[Solved] IPSec doesn't work if behind NAT



  • Hi everybody,

    With the recent containment of the country, my company needs to increase the capacity of its VPN. We decided to use pfSense to set up a second L2TP / IPSec VPN.

    I set up an L2TP/IPsec VPN as described in the Netgate docs. If I try to connect from a workstation inside the company, the tunnel comes up fine. But if I try from my home (with the same configuration/OS) it fails... The pfSense box must be inside the company network, so we must access it from the outside via NAT.

    Here is the network topology:

    LAN Network => pfSense Box => WAN Network => NAT Router => Internet
    10.130.166.0/24 => 10.130.166.10 | 10.130.163.208 => 10.130.163.0/24 => X.X.X.X/24

    I want my users (W10 clients) to connect from home (behind their ISP) to the LAN network by using L2TP/IPsec VPN connectivity like this:
    User (192.168.1.X) => ISP Box (A.B.C.D) => VPN NAT IP (X.X.X.X) => pfSense Box => LAN Network

    Here is my configuration:

    Mobile Client tab:

    • IKE Extensions: Enabled
    • User Authentication: Local Database
    • All other checkboxes: Unchecked

    Tunnel Phase 1:

    • Key version: IKEv1
    • Protocol: IPv4
    • Interface: WAN
    • Auth method: Mutual PSK
    • Nego. mode: Main
    • My Identifier: IP Address => X.X.X.X
    • Encryption: AES 256bits SHA1 14 (2048bits)
    • Lifetime: 28800
    • Disable rekey: Unchecked
    • Responder Only: Unchecked
    • NAT Traversal: Auto
    • Enable DPD: Unchecked (W10 client doesn't support it)

    Tunnel Phase 2:

    • Mode: Transport
    • Protocol: ESP
    • Encryption Algo.: AES 128 bits
    • Hash Algo.: SHA1
    • PFS key group: off
    • Lifetime: 3600

    L2TP:

    • Enable
    • Server address: 10.130.166.11
    • Remote address range: 10.130.166.128/25
    • Number of users: 50
    • Auth type: MS-CHAPv2 (W10 client doesn't work with CHAP)
    • Primary L2TP DNS Server: 10.130.166.10
    • RADIUS: Enable
    • RADIUS Accounting: Enable
    • ...

    As explained before, if I try to connect from inside the company it works fine. But from outside (with the same workstation) it fails with these logs:

    charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    charon: 07[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    charon: 07[IKE] <23> sending XAuth vendor ID
    charon: 07[IKE] <23> sending DPD vendor ID
    charon: 07[IKE] <23> sending FRAGMENTATION vendor ID
    charon: 07[IKE] <23> sending NAT-T (RFC 3947) vendor ID
    charon: 07[ENC] <23> generating ID_PROT response 0 [ SA V V V V ]
    charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (160 bytes)
    charon: 07[NET] <23> received packet: from A.B.C.D[500] to 10.130.163.208[500] (388 bytes)
    charon: 07[ENC] <23> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    charon: 07[LIB] <23> size of DH secret exponent: 2047 bits
    charon: 07[IKE] <23> local host is behind NAT, sending keep alives
    charon: 07[IKE] <23> remote host is behind NAT
    charon: 07[CFG] <23>   candidate "bypasslan", match: 1/1/24 (me/other/ike)
    charon: 07[CFG] <23>   candidate "con-mobile", match: 1/1/28 (me/other/ike)
    charon: 07[ENC] <23> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    charon: 07[NET] <23> sending packet: from 10.130.163.208[500] to A.B.C.D[500] (372 bytes)
    charon: 07[NET] <23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
    charon: 07[ENC] <23> parsed ID_PROT request 0 [ ID HASH ]
    charon: 07[CFG] <23> looking for pre-shared key peer configs matching 10.130.163.208...A.B.C.D[192.168.1.15]
    charon: 07[CFG] <23>   candidate "bypasslan", match: 1/1/24 (me/other/ike)
    charon: 07[CFG] <23>   candidate "con-mobile", match: 1/1/28 (me/other/ike)
    charon: 07[CFG] <23> selected peer config "con-mobile"
    charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] established between 10.130.163.208[X.X.X.X]...A.B.C.D[192.168.1.15]
    charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] state change: CONNECTING => ESTABLISHED
    charon: 07[IKE] <con-mobile|23> scheduling reauthentication in 27826s
    charon: 07[IKE] <con-mobile|23> maximum IKE_SA lifetime 28366s
    charon: 07[ENC] <con-mobile|23> generating ID_PROT response 0 [ ID HASH ]
    charon: 07[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (76 bytes)
    charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
    charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
    charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
    charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
    charon: 15[CFG] <con-mobile|23>  10.130.163.208/32|/0
    charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
    charon: 15[CFG] <con-mobile|23>  A.B.C.D/32|/0
    charon: 15[CFG] <con-mobile|23>   candidate "con-mobile" with prio 1+1
    charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
    charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
    charon: 15[CFG] <con-mobile|23>  config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
    charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
    charon: 15[CFG] <con-mobile|23>  config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
    charon: 15[CFG] <con-mobile|23> selecting proposal:
    charon: 15[CFG] <con-mobile|23>   proposal matches
    charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
    charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
    charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
    charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 1 [ HASH ]
    charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: CREATED => INSTALLING
    charon: 15[CHD] <con-mobile|23>   using AES_CBC for encryption
    charon: 15[CHD] <con-mobile|23>   using HMAC_SHA1_96 for integrity
    charon: 15[CHD] <con-mobile|23> adding inbound ESP SA
    charon: 15[CHD] <con-mobile|23>   SPI 0xca5cf2dd, src A.B.C.D dst 10.130.163.208
    charon: 15[CHD] <con-mobile|23> adding outbound ESP SA
    charon: 15[CHD] <con-mobile|23>   SPI 0x1b68de24, src 10.130.163.208 dst A.B.C.D
    charon: 15[IKE] <con-mobile|23> CHILD_SA con-mobile{42} established with SPIs ca5cf2dd_i 1b68de24_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
    charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLING => INSTALLED
    charon: 15[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (332 bytes)
    charon: 15[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
    charon: 15[IKE] <con-mobile|23> changing received traffic selectors 192.168.1.15/32|/0[udp/l2f]=== X.X.X.X/32|/0[udp/l2f] due to NAT
    charon: 15[CFG] <con-mobile|23> looking for a child config for 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
    charon: 15[CFG] <con-mobile|23> proposing traffic selectors for us:
    charon: 15[CFG] <con-mobile|23>  10.130.163.208/32|/0
    charon: 15[CFG] <con-mobile|23> proposing traffic selectors for other:
    charon: 15[CFG] <con-mobile|23>  A.B.C.D/32|/0
    charon: 15[CFG] <con-mobile|23>   candidate "con-mobile" with prio 1+1
    charon: 15[CFG] <con-mobile|23> found matching child config "con-mobile" with prio 2
    charon: 15[CFG] <con-mobile|23> selecting traffic selectors for other:
    charon: 15[CFG] <con-mobile|23>  config: A.B.C.D/32|/0, received: A.B.C.D/32|/0[udp/l2f] => match: A.B.C.D/32|/0[udp/l2f]
    charon: 15[CFG] <con-mobile|23> selecting traffic selectors for us:
    charon: 15[CFG] <con-mobile|23>  config: 10.130.163.208/32|/0, received: 10.130.163.208/32|/0[udp/l2f] => match: 10.130.163.208/32|/0[udp/l2f]
    charon: 15[CFG] <con-mobile|23> selecting proposal:
    charon: 15[CFG] <con-mobile|23>   proposal matches
    charon: 15[CFG] <con-mobile|23> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    charon: 15[CFG] <con-mobile|23> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    charon: 15[CFG] <con-mobile|23> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    charon: 15[IKE] <con-mobile|23> received 250000000 lifebytes, configured 0
    charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLED => REKEYING
    charon: 15[IKE] <con-mobile|23> detected rekeying of CHILD_SA con-mobile{42}
    charon: 15[ENC] <con-mobile|23> generating QUICK_MODE response 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
    charon: 15[NET] <con-mobile|23> sending packet: from 10.130.163.208[4500] to A.B.C.D[4500] (204 bytes)
    charon: 07[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (60 bytes)
    charon: 07[ENC] <con-mobile|23> parsed QUICK_MODE request 2 [ HASH ]
    charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: CREATED => INSTALLING
    charon: 07[CHD] <con-mobile|23>   using AES_CBC for encryption
    charon: 07[CHD] <con-mobile|23>   using HMAC_SHA1_96 for integrity
    charon: 07[CHD] <con-mobile|23> adding inbound ESP SA
    charon: 07[CHD] <con-mobile|23>   SPI 0xc8b548f8, src A.B.C.D dst 10.130.163.208
    charon: 07[CHD] <con-mobile|23> adding outbound ESP SA
    charon: 07[CHD] <con-mobile|23>   SPI 0xf8b312b4, src 10.130.163.208 dst A.B.C.D
    charon: 07[IKE] <con-mobile|23> CHILD_SA con-mobile{43} established with SPIs c8b548f8_i f8b312b4_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
    charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{43} state change: INSTALLING => INSTALLED
    charon: 07[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYING => REKEYED
    charon: 14[NET] <con-mobile|23> received packet: from A.B.C.D[4500] to 10.130.163.208[4500] (76 bytes)
    charon: 14[ENC] <con-mobile|23> parsed INFORMATIONAL_V1 request 3505664253 [ HASH D ]
    charon: 14[IKE] <con-mobile|23> received DELETE for ESP CHILD_SA with SPI 1b68de24
    charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: REKEYED => DELETING
    charon: 14[IKE] <con-mobile|23> closing CHILD_SA con-mobile{42} with SPIs ca5cf2dd_i (0 bytes) 1b68de24_o (0 bytes) and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
    charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETING => DELETED
    charon: 14[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: DELETED => DESTROYING
    

    Why is rekeying detected from outside (behind NAT) and not from inside? I've tried with Disable rekey checked, but it doesn't work either.

    I hope somebody has a clue, I'm really lost....
    Thanks
    Bruno



  • After some tests it appears that this problem occurs only with Windows 10 clients.... The Linux L2TP client works fine, and macOS too!!


  • Rebel Alliance Developer Netgate

    @bmacadre said in IPSec doesn't work if behind NAT:

    After some tests it appears that this problem occurs only with Windows 10 clients.... The Linux L2TP client works fine, and macOS too!!

    That's a known problem. See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

    One of many reasons that L2TP/IPsec should be avoided.



  • Thanks for your reply, but I've already read this page and my problem doesn't appear on it.

    I've just found the solution, it's just a bug in Windows 10.

    You just need to add a reg key like this:

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
    

    Restart your computer and everything works like a charm!

    And honestly, for me L2TP/IPsec is the best clientless VPN solution (my users can't install a client, so OpenVPN is not a possibility).

    Regards,
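    As an added example (not from the thread, pfSense or strongSwan), a small Python triage script for charon log lines like the ones Bruno posted: it records whether NAT was detected on either side and flags CHILD_SAs that were rekeyed and then closed having carried 0 bytes, which is the pattern in the log above that the Windows registry fix resolved. The sample lines are constructed from the thread; the `triage` function and its output keys are my own naming.

```python
import re

# Constructed sample: a few charon lines modelled on the ones posted in the thread above.
SAMPLE_LOG = """\
charon: 07[IKE] <23> local host is behind NAT, sending keep alives
charon: 07[IKE] <23> remote host is behind NAT
charon: 07[IKE] <con-mobile|23> IKE_SA con-mobile[23] state change: CONNECTING => ESTABLISHED
charon: 15[IKE] <con-mobile|23> CHILD_SA con-mobile{42} established with SPIs ca5cf2dd_i 1b68de24_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 15[CHD] <con-mobile|23> CHILD_SA con-mobile{42} state change: INSTALLED => REKEYING
charon: 07[IKE] <con-mobile|23> CHILD_SA con-mobile{43} established with SPIs c8b548f8_i f8b312b4_o and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
charon: 14[IKE] <con-mobile|23> closing CHILD_SA con-mobile{42} with SPIs ca5cf2dd_i (0 bytes) 1b68de24_o (0 bytes) and TS 10.130.163.208/32|/0[udp/l2f] === A.B.C.D/32|/0[udp/l2f]
"""

NAT_RE = re.compile(r"(local|remote) host is behind NAT")
ESTAB_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o")
REKEY_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} state change: INSTALLED => REKEYING")
CLOSE_RE = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\} with SPIs (\w+)_i \((\d+) bytes\) (\w+)_o \((\d+) bytes\)")


def triage(log_text):
    """Summarise NAT detection and the CHILD_SA lifecycle seen in charon log lines."""
    nat_sides = set()
    established = {}    # (conn, reqid) -> (inbound SPI, outbound SPI)
    rekeyed = set()     # CHILD_SAs that went INSTALLED => REKEYING
    idle_closed = []    # CHILD_SAs torn down without carrying any ESP data
    for line in log_text.splitlines():
        if m := NAT_RE.search(line):
            nat_sides.add(m.group(1))
        elif m := ESTAB_RE.search(line):
            established[(m.group(1), int(m.group(2)))] = (m.group(3), m.group(4))
        elif m := REKEY_RE.search(line):
            rekeyed.add((m.group(1), int(m.group(2))))
        elif m := CLOSE_RE.search(line):
            key = (m.group(1), int(m.group(2)))
            if int(m.group(4)) == 0 and int(m.group(6)) == 0:
                idle_closed.append(key)
    return {
        "nat_sides": sorted(nat_sides),
        "child_sas": len(established),
        "rekeyed": sorted(rekeyed),
        "idle_closed": idle_closed,
        # The symptom from the thread: NAT detected, and a CHILD_SA that was
        # established, immediately rekeyed, then deleted with 0 bytes in both directions.
        "suspect_client_encap": bool(nat_sides) and any(k in rekeyed for k in idle_closed),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    Feed it the full ipsec log from Status > System Logs instead of SAMPLE_LOG; a tunnel that works (as from inside the LAN) will show no idle-closed CHILD_SAs.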

