Mobile IPSec Tunnel on 3rd pfSense site fails
-
I have Mobile IPSec tunnels working at Site 1 (MBT-2220/2.6.0 CE) and at Site 2 (SG-1100/22.05).
I'm trying to set up Site 3 (APU/2.6.0 CE), and it's not working. I've tried to ensure that I've followed the recipe and that I've copied as much as possible between my two working sites and Site 3, except for the following:
- Domain and hostname
- LAN address/subnet
- Certificate Authority and the Certificate, which I've generated in accordance with the recipe
but the same client (iOS 16) that will connect to Site 1 and Site 2, won't connect to Site 3.
IPSec is generally working, because I do have a site-to-site tunnel working between Site 1 and Site 3.
I cleared the IPSec log, attempted to connect from my iPhone, and saw this:
Nov 4 15:48:28 charon 30754 11[NET] <7> received packet: from 172.56.185.224[24901] to my.public.ip.address[500] (604 bytes)
Nov 4 15:48:28 charon 30754 11[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 4 15:48:28 charon 30754 11[IKE] <7> 172.56.185.224 is initiating an IKE_SA
Nov 4 15:48:28 charon 30754 11[CFG] <7> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 4 15:48:29 charon 30754 11[IKE] <7> local host is behind NAT, sending keep alives
Nov 4 15:48:29 charon 30754 11[IKE] <7> remote host is behind NAT
Nov 4 15:48:29 charon 30754 11[IKE] <7> sending cert request for "CN=ACMERocketCarsCA, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
Nov 4 15:48:29 charon 30754 11[ENC] <7> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 4 15:48:29 charon 30754 11[NET] <7> sending packet: from my.public.ip.address[500] to 172.56.185.224[24901] (481 bytes)
Nov 4 15:48:29 charon 30754 11[NET] <7> received packet: from 172.56.185.224[41889] to my.public.ip.address[4500] (528 bytes)
Nov 4 15:48:29 charon 30754 11[ENC] <7> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 4 15:48:29 charon 30754 11[ENC] <7> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Nov 4 15:48:29 charon 30754 11[CFG] <7> looking for peer configs matching my.public.ip.address[ACMERocketCars.dyndns.org]...172.56.185.224[2607:fb91:309:6a3:1c0b:5b81:840f:854a]
Nov 4 15:48:29 charon 30754 11[CFG] <con-mobile|7> selected peer config 'con-mobile'
Nov 4 15:48:29 charon 30754 11[IKE] <con-mobile|7> initiating EAP_IDENTITY method (id 0x00)
Nov 4 15:48:29 charon 30754 11[IKE] <con-mobile|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 4 15:48:29 charon 30754 11[IKE] <con-mobile|7> peer supports MOBIKE
Nov 4 15:48:29 charon 30754 11[IKE] <con-mobile|7> authentication of 'ACMERocketCars.dyndns.org' (myself) with RSA signature successful
Nov 4 15:48:29 charon 30754 11[IKE] <con-mobile|7> sending end entity cert "CN=ACMERocketCars.dyndns.org, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> splitting IKE message (1664 bytes) into 2 fragments
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 4 15:48:29 charon 30754 11[NET] <con-mobile|7> sending packet: from my.public.ip.address[4500] to 172.56.185.224[41889] (1236 bytes)
Nov 4 15:48:29 charon 30754 11[NET] <con-mobile|7> sending packet: from my.public.ip.address[4500] to 172.56.185.224[41889] (500 bytes)
Any clues as to where it's failing? If my certificate were wrong, would I have gotten this far?
-
Interesting. I have this working from macOS (10.14.6), but not from iOS 16.
Here's the IPSec log after my Mac connects successfully:
Nov 8 15:21:23 charon 1186 06[NET] <11> received packet: from my.mobile.ip.address[500] to my.public.gateway.address[500] (604 bytes)
Nov 8 15:21:23 charon 1186 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 8 15:21:23 charon 1186 06[IKE] <11> my.mobile.ip.address is initiating an IKE_SA
Nov 8 15:21:23 charon 1186 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 8 15:21:24 charon 1186 06[IKE] <11> remote host is behind NAT
Nov 8 15:21:24 charon 1186 06[IKE] <11> sending cert request for "CN=ACMERocketCarsCA, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
Nov 8 15:21:24 charon 1186 06[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 8 15:21:24 charon 1186 06[NET] <11> sending packet: from my.public.gateway.address[500] to my.mobile.ip.address[500] (481 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (528 bytes)
Nov 8 15:21:24 charon 1186 06[ENC] <11> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 8 15:21:24 charon 1186 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 8 15:21:24 charon 1186 06[CFG] <11> looking for peer configs matching my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> selected peer config 'con-mobile'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_IDENTITY method (id 0x00)
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer supports MOBIKE
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with RSA signature successful
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> sending end entity cert "CN=ACMERocketCars.dyndns.org, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> splitting IKE message (1664 bytes) into 2 fragments
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (1236 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (500 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> received EAP identity 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_MSCHAPV2 method (id 0xE8)
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (112 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (160 bytes)
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (144 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (80 bytes)
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 4 [ EAP/SUCC ]
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (80 bytes)
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 5 [ AUTH ]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of '192.168.0.213' with EAP successful
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with EAP
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> scheduling rekeying in 23424s
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> maximum IKE_SA lifetime 26304s
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer requested virtual IP %any
Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> reassigning offline lease to 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> assigning virtual IP 192.168.202.1 to peer 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer requested virtual IP %any6
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> no virtual IP found for %any6 requested by 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> CHILD_SA con-mobile{2} established with SPIs cdbc8d8f_i 0e359038_o and TS 192.168.200.0/24|/0 === 192.168.202.1/32|/0
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS SUBNET (27674) (27675)) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (352 bytes)
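As an added example (not from the thread or from pfSense), a small Python script that parses charon log lines of the shape quoted in both posts, groups them by IKE_SA number and reports where each handshake stopped: for the iOS attempt the gateway's last action is the fragmented IKE_AUTH response 1 with nothing further received from the peer, while the macOS session goes on through EAP to IKE_SA and CHILD_SA established. It assumes pfSense's default charon line format and uses an abridged, constructed excerpt of the two logs as input.

```python
import re

# Assumed line shape (pfSense's charon log as quoted above): "Mon D HH:MM:SS charon <pid> <thread>[GROUP] <sa-id> message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon \d+ \d+\[\w+\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
EXCH_RE = re.compile(r"^(?P<act>parsed|generating) (?P<exch>IKE_\w+) (?P<dir>request|response) (?P<mid>\d+)")

def summarize(lines):
    # Group charon lines by IKE_SA number and record how far each handshake got.
    sas = {}
    for line in lines:
        if not (m := LINE_RE.match(line.strip())):
            continue  # blank line or not a charon line
        sa = m["sa"].rsplit("|", 1)[-1]  # "<7>" and "<con-mobile|7>" name the same IKE_SA
        s = sas.setdefault(sa, {"steps": [], "last_from_peer": None,
                                "ike_established": False, "child_established": False})
        msg, e = m["msg"], EXCH_RE.match(m["msg"])
        if e:
            step = f"{e['exch']} {e['dir']} {e['mid']}"
            if not s["steps"] or s["steps"][-1] != step:  # EF(1/2), EF(2/2) repeat one step
                s["steps"].append(step)
            if e["act"] == "parsed":
                s["last_from_peer"] = step
        elif msg.startswith("IKE_SA ") and " established " in msg:
            s["ike_established"] = True
        elif msg.startswith("CHILD_SA ") and " established " in msg:
            s["child_established"] = True
    return sas

def verdict(sas):
    # Per IKE_SA: "tunnel up", or the last step the gateway sent before the peer went silent.
    out = {}
    for sa, s in sas.items():
        if s["ike_established"] and s["child_established"]:
            out[sa] = "tunnel up"
        else:
            out[sa] = f"stalled after gateway sent {s['steps'][-1]}; last from peer: {s['last_from_peer']}"
    return out

# Constructed excerpt: abridged lines from both logs in the thread (payload lists shortened).
SAMPLE = """
Nov 4 15:48:28 charon 30754 11[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No ]
Nov 4 15:48:29 charon 30754 11[ENC] <7> parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr ]
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 4 15:48:29 charon 30754 11[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 5 [ AUTH ]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between gw[id]...peer[id]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> CHILD_SA con-mobile{2} established with SPIs cdbc8d8f_i 0e359038_o
""".splitlines()
```

Feed the raw IPsec log export to `verdict(summarize(lines))`; it returns one reading per IKE_SA, e.g. "tunnel up" for SA 11 and the stalled IKE_AUTH response 1 for SA 7.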