I have a few remote workers with Windows 10 and would like to move them to
IKEv2 VPN.

On my gateway (OpenBSD 5.7) the iked.conf file is:
ikev2 "IKEv2 DIAL-IN" passive esp \
        from 192.168.10.0/24 to 192.168.40.0/24 \
        local 1.2.3.4 peer 0.0.0.0/0 \
        srcid 1.2.3.4 \
        config access-server 192.168.10.10 \
        config name-server 192.168.10.21 \
        config address 192.168.40.0/24

My remote client is configured like this:
VPN Type: IKEv2
Data encryption: Optional
Authentication: Use machine Certificates (no EAP)

My PF rules contain the following lines which are definitely not overruled by
any rules further down the line:
set skip on {lo,enc0}
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto {ah,esp}

When the client attempts connection, the SA is configured and Windows reports
the connection as established. It also acquires an IP address and the DNS
server as specified in the iked.conf file:

PPP adapter EDGE:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : EDGE
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.40.87(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.21
   NetBIOS over Tcpip. . . . . . . . : Enabled

My gateway also reports the connection as established and the SA is shown by
ipsecctl -sa:
FLOWS:
flow esp in from 192.168.40.87 to 192.168.10.0/24 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
flow esp out from 192.168.10.0/24 to 192.168.40.87 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x7a8197f6 auth hmac-sha1 enc aes-256
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x926fb219 auth hmac-sha1 enc aes-256

Output from iked -dvvv:
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xe7ce691f
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.40.34 end 192.168.40.34
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.10.0 end 192.168.10.255
ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:15573 msgid 1, 1452 bytes, NAT-T
pfkey_sa_add: update spi 0xe7ce691f
pfkey_sa: udpencap port 15573
ikev2_childsa_enable: loaded CHILD SA spi 0xe7ce691f
pfkey_sa_add: add spi 0xabf256a4
pfkey_sa: udpencap port 15573
ikev2_childsa_enable: loaded CHILD SA spi 0xabf256a4
ikev2_childsa_enable: loaded flow 0x1166a0b99800
ikev2_childsa_enable: loaded flow 0x1166a0b99400
sa_state: VALID -> ESTABLISHED from 5.6.7.8:15573 to 1.2.3.4:4500 policy 'IKEv2 DIAL-IN'


The problem is, from the remote worker, I cannot connect to any resources on
the remote network. Pinging the remote gateway's internal IP address or the
DNS server produces no replies.

Equally, the gateway cannot ping the remote worker's IP address.

tcpdump on the enc0 and pflog0 interfaces produces no results at all when
creating traffic between the two.

What am I missing?



Kind regards,

Roberto Katalinic
07460663373

kliker IT
www.kliker.it
08455442033

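As an added example (not code from the post, from OpenBSD, or from iked), the following Python script cross-checks the three pieces of evidence quoted in the message: the `config address` pool in iked.conf, the FLOWS section of `ipsecctl -sa`, and the TSi/TSr traffic selectors negotiated in IKE_AUTH as printed by `iked -dvvv`. The selectors a responder accepts in IKE_AUTH are what become the kernel flows, so the client address in TSi should turn up as the source of the inbound `use` flow, TSr as its destination, and the client address should lie inside the pool. The sample inputs are excerpts copied from the post; the two captures there may well be from different sessions, so a reported mismatch is a reason to recapture both at the same moment rather than a conclusion. The regular expressions and the `cross_check` logic are this example's own assumptions about the output format, not an iked or ipsecctl API; `IPv4Network.subnet_of` needs Python 3.7 or later.

```python
"""Cross-check iked(8) negotiated traffic selectors against the flows that
ipsecctl -sa reports and the address pool configured in iked.conf."""
import ipaddress
import re

# Sample inputs: excerpts copied from the mailing-list post (constructed
# test data for this example; the captures need not describe one session).
IKED_CONF = """\
ikev2 "IKEv2 DIAL-IN" passive esp \\
        from 192.168.10.0/24 to 192.168.40.0/24 \\
        local 1.2.3.4 peer 0.0.0.0/0 \\
        srcid 1.2.3.4 \\
        config access-server 192.168.10.10 \\
        config name-server 192.168.10.21 \\
        config address 192.168.40.0/24
"""

IPSECCTL_SA = """\
FLOWS:
flow esp in from 192.168.40.87 to 192.168.10.0/24 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
flow esp out from 192.168.10.0/24 to 192.168.40.87 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x7a8197f6 auth hmac-sha1 enc aes-256
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x926fb219 auth hmac-sha1 enc aes-256
"""

IKED_LOG = """\
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.40.34 end 192.168.40.34
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.10.0 end 192.168.10.255
"""

# Line formats assumed from the output quoted in the post (not a stable API).
FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?.*? type (?P<type>\w+)$")
TS_HDR_RE = re.compile(r"decrypted payload (TSi|TSr) ")
TS_RANGE_RE = re.compile(r"ikev2_pld_ts: start (\S+) end (\S+)")


def to_network(text):
    """Accept a bare host ('192.168.40.87') or a prefix ('192.168.10.0/24')."""
    return ipaddress.ip_network(text, strict=False)


def parse_flows(sa_text):
    """Return the FLOWS entries of ipsecctl -sa as dicts."""
    flows = []
    for line in sa_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"dir": m["dir"], "src": to_network(m["src"]),
                          "dst": to_network(m["dst"]), "peer": m["peer"],
                          "type": m["type"]})
    return flows


def parse_traffic_selectors(log_text):
    """Return (kind, first_address, last_address) for each TSi/TSr range."""
    selectors, kind = [], None
    for line in log_text.splitlines():
        hdr = TS_HDR_RE.search(line)
        if hdr:
            kind = hdr.group(1)      # ranges that follow belong to this payload
            continue
        rng = TS_RANGE_RE.search(line)
        if rng and kind:
            selectors.append((kind, ipaddress.ip_address(rng.group(1)),
                              ipaddress.ip_address(rng.group(2))))
    return selectors


def parse_address_pool(conf):
    """Return the 'config address' pool handed out to dial-in clients."""
    m = re.search(r"config address (\S+)", conf)
    return to_network(m.group(1)) if m else None


def cross_check(conf, sa_text, log_text):
    """Return human-readable findings; an empty list means everything lines up."""
    pool = parse_address_pool(conf)
    inbound = [f for f in parse_flows(sa_text)
               if f["dir"] == "in" and f["type"] == "use"]
    findings = []
    if not inbound:
        findings.append("no inbound 'use' flow is installed")
    for f in inbound:
        # The client's tunnel address must come from the configured pool.
        if pool and f["src"].version == pool.version and not f["src"].subnet_of(pool):
            findings.append(f"inbound flow source {f['src']} is outside pool {pool}")
    for kind, first, last in parse_traffic_selectors(log_text):
        # TSi is the initiator's (client's) side and should be the inbound
        # flow's source; TSr is the responder's side, the flow's destination.
        side = "src" if kind == "TSi" else "dst"
        if not any(first in f[side] and last in f[side] for f in inbound):
            findings.append(f"{kind} {first}-{last} from IKE_AUTH is not covered "
                            f"by any inbound flow ({side} side)")
    return findings


if __name__ == "__main__":
    for line in cross_check(IKED_CONF, IPSECCTL_SA, IKED_LOG) or ["pool, flows and selectors agree"]:
        print(line)
```

On the post's own excerpts the script reports only that the TSi address in the log (192.168.40.34) is not the source of the installed flow (192.168.40.87), which is exactly the kind of discrepancy that is easy to miss when the two outputs are read separately; on a live gateway the inputs would come from `cat /etc/iked.conf`, `ipsecctl -sa` and the iked debug log captured during one connection attempt.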
