Netgate Discussion Forum

    [Solved] IPSec doesn't work if behind NAT

    Category: IPsec
    4 Posts 2 Posters 3.0k Views
    • B
      bmacadre
      last edited by bmacadre

      Hi everybody,

      With the recent containment of the country, my company needs to increase the capacity of its VPN. We decided to use pfSense to set up a second L2TP / IPSec VPN.

      I set up an L2TP/IPSec VPN as described in the Netgate docs. If I try to connect from a workstation inside the company, the tunnel mounts fine. But if I try from my home (with the same configuration/OS) it fails... The pfSense box must be inside the company network, so we must access it from the outside by NAT.

      Here is the network topology:

      LAN Network => pfSense Box => WAN Network => NAT Router => Internet
      10.130.166.0/24 => 10.130.166.10 | 10.130.163.208 => 10.130.163.0/24 => X.X.X.X/24

      I want my users (W10 clients) to connect from home (behind their ISP) to the LAN Network by using L2TP/IPSec VPN connectivity like this:
      User (192.168.1.X) => ISP Box (A.B.C.D) => VPN NAT IP (X.X.X.X) => pfSense Box => LAN Network

      Here is my configuration:

      Mobile Client Tab :

      • IKE Extensions: Enabled
      • User Authentication: Local Database
      • All other checkboxes: Unchecked

      Tunnel Phase 1:

      • Key version: IKEv1
      • Protocol: IPv4
      • Interface: WAN
      • Auth method: Mutual PSK
      • Nego. mode: Main
      • My Identifier: IP Address => X.X.X.X
      • Encryption: AES 256bits SHA1 14 (2048bits)
      • Lifetime: 28800
      • Disable rekey: Unchecked
      • Responder Only: Unchecked
      • NAT Traversal: Auto
      • Enable DPD: Unchecked (W10 client doesn't support it)

      Tunnel Phase 2:

      • Mode : Transport
      • Protocol: ESP
      • Encryption Algo.: AES 128 bits
      • Hash Algo.: SHA1
      • PFS key group: off
      • Lifetime: 3600

      L2TP:

      • Enable
      • Server address: 10.130.166.11
      • Remote address range: 10.130.166.128/25
      • Number of users: 50
      • Auth type: MS-CHAPv2 (W10 client doesn't work with CHAP)
      • Primary L2TP DNS Server: 10.130.166.10
      • RADIUS: Enable
      • RADIUS Accounting: Enable
      • ...

      As explained before, if I try to connect from inside the company it works fine. But from outside (with the same workstation) it fails with these logs:

      charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      charon: 07[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      charon: 07[IKE] <23> sending XAuth vendor ID
      charon: 07[IKE] <23> sending DPD vendor ID
      charon: 07[IKE] <23> sending FRAGMENTATION vendor ID
      charon: 07[IKE] <23> sending NAT-T (RFC 3947) vendor ID
      charon: 07[ENC] <23> generating ID_PROT response 0 [ SA V V V V ]
      charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (160 bytes)
      charon: 07[NET] <23> received packet: from A.B.C.D[500] to 10.130.163.208[500] (388 bytes)
      charon: 07[ENC] <23> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      charon: 07[LIB] <23> size of DH secret exponent: 2047 bits
      charon: 07[IKE] <23> local host is behind NAT, sending keep alives
      charon: 07[IKE] <23> remote host is behind NAT
      charon: 07[CFG] <23>   candidate "bypasslan", match: 1/1/24 (me/other/ike)
      charon: 07[CFG] <23>   candidate "con-mobile", match: 1/1/28 (me/other/ike)
      charon: 07[ENC] <23> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (372 bytes)
      charon: 07[NET] <23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
      charon: 07[ENC] <23> parsed ID_PROT request 0 [ ID HASH ]
      charon: 07[CFG] <23> looking for pre-shared key peer configs matching 10.130.163.208...A.B.C.D[192.168.1.15]
      charon: 07[CFG] <23>   candidate "bypasslan", match: 1/1/24 (me/other/ike)
      charon: 07[CFG] <23>   candidate "con-mobile", match: 1/1/28 (me/other/ike)
      charon: 07[CFG] <23> selected peer config "con-mobile"
      charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] established between 10.130.163.208[X.X.X.X]...A.B.C.D[192.168.1.15]
      charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] state change: CONNECTING => ESTABLISHED
      charon: 07[IKE] <con-mobile|23> scheduling reauthentication in 27826s
      charon: 07[IKE] <con-mobile|23> maximum IKE_SA lifetime 28366s
      charon: 07[ENC] <con-mobile|23> generating ID_PROT response 0 [ ID HASH ]
      charon: 07[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (76 bytes)
      charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
      charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
      charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
      charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
      charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
      charon: 15[CFG] <con-mobile|23>  10.130.163.208/32|/0
      charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
      charon: 15[CFG] <con-mobile|23>  A.B.C.D/32|/0
      charon: 15[CFG] <con-mobile|23>   candidate "con-mobile" with prio 1+1
      charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
      charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
      charon: 15[CFG] <con-mobile|23>  config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
      charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
      charon: 15[CFG] <con-mobile|23>  config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
      charon: 15[CFG] <con-mobile|23> selecting proposal:
      charon: 15[CFG] <con-mobile|23>   proposal matches
      charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
      charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
      charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
      charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
      charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
      charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH ]
      charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: CREATED => INSTALLING
      charon: 15[CHD] <con-mobile|23>   using AES_CBC for encryption
      charon: 15[CHD] <con-mobile|23>   using HMAC_SHA1_96 for integrity
      charon: 15[CHD] <con-mobile|23> adding inbound ESP SA
      charon: 15[CHD] <con-mobile|23>   SPI 0xca5cf2dd, src A.B.C.D dst 10.130.163.208
      charon: 15[CHD] <con-mobile|23> adding outbound ESP SA
      charon: 15[CHD] <con-mobile|23>   SPI 0x1b68de24, src 10.130.163.208 dst A.B.C.D
      charon: 15[IKE] <con-mobile|23> CHILD_SA con-mobile{42} established with SPIs ca5cf2dd_i 1b68de24_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
      charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLING => INSTALLED
      charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
      charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
      charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
      charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
      charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
      charon: 15[CFG] <con-mobile|23>  10.130.163.208/32|/0
      charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
      charon: 15[CFG] <con-mobile|23>  A.B.C.D/32|/0
      charon: 15[CFG] <con-mobile|23>   candidate "con-mobile" with prio 1+1
      charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
      charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
      charon: 15[CFG] <con-mobile|23>  config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
      charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
      charon: 15[CFG] <con-mobile|23>  config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
      charon: 15[CFG] <con-mobile|23> selecting proposal:
      charon: 15[CFG] <con-mobile|23>   proposal matches
      charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
      charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
      charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLED => REKEYING
      charon: 15[IKE] <con-mobile|23> detected rekeying of CHILD_SA con-mobile{42}
      charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
      charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
      charon: 07[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
      charon: 07[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH ]
      charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: CREATED => INSTALLING
      charon: 07[CHD] <con-mobile|23>   using AES_CBC for encryption
      charon: 07[CHD] <con-mobile|23>   using HMAC_SHA1_96 for integrity
      charon: 07[CHD] <con-mobile|23> adding inbound ESP SA
      charon: 07[CHD] <con-mobile|23>   SPI 0xc8b548f8, src A.B.C.D dst 10.130.163.208
      charon: 07[CHD] <con-mobile|23> adding outbound ESP SA
      charon: 07[CHD] <con-mobile|23>   SPI 0xf8b312b4, src 10.130.163.208 dst A.B.C.D
      charon: 07[IKE] <con-mobile|23> CHILD_SA con-mobile{43} established with SPIs c8b548f8_i f8b312b4_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
      charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: INSTALLING => INSTALLED
      charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYING => REKEYED
      charon: 14[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
      charon: 14[ENC] <con-mobile|23> parsed INFORMATIONAL_V1 request 3505664253 [ HASH D ]
      charon: 14[IKE] <con-mobile|23> received DELETE for ESP CHILD_SA with SPI 1b68de24
      charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYED => DELETING
      charon: 14[IKE] <con-mobile|23> closing CHILD_SA con-mobile{42} with SPIs ca5cf2dd_i (0 bytes) 1b68de24_o (0 bytes) and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
      charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETING => DELETED
      charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETED => DESTROYING
      

      Why is rekeying detected from outside (behind NAT) and not from inside? I've tried with Disable rekey checked but it doesn't work either.

      I hope anybody has a clue, I'm really lost....
      Thanks
      Bruno

      • B
        bmacadre
        last edited by

        After some tests it appears that this problem occurs only with Windows10 clients.... Linux L2TP client works fine and MacOSX too !!

        • J
          jimp Rebel Alliance Developer Netgate @bmacadre
          last edited by

          @bmacadre said in IPSec doesn't work if behind NAT:

          After some tests it appears that this problem occurs only with Windows10 clients.... Linux L2TP client works fine and MacOSX too !!

          That's a known problem. See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

          One of many reasons that L2TP/IPsec should be avoided.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • B
            bmacadre
            last edited by bmacadre

            Thanks for your reply but I've already read this page and my problem doesn't appear on it.

            I've just found the solution, it's just a bug in Windows 10.

            You just need to add a reg key like this:

            REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
            

            Restart your computer and everything works like a charm!

            And honestly, for me L2TP/IPSec is the best clientless VPN solution (my users can't install a client, so OpenVPN is not a possibility).

            Regards,
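
            The charon log in the first post and the registry fix in the last one fit together: the server log says "local host is behind NAT" (pfSense, double-NATed behind the WAN router) and "remote host is behind NAT" (the home client), and Microsoft's AssumeUDPEncapsulationContextOnSendRule value 2 is exactly the setting for "both server and client behind NAT" (1 is for server-only, 0 is the default). The script below is an added example by the editor, not code from the thread or from pfSense: it parses strongSwan charon lines of the kind shown above, records NAT detection, traffic-selector rewrites and the CHILD_SA install/rekey/delete sequence, and derives the registry value the Windows client needs. The sample log is a constructed, abbreviated excerpt of the one posted, with the thread's A.B.C.D / X.X.X.X placeholders kept; the regexes assume the IKEv1 log wording of the strongSwan version in the thread.

```python
"""Summarise NAT detection and CHILD_SA lifecycle from strongSwan charon logs.

Editor's example, not part of the forum thread or of pfSense. The regexes
match the IKEv1 log wording visible in the thread; other versions may differ.
"""
import re
from dataclasses import dataclass, field

# Constructed, abbreviated excerpt of the log posted in the thread.
SAMPLE_LOG = """\
charon: 07[IKE] <23> local host is behind NAT, sending keep alives
charon: 07[IKE] <23> remote host is behind NAT
charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] established between 10.130.163.208[X.X.X.X]...A.B.C.D[192.168.1.15]
charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
charon: 15[IKE] <con-mobile|23> CHILD_SA con-mobile{42} established with SPIs ca5cf2dd_i 1b68de24_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[IKE] <con-mobile|23> detected rekeying of CHILD_SA con-mobile{42}
charon: 07[IKE] <con-mobile|23> CHILD_SA con-mobile{43} established with SPIs c8b548f8_i f8b312b4_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 14[IKE] <con-mobile|23> received DELETE for ESP CHILD_SA with SPI 1b68de24
"""

RE_LOCAL_NAT = re.compile(r"local host is behind NAT")
RE_REMOTE_NAT = re.compile(r"remote host is behind NAT")
RE_TS_REWRITE = re.compile(r"changing received traffic selectors .* due to NAT")
RE_CHILD_UP = re.compile(r"CHILD_SA \S+\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
RE_CHILD_REKEY = re.compile(r"detected rekeying of CHILD_SA \S+\{(\d+)\}")
RE_CHILD_DEL = re.compile(r"received DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)")


@dataclass
class ChildSa:
    reqid: str        # the number in braces, e.g. con-mobile{42}
    spi_in: str       # inbound SPI from the server's point of view
    spi_out: str      # outbound SPI (what the peer deletes in its DELETE)
    state: str = "installed"
    rekeyed: bool = False


@dataclass
class IkeSummary:
    local_behind_nat: bool = False    # "local" = the host writing the log (pfSense)
    remote_behind_nat: bool = False   # "remote" = the road-warrior client
    ts_rewrites: int = 0
    child_sas: dict = field(default_factory=dict)


def parse_charon_log(text: str) -> IkeSummary:
    """Walk the log once and collect NAT flags and CHILD_SA events by reqid."""
    s = IkeSummary()
    for line in text.splitlines():
        if RE_LOCAL_NAT.search(line):
            s.local_behind_nat = True
        elif RE_REMOTE_NAT.search(line):
            s.remote_behind_nat = True
        elif RE_TS_REWRITE.search(line):
            s.ts_rewrites += 1
        elif (m := RE_CHILD_UP.search(line)):
            s.child_sas[m.group(1)] = ChildSa(m.group(1), m.group(2), m.group(3))
        elif (m := RE_CHILD_REKEY.search(line)):
            if m.group(1) in s.child_sas:
                s.child_sas[m.group(1)].rekeyed = True
        elif (m := RE_CHILD_DEL.search(line)):
            for sa in s.child_sas.values():
                if m.group(1) in (sa.spi_in, sa.spi_out):
                    sa.state = "deleted"
    return s


def udp_encap_rule_value(server_behind_nat: bool, client_behind_nat: bool) -> int:
    """AssumeUDPEncapsulationContextOnSendRule value a Windows L2TP/IPsec client
    needs (Microsoft KB 926179): 0 = default, server not behind NAT;
    1 = server behind NAT; 2 = both server and client behind NAT."""
    if server_behind_nat and client_behind_nat:
        return 2
    if server_behind_nat:
        return 1
    return 0


def recommended_rule_value(s: IkeSummary) -> int:
    # In the server's log, "local" is the server and "remote" is the client.
    return udp_encap_rule_value(s.local_behind_nat, s.remote_behind_nat)


def diagnose(s: IkeSummary) -> list:
    """Human-readable findings a responder would want from the parsed log."""
    findings = []
    if s.local_behind_nat or s.remote_behind_nat:
        sides = [n for n, f in (("server", s.local_behind_nat), ("client", s.remote_behind_nat)) if f]
        findings.append(f"NAT-T in use, behind NAT: {', '.join(sides)}")
    if s.ts_rewrites:
        findings.append(f"{s.ts_rewrites} traffic selector(s) rewritten because of NAT")
    for sa in s.child_sas.values():
        if sa.rekeyed:
            findings.append(f"CHILD_SA {{{sa.reqid}}} rekeyed by the peer, now {sa.state}")
    findings.append(f"Windows client needs AssumeUDPEncapsulationContextOnSendRule = {recommended_rule_value(s)}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_charon_log(SAMPLE_LOG)):
        print(line)
```

            Run against the sample, the last finding is value 2, which is the value the poster ended up writing to HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent. Feeding the script a log from a client that connected from inside the company (no NAT lines) yields 0, which is why the same Windows workstation worked there without the registry change.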

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.