Issue #3309

IKEv2 route-based VPN - cannot ping between hosts

Added by M V 8 months ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.7.2
Resolution:

Description

Hi,

I'm trying to replace OpenVPN (because MikroTik supports OpenVPN in TCP mode only).

I don't want to use PPTP. I have a working L2TP/IPsec server running on strongSwan and xl2tpd. Everything works well. However, I would still like to use the more modern IKEv2.

Furthermore, since the internal networks behind the computers do not have public IP addresses, I use iptables DNAT on the VPN server to access the end computers from the internet.

For testing, now I'm using one MikroTik and one Windows 10 PC.

Here are my configs:

# /etc/strongswan.d/charon.conf :
  #...
  install_routes = no
  load_modular = yes
  dns1 = 8.8.8.8
  dns2 = 8.8.4.4
# /etc/ipsec.conf
config setup
  charondebug="ike 2, knl 2, cfg 2" 
  uniqueids=no

conn %default
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

  left=%any
  leftsubnet=10.100.100.0/24
  leftcert=server-cert.pem
  leftid="CN=vpn.do.example.cz" 
  leftauth=pubkey
  rightsubnet=10.100.100.0/24
  rightauth=eap-mschapv2
  rightsendcert=never
  keyexchange=ikev2
  auto=route

conn win10
  rightsourceip=10.100.100.110
  right=%any
  eap_identity=win10
  mark=110

conn mikrotik
  rightsourceip=10.100.100.120
  right=%any
  eap_identity=mikrotik
  mark=120

#conn clientN...
  #...
# /etc/ipsec.secrets 
: RSA "server-key.pem" 
"win10"    : EAP "win10" 
"mikrotik" : EAP "mikrotik" 

I run these commands on the VPN server:

ip tunnel add vti110 local 10.100.100.1 remote 10.100.100.110 mode vti key 110
ip tunnel add vti120 local 10.100.100.1 remote 10.100.100.120 mode vti key 120
ip link set up dev vti110
ip link set up dev vti120
echo 1 > /proc/sys/net/ipv4/conf/vti110/disable_policy
echo 1 > /proc/sys/net/ipv4/conf/vti120/disable_policy
ip route add 10.100.100.110 dev vti110
ip route add 10.100.100.120 dev vti120
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

I cannot use XFRM interfaces due to the old strongSwan version (Debian 10, kernel 4.19, strongSwan 5.7.2).

Both clients (MikroTik and Windows 10) connect without any error.
But it is not possible to ping any device from anywhere (VPN server to win10/mikrotik, win10 to VPN server, ...).

Status of my network on the VPN server:

root@vpn:~# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 9e:d9:c1:e7:9d:b2 brd ff:ff:ff:ff:ff:ff
    inet 141.92.164.238/20 brd 142.93.175.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.5/16 brd 10.19.255.255 scope global eth0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::9cd9:c1ff:fee7:9db2/64 scope link 
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
4: vti110@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 10.100.100.1 peer 10.100.100.110
    inet6 fe80::5efe:a64:6401/64 scope link 
       valid_lft forever preferred_lft forever
5: vti120@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 10.100.100.1 peer 10.100.100.120
    inet6 fe80::5efe:a64:6401/64 scope link 
       valid_lft forever preferred_lft forever

root@vpn:~# ip r
default via 142.93.160.1 dev eth0 onlink 
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 
10.100.100.110 dev vti110 scope link 
10.100.100.120 dev vti120 scope link 
142.93.160.0/20 dev eth0 proto kernel scope link src 141.92.164.238 

root@vpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-cloud-amd64, x86_64):
  uptime: 7 minutes, since Jan 12 17:37:00 2020
  malloc: sbrk 1757184, mmap 0, used 949472, free 807712
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
  10.100.100.110: 1/1/0
  10.100.100.120: 1/1/0
Listening IP addresses:
  141.92.164.238
  10.19.0.5
Connections:
       win10:  %any...%any  IKEv2
       win10:   local:  [CN=vpn.do.example.cz] uses public key authentication
       win10:    cert:  "CN=vpn.do.example.cz" 
       win10:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 'win10'
       win10:   child:  10.100.100.0/24 === 10.100.100.0/24 TUNNEL
    mikrotik:  %any...%any  IKEv2
    mikrotik:   local:  [CN=vpn.do.example.cz] uses public key authentication
    mikrotik:    cert:  "CN=vpn.do.example.cz" 
    mikrotik:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 'mikrotik'
    mikrotik:   child:  10.100.100.0/24 === 10.100.100.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
       win10[3]: ESTABLISHED 7 minutes ago, 141.92.164.238[CN=vpn.do.example.cz]...67.68.89.199[10.0.4.15]
       win10[3]: Remote EAP identity: win10
       win10[3]: IKEv2 SPIs: 0689cf82afea94e0_i 3fdb4b685a89ef8f_r*, public key reauthentication in 2 hours
       win10[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    mikrotik[2]: ESTABLISHED 7 minutes ago, 141.92.164.238[CN=vpn.do.example.cz]...96.50.287.273[172.16.14.13]
    mikrotik[2]: Remote EAP identity: mikrotik
    mikrotik[2]: IKEv2 SPIs: 467f43b080d173df_i 2666c13112c1784c_r*, public key reauthentication in 2 hours
    mikrotik[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    mikrotik{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c66d4d76_i 0e4e3ee0_o
    mikrotik{1}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 36 minutes
    mikrotik{1}:   10.100.100.0/24 === 10.100.100.0/24

On MikroTik I'm using these commands:

/certificate import file-name=server-cert.pem
/ip ipsec profile add name=MyIKEv2VPN dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal add name=MyIKEv2VPN auth-algorithms=sha256,sha512 enc-algorithms=aes-128-gcm pfs-group=modp2048
/ip ipsec policy group add name=MyIKEv2VPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=MyIKEv2VPN proposal=MyIKEv2VPN src-address=0.0.0.0/0 template=yes level=unique
/ip ipsec mode-config add name=MyIKEv2VPN responder=no
/ip ipsec peer add address=vpn.do.example.cz exchange-mode=ike2 name=MyIKEv2VPN profile=MyIKEv2VPN
/ip ipsec identity add auth-method=eap remote-certificate=server-cert.pem_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=MyIKEv2VPN peer=MyIKEv2VPN policy-template-group=MyIKEv2VPN username=mikrotik password=mikrotik

After connecting I have the dynamic IP 10.100.100.120/24 and a dynamic route 10.100.100.0/24 via 10.100.100.120. It looks good.

On Windows 10 I'm using the built-in IKEv2 client.
After connecting I have IP 10.100.100.100/110/32 and these routes:
- 10.0.0.0/8 via 10.100.100.100.110
- 10.100.100.110/32 via 10.100.100.100.110
I do not understand why these routes are different (bad) on Windows.

What am I doing wrong?

I used the following howtos:
- https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
- https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

Thanks for the help,
Martin

History

#1 Updated by Tobias Brunner 8 months ago

  • Category set to configuration
  • Status changed from New to Feedback

You don't want to configure rightsubnet if you assign virtual IP addresses (see VirtualIP for details).
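A small lint for the misconfiguration named in this reply, added here as an example (it is not code from the issue or from strongSwan): it parses the conn sections of an ipsec.conf, applies the inheritance from `conn %default`, and reports every conn that assigns a virtual IP with rightsourceip while still carrying a fixed rightsubnet, which is exactly how the reporter's `%default` block leaks `rightsubnet=10.100.100.0/24` into both `win10` and `mikrotik`. The embedded sample config is a constructed, abridged copy of the reporter's layout.

```python
"""Lint an ipsec.conf for the virtual-IP / rightsubnet conflict.

Added example (not from the issue or strongSwan): parses the conn sections,
applies 'conn %default' inheritance, and flags conns that assign a virtual IP
(rightsourceip) while also pinning rightsubnet, as the reply points out.
"""
import re

# Constructed sample that mirrors the reporter's layout (abridged).
BROKEN_CONF = """\
conn %default
  leftsubnet=10.100.100.0/24
  rightsubnet=10.100.100.0/24

conn win10
  rightsourceip=10.100.100.110
  mark=110

conn mikrotik
  rightsourceip=10.100.100.120
  mark=120
"""
# Same config with rightsubnet dropped, as the reply recommends.
FIXED_CONF = BROKEN_CONF.replace("  rightsubnet=10.100.100.0/24\n", "")

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        head = re.match(r"^(conn|config|ca)\s+(\S+)\s*$", line)
        if head:
            current = (head.group(1), head.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                              # ignore stray lines
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key] = value.strip('"')
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts}
            for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def find_virtual_ip_conflicts(text):
    """Names of conns that set rightsourceip and still pin rightsubnet."""
    return sorted(name for name, opts in parse_conns(text).items()
                  if "rightsourceip" in opts and "rightsubnet" in opts)
```

Run `find_virtual_ip_conflicts(BROKEN_CONF)` to see both conns reported; after removing `rightsubnet` from `%default` (FIXED_CONF) the list is empty, and each peer's traffic selector falls back to its assigned virtual IP.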
