How do I bring up a tunnel from a client on an adjacent network?



  • Some time ago I had set up an IKEv2 server on a loopback address (127.0.0.2) to connect from anywhere all the time.

    It worked great, and as I mentioned, I could connect whether the clients were on the next directly attached subnet or from public addresses.

    Connection on Android devices was reliable but the only way to make them stick on iOS is setting up always-on profiles.

    It's a little messy though; basically, when setting up always-on tunnels, iOS no longer authenticates as a user but as a machine account (https://support.apple.com/guide/mdm/always-on-vpn-configurations-mdm41cec49b6/1/web/1) and EAP doesn't work. When I finally got it right (Mutual RSA), only the public-inbound connection to the VPN server would be brought up successfully (iOS dials one from cellular, one from Wi-Fi). The one from Wi-Fi won't connect, but it does seem to pass authentication and be in some sort of a loop:

    …
    charon		08[CFG] received stroke: delete connection 'con-mobile'
    charon		08[CFG] deleted connection 'con-mobile'
    charon		08[CFG] received stroke: add connection 'con-mobile'
    charon		08[CFG] conn con-mobile
    charon		08[CFG] left=127.0.0.2
    charon		08[CFG] leftsubnet=0.0.0.0/0
    charon		08[CFG] leftauth=pubkey
    charon		08[CFG] leftid=fqdn:tunnelserver.domain.tld
    charon		08[CFG] leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    charon		08[CFG] right=%any
    charon		08[CFG] rightsourceip=10.7.0.0/24
    charon		08[CFG] rightdns=10.0.0.25,10.0.0.30
    charon		08[CFG] rightauth=pubkey
    charon		08[CFG] rightca=/CN=TunnelServerCertificateAuthority/
    charon		08[CFG] ike=aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes256gcm128-sha256-modp2048,aes128-sha1-modp1024,aes256-sha256-modp2048!
    charon		08[CFG] esp=aes256-sha1-modp2048,aes256-sha256-modp2048,aes192-sha1-modp2048,aes192-sha256-modp2048,aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048,aes128gcm96-sha1-modp2048,aes128gcm96-sha256-modp2048,aes128gcm64-sha1-modp2048,aes128gcm64-sha256-modp2048,aes256gcm128-sha1-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha1-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha1-modp2048,aes256gcm64-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
    charon		08[CFG] dpddelay=10
    charon		08[CFG] dpdtimeout=40
    charon		08[CFG] dpdaction=1
    charon		08[CFG] sha256_96=no
    charon		08[CFG] mediation=no
    charon		08[CFG] keyexchange=ikev2
    charon		08[CFG] reusing virtual IP address pool 10.7.0.0/24
    charon		08[CFG] loaded certificate "CN=TunnelServerCertificate" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt'
    charon		08[CFG] added configuration 'con-mobile'
    charon		11[CFG] vici client 10624 connected
    charon		11[CFG] vici client 10624 registered for: list-sa
    charon		15[CFG] vici client 10624 requests: list-sas
    charon		15[CFG] vici client 10624 disconnected
    charon		13[CFG] vici client 10625 connected
    charon		13[CFG] vici client 10625 registered for: list-sa
    charon		08[CFG] vici client 10625 requests: list-sas
    charon		13[CFG] vici client 10625 disconnected
    charon		13[CFG] vici client 10626 connected
    charon		07[CFG] vici client 10626 registered for: list-sa
    charon		09[CFG] vici client 10626 requests: list-sas
    charon		07[CFG] vici client 10626 disconnected
    charon		07[CFG] vici client 10627 connected
    charon		13[CFG] vici client 10627 registered for: list-sa
    charon		09[CFG] vici client 10627 requests: list-sas
    charon		13[CFG] vici client 10627 disconnected
    charon		13[CFG] vici client 10628 connected
    charon		09[CFG] vici client 10628 registered for: list-sa
    charon		13[CFG] vici client 10628 requests: list-sas
    charon		12[CFG] vici client 10628 disconnected
    charon		12[CFG] vici client 10629 connected
    charon		12[CFG] vici client 10629 registered for: list-sa
    charon		05[CFG] vici client 10629 requests: list-sas
    charon		05[CFG] vici client 10629 disconnected
    charon		13[CFG] vici client 10630 connected
    charon		01[CFG] vici client 10630 registered for: list-sa
    charon		13[CFG] vici client 10630 requests: list-sas
    charon		01[CFG] vici client 10630 disconnected
    charon		01[CFG] vici client 10631 connected
    charon		01[CFG] vici client 10631 registered for: list-sa
    charon		10[CFG] vici client 10631 requests: list-sas
    charon		10[CFG] vici client 10631 disconnected
    …
    

    I assume this is because the tunnel is not really needed to reach the subnet, from something I read in the (pfSense) book a long time ago about the tunnel endpoints not being reachable while the tunnel was up. It makes sense.

    But on the other hand, I already had it working both on the intranet and the Internet, furthermore, if I set this up on Windows Server Remote Access Server, both tunnels are brought up despite being in the same…ish network conditions. If anything it should be worse because I usually set Windows Server to allocate a fragment of the same subnet while pfSense sets a completely different subnet for tunnel clients--if that's even the problem here, I'm really just talking out of my A 😅

    Could you two-plus-two-it for me, please? I'm really lost here.

    Thanks!
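The charon `[CFG]` dump quoted above lists every IKE and ESP proposal the `con-mobile` connection accepts, and several of them (`3des`, `modp1024`, `sha1`) are legacy algorithms a defender would normally retire once the iOS client is known to negotiate a modern proposal. The following is an added example, not code from the post, pfSense or strongSwan: it parses a constructed, trimmed excerpt of that dump, splits the strict (`!`-terminated) proposal lists, and reports which proposals carry legacy tokens so they can be removed from the config.

```python
import re
from typing import Dict, List

# Constructed, trimmed excerpt of the charon [CFG] dump quoted in the post.
CHARON_LOG = """\
charon\t\t08[CFG] conn con-mobile
charon\t\t08[CFG] left=127.0.0.2
charon\t\t08[CFG] ike=aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes128-sha1-modp1024,aes256-sha256-modp2048!
charon\t\t08[CFG] esp=aes256-sha1-modp2048,aes128gcm128-sha256-modp2048,3des-sha1-modp2048!
charon\t\t08[CFG] keyexchange=ikev2
"""

# Proposal tokens treated as legacy in this audit (strongSwan proposal syntax).
WEAK_TOKENS = {
    "3des": "3DES cipher",
    "sha1": "SHA-1 (legacy)",
    "modp1024": "1024-bit DH group (modp1024)",
}

# Matches "[CFG] key=value" settings lines; non-setting lines are ignored.
CFG_LINE = re.compile(r"\[CFG\]\s+(\w+)=(.*)$")


def parse_conn_settings(log: str) -> Dict[str, str]:
    """Collect key=value settings from the charon [CFG] lines of one conn dump."""
    settings: Dict[str, str] = {}
    for line in log.splitlines():
        match = CFG_LINE.search(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def proposals(value: str) -> List[str]:
    """Split 'a,b,c!' into ['a', 'b', 'c']; the trailing '!' only marks strict mode."""
    return [p for p in value.rstrip("!").split(",") if p]


def audit_proposals(settings: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per 'ike'/'esp', the proposals that contain a legacy token."""
    findings: Dict[str, List[str]] = {}
    for key in ("ike", "esp"):
        for prop in proposals(settings.get(key, "")):
            hits = [WEAK_TOKENS[t] for t in prop.split("-") if t in WEAK_TOKENS]
            if hits:
                findings.setdefault(key, []).append(f"{prop}: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for key, items in audit_proposals(parse_conn_settings(CHARON_LOG)).items():
        print(key, "->", *items, sep="\n  ")
```

Run against a full `ipsec statusall` or charon debug capture, the output tells you which entries to drop from the IKE/ESP proposal lists in the pfSense phase 1 and phase 2 settings.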

