CHR (6.45.1) + IKEv2 + iOS VPN client

Posted by tromjer on Tue Jul 16, 2019 3:07 pm

Well, this is my first attempt to make things work, so I would be very thankful if you pointed out my mistakes, and for any helpful suggestions.
I'm pretty sure I'm missing something, so please point it out.

With the current configuration I'm able to establish an IKEv2 connection between CHR (6.45.1) and the iOS built-in VPN client only if connected via Wi-Fi behind NAT.
The first exit point is behind a MT hEX with a public static IP, to which I have full access; the second point is a hardware firewall with a public static IP, but with limited access.
The third exit point is a cellular connection, and with it I'm not even able to establish a connection.
cellular-active_peer.jpg
Also I have to mention that the NordVPN IKEv2 connection on that particular iOS device works like a charm under all these conditions.


Below are some details on the CHR side when I'm connected from behind the hEX:
hex-active_peer.jpg

/ip ipsec active-peers print detail 
Flags: R - responder, N - natt-peer 
 0 R  id="vpn.client" local-address=my.public.ip.1 remote-address=my.public.ip.2 state=established side=responder 
      dynamic-address=192.168.2.254 uptime=4m18s last-seen=4m17s ph2-total=1

/ip ipsec installed-sa print detail
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0x29890BB src-address=my.public.ip.2 dst-address=my.public.ip.1 state=mature auth-algorithm=sha1 enc-algorithm=3des 
      enc-key-size=192 auth-key="81da091eb68901435009186377886e07f4f8828c" 
      enc-key="eb9801b9c643f4de3a1600050ab42c6f37c153a5553d08b8" addtime=jul/15/2019 22:26:47 expires-in=25m2s 
      add-lifetime=24m16s/30m21s current-bytes=374712 current-packets=2242 replay=128 

 1  E spi=0xAC8DFE7 src-address=my.public.ip.1 dst-address=my.public.ip.2 state=mature auth-algorithm=sha1 enc-algorithm=3des 
      enc-key-size=192 auth-key="c59a10d00fd21c42aab8cf152c82d753c996a6bb" 
      enc-key="78ab70ef83dd38168362254430bd01ad1f17a995b142a351" addtime=jul/15/2019 22:26:47 expires-in=25m2s 
      add-lifetime=24m16s/30m21s current-bytes=1599709 current-packets=2052 replay=128

/ip ipsec identity print detail 
Flags: D - dynamic, X - disabled 
 0    peer=vpn auth-method=digital-signature mode-config=cfg1 my-id=fqdn:vpn.server remote-id=fqdn:vpn.client 
      certificate=vpn.server remote-certificate=vpn.client generate-policy=port-strict

/ip ipsec proposal print detail 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 

 1    name="ios-ikev2-proposal" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=none

/ip firewall connection print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=tcp src-address=my.public.ip.3:7554 dst-address=my.public.ip.1:8291 reply-src-address=my.public.ip.1:8291 
            reply-dst-address=my.public.ip.3:7554 tcp-state=established timeout=23h59m59s orig-packets=157 082 
            orig-bytes=10 434 203 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=101 458 
            repl-bytes=212 834 307 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=1760bps repl-rate=10.7kbps 

 1  SAC     protocol=tcp src-address=my.public.ip.2:51087 dst-address=my.public.ip.1:8291 reply-src-address=my.public.ip.1:8291 
            reply-dst-address=my.public.ip.2:51087 tcp-state=established timeout=23h59m59s orig-packets=24 187 
            orig-bytes=1 751 073 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=21 327 repl-bytes=19 217 663 
            repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=2.5kbps repl-rate=15.8kbps 

 2  S C     protocol=ipsec-esp src-address=my.public.ip.2 dst-address=my.public.ip.1 reply-src-address=my.public.ip.1 
            reply-dst-address=my.public.ip.2 timeout=9m58s orig-packets=47 549 orig-bytes=40 032 544 orig-fasttrack-packets=0 
            orig-fasttrack-bytes=0 repl-packets=81 864 repl-bytes=94 727 592 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=136.5kbps repl-rate=1399.1kbps 

 3  SAC  s  protocol=tcp src-address=192.168.2.254:51978 dst-address=17.252.92.68:5223 reply-src-address=17.252.92.68:5223 
            reply-dst-address=my.public.ip.1:51978 tcp-state=established timeout=23h55m8s orig-packets=22 orig-bytes=8 977 
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=12 repl-bytes=4 425 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

 4  SAC  s  protocol=tcp src-address=192.168.2.254:63981 dst-address=172.217.17.138:443 reply-src-address=172.217.17.138:443 
            reply-dst-address=my.public.ip.1:63981 tcp-state=established timeout=23h59m59s orig-packets=24 orig-bytes=2 772 
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=19 repl-bytes=7 635 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=17.7kbps repl-rate=36.7kbps 

 5  SAC  s  protocol=tcp src-address=192.168.2.254:63982 dst-address=172.217.17.150:443 reply-src-address=172.217.17.150:443 
            reply-dst-address=my.public.ip.1:63982 tcp-state=established timeout=23h59m59s orig-packets=95 orig-bytes=7 067 
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=56 repl-bytes=114 317 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=34.4kbps repl-rate=462.6kbps 

 6  SAC  s  protocol=tcp src-address=192.168.2.254:63983 dst-address=159.148.147.205:443 reply-src-address=159.148.147.205:443 
            reply-dst-address=my.public.ip.1:63983 tcp-state=established timeout=23h59m59s orig-packets=137 
            orig-bytes=12 303 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=151 repl-bytes=221 319 
            repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=43.3kbps repl-rate=496.3kbps 

 7  SAC  s  protocol=tcp src-address=192.168.2.254:63985 dst-address=159.148.147.205:443 reply-src-address=159.148.147.205:443 
            reply-dst-address=my.public.ip.1:63985 tcp-state=established timeout=23h59m59s orig-packets=91 orig-bytes=8 265 
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=99 repl-bytes=153 702 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

 8  SAC  s  protocol=tcp src-address=192.168.2.254:63984 dst-address=159.148.147.205:443 reply-src-address=159.148.147.205:443 
            reply-dst-address=my.public.ip.1:63984 tcp-state=established timeout=23h59m59s orig-packets=124 orig-bytes=9 876 
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=139 repl-bytes=205 730 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

 9  SAC  s  protocol=tcp src-address=192.168.2.254:63986 dst-address=159.148.147.205:443 reply-src-address=159.148.147.205:443 
            reply-dst-address=my.public.ip.1:63986 tcp-state=established timeout=23h59m59s orig-packets=37 orig-bytes=5 474 
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=25 repl-bytes=45 942 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
And these are some details on the CHR side when I'm connected from behind the hardware firewall:
dfl-active_peer.jpg

/ip ipsec active-peers print detail
Flags: R - responder, N - natt-peer 
 0 R  id="vpn.client" local-address=my.public.ip.1 remote-address=my.public.ip.3 port=33670 state=established side=responder dynamic-address=192.168.2.255 uptime=57s last-seen=57s ph2-total=1 

/ip ipsec installed-sa print detail
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0x65C5E06 src-address=my.public.ip.3 dst-address=my.public.ip.1 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 auth-key="31a79dc1bca0730aedc3da16136660c3085520a5" 
      enc-key="875b1fd2fe4ec699a2ab32196b3981a7c6378d7961983092" add-lifetime=24m/30m replay=128 

 1  E spi=0xA37BF18 src-address=my.public.ip.1 dst-address=my.public.ip.3 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 auth-key="2ea376f295e3b5e89eeae7c643a10290af0a0fe5" 
      enc-key="00989b89bdf251dbad93851f9a93e58de841ef72a7d5da50" add-lifetime=24m/30m replay=128

/ip ipsec identity print detail
Flags: D - dynamic, X - disabled 
 0    peer=vpn auth-method=digital-signature mode-config=cfg1 my-id=fqdn:vpn.server remote-id=fqdn:vpn.client certificate=vpn.server remote-certificate=vpn.client generate-policy=port-strict

/ip ipsec proposal print detail
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 

 1    name="ios-ikev2-proposal" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=none

/ip firewall connection print detail 
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=tcp src-address=my.public.ip.2:51087 dst-address=my.public.ip.1:8291 reply-src-address=my.public.ip.1:8291 reply-dst-address=my.public.ip.2:51087 tcp-state=established 
            timeout=23h59m59s orig-packets=140 146 orig-bytes=9 759 081 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=112 127 repl-bytes=74 998 603 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=3.2kbps repl-rate=26.9kbps 

 1  SAC     protocol=tcp src-address=my.public.ip.3:31137 dst-address=my.public.ip.1:8291 reply-src-address=my.public.ip.1:8291 reply-dst-address=my.public.ip.3:31137 tcp-state=established 
            timeout=23h59m59s orig-packets=1 420 orig-bytes=117 047 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=1 297 repl-bytes=732 885 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=4.3kbps repl-rate=14.7kbps 

 2  SAC     protocol=udp src-address=my.public.ip.3:33670 dst-address=my.public.ip.1:500 reply-src-address=my.public.ip.1:500 reply-dst-address=my.public.ip.3:33670 timeout=2m37s orig-packets=4 
            orig-bytes=2 880 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=4 repl-bytes=1 895 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
Current config:
/ip ipsec profile
add dh-group=modp1024 dpd-interval=1h enc-algorithm=3des name=vpn nat-traversal=no

/ip ipsec peer
add exchange-mode=ike2 name=vpn passive=yes profile=vpn send-initial-contact=no

/ip ipsec proposal
add enc-algorithms=3des name=ios-ikev2-proposal pfs-group=none

/ip pool
add name=vpn ranges=192.168.2.0/24

/ip ipsec mode-config
add address-pool=vpn name=cfg1

/ip address
add address=my.public.ip.1/24 interface=ether1 network=my.public.ip.net

/ip dns
set servers=1.1.1.1,8.8.8.8

/ip firewall address-list
add address=my.public.ip.3 list="Allowed"
add address=my.public.ip.2 list="Allowed"

/ip neighbor discovery-settings
set discover-interface-list=none

/ip firewall filter
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=12w6d chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="test ipsec" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="test ipsec" connection-state=established,related,new dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="test ipsec" connection-state=established,related,new dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=forward connection-state=established,related protocol=udp
add action=accept chain=forward connection-state=established,related protocol=udp
add action=accept chain=output connection-state=established,related protocol=ipsec-esp
add action=accept chain=output connection-state=established,related protocol=udp
add action=accept chain=input comment="Allow Winbox" connection-state=established,new dst-port=8291 protocol=tcp src-address-list="Allowed"
add action=accept chain=input comment="Allow SSH" connection-state=established,new dst-port=22 protocol=tcp src-address-list="Allowed"
add action=drop chain=input comment="Drop WAN ping reply" icmp-options=8:0-255 in-interface=ether1 protocol=icmp
add action=drop chain=forward comment="Drop WAN ping reply" disabled=yes icmp-options=8:0-255 in-interface=ether1 protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=output comment=test connection-state=invalid
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"

/ip firewall nat
add action=masquerade chain=srcnat

/ip ipsec identity
add auth-method=digital-signature certificate=vpn.server generate-policy=port-strict mode-config=cfg1 my-id=fqdn:vpn.server peer=vpn remote-certificate=vpn.client remote-id=fqdn:vpn.client

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 proposal=ios-ikev2-proposal src-address=0.0.0.0/0

/ip ipsec settings
set accounting=no

/ip route
add distance=1 gateway=my.public.ip.1-gateway
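As an added example (not code from the original post or from MikroTik), the Python script below parses the `print detail` and export text pasted above, flags the weak choices in it (3DES, SHA1, modp1024, PFS off, NAT-T off) and redacts the ESP session keys, because a pasted `installed-sa` listing contains the live keys of the SAs that were up at the time. The weak-algorithm sets and the hardened profile/proposal at the end are this example's own assumptions, not RouterOS defaults; check the hardened values against what the iOS client actually negotiates before deploying them.

```python
"""Audit pasted RouterOS IPsec output for weak settings and leaked key material.

Added example, not code from the original post or from MikroTik. SAMPLE_SA and
SAMPLE_EXPORT are copied from the post above (placeholders kept); WEAK_* and
HARDENED_EXPORT are this example's own assumptions.
"""
import re

RECORD_START = re.compile(r"^\s*\d+\s")            # "<index> <flags> key=value ..." line
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')          # key=value; quoted values may hold spaces
SECRET_KEYS = ("auth-key", "enc-key")
WEAK_ENC = {"des", "3des", "blowfish", "null"}       # assumed policy, not a RouterOS default
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}

SAMPLE_SA = """\
/ip ipsec installed-sa print detail
Flags: H - hw-aead, A - AH, E - ESP
 0  E spi=0x29890BB src-address=my.public.ip.2 dst-address=my.public.ip.1 state=mature auth-algorithm=sha1 enc-algorithm=3des
      enc-key-size=192 auth-key="81da091eb68901435009186377886e07f4f8828c"
      enc-key="eb9801b9c643f4de3a1600050ab42c6f37c153a5553d08b8" addtime=jul/15/2019 22:26:47 expires-in=25m2s

 1  E spi=0xAC8DFE7 src-address=my.public.ip.1 dst-address=my.public.ip.2 state=mature auth-algorithm=sha1 enc-algorithm=3des
      enc-key-size=192 auth-key="c59a10d00fd21c42aab8cf152c82d753c996a6bb"
      enc-key="78ab70ef83dd38168362254430bd01ad1f17a995b142a351" add-lifetime=24m16s/30m21s replay=128
"""
SAMPLE_EXPORT = """\
/ip ipsec profile
add dh-group=modp1024 dpd-interval=1h enc-algorithm=3des name=vpn nat-traversal=no
/ip ipsec proposal
add enc-algorithms=3des name=ios-ikev2-proposal pfs-group=none
"""
HARDENED_EXPORT = """\
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn nat-traversal=yes
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=ios-ikev2-proposal pfs-group=ecp256
"""

def parse_print_detail(text):
    """Turn `print detail` output into one {key: value} dict per numbered record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Flags:", "/")):
            continue
        if RECORD_START.match(line):          # new record; later lines are continuations
            current = {}
            records.append(current)
        if current is not None:
            for key, value in KV.findall(line):
                current[key] = value.strip('"')
    return records

def parse_export(text):
    """Turn `/ip ipsec ...` export text into (section, {key: value}) rows per add/set line."""
    rows, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section and line.startswith(("add ", "set ")):
            rows.append((section, {k: v.strip('"') for k, v in KV.findall(line)}))
    return rows

def redact_keys(text):
    """Blank out SA key material so the listing can be shared; everything else is kept."""
    return re.sub(r'\b(auth-key|enc-key)="[0-9a-fA-F]+"', r'\1="<redacted>"', text)

def audit_sa(records):
    findings = []
    for r in records:
        spi = r.get("spi", "?")
        if r.get("enc-algorithm") in WEAK_ENC:
            findings.append(f"SA {spi}: weak ESP cipher {r['enc-algorithm']}")
        if r.get("auth-algorithm") in WEAK_AUTH:
            findings.append(f"SA {spi}: weak ESP integrity {r['auth-algorithm']}")
        if any(k in r for k in SECRET_KEYS):
            findings.append(f"SA {spi}: live session keys in pasted output; treat as compromised")
    return findings

def audit_export(rows):
    findings = []
    for section, kv in rows:
        name = kv.get("name", "?")
        if section == "/ip ipsec profile":
            if kv.get("dh-group") in WEAK_DH:
                findings.append(f"profile {name}: weak IKE DH group {kv['dh-group']}")
            if kv.get("enc-algorithm") in WEAK_ENC:
                findings.append(f"profile {name}: weak IKE cipher {kv['enc-algorithm']}")
            if kv.get("nat-traversal") == "no":
                findings.append(f"profile {name}: NAT-T disabled; peers behind NAT must pass raw ESP, no UDP/4500 fallback")
        elif section == "/ip ipsec proposal":
            weak = WEAK_ENC & set(kv.get("enc-algorithms", "").split(","))
            if weak:
                findings.append(f"proposal {name}: weak ESP cipher(s) {','.join(sorted(weak))}")
            if kv.get("pfs-group") == "none":
                findings.append(f"proposal {name}: PFS off; child SA keys derive from IKE SA material alone")
    return findings

if __name__ == "__main__":
    for finding in audit_sa(parse_print_detail(SAMPLE_SA)) + audit_export(parse_export(SAMPLE_EXPORT)):
        print(finding)
    print("hardened findings:", audit_export(parse_export(HARDENED_EXPORT)))
    print(redact_keys(SAMPLE_SA))
```

Run it as-is to see the findings for the posted configuration; paste your own `/ip ipsec installed-sa print detail` output in place of `SAMPLE_SA` to get a redacted copy that is safe to post.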
