Problems with IKEv2 tunnel from RB750Gr3 to VPS

Dear reader,

My goal is to have my RB750Gr3 act as a NAT server for my local network and send internet requests via an IKEv2 tunnel over my VPS, which runs a Strongswan server.
In this way I want to get a public IP for the HEX and the option of forwarding various ports to devices in my local network.
My ISP doesn’t provide a public IP, so that is why.
I want to use IKEv2 instead of OpenVPN so as not to throttle my connection too much.

Here is a graphic of my layout:

I set up the Hex as an IKEv2 client, but while I do get the connection to show under active peers, it won’t show any installed SAs.
The output of the Strongswan server is:

Apr  1 14:12:15 v2202003116426111615 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Apr  1 14:12:15 v2202003116426111615 charon: 07[IKE] 109.40.241.244 is initiating an IKE_SA
Apr  1 14:12:15 v2202003116426111615 charon: 07[IKE] remote host is behind NAT
Apr  1 14:12:15 v2202003116426111615 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr  1 14:12:15 v2202003116426111615 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS) ]
Apr  1 14:12:15 v2202003116426111615 charon: 08[IKE] received end entity cert "CN=VPN root CA"
Apr  1 14:12:15 v2202003116426111615 charon: 08[IKE] EAP-Identity request configured, but not supported
Apr  1 14:12:15 v2202003116426111615 charon: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x91)
Apr  1 14:12:15 v2202003116426111615 charon: 08[IKE] authentication of 'xx.xx.xx.xx' (myself) with RSA signature successful
Apr  1 14:12:15 v2202003116426111615 charon: 08[IKE] sending end entity cert "CN=xx.xx.xx.xx"
Apr  1 14:12:15 v2202003116426111615 charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Apr  1 14:12:16 v2202003116426111615 charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Apr  1 14:12:16 v2202003116426111615 charon: 09[IKE] EAP-MS-CHAPv2 username: 'user'
Apr  1 14:12:16 v2202003116426111615 charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr  1 14:12:16 v2202003116426111615 charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr  1 14:12:16 v2202003116426111615 charon: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Apr  1 14:12:16 v2202003116426111615 charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Apr  1 14:12:16 v2202003116426111615 charon: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Apr  1 14:12:16 v2202003116426111615 charon: 11[IKE] authentication of 'CN=VPN root CA' with EAP successful
Apr  1 14:12:16 v2202003116426111615 charon: 11[IKE] authentication of 'xx.xx.xx.xx' (myself) with EAP
Apr  1 14:12:16 v2202003116426111615 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between xx.xx.xx.xx[xx.xx.xx.xx]...109.40.241.244[CN=VPN root CA]
Apr  1 14:12:16 v2202003116426111615 charon: 11[IKE] peer requested virtual IP %any
Apr  1 14:12:16 v2202003116426111615 charon: 11[IKE] assigning virtual IP 10.10.10.10 to peer 'user'
Apr  1 14:12:16 v2202003116426111615 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c022c28d_i 0997b0ed_o and TS 0.0.0.0/0 === 10.10.10.10/32
Apr  1 14:12:16 v2202003116426111615 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
Apr  1 14:12:16 v2202003116426111615 charon: 13[ENC] parsed INFORMATIONAL request 5 [ N(TS_UNACCEPT) D ]
Apr  1 14:12:16 v2202003116426111615 charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI 0997b0ed
Apr  1 14:12:16 v2202003116426111615 charon: 13[IKE] closing CHILD_SA ikev2-vpn{1} with SPIs c022c28d_i (0 bytes) 0997b0ed_o (0 bytes) and TS 0.0.0.0/0 === 10.10.10.10/32
Apr  1 14:12:16 v2202003116426111615 charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI c022c28d
Apr  1 14:12:16 v2202003116426111615 charon: 13[IKE] CHILD_SA closed
Apr  1 14:12:16 v2202003116426111615 charon: 13[ENC] generating INFORMATIONAL response 5 [ D ]

The router is configured as follows:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec mode-config
add name=netcupVPN responder=no src-address-list=VPN_LAN
/ip ipsec policy group
add name=netcupVPN
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=netcupVPN
/ip ipsec peer
add address=xx.xx.xx.xx/32 exchange-mode=ike2 name=netcupVPN profile=netcupVPN
/ip ipsec proposal
add enc-algorithms=aes-128-cbc,3des name=netcupVPN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=VPN_LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=xx.xx.xx.xx src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate=ca-cert.pem_0 eap-methods=eap-mschapv2 mode-config=netcupVPN \
    password=yolo peer=netcupVPN policy-template-group=netcupVPN username=vr1l
/ip ipsec policy
add dst-address=0.0.0.0/0 group=netcupVPN proposal=netcupVPN src-address=0.0.0.0/0 template=yes

And this is my ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    fragmentation=yes
    forceencaps=yes

    dpdaction=clear
    dpddelay=300s
    rekey=no

    left=%any
    leftid=xx.xx.xx.xx
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.10
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity

So, if you have any idea what I am doing wrong, or even a hint at any resources I should study next, I would be really grateful.
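The charon log above tells the story in two steps: the CHILD_SA comes up with TS 0.0.0.0/0 === 10.10.10.10/32, and the client immediately sends an INFORMATIONAL with N(TS_UNACCEPT) plus a DELETE, so the SA closes having carried 0 bytes in each direction. The following script is an added example, not part of the original post or of strongSwan: it parses charon log lines with a small state machine and flags exactly that pattern (plus the later "no acceptable proposal found" during a rekey, which the thread hits further down). The sample input is constructed from the lines quoted in the thread with the host name shortened; the regexes assume the default charon syslog format shown here.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the charon log quoted in the thread (host name
# shortened). First group: CHILD_SA established and torn down at once. Second group:
# a CREATE_CHILD_SA rekey that the server rejects.
SAMPLE_LOG = """\
Apr  1 14:12:16 vps charon: 11[IKE] IKE_SA ikev2-vpn[1] established between xx.xx.xx.xx[xx.xx.xx.xx]...109.40.241.244[CN=VPN root CA]
Apr  1 14:12:16 vps charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c022c28d_i 0997b0ed_o and TS 0.0.0.0/0 === 10.10.10.10/32
Apr  1 14:12:16 vps charon: 13[ENC] parsed INFORMATIONAL request 5 [ N(TS_UNACCEPT) D ]
Apr  1 14:12:16 vps charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI 0997b0ed
Apr  1 14:12:16 vps charon: 13[IKE] closing CHILD_SA ikev2-vpn{1} with SPIs c022c28d_i (0 bytes) 0997b0ed_o (0 bytes) and TS 0.0.0.0/0 === 10.10.10.10/32
Apr  3 12:58:11 vps charon: 13[ENC] parsed CREATE_CHILD_SA request 25 [ No KE N(REKEY_SA) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS) ]
Apr  3 12:58:11 vps charon: 13[IKE] no acceptable proposal found
Apr  3 12:58:11 vps charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Syslog prefix as charon writes it: "Mon DD HH:MM:SS host charon: NN[SUBSYS] message"
LINE_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<subsys>\w+)\] (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_i>[0-9a-f]+)_i "
    r"(?P<spi_o>[0-9a-f]+)_o and TS (?P<sel>.+)"
)
CLOSING_RE = re.compile(
    r"closing CHILD_SA (?P<name>\S+) with SPIs (?P<spi_i>[0-9a-f]+)_i \((?P<bytes_i>\d+) bytes\) "
    r"(?P<spi_o>[0-9a-f]+)_o \((?P<bytes_o>\d+) bytes\)"
)
INFORMATIONAL_RE = re.compile(r"parsed INFORMATIONAL request \d+ \[ (?P<payloads>.+) \]")
REKEY_RE = re.compile(r"parsed CREATE_CHILD_SA request \d+ \[ .*N\(REKEY_SA\).* \]")
NOTIFY_RE = re.compile(r"N\((\w+)\)")


@dataclass
class Finding:
    kind: str    # short machine-readable label
    when: str    # syslog timestamp of the line that triggered the finding
    detail: str  # human-readable explanation


def analyze(log_text: str) -> list:
    """Walk charon lines in order and return a list of Finding objects."""
    findings = []
    child_sas = {}           # outbound SPI -> (SA name, traffic selectors)
    last_notifies = []       # notify payloads of the most recent INFORMATIONAL request
    rekey_in_flight = False  # a CREATE_CHILD_SA rekey request was parsed, not yet answered
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line; ignore
        when, msg = m["when"], m["msg"]
        if e := ESTABLISHED_RE.search(msg):
            child_sas[e["spi_o"]] = (e["name"], e["sel"])
        elif i := INFORMATIONAL_RE.search(msg):
            last_notifies = NOTIFY_RE.findall(i["payloads"])
        elif c := CLOSING_RE.search(msg):
            name, sel = child_sas.pop(c["spi_o"], (c["name"], "?"))
            total = int(c["bytes_i"]) + int(c["bytes_o"])
            # Peer rejected the traffic selectors and deleted the SA before any ESP flowed:
            # a traffic-selector / policy mismatch on the initiator, not a crypto failure.
            if "TS_UNACCEPT" in last_notifies and total == 0:
                findings.append(Finding(
                    "ts_unaccept_teardown", when,
                    f"{name} with TS {sel} deleted by peer with TS_UNACCEPT before any traffic"))
            last_notifies = []
        elif REKEY_RE.search(msg):
            rekey_in_flight = True
        elif "no acceptable proposal found" in msg and rekey_in_flight:
            findings.append(Finding(
                "rekey_no_proposal", when,
                "CHILD_SA rekey rejected: no ESP proposal common to both peers"))
            rekey_in_flight = False
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.when}  {f.kind:22s} {f.detail}")
```

Run it against a longer `journalctl -u strongswan` dump and the first finding kind points at the policy/template side of the client (what the thread eventually fixed with generate-policy), while the second points at the proposal settings.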

From a really quick look, I don't see a rule in the input chain of your firewall to allow UDP port 500 and/or UDP 4500!!!
Also, where is your IPsec policy?

Hello Zacharias, thank you for the reply.

Do you mean something else by “IPsec Policy” than the last entry in my router config?
Else it would be

/ip ipsec policy
add dst-address=0.0.0.0/0 group=netcupVPN proposal=netcupVPN src-address=0.0.0.0/0 template=yes

Concerning the ports, I didn’t think that would be necessary, since I’m behind provider NAT and therefore am not reachable anyway; the VPN connection does work when established from my macOS box, though.

I will add the rules and report back with the results.


EDIT: Since I didn’t know which would be the relevant chain, I did

/ip firewall filter
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=accept chain=forward port=500 protocol=udp
add action=accept chain=forward port=4500 protocol=udp
add action=accept chain=output port=500 protocol=udp
add action=accept chain=output port=4500 protocol=udp

but so far, nothing has changed.


EDIT2:
It works, finally!
I had to set

generate-policy=port-strict

in the identity and now it works.
Thanks everyone.

You need UDP ports 500 and 4500 in the input chain… Delete them and you will see it won’t work…
Yes, that was the IPsec policy rule, I didn’t see it…

Thank you again. I now have my IKEv2 tunnel up and running and routing my whole LAN over my VPS.
A few questions remain though. For one, I see a lot of this:

Apr  3 12:58:11 vps charon: 13[NET] received packet: from 109.40.240.146[20458] to xx.xx.xx.xx[4500] (540 bytes)
Apr  3 12:58:11 vps charon: 13[ENC] parsed CREATE_CHILD_SA request 25 [ No KE N(REKEY_SA) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS) ]
Apr  3 12:58:11 vps charon: 13[IKE] no acceptable proposal found
Apr  3 12:58:11 vps charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr  3 12:58:11 vps charon: 13[ENC] generating CREATE_CHILD_SA response 25 [ N(NO_PROP) ]
Apr  3 12:58:11 vps charon: 13[NET] sending packet: from xx.xx.xx.xx[4500] to 109.40.240.146[20458] (76 bytes)

in the logs from my Strongswan server and I guess something still isn’t quite right here.

Also, on the VPS I forwarded all ports except UDP 500 and 4500 and SSH to the Hex. How should I go about forwarding them to devices on my LAN from here? Since the IPsec tunnel doesn’t generate its own device, I’m a bit at a loss here.

IPsec proposals are about the encryption algorithms used… so something seems to not be good there…

As for your second question, if I understood right, just use simple dst-nat rules…
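Zacharias' point that proposals are the algorithm sets can be made concrete by intersecting the two configurations quoted in the thread, the way an IKEv2 responder does. The script below is an added example, not code from the original post, from strongSwan or from RouterOS. It parses the server's `esp=aes256-sha256,aes256-sha1,3des-sha1!` line and the client's `/ip ipsec proposal` with `enc-algorithms=aes-128-cbc,3des`; the RouterOS `auth-algorithms=sha1` and `pfs-group=modp1024` are assumed, since the posted proposal does not set them and those are the RouterOS defaults. In IKE_AUTH no KE payload is exchanged, so only cipher and integrity have to agree (here 3des-sha1 does). The later `CREATE_CHILD_SA` request in the log does carry a `KE` payload, meaning the client offered a DH group for the rekey, while the `esp=` line names none; the script shows that with the DH transform included the intersection is empty. That this is the cause of the `no acceptable proposal found` lines is consistent with the log but not confirmed anywhere in the thread.

```python
# Name normalisation RouterOS -> strongSwan keyword. Assumed mapping, limited to the
# algorithms that appear on the page plus a few neighbours; extend as needed.
ROS_TO_SWAN = {
    "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
    "3des": "3des",
    "sha1": "sha1", "sha256": "sha256", "sha512": "sha512",
    "modp1024": "modp1024", "modp2048": "modp2048", "none": None,
}


def parse_strongswan_esp(esp: str) -> set:
    """Parse an ipsec.conf esp= value of the form enc-integ[-dh],... into
    a set of (enc, integ, dh) tuples; dh is None when no group is given.
    The trailing '!' (strict mode) only affects how strongSwan negotiates,
    not which tuples are in the set, so it is stripped."""
    proposals = set()
    for item in esp.rstrip("!").split(","):
        parts = item.strip().split("-")
        if len(parts) < 2:
            raise ValueError(f"unsupported proposal syntax: {item!r}")
        enc, integ = parts[0], parts[1]
        dh = parts[2] if len(parts) > 2 else None
        proposals.add((enc, integ, dh))
    return proposals


def parse_routeros_proposal(enc_algorithms: str,
                            auth_algorithms: str = "sha1",
                            pfs_group: str = "modp1024") -> set:
    """Expand a RouterOS /ip ipsec proposal into the same tuple form.
    RouterOS offers every cipher x integrity combination with one PFS group;
    the defaults here (sha1, modp1024) are assumed, as on the page."""
    encs = [ROS_TO_SWAN[e.strip()] for e in enc_algorithms.split(",")]
    auths = [ROS_TO_SWAN[a.strip()] for a in auth_algorithms.split(",")]
    dh = ROS_TO_SWAN[pfs_group]
    return {(e, a, dh) for e in encs for a in auths}


def common_proposals(server: set, client: set, with_dh: bool) -> set:
    """Intersection as the responder sees it.
    with_dh=False models the initial CHILD_SA inside IKE_AUTH (no KE payload,
    DH transform not negotiated). with_dh=True models a CREATE_CHILD_SA rekey
    carrying a KE payload, where the DH transform must match as well."""
    if not with_dh:
        server = {(e, i) for e, i, _ in server}
        client = {(e, i) for e, i, _ in client}
    return server & client


def explain(server: set, client: set) -> list:
    """Return one line per negotiation phase describing the outcome."""
    out = []
    for phase, with_dh in (("IKE_AUTH (initial CHILD_SA)", False),
                           ("CREATE_CHILD_SA rekey with KE", True)):
        common = common_proposals(server, client, with_dh)
        verdict = ", ".join("-".join(str(t) for t in p) for p in sorted(common, key=str)) \
            if common else "NO_PROPOSAL_CHOSEN"
        out.append(f"{phase}: {verdict}")
    return out


if __name__ == "__main__":
    # Values from the thread: server esp= line, client enc-algorithms, assumed defaults.
    server = parse_strongswan_esp("aes256-sha256,aes256-sha1,3des-sha1!")
    client = parse_routeros_proposal("aes-128-cbc,3des")
    for line in explain(server, client):
        print(line)
    # A client proposal with no PFS and a cipher the server lists would match in both phases.
    fixed = parse_routeros_proposal("aes-256-cbc", "sha256", "none")
    for line in explain(server, fixed):
        print("after change:", line)
```

The same intersection logic applies to the `ike=` line against `/ip ipsec profile` (enc-algorithm, hash-algorithm, dh-group), only there the DH group is always part of the match.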

Well, lately the error isn’t coming up in the logs anymore, so maybe I don’t need to worry too much.
Also, simple dstnat rules work well, so that’s that.

Thank you again for all your help.

Great, you can mark the post as solved…