Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC mobile client in transport mode: possible? No subnets defined somehow

    Scheduled Pinned Locked Moved IPsec
    17 Posts 2 Posters 993 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sgw
      last edited by sgw

      As I struggled to get OpenVPN working for an external LTE-Router (Westermo MRD405) we switched to doing a IPSEC-mobile-client setup.

      The main goal: an external site with subnet 172.16.160.0/27 behind that Westermo-Router should dial in via (some) VPN, and be tunneled to a local VLAN. A controller PC in that VLAN is accessible already via (1) OpenVPN Roadwarrior (= the external admin of the appliances at the sites) and (2) from LAN in-house.

      I followed https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html AFAIK, but switched to "transport mode" as we need the remote subnet routed and not only one IP.

      Is that possible at all?

      I have a valid tunnel in "IPSEC - Status", logs look good mostly, but we don't get the subnets routed:

      con-mobile: #8
      Local subnets: 	/0[udp/l2f]
      Remote subnets:	/0[udp/l2f]
      

      Do we need L2TP for that??
      I allowed UDP/1701 on IPSEC interface without change.
      I can't choose subnets in my Phase2 definition etc and I am stuck somehow.

      The remote router also has no IPs, see logs:

      Westermo MRD405 Syslog.txt
      
      Feb 11 14:06:41 pluto[15440]: Using KLIPS IPsec interface code on 2.6.35.3-00225-gcb58267
      Feb 11 14:06:41 pluto[15440]:   could not open CA cert file 'ca.crt.0'
      Feb 11 14:06:42 pluto[15440]: listening for IKE messages
      Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:500
      Feb 11 14:06:42 pluto[15440]: adding interface ipsec0/wwan0 10.77.210.120:4500
      Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
      Feb 11 14:06:42 pluto[15440]: added connection description "OURSITE_primary_TM0"
      Feb 11 14:06:42 ipsec__plutorun: 002 added connection description "OURSITE_primary_TM0"
      Feb 11 14:06:42 pluto[15440]: listening for IKE messages
      Feb 11 14:06:42 pluto[15440]: forgetting secrets
      Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
      Feb 11 14:06:42 pluto[15440]: forgetting secrets
      Feb 11 14:06:42 pluto[15440]: loading secrets from "/etc/ipsec.secrets"
      Feb 11 14:06:42 pluto[15440]:   could not open CA cert file 'ca.crt.0'
      Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0": deleting connection
      Feb 11 14:06:43 pluto[15440]: added connection description "OURSITE_primary_TM0"
      Feb 11 14:06:43 pluto[15440]: "OURSITE_primary_TM0" #1: initiating Aggressive Mode #1, connection "OURSITE_primary_TM0"
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [XAUTH]
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [Dead Peer Detection]
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: received Vendor ID payload [RFC 3947] method set to=115 
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'MY_WAN_IP'
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Answering XAUTH challenge with user='aba_n_ka'
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
      Feb 11 14:06:53 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: XAUTH: Successfully Authenticated
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: initiating Quick Mode PSK+ENCRYPT+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:e4e6a2ec proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: our client subnet returned doesn't match my proposal - us:10.77.210.120/32 vs them:77.119.129.39/32
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
      Feb 11 14:06:55 pluto[15440]: "OURSITE_primary_TM0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xca770ab1 <0x663d1199 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
      
      

      Any help would be appreciated here, especially as I have to connect more of those ;-)

      --

      And maybe I should go back to OpenVPN and fix the issues there (we only pinged the tunnel endpoints but not through. Another thread then ...)

      thanks, Stefan

      PS: PFS and DPD disabled right now to get it working first.

      K 1 Reply Last reply Reply Quote 0
      • K
        Konstanti @sgw
        last edited by Konstanti

        @sgw

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

        https://www.youtube.com/watch?v=2IdV4CgHo3w

        https://www.westermo.com/-/media/Files/User-guides/westermo_mg_6623-3210_brd-mrd.pdf (pp 162-187)

        S 1 Reply Last reply Reply Quote 0
        • S
          sgw @Konstanti
          last edited by

          @konstanti

          Thanks ;-)

          I don't have issues with Site2Site-IPSEC when they have both static IPs, which isn't the case here.
          I also have a IPSEC doc for the MRD-405 already, but not for transport mode.

          We figured out the encryption and xauth as you can see, but the IP routing is my problem here.

