New Member
Posts: 7
Registered: ‎09-12-2016
Solutions: 1

IPsec between routable and non-routable addresses

Hi all.

 

I've got EdgeRouter 5 (latest fw installed) with non-routable external IP (10.219.xx.yy) behind ISP NAT and VPS with static routable IP (78.46.xx.yy). How can I create IPsec tunnel between these 2 boxes?

Member
Posts: 187
Registered: ‎11-07-2015
Kudos: 43
Solutions: 15

Re: IPsec between routable and non-routable addresses

Unless your ISP NATs UDP 500, UDP 4500 and ESP through to you, I don't think you can.

 

You might want to take a look at OpenVPN.

Veteran Member
Posts: 6,095
Registered: ‎01-04-2017
Kudos: 885
Solutions: 314

Re: IPsec between routable and non-routable addresses

The rfc1918 router has to be the initiator. Make sure NAT traversal is enabled.

Ubiquiti Employee
Posts: 2,900
Registered: ‎05-08-2017
Kudos: 518
Solutions: 416

Re: IPsec between routable and non-routable addresses

There are two IPsec behind NAT methods shown in the article here. The method that uses 'remote peer address 0.0.0.0' will allow you to set up an IPsec tunnel behind NAT even if the ISP does not forward UDP500/4500 to your device.

 

Hope that helps!

 

Ben


Ben Pin | Ubiquiti Support

New Member
Posts: 7
Registered: ‎09-12-2016
Solutions: 1

Re: IPsec between routable and non-routable addresses

Use this config on router behind NAT:

 

Cartman@gw-ubnt01:~$ show configuration commands | match vpn
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP-GROUP-COMMON compression disable
set vpn ipsec esp-group ESP-GROUP-COMMON lifetime 3600
set vpn ipsec esp-group ESP-GROUP-COMMON mode tunnel
set vpn ipsec esp-group ESP-GROUP-COMMON pfs dh-group21
set vpn ipsec esp-group ESP-GROUP-COMMON proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP-COMMON proposal 1 hash sha1
set vpn ipsec ike-group IKE-GROUP-COMMON ikev2-reauth yes
set vpn ipsec ike-group IKE-GROUP-COMMON key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP-COMMON lifetime 28800
set vpn ipsec ike-group IKE-GROUP-COMMON proposal 1 dh-group 21
set vpn ipsec ike-group IKE-GROUP-COMMON proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP-COMMON proposal 1 hash sha1
set vpn ipsec site-to-site peer EXTERNAL_IP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer EXTERNAL_IP authentication pre-shared-secret SUPERSECRETKEY
set vpn ipsec site-to-site peer EXTERNAL_IP connection-type initiate
set vpn ipsec site-to-site peer EXTERNAL_IP ike-group IKE-GROUP-COMMON
set vpn ipsec site-to-site peer EXTERNAL_IP ikev2-reauth inherit
set vpn ipsec site-to-site peer EXTERNAL_IP local-address any
set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 esp-group ESP-GROUP-COMMON
set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 local prefix 172.31.255.1/32
set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 protocol gre
set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 remote prefix 172.31.255.2/32


Cartman@gw-ubnt01:~$ show configuration commands | match tun0
set interfaces tunnel tun0 address 10.255.255.1/30
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 172.31.255.1
set interfaces tunnel tun0 mtu 1400
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 172.31.255.2
set interfaces tunnel tun0 ttl 32


Cartman@gw-ubnt01:~$ show configuration commands | match loopback
set interfaces loopback lo address 172.31.255.1/32
set interfaces loopback lo description Loopback


Cartman@gw-ubnt01:~$ show ip route 
S *> 0.0.0.0/0 [210/0] via 10.159.255.254, eth0

...
C *> 10.255.255.0/30 is directly connected, tun0
C *> 172.31.255.1/32 is directly connected, lo

And the mirrored config at the remote site (with the left and right options swapped in the strongSwan config), and it doesn't work. IKE is established successfully but I can't ping either side. What am I doing wrong?

 

Ubiquiti Employee
Posts: 2,900
Registered: ‎05-08-2017
Kudos: 518
Solutions: 416

Re: IPsec between routable and non-routable addresses

Are you forwarding both UDP500 and UDP4500 from the NATting router at 10.159.255.254 to the EdgeRouter?

 

This configuration line is not required when using your particular GRE over IPsec tunnel:

set vpn ipsec site-to-site peer EXTERNAL_IP tunnel 1 protocol gre


The remote and local subnets are exchanged using a simple policy-based VPN and the GRE session is built on top of that.

 

Can you also try adding the authentication ID on the router behind NAT? Article link here.

set vpn ipsec site-to-site peer <peer> authentication id <public-ip-of-NATting-router>

 

Please also provide the output of:

sudo swanctl --log

 

On both routers when the VPN is initiated.

