How do I bring up a tunnel from a client on an adjacent network?
Some time ago I had set up an IKEv2 server on a loopback address (127.0.0.2) to connect from anywhere all the time.
It worked great, and as I mentioned, I could connect whether the clients were on the next directly attached subnet or from public addresses.
Connection on Android devices was reliable but the only way to make them stick on iOS is setting up always-on profiles.
It's a little messy though: basically, when setting up always-on tunnels, iOS no longer authenticates as a user but as a machine account (https://support.apple.com/guide/mdm/always-on-vpn-configurations-mdm41cec49b6/1/web/1) and EAP doesn't work. When I finally got it right (Mutual RSA), only the public-inbound connection to the VPN server would be brought up successfully (iOS dials one from cellular, one from Wi-Fi). The one from Wi-Fi won't connect, but it does seem to pass authentication and be in some sort of a loop:
…
charon 08[CFG] received stroke: delete connection 'con-mobile'
charon 08[CFG] deleted connection 'con-mobile'
charon 08[CFG] received stroke: add connection 'con-mobile'
charon 08[CFG] conn con-mobile
charon 08[CFG] left=127.0.0.2
charon 08[CFG] leftsubnet=0.0.0.0/0
charon 08[CFG] leftauth=pubkey
charon 08[CFG] leftid=fqdn:tunnelserver.domain.tld
charon 08[CFG] leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
charon 08[CFG] right=%any
charon 08[CFG] rightsourceip=10.7.0.0/24
charon 08[CFG] rightdns=10.0.0.25,10.0.0.30
charon 08[CFG] rightauth=pubkey
charon 08[CFG] rightca=/CN=TunnelServerCertificateAuthority/
charon 08[CFG] ike=aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes256gcm128-sha256-modp2048,aes128-sha1-modp1024,aes256-sha256-modp2048!
charon 08[CFG] esp=aes256-sha1-modp2048,aes256-sha256-modp2048,aes192-sha1-modp2048,aes192-sha256-modp2048,aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048,aes128gcm96-sha1-modp2048,aes128gcm96-sha256-modp2048,aes128gcm64-sha1-modp2048,aes128gcm64-sha256-modp2048,aes256gcm128-sha1-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha1-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha1-modp2048,aes256gcm64-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
charon 08[CFG] dpddelay=10
charon 08[CFG] dpdtimeout=40
charon 08[CFG] dpdaction=1
charon 08[CFG] sha256_96=no
charon 08[CFG] mediation=no
charon 08[CFG] keyexchange=ikev2
charon 08[CFG] reusing virtual IP address pool 10.7.0.0/24
charon 08[CFG] loaded certificate "CN=TunnelServerCertificate" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt'
charon 08[CFG] added configuration 'con-mobile'
charon 11[CFG] vici client 10624 connected
charon 11[CFG] vici client 10624 registered for: list-sa
charon 15[CFG] vici client 10624 requests: list-sas
charon 15[CFG] vici client 10624 disconnected
charon 13[CFG] vici client 10625 connected
charon 13[CFG] vici client 10625 registered for: list-sa
charon 08[CFG] vici client 10625 requests: list-sas
charon 13[CFG] vici client 10625 disconnected
charon 13[CFG] vici client 10626 connected
charon 07[CFG] vici client 10626 registered for: list-sa
charon 09[CFG] vici client 10626 requests: list-sas
charon 07[CFG] vici client 10626 disconnected
charon 07[CFG] vici client 10627 connected
charon 13[CFG] vici client 10627 registered for: list-sa
charon 09[CFG] vici client 10627 requests: list-sas
charon 13[CFG] vici client 10627 disconnected
charon 13[CFG] vici client 10628 connected
charon 09[CFG] vici client 10628 registered for: list-sa
charon 13[CFG] vici client 10628 requests: list-sas
charon 12[CFG] vici client 10628 disconnected
charon 12[CFG] vici client 10629 connected
charon 12[CFG] vici client 10629 registered for: list-sa
charon 05[CFG] vici client 10629 requests: list-sas
charon 05[CFG] vici client 10629 disconnected
charon 13[CFG] vici client 10630 connected
charon 01[CFG] vici client 10630 registered for: list-sa
charon 13[CFG] vici client 10630 requests: list-sas
charon 01[CFG] vici client 10630 disconnected
charon 01[CFG] vici client 10631 connected
charon 01[CFG] vici client 10631 registered for: list-sa
charon 10[CFG] vici client 10631 requests: list-sas
charon 10[CFG] vici client 10631 disconnected
…
I assume this is because the tunnel is not really needed to reach the subnet, based on something I read in the pfSense book a long time ago about the tunnel endpoints not being reachable while the tunnel was up. It makes sense.
But on the other hand, I already had it working both on the intranet and the Internet. Furthermore, if I set this up on Windows Server Remote Access Server, both tunnels are brought up despite being in the same-ish network conditions. If anything it should be worse, because I usually set Windows Server to allocate a fragment of the same subnet while pfSense sets a completely different subnet for tunnel clients--if that's even the problem here; I'm really just talking out of my A
Could you two-plus-two-it for me, please? I'm really lost here.
Thanks!
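A defender's check the post invites but does not itself contain: the charon dump above lists the IKE and ESP proposals the server accepts, and several of them (1024-bit MODP, 3DES, SHA-1) are ones a current hardening guide would have you drop. The script below is an added example, not code from the poster, strongSwan or pfSense; it parses `[CFG] ike=` / `esp=` lines from a constructed excerpt of that log (the post's ike= line verbatim, a shortened esp= line) and flags the weak algorithms in each proposal.

```python
import re
from typing import Dict, List

# Constructed sample: the post's ike= line, plus a shortened esp= line with
# the same shape as the (much longer) original.
SAMPLE_LOG = """\
charon 08[CFG] conn con-mobile
charon 08[CFG] left=127.0.0.2
charon 08[CFG] ike=aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes256gcm128-sha256-modp2048,aes128-sha1-modp1024,aes256-sha256-modp2048!
charon 08[CFG] esp=aes256-sha1-modp2048,aes128gcm128-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
charon 08[CFG] keyexchange=ikev2
"""

# Algorithm tokens in a strongSwan proposal string that a reviewer would flag.
WEAK_TOKENS = {
    "modp768": "768-bit DH group (group 1)",
    "modp1024": "1024-bit DH group (group 2)",
    "3des": "3DES cipher",
    "md5": "MD5 integrity/PRF",
    "sha1": "SHA-1 integrity/PRF",
}

# Matches the 'ike=' and 'esp=' lines of a charon 'conn' dump only.
PROPOSAL_RE = re.compile(r"\[CFG\]\s+(ike|esp)=(\S+)")


def parse_proposals(log: str) -> Dict[str, List[str]]:
    """Return {'ike': [...], 'esp': [...]} from a charon conn dump.
    The trailing '!' (strict-proposal marker) is stripped before splitting."""
    found: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2).rstrip("!").split(",")
    return found


def weak_proposals(proposals: List[str]) -> Dict[str, List[str]]:
    """Map each proposal containing a weak token to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for prop in proposals:
        parts = prop.split("-")  # e.g. aes128-sha1-modp1024 -> cipher, integ/PRF, DH
        reasons = [desc for tok, desc in WEAK_TOKENS.items() if tok in parts]
        if reasons:
            flagged[prop] = reasons
    return flagged


def audit(log: str) -> Dict[str, Dict[str, List[str]]]:
    """Audit every proposal list (ike and esp) found in the log."""
    return {kind: weak_proposals(props) for kind, props in parse_proposals(log).items()}


if __name__ == "__main__":
    for kind, flagged in audit(SAMPLE_LOG).items():
        for prop, reasons in flagged.items():
            print(f"{kind}: {prop} -> {', '.join(reasons)}")
```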