          K 1 Reply Last reply Reply Quote 0
          • K
            Konstanti @sgw
            last edited by Konstanti

            @sgw

            The transport mode is configured only for host-host connection. You need tunnel mode.

            Phase 2 settings

            Mode: Tunnel
            Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
            Protocol: ESP
            Encryption Algorithms: AES 128 only
            Hash Algorithms: SHA1 only
            PFS key group: off
            Lifetime: 28800

            Then your device will get a virtual IP
            And already then it is necessary to think of routing through ipsec tunnel ( if it is possible )

            S 1 Reply Last reply Reply Quote 0
            • S
              sgw @Konstanti
              last edited by

              @konstanti

              thanks. We had most of that and get

              Feb 11 15:32:16	charon		15[IKE] <con-mobile|1> no matching CHILD_SA config found
              
              [..]
              
              Feb 11 15:32:26	charon		15[IKE] <con-mobile|1> received retransmit of request with ID 2293249901, but no response to retransmit
              

              Do we need a tunnel network in VPN/IPsec/Mobile Clients : "Virtual Private Network"

              "Network List" ?

              auth is fine, Phase1 as well.

              thanks

              K 1 Reply Last reply Reply Quote 0
              • K
                Konstanti @sgw
                last edited by

                @sgw
                Show phase 2 settings on both sides of the tunnel
                and PFSense IPSec log

                1 Reply Last reply Reply Quote 0
                • S
                  sgw
                  last edited by

                  I have to leave now I can only share the last part of the remote site logs.
                  I'll provide Phase2 infos later or tomorrow.

                  000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
                  000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
                  000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
                  000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
                  000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
                  000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
                  000  
                  000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,324} attrs={0,6,432} 
                  000  
                  000 "MYSITE_primary_TM0": 172.16.160.0/27===10.135.16.195<10.135.16.195>[@land_mob_ipsec,+XC+S=C]---10.135.16.195...MYIP<MYIP>[+XS+S=C]===0.0.0.0/0; unrouted; eroute owner: #0
                  000 "MYSITE_primary_TM0":     myip=172.16.160.30; hisip=unset;
                  000 "MYSITE_primary_TM0":     xauth info: myxauthuser=aba_n_ka; 
                  000 "MYSITE_primary_TM0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0 
                  000 "MYSITE_primary_TM0":   policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 27,0; interface: wwan0; 
                  000 "MYSITE_primary_TM0":   newest ISAKMP SA: #5; newest IPsec SA: #0; 
                  000 "MYSITE_primary_TM0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
                  000 "MYSITE_primary_TM0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
                  000 "MYSITE_primary_TM0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
                  000 "MYSITE_primary_TM0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
                  000 "MYSITE_primary_TM0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
                  000  
                  000 #6: "MYSITE_primary_TM0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
                  000 #5: "MYSITE_primary_TM0":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
                  000  
                  

                  pfsense:

                  Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1769513508 [ HASH SA No ID ID ]
                  Feb 11 15:48:02	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
                  Feb 11 15:48:02	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 681290560 [ HASH N(INVAL_ID) ]
                  Feb 11 15:48:02	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
                  Feb 11 15:48:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
                  Feb 11 15:48:12	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
                  Feb 11 15:48:23	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
                  Feb 11 15:48:32	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
                  Feb 11 15:48:32	charon		13[IKE] <con-mobile|2> received retransmit of request with ID 1769513508, but no response to retransmit
                  Feb 11 15:48:43	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
                  Feb 11 15:49:03	charon		13[IKE] <con-mobile|2> sending keep alive to 178.115.129.214[43643]
                  Feb 11 15:49:12	charon		13[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
                  Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> parsed QUICK_MODE request 1541153441 [ HASH SA No ID ID ]
                  Feb 11 15:49:12	charon		13[IKE] <con-mobile|2> no matching CHILD_SA config found
                  Feb 11 15:49:12	charon		13[ENC] <con-mobile|2> generating INFORMATIONAL_V1 request 3407976374 [ HASH N(INVAL_ID) ]
                  Feb 11 15:49:12	charon		13[NET] <con-mobile|2> sending packet: from MYIP[4500] to 178.115.129.214[43643] (76 bytes)
                  Feb 11 15:49:23	charon		15[NET] <con-mobile|2> received packet: from 178.115.129.214[43643] to MYIP[4500] (156 bytes)
                  Feb 11 15:49:23	charon		15[IKE] <con-mobile|2> received retransmit of request with ID 1541153441, but no response to retransmit
                  

                  I see that my local subnet (VLAN 160 on our side does not get transferred to the LTE-router.

                  my phase2:

                  tunnel ANLAGEN ESP AES (128 bits) SHA1

                  and I don't have "Remote subnet" in there (maybe correct because of dynamic IP on mobile side)

                  My Local Subnet is a VLAN, maybe I miss firewall rules? But I assume that comes later, at first we need the phase2 up, right?

