[Solved] IPSec doesn't work if behind NAT

bmacadre · Mar 19, 2020, 9:07 PM

Hi everybody,

With the recent containment of the country, my company needs to increase the capacity of its VPN. We decided to use pfSense to set up a second L2TP / IPSec VPN.

I setup a L2TP/IPSec VPN like described in netgate docs. If I try to connect from a workstation inside the company the tunnel mount fine. But if I try from my home (with same configuration/OS) it failed... The pfSense box must be inside the company network so we must access it from the outside by NAT.

Here is the network topology:

LAN Network => pfSense Box => WAN Network => NAT Router => Internet
10.130.166.0/24 => 10.130.166.10 | 10.130.163.208 => 10.130.163.0/24 => X.X.X.X/24

I want my users (W10 clients) connect from home (behind their ISP) to LAN Network by using L2TP/IPSec VPN connectivity like this:
User (192.168.1.X) => ISP Box (A.B.C.D) => VPN NAT IP (X.X.X.X) =>pfSence Box => LAN Network

Here is my configuration :

Mobile Client Tab :

IKE Extensions: Enabled
User Authentication: Local Database
All other checkboxes: Unchecked

Tunnel Phase 1:

Key version: IKEv1
Protocol: IPv4
Interface: WAN
Auth method: Mutual PSK
Nego. mode: Main
My Identifier: IP Address => X.X.X.X
Encryption: AES 256bits SHA1 14 (2048bits)
Lifetime: 28800
Disable rekey: Unchecked
Responder Only: Unchecked
NAT Traversal: Auto
Enable DPD: Unchecked (W10 client doesn't support it)

Tunnel Phase 2:

Mode : Transport
Protocol: ESP
Encryption Algo.: AES 128 bits
Hash Algo.: SHA1
PFS key group: off
Lifetime: 3600

L2TP:

Enable
Server address: 10.130.166.11
Remote address range: 10.130.166.128/25
Number of users: 50
Auth type: MS-CHAPv2 (W10 client doesn't work with CHAP)
Primary L2TP DNS Server: 10.130.166.10
RADIUS: Enable
RADIUS Accounting: Enable
...

Like explained before if I try to connect from inside the company it works fine. But from outside (with the same workstation) it failed with these logs:

charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 07[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 07[IKE] <23> sending XAuth vendor ID
charon: 07[IKE] <23> sending DPD vendor ID
charon: 07[IKE] <23> sending FRAGMENTATION vendor ID
charon: 07[IKE] <23> sending NAT-T (RFC 3947) vendor ID
charon: 07[ENC] <23> generating ID_PROT response 0 [ SA V V V V ]
charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (160 bytes)
charon: 07[NET] <23> received packet: from A.B.C.D[500] to 10.130.163.208[500] (388 bytes)
charon: 07[ENC] <23> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 07[LIB] <23> size of DH secret exponent: 2047 bits
charon: 07[IKE] <23> local host is behind NAT, sending keep alives
charon: 07[IKE] <23> remote host is behind NAT
charon: 07[CFG] <23>   candidate "bypasslan", match: 1/1/24 (me/other/ike)
charon: 07[CFG] <23>   candidate "con-mobile", match: 1/1/28 (me/other/ike)
charon: 07[ENC] <23> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (372 bytes)
charon: 07[NET] <23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
charon: 07[ENC] <23> parsed ID_PROT request 0 [ ID HASH ]
charon: 07[CFG] <23> looking for pre-shared key peer configs matching 10.130.163.208...A.B.C.D[192.168.1.15]
charon: 07[CFG] <23>   candidate "bypasslan", match: 1/1/24 (me/other/ike)
charon: 07[CFG] <23>   candidate "con-mobile", match: 1/1/28 (me/other/ike)
charon: 07[CFG] <23> selected peer config "con-mobile"
charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] established between 10.130.163.208[X.X.X.X]...A.B.C.D[192.168.1.15]
charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] state change: CONNECTING => ESTABLISHED
charon: 07[IKE] <con-mobile|23> scheduling reauthentication in 27826s
charon: 07[IKE] <con-mobile|23> maximum IKE_SA lifetime 28366s
charon: 07[ENC] <con-mobile|23> generating ID_PROT response 0 [ ID HASH ]
charon: 07[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (76 bytes)
charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
charon: 15[CFG] <con-mobile|23>  10.130.163.208/32|/0
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
charon: 15[CFG] <con-mobile|23>  A.B.C.D/32|/0
charon: 15[CFG] <con-mobile|23>   candidate "con-mobile" with prio 1+1
charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
charon: 15[CFG] <con-mobile|23>  config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
charon: 15[CFG] <con-mobile|23>  config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting proposal:
charon: 15[CFG] <con-mobile|23>   proposal matches
charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH ]
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: CREATED => INSTALLING
charon: 15[CHD] <con-mobile|23>   using AES_CBC for encryption
charon: 15[CHD] <con-mobile|23>   using HMAC_SHA1_96 for integrity
charon: 15[CHD] <con-mobile|23> adding inbound ESP SA
charon: 15[CHD] <con-mobile|23>   SPI 0xca5cf2dd, src A.B.C.D dst 10.130.163.208
charon: 15[CHD] <con-mobile|23> adding outbound ESP SA
charon: 15[CHD] <con-mobile|23>   SPI 0x1b68de24, src 10.130.163.208 dst A.B.C.D
charon: 15[IKE] <con-mobile|23> CHILD_SA con-mobile{42} established with SPIs ca5cf2dd_i 1b68de24_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLING => INSTALLED
charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
charon: 15[CFG] <con-mobile|23>  10.130.163.208/32|/0
charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
charon: 15[CFG] <con-mobile|23>  A.B.C.D/32|/0
charon: 15[CFG] <con-mobile|23>   candidate "con-mobile" with prio 1+1
charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
charon: 15[CFG] <con-mobile|23>  config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
charon: 15[CFG] <con-mobile|23>  config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
charon: 15[CFG] <con-mobile|23> selecting proposal:
charon: 15[CFG] <con-mobile|23>   proposal matches
charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLED => REKEYING
charon: 15[IKE] <con-mobile|23> detected rekeying of CHILD_SA con-mobile{42}
charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
charon: 07[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
charon: 07[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH ]
charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: CREATED => INSTALLING
charon: 07[CHD] <con-mobile|23>   using AES_CBC for encryption
charon: 07[CHD] <con-mobile|23>   using HMAC_SHA1_96 for integrity
charon: 07[CHD] <con-mobile|23> adding inbound ESP SA
charon: 07[CHD] <con-mobile|23>   SPI 0xc8b548f8, src A.B.C.D dst 10.130.163.208
charon: 07[CHD] <con-mobile|23> adding outbound ESP SA
charon: 07[CHD] <con-mobile|23>   SPI 0xf8b312b4, src 10.130.163.208 dst A.B.C.D
charon: 07[IKE] <con-mobile|23> CHILD_SA con-mobile{43} established with SPIs c8b548f8_i f8b312b4_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: INSTALLING => INSTALLED
charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYING => REKEYED
charon: 14[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
charon: 14[ENC] <con-mobile|23> parsed INFORMATIONAL_V1 request 3505664253 [ HASH D ]
charon: 14[IKE] <con-mobile|23> received DELETE for ESP CHILD_SA with SPI 1b68de24
charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYED => DELETING
charon: 14[IKE] <con-mobile|23> closing CHILD_SA con-mobile{42} with SPIs ca5cf2dd_i (0 bytes) 1b68de24_o (0 bytes) and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETING => DELETED
charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETED => DESTROYING

Why rekeying is detected from outsied (behind NAT) and not from inside ? I've tried with disable rekey checked but it doesn't work too.

I hope anybody have clue, I'm really lost....
Thanks
Bruno

bmacadre · Mar 19, 2020, 1:51 PM

After some tests it appears that this problem occurs only with Windows10 clients.... Linux L2TP client works fine and MacOSX too !!

jimp · Mar 19, 2020, 8:09 PM

@bmacadre said in IPSec doesn't work if behind NAT:

After some tests it appears that this problem occurs only with Windows10 clients.... Linux L2TP client works fine and MacOSX too !!

That's a known problem. See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

One of many reasons that L2TP/IPsec should be avoided.

bmacadre · Mar 19, 2020, 9:08 PM

Thanks for your reply but O've already read this page and my problem doesn't apprear on it.

I've just found the solution, it's just a bug in Windows 10.

You just need to add a reg key like this :

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

Restart you computer and all work like a charm !

And honestly for me L2TP/IPSec is the best clientless VPN solution (my users can't install client so OpenVPN is not a possibility).

Regards,