Hello,

Thank you all for your time and your help in this matter!

I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. I have moved the VPN server and clients out of A.B.C.0/23. They can now connect fine using the CA. Clients from A.B.C.0/23 still can NOT connect to the VPN server. The site-to-site VPN is doing its job.
The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.

I need to make the road_warriors:
- reach GW88_LAN_machines 192.168.2.254/24
- reach GW119_LAN_machines 172.16.X.X via GW88
- if it is possible, use their own gateway for the rest of the traffic, with "use default gateway on remote network" unticked

I was playing around with iked.conf and pf.conf but I did not find a way to make it work. I will be grateful if anyone could help me with that.

My network diagram and configs of GW88:

GW88$ cat /etc/hostname.enc0
inet 10.0.1.254 255.255.255.0

GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.0/24
#
#
remote_gw_GW119 = "1.2.3.119"
# fw_GW119
remote_lan_GW119_1 = "172.16.1.0/24"
remote_lan_GW119_2 = "172.16.2.0/24"
local_gw_GW88_2 = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
        psk "pkspass"
ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
        psk "pskpass"

GW88$ cat /etc/pf.conf
set skip on {lo, enc}

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress

block log all

pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

table <bruteforce> persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
        set prio (6, 7) keep state \
        (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

              +------------+
              |road_warrior|  10.0.1.0/24 (config address pool)
              +------+-----+
                     | ikev2
                     v
   4.5.6.88                                    1.2.3.119
  +---------+                                 +----------+
  |  GW88   | <----- site-to-site VPN ------> |  GW119   |
  +--+------+                                 +--------+-+
     |                                                 |
     +---- 192.168.1.254/24                            +---- 172.16.1.254/24
     |                                                 |
     +---- 192.168.2.254/24 ---- 192.168.2.1           +---- 172.16.2.254/24
     |
     +---- 192.168.3.254/24

Thanks!

On Thu, 8 Nov 2018 14:04:23 +0100
Radek <alee...@gmail.com> wrote:

> I've been playing around with netcat.
> I noticed that the netcat process on my VPN_server does not show any "X" on
> stdout for ports 4500 and 1701.
>
> May it be relevant to my VPN issue?
>
> VPN_serv is A.B.C.77/23 (it is not behind NAT):
>
> $ pfctl -s rules
> pass all flags S/SA
>
> $ nc -u -l 500
> XXXX
>
> X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> A.B.C.69/23$ nc -vuz A.B.C.77 4500
> $ nc -u -l 4500
> NOTHING IS HERE
>
> $ nc -u -l 4499
> XXXX
>
> $ nc -u -l 4501
> XXXX
>
> X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> A.B.C.69/23$ nc -vuz A.B.C.77 1701
> $ nc -u -l 1701
> NOTHING IS HERE
>
> $ nc -u -l 22
> XXXX
>
> $ nc -u -l 1234
> XXXX
>
> On Wed, 7 Nov 2018 12:17:09 +0100
> Radek <alee...@gmail.com> wrote:
>
> > Yesterday I tried this scenario:
> >
> > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > VPN_IKEv2 - A.B.C.77/23, not NATed
> >
> > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had
> > two active VPN connections at the same time.
> > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working
> > fine.
> >
> > When I disconnected VPN_IKEv2 and tried to connect VPN_IKEv2 without
> > VPN_L2TP, I got 809.
> >
> > Removing the home_router which is between Win7_warrior and 1.2.3.119 does not
> > change anything.
> >
> > Another thing:
> > I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP server.
> > Then I moved it to the public A.B.C.77/23 by editing /etc/hostname, mygate,
> > resolv.conf. Maybe I missed something in the network conf that is important for
> > OpenIKED?
> >
> > Any idea?
> >
> >
> > On Tue, 6 Nov 2018 11:21:52 +0100
> > Radek <alee...@gmail.com> wrote:
> >
> > > Hello Kim,
> > >
> > > > My question was concerning the VPN_server, is the server NATed?
> > > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> > >
> > > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall
> > > > ...
> > > I only have switches in my building.
> > > All routers/firewalls of my network are in another building. I do not
> > > know the whole network structure, devices, security policies... but I
> > > have never noticed that any ports were blocked.
> > >
> > > I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it
> > > works like a charm.
> > > https://community.riocities.com/openike_openbsd.html
> > > But I cannot set up a VPN_server for road warriors.
> > >
> > > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can
> > > connect my Win7_warrior from !A.B.C.0/23 (currently testing on a GSM
> > > network).
> > > L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that
> > > it is not a Router/FW problem.
> > >
> > > On Tue, 6 Nov 2018 07:48:37 +0100
> > > Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> > >
> > > > Good morning Radek,
> > > >
> > > > I have a suspicion ...
> > > >
> > > > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and
> > > > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not
> > > > > matter if the warrior has a public IP or is behind NAT). The rest of the
> > > > > world fails to connect to the VPN_server.
> > > > My question was concerning the VPN_server, is the server NATed?
> > > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall
> > > > ...
> > > >
> > > > Cheers,
> > > > Kim
> > > >
> > >
> > > --
> > > radek
> > >
> > --
> > radek
> >
> --
> radek

--
radek
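Added example, not the poster's configuration: a GW88 /etc/iked.conf that extends the road-warrior policy so the client pool can reach both the GW88 LAN and the GW119 networks through the site-to-site tunnel. Addresses, macro names and the "roadWarrior" policy name are taken from the posted config; the `$rw_pool` macro, the merged single site-to-site policy and the PSK value "pskpass" are assumptions of this example. The point it shows is that IPsec flows are per network pair: a road warrior only gets a traffic selector for a network if the passive policy lists a `from <net> to <pool>` flow for it, and GW88 can only forward 10.0.1.x traffic to GW119 if the active policy carries a `from <pool> to <remote lan>` flow (with the mirror image configured on GW119).

```conf
# GW88 /etc/iked.conf (added example; names below are from the posted config,
# $rw_pool and the merged site-to-site policy are assumptions of this example)

remote_gw_GW119    = "1.2.3.119"
remote_lan_GW119_1 = "172.16.1.0/24"
remote_lan_GW119_2 = "172.16.2.0/24"
local_gw_GW88_2    = "192.168.2.254"
local_lan_GW88_2   = "192.168.2.0/24"
rw_pool            = "10.0.1.0/24"     # addresses handed out by "config address"

# Road warriors. Every network the client should reach through the tunnel
# needs its own "from <net> to $rw_pool" flow; with only the 192.168.2.0/24
# flow, iked narrows the client's traffic selectors to that one network and
# packets for 172.16.x.x never enter the tunnel.
ikev2 "roadWarrior" passive esp \
        from $local_lan_GW88_2 to $rw_pool \
        from $remote_lan_GW119_1 to $rw_pool \
        from $remote_lan_GW119_2 to $rw_pool \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address $rw_pool

# Site-to-site. Forwarded road-warrior packets carry a 10.0.1.x source, so the
# GW119 tunnel must carry the pool as well as the local LAN. GW119 needs the
# mirror image ("from 172.16.x.0/24 to 10.0.1.0/24") in its own iked.conf, or
# it will drop the packets as not matching any flow. One policy with several
# from/to pairs avoids declaring the gateway-to-gateway flow twice.
ikev2 "toGW119" active esp \
        from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_1 \
        from $local_lan_GW88_2 to $remote_lan_GW119_2 \
        from $rw_pool to $remote_lan_GW119_1 \
        from $rw_pool to $remote_lan_GW119_2 \
        peer $remote_gw_GW119 \
        psk "pskpass"
```

After `ikectl reload` and a fresh client connection, `ipsecctl -sf` on GW88 should list a flow pair for each of the three networks towards the client's 10.0.1.x address, and `ipsecctl -sa` should show the matching SAs; if a flow for 172.16.x.0/24 is missing, the client is still being narrowed to the old selector set. The server-side flows alone do not fix the Windows symptom described above: with "use default gateway on remote network" unticked, the built-in Windows client only installs a class-based route for the assigned address (10.0.0.0/8 for a 10.0.1.x address), so packets for 192.168.2.1 or 172.16.x.x leave via the physical NIC and never reach the IPsec policy. Until the client has a route for those networks via the VPN adapter (for example `route add 192.168.2.0 mask 255.255.255.0 <client's 10.0.1.x address>` from an elevated prompt after connecting, as an assumed workaround for Windows 7), ticking the default-gateway box is the only thing that sends that traffic into the tunnel.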