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    Konstanti
                    last edited by

                    @sgw said in
                    I think such a connection is impossible ,I should think , still, this type of connection is used for RW (road warrior)

                    1 Reply Last reply Reply Quote 0
                    • K
                      Konstanti @sgw
                      last edited by

                      @sgw

                      When there is no fixed ip address, for site-site connection I would recommend openvpn tunnel

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        sgw @Konstanti
                        last edited by sgw

                        @konstanti Yes, I see ... we had the openvpn tunnel up already and pinged the tunnel endpoints, but not the nets behind. Maybe settings on the LTE-router, maybe my fault. We will retry on friday, the other admin is away till then.

                        EDIT: I will maybe open another topic in "openvpn" section, but just mentioning:
                        /27 on remote side, allowing that source net to OPENVPN interface and target net /24 (VLAN). Unsure if that should be enough. Didn't see blocked packages in firewall logs.

                        K 1 Reply Last reply Reply Quote 0
                        • K
                          Konstanti @sgw
                          last edited by Konstanti

                          @sgw
                          there need correctly configure the OPENVPN server
                          so that the client know about 10.135.16.195 and the server about 172.16.160.0/27

                          S 1 Reply Last reply Reply Quote 0
                          • S
                            sgw @Konstanti
                            last edited by sgw

                            @konstanti that 10.135.16.195 ... don't know what that is. Maybe the dynamic WAN on the remote client side. Will check as soon as the admin gets back there. Thanks!

                            AND we have MultiWAN on our side. I had to add some rule back then, haven't found it yet.

                            K 1 Reply Last reply Reply Quote 0
                            • K
                              Konstanti @sgw
                              last edited by Konstanti

                              @sgw

                              yeah, probably.
                              On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

                              1. IPv4 Local Network - the network to which you need access from the server side
                              2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

                              In this case, the client will know about the remote network behind the server and the server will know about your network 172.16.160.0/27

                              and shouldn't be a problem

                              S 1 Reply Last reply Reply Quote 0
                              • S
                                sgw @Konstanti
                                last edited by

                                @konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

                                @sgw

                                yeah, probably.
                                On the OpenVPN side of the server, in the Tunnel Settings section, you can specify

                                1. IPv4 Local Network - the network to which you need access from the server side
                                2. IPv4 Remote network - 172.16.160.0/27 (network for routing through tunnel)

                                Yes, we got that. Wrote to the guy, waiting for his changes, tomorrow, I assume.
                                I also made him change that /27 to /24, just to remove any special stuff to get it working first, then goon from there.

                                K 1 Reply Last reply Reply Quote 0
                                • K
                                  Konstanti @sgw
                                  last edited by

                                  @sgw
                                  Good )))
                                  If there are problems after establishing the connection, look at the routing table on your router-is there a route to the server network ? And at the other side of the tunnel, too, will have to check it )

                                  S 1 Reply Last reply Reply Quote 0
                                  • S
                                    sgw @Konstanti
                                    last edited by

                                    @konstanti said in IPSEC mobile client in transport mode: possible? No subnets defined somehow:

                                    @sgw
                                    Good )))
                                    If there are problems after establishing the connection, look at the routing table on your router-is there a route to the server network ? And at the other side of the tunnel, too, will have to check it )

                                    I have checked that as we tested. No routes to that /27 on pfsense, although the ovpn-tunnel was up and we could ping the tunnel-endpoints. So I wait for /27 -> /24 to remove that q.

                                    K 1 Reply Last reply Reply Quote 0
                                    • K
                                      Konstanti @sgw
                                      last edited by

                                      @sgw
                                      You can always create a static route to the server network , but it is better to do everything correctly so that the server itself sends this information to the client )))

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.