Netgate Discussion Forum
    Mobile IPSec Tunnel on 3rd pfSense site fails

      TheWaterbug

      I have Mobile IPSec tunnels working at Site 1 (MBT-2220/2.6.0 CE) and at Site 2 (SG-1100/22.05).

      I'm trying to set up Site 3 (APU/2.6.0 CE), and it's not working. I've tried to ensure that I've followed the recipe and that I've copied as much as possible between my two working sites and Site 3, except for the following:

      • Domain and hostname
      • LAN address/subnet
      • Certificate Authority and the Certificate, which I've generated in accordance with the recipe

      but the same client (iOS 16) that will connect to Site 1 and Site 2 won't connect to Site 3.

      IPSec is generally working, because I do have a site-to-site tunnel working between Site 1 and Site 3.

      I cleared the IPSec log, attempted to connect from my iPhone, and saw this:

      
      Nov 4 15:48:28	charon	30754	11[NET] <7> received packet: from 172.56.185.224[24901] to my.public.ip.address[500] (604 bytes)
      Nov 4 15:48:28	charon	30754	11[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Nov 4 15:48:28	charon	30754	11[IKE] <7> 172.56.185.224 is initiating an IKE_SA
      Nov 4 15:48:28	charon	30754	11[CFG] <7> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Nov 4 15:48:29	charon	30754	11[IKE] <7> local host is behind NAT, sending keep alives
      Nov 4 15:48:29	charon	30754	11[IKE] <7> remote host is behind NAT
      Nov 4 15:48:29	charon	30754	11[IKE] <7> sending cert request for "CN=ACMERocketCarsCA, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
      Nov 4 15:48:29	charon	30754	11[ENC] <7> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Nov 4 15:48:29	charon	30754	11[NET] <7> sending packet: from my.public.ip.address[500] to 172.56.185.224[24901] (481 bytes)
      Nov 4 15:48:29	charon	30754	11[NET] <7> received packet: from 172.56.185.224[41889] to my.public.ip.address[4500] (528 bytes)
      Nov 4 15:48:29	charon	30754	11[ENC] <7> unknown attribute type INTERNAL_DNS_DOMAIN
      Nov 4 15:48:29	charon	30754	11[ENC] <7> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
      Nov 4 15:48:29	charon	30754	11[CFG] <7> looking for peer configs matching my.public.ip.address[ACMERocketCars.dyndns.org]...172.56.185.224[2607:fb91:309:6a3:1c0b:5b81:840f:854a]
      Nov 4 15:48:29	charon	30754	11[CFG] <con-mobile|7> selected peer config 'con-mobile'
      Nov 4 15:48:29	charon	30754	11[IKE] <con-mobile|7> initiating EAP_IDENTITY method (id 0x00)
      Nov 4 15:48:29	charon	30754	11[IKE] <con-mobile|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Nov 4 15:48:29	charon	30754	11[IKE] <con-mobile|7> peer supports MOBIKE
      Nov 4 15:48:29	charon	30754	11[IKE] <con-mobile|7> authentication of 'ACMERocketCars.dyndns.org' (myself) with RSA signature successful
      Nov 4 15:48:29	charon	30754	11[IKE] <con-mobile|7> sending end entity cert "CN=ACMERocketCars.dyndns.org, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
      Nov 4 15:48:29	charon	30754	11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
      Nov 4 15:48:29	charon	30754	11[ENC] <con-mobile|7> splitting IKE message (1664 bytes) into 2 fragments
      Nov 4 15:48:29	charon	30754	11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ EF(1/2) ]
      Nov 4 15:48:29	charon	30754	11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ EF(2/2) ]
      Nov 4 15:48:29	charon	30754	11[NET] <con-mobile|7> sending packet: from my.public.ip.address[4500] to 172.56.185.224[41889] (1236 bytes)
      Nov 4 15:48:29	charon	30754	11[NET] <con-mobile|7> sending packet: from my.public.ip.address[4500] to 172.56.185.224[41889] (500 bytes)
      

      Any clues as to where it's failing? If my certificate were wrong, would I have gotten this far?

        TheWaterbug @TheWaterbug

        @thewaterbug

        Interesting. I have this working from macOS (10.14.6), but not from iOS 16.

        Here's the IPSec log after my Mac connects successfully:

        Nov 8 15:21:23	charon	1186	06[NET] <11> received packet: from my.mobile.ip.address[500] to my.public.gateway.address[500] (604 bytes)
        Nov 8 15:21:23	charon	1186	06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
        Nov 8 15:21:23	charon	1186	06[IKE] <11> my.mobile.ip.address is initiating an IKE_SA
        Nov 8 15:21:23	charon	1186	06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
        Nov 8 15:21:24	charon	1186	06[IKE] <11> remote host is behind NAT
        Nov 8 15:21:24	charon	1186	06[IKE] <11> sending cert request for "CN=ACMERocketCarsCA, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
        Nov 8 15:21:24	charon	1186	06[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
        Nov 8 15:21:24	charon	1186	06[NET] <11> sending packet: from my.public.gateway.address[500] to my.mobile.ip.address[500] (481 bytes)
        Nov 8 15:21:24	charon	1186	06[NET] <11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (528 bytes)
        Nov 8 15:21:24	charon	1186	06[ENC] <11> unknown attribute type INTERNAL_DNS_DOMAIN
        Nov 8 15:21:24	charon	1186	06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
        Nov 8 15:21:24	charon	1186	06[CFG] <11> looking for peer configs matching my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
        Nov 8 15:21:24	charon	1186	06[CFG] <con-mobile|11> selected peer config 'con-mobile'
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> initiating EAP_IDENTITY method (id 0x00)
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> peer supports MOBIKE
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with RSA signature successful
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> sending end entity cert "CN=ACMERocketCars.dyndns.org, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> splitting IKE message (1664 bytes) into 2 fragments
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ EF(1/2) ]
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ EF(2/2) ]
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (1236 bytes)
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (500 bytes)
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> received EAP identity 'user@domain.com'
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> initiating EAP_MSCHAPV2 method (id 0xE8)
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (112 bytes)
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (160 bytes)
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (144 bytes)
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (80 bytes)
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 4 [ EAP/SUCC ]
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (80 bytes)
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> parsed IKE_AUTH request 5 [ AUTH ]
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> authentication of '192.168.0.213' with EAP successful
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with EAP
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> scheduling rekeying in 23424s
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> maximum IKE_SA lifetime 26304s
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> peer requested virtual IP %any
        Nov 8 15:21:24	charon	1186	06[CFG] <con-mobile|11> reassigning offline lease to 'user@domain.com'
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> assigning virtual IP 192.168.202.1 to peer 'user@domain.com'
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> peer requested virtual IP %any6
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> no virtual IP found for %any6 requested by 'user@domain.com'
        Nov 8 15:21:24	charon	1186	06[CFG] <con-mobile|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
        Nov 8 15:21:24	charon	1186	06[IKE] <con-mobile|11> CHILD_SA con-mobile{2} established with SPIs cdbc8d8f_i 0e359038_o and TS 192.168.200.0/24|/0 === 192.168.202.1/32|/0
        Nov 8 15:21:24	charon	1186	06[ENC] <con-mobile|11> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS SUBNET (27674) (27675)) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
        Nov 8 15:21:24	charon	1186	06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (352 bytes)
        
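Reading the two excerpts side by side is what answers the question in the first post. The gateway's "authentication of ... (myself) with RSA signature successful" only says that charon signed its own AUTH payload; whether the client accepts the certificate it then receives is decided on the client, and the gateway log cannot show that verdict. In the iOS attempt the last thing charon does is send the two fragments carrying its certificate and the EAP identity request, and nothing comes back, so the gateway never evaluated a username or password at all; in the macOS case the same two fragments are followed by EAP/RES/ID and the exchange runs to CHILD_SA. The script below is an added example, not code from the thread or from pfSense/strongSwan: it groups charon log lines per IKE_SA, records the furthest IKEv2/EAP milestone each SA reached, and reports where a stalled attempt stopped. The sample log is constructed from abbreviated copies of the two excerpts above (SA 7 is the iOS attempt, SA 11 the macOS connection); the stage names and the diagnosis text are my own.

```python
"""Per-IKE_SA stage tracker for strongSwan (charon) road-warrior logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Milestones of an IKEv2 + EAP exchange in the order charon logs them on the
# gateway; the last one matched for an SA is the furthest stage it reached.
STAGES = [
    (r"parsed IKE_SA_INIT request", "IKE_SA_INIT received"),
    (r"selected proposal: IKE:", "IKE proposal agreed"),
    (r"parsed IKE_AUTH request 1 ", "IKE_AUTH 1 received"),
    (r"selected peer config", "peer config selected"),
    (r"sending end entity cert", "gateway certificate sent"),
    (r"generating IKE_AUTH response 1 \[ IDr CERT AUTH EAP/REQ/ID \]", "EAP identity requested"),
    (r"received EAP identity", "EAP identity received"),
    (r"initiating EAP_MSCHAPV2", "EAP-MSCHAPv2 started"),
    (r"EAP method EAP_MSCHAPV2 succeeded", "EAP-MSCHAPv2 succeeded"),
    (r"IKE_SA .* established", "IKE_SA established"),
    (r"CHILD_SA .* established", "CHILD_SA established"),
]

# "11[NET] <7> ..." before peer-config selection, "<con-mobile|7>" after it.
SA_RE = re.compile(r"\d+\[[A-Z]+\] <(?:(?P<conn>[\w-]+)\|)?(?P<id>\d+)> (?P<msg>.*)$")

@dataclass
class SaTrace:
    sa_id: int
    conn: Optional[str] = None
    stages: List[str] = field(default_factory=list)
    last_event: str = ""
    received: int = 0  # packets received from the client
    sent: int = 0      # packets sent to the client

def parse(lines) -> Dict[int, SaTrace]:
    traces: Dict[int, SaTrace] = {}
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue
        sa = traces.setdefault(int(m["id"]), SaTrace(int(m["id"])))
        sa.conn = m["conn"] or sa.conn
        msg = sa.last_event = m["msg"]
        if msg.startswith("received packet"):
            sa.received += 1
        elif msg.startswith("sending packet"):
            sa.sent += 1
        for pattern, name in STAGES:
            if name not in sa.stages and re.search(pattern, msg):
                sa.stages.append(name)
    return traces

def diagnose(sa: SaTrace) -> str:
    furthest = sa.stages[-1] if sa.stages else "nothing parsed"
    if "CHILD_SA established" in sa.stages:
        return f"SA {sa.sa_id}: tunnel up ({sa.received} in / {sa.sent} out)"
    if furthest == "EAP identity requested" and sa.last_event.startswith("sending packet"):
        # Gateway authenticated itself, sent its cert and asked for an EAP
        # identity; nothing came back, so no credential was evaluated here.
        return (f"SA {sa.sa_id}: stalled after the gateway sent its certificate and EAP "
                f"identity request; no EAP/RES/ID came back ({sa.received} in / {sa.sent} out)")
    return f"SA {sa.sa_id}: stopped at '{furthest}'; last event: {sa.last_event}"

def report(log_text: str) -> List[str]:
    return [diagnose(sa) for _, sa in sorted(parse(log_text.splitlines()).items())]

# Constructed sample: abbreviated copies of the thread's two excerpts (SA 7 = iOS
# attempt, SA 11 = macOS connection), long payload lists shortened.
SAMPLE_LOG = """\
Nov 4 15:48:28 charon 30754 11[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(FRAG_SUP) ]
Nov 4 15:48:28 charon 30754 11[CFG] <7> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 4 15:48:29 charon 30754 11[NET] <7> received packet: from 172.56.185.224[41889] to my.public.ip.address[4500] (528 bytes)
Nov 4 15:48:29 charon 30754 11[ENC] <7> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
Nov 4 15:48:29 charon 30754 11[CFG] <con-mobile|7> selected peer config 'con-mobile'
Nov 4 15:48:29 charon 30754 11[IKE] <con-mobile|7> sending end entity cert "CN=ACMERocketCars.dyndns.org, O=ACME RocketCars"
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 4 15:48:29 charon 30754 11[NET] <con-mobile|7> sending packet: from my.public.ip.address[4500] to 172.56.185.224[41889] (1236 bytes)
Nov 4 15:48:29 charon 30754 11[NET] <con-mobile|7> sending packet: from my.public.ip.address[4500] to 172.56.185.224[41889] (500 bytes)
Nov 8 15:21:23 charon 1186 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(FRAG_SUP) ]
Nov 8 15:21:23 charon 1186 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 8 15:21:24 charon 1186 06[NET] <11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (528 bytes)
Nov 8 15:21:24 charon 1186 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> selected peer config 'con-mobile'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> sending end entity cert "CN=ACMERocketCars.dyndns.org, O=ACME RocketCars"
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (1236 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (500 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> received EAP identity 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_MSCHAPV2 method (id 0xE8)
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> CHILD_SA con-mobile{2} established with SPIs cdbc8d8f_i 0e359038_o and TS 192.168.200.0/24|/0 === 192.168.202.1/32|/0
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real excerpt (`clog /var/log/ipsec.log | python3 stages.py`-style piping is easy to add) and compare the furthest stage of a failing SA with a working one. A stall at "EAP identity requested" with no further inbound packet means the gateway's view ends before any credential check; the next evidence lives on the client (its validation of the gateway certificate it has just received, including the identifier it was configured to expect) rather than in the pfSense user or pre-shared-key settings.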
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.