_mg_6623-3210_brd-mrd.pdf (pp 162-187)

sgw

@konstanti

Thanks ;-)

I don't have issues with Site2Site-IPSEC when they have both static IPs, which isn't the case here.
I also have a IPSEC doc for the MRD-405 already, but not for transport mode.

We figured out the encryption and xauth as you can see, but the IP routing is my problem here.

Konstanti

@sgw

The transport mode is configured only for host-host connection. You need tunnel mode.

Phase 2 settings

Mode: Tunnel
Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
Protocol: ESP
Encryption Algorithms: AES 128 only
Hash Algorithms: SHA1 only
PFS key group: off
Lifetime: 28800

Then your device will get a virtual IP
And already then it is necessary to think of routing through ipsec tunnel ( if it is possible )

sgw

@konstanti

thanks. We had most of that and get

Feb 11 15:32:16	charon		15[IKE] <con-mobile|1> no matching CHILD_SA config found

[..]

Feb 11 15:32:26	charon		15[IKE] <con-mobile|1> received retransmit of request with ID 2293249901, but no response to retransmit

Do we need a tunnel network in VPN/IPsec/Mobile Clients : "Virtual Private Network"

"Network List" ?

auth is fine, Phase1 as well.

thanks

Konstanti

@sgw
Show phase 2 settings on both sides of the tunnel
and PFSense IPSec log

sgw

I have to leave now I can only share the last part of the remote site logs.
I'll provide Phase2 infos later or tomorrow.

000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,324} attrs={0,6,432} 
000  
000 "MYSITE_primary_TM0": 172.16.160.0/27===10.135.16.195<10.135.16.195>[@land_mob_ipsec,+XC+S=C]---10.135.16.195...MYIP<MYIP>[+XS+S=C]===0.0.0.0/0; unrouted; eroute owner: #0
000 "MYSITE_primary_TM0":     myip=172.16.160.30; hisip=unset;
000 "MYSITE_primary_TM0":     xauth info: myxauthuser=aba_n_ka; 
000 "MYSITE_primary_TM0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0 
000 "MYSITE_primary_TM0":   policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 27,0; interface: wwan0; 
000 "MYSITE_primary_TM0":   newest ISAKMP SA: #5; newest IPsec SA: #0; 
000 "MYSITE_primary_TM0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "MYSITE_primary_TM0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "MYSITE_primary_TM0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "MYSITE_primary_TM0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "MYSITE_primary_TM0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000  
000 #6: "MYSITE_primary_TM0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "MYSITE_primary_TM0":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000  

pfsense:

Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
Feb 11 15:48:02	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
Feb 11 15:48:02	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
Feb 11 15:48:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:48:12	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
Feb 11 15:48:23	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
Feb 11 15:48:32	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:48:32	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
Feb 11 15:48:43	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
Feb 11 15:49:03	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
Feb 11 15:49:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1541153441 [ HASH SA No ID ID ]
Feb 11 15:49:12	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 3407976374 [ HASH N(INVAL_ID) ]
Feb 11 15:49:12	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
Feb 11 15:49:23	charon		15[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
Feb 11 15:49:23	charon		15[IKE] <con-mobile|2> received retransmit of request with ID 1541153441, but no response to retransmit

I see that my local subnet (VLAN 160 on our side does not get transferred to the LTE-router.

my phase2:

tunnel ANLAGEN ESP AES (128 bits) SHA1

and I don't have "Remote subnet" in there (maybe correct because of dynamic IP on mobile side)

My Local Subnet is a VLAN, maybe I miss firewall rules? But I assume that comes later, at first we need the phase2 up, right?

Konstanti

@sgw said in
I think such a connection is impossible ,I should think , still, this type of connection is used for RW (road warrior)

Konstanti

@sgw

When there is no fixed ip address, for site-site connection I would recommend openvpn tunnel

sgw

@konstanti Yes, I see ... we had the openvpn tunnel up already and pinged the tunnel endpoints, but not the nets behind. Maybe settings on the LTE-router, maybe my fault. We will retry on friday, the other admin is away till then.

EDIT: I will maybe open another topic in "openvpn" section, but just mentioning:
/27 on remote side, allowing that source net to OPENVPN interface and target net /24 (VLAN). Unsure if that should be enough. Didn't see blocked packages in firewall logs.

Konstanti

@sgw
there need correctly configure the OPENVPN server
so that the client know about 10.135.16.195 and the server about 172.16.160.0/27

sgw

@konstanti that 10.135.16.195 ... don't know what that is. Maybe the dynamic WAN on the remote client side. Will check as soon as the admin gets back there. Thanks!

AND we have MultiWAN on our side. I had to add some rule back then, haven't found it yet.

Konstanti

@sgw

yeah, probably.
On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

1. IPv4 Local Network - the network to which you need access from the server side
2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

In this case, the client will know about the remote network behind the server and the server will know about your network 172.16.160.0/27

and shouldn't be a problem

sgw

@konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

@sgw

yeah, probably.
On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

1. IPv4 Local Network - the network to which you need access from the server side
2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

Yes, we got that. Wrote to the guy, waiting for his changes, tomorrow, I assume.
I also made him change that /27 to /24, just to remove any special stuff to get it working first, then goon from there.

Konstanti

@sgw
Good )))
If there are problems after establishing the connection, look at the routing table on your router-is there a route to the server network ? And at the other side of the tunnel, too, will have to check it )

sgw

@konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

@sgw
Good )))
If there are problems after establishing the connection, look at the routing table on your router-is there a route to the server network ? And at the other side of the tunnel, too, will have to check it )

I have checked that as we tested. No routes to that /27 on pfsense, although the ovpn-tunnel was up and we could ping the tunnel-endpoints. So I wait for /27 -> /24 to remove that q.

Konstanti

@sgw
You can always create a static route to the server network , but it is better to do everything correctly so that the server itself sends this information to the client )))