 

Hope that helps!

 

Ben


Ben Pin | Ubiquiti Support

New Member
Posts: 7
Registered: ‎09-12-2016
Solutions: 1

Re: IPsec between routable and non-routable addresses

I need to clarify my setup a little. I've got an EdgeRouter with external IP 10.159.21.32/16 (GW 10.159.255.254) provided by DHCP from the ISP. I've also got a VPS with public IP EXTERNAL_IP running CentOS 7.

 

As described here and here, I've modified my config:

EdgeRouter:

 

Cartman@gw-ubnt01# show vpn
 ipsec {
     auto-firewall-nat-exclude enable
     esp-group ESP-GROUP-COMMON {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha1
         }
     }
     ike-group IKE-GROUP-COMMON {
         ikev2-reauth yes
         key-exchange ikev2
         lifetime 28800
         proposal 1 {
             dh-group 21
             encryption aes256
             hash sha1
         }
     }
     site-to-site {
         peer EXTERNAL_IP {
             authentication {
                 id EXTERNAL_IP_FROM_ISP
                 mode pre-shared-secret
                 pre-shared-secret SUPER_SECRET_PSK
             }
             connection-type initiate
             description HOME-to-HETZNER
             dhcp-interface eth0
             force-encapsulation enable
             ike-group IKE-GROUP-COMMON
             ikev2-reauth inherit
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group ESP-GROUP-COMMON
                 local {
                     prefix 172.31.255.1/32
                 }
                 remote {
                     prefix 172.31.255.2/32
                 }
             }
         }
     }
 }
Cartman@gw-ubnt01# show interfaces tunnel
 tunnel tun0 {
     address 10.255.255.1/30
     description "GRE over IPsec"
     encapsulation gre
     local-ip 172.31.255.1
     multicast disable
     remote-ip 172.31.255.2
     ttl 255
 }
Cartman@gw-ubnt01# show interfaces loopback
 loopback lo {
     address 172.31.255.1/32
     description Loopback
 }

On the CentOS box I've got the 'mirrored' strongSwan config:

 

[root@cloud-srv-1 ~]# cat /etc/strongswan/ipsec.conf
config setup

conn %default
    keyexchange = ikev1

conn peer-0.0.0.0-tunnel-1
    left = EXTERNAL_IP
    right = 0.0.0.0
    leftsubnet = 172.31.255.2/32
    rightsubnet = 172.31.255.1/32
    ike = aes256-sha1-ecp521!
    keyexchange = ikev2
    reauth = yes
    ikelifetime = 28800s
    esp = aes256-sha1-ecp521!
    keylife = 3600s
    rekeymargin = 540s
    type = tunnel
    compress = no
    authby = secret
    auto = route
    keyingtries = %forever
[root@cloud-srv-1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-tun0 
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
IPADDR=10.255.255.2
PREFIX=30
MY_OUTER_IPADDR=172.31.255.2
MY_INNER_IPADDR=10.255.255.2
PEER_OUTER_IPADDR=172.31.255.1
PEER_INNER_IPADDR=10.255.255.1
ZONE=public
[root@cloud-srv-1 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client ipsec http
  ports: 500/udp 4500/udp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule protocol value="esp" accept
	rule protocol value="ah" accept

With this config, when I reset the VPN peer from the EdgeRouter side I get these messages:


Cartman@gw-ubnt01:~$ sudo swanctl --log
07[CFG] received stroke: terminate 'peer-EXTERNAL_IP-tunnel-1'
06[IKE] deleting IKE_SA peer-EXTERNAL_IP-tunnel-1[5] between 10.159.21.32[10.159.21.32]...EXTERNAL_IP[EXTERNAL_IP]
06[IKE] sending DELETE for IKE_SA peer-EXTERNAL_IP-tunnel-1[5]
06[ENC] generating INFORMATIONAL request 2 [ D ]
06[NET] sending packet: from 10.159.21.32[4500] to EXTERNAL_IP[4500] (76 bytes)
15[NET] received packet: from EXTERNAL_IP[4500] to 10.159.21.32[4500] (76 bytes)
15[ENC] parsed INFORMATIONAL response 2 [ ]
15[IKE] IKE_SA deleted
14[CFG] received stroke: initiate 'peer-EXTERNAL_IP-tunnel-1'
11[IKE] initiating IKE_SA peer-EXTERNAL_IP-tunnel-1[6] to EXTERNAL_IP
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[NET] sending packet: from 10.159.21.32[500] to EXTERNAL_IP[500] (308 bytes)
15[NET] received packet: from EXTERNAL_IP[500] to 10.159.21.32[500] (341 bytes)
15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[IKE] local host is behind NAT, sending keep alives
15[IKE] received 1 cert requests for an unknown ca
15[IKE] authentication of '10.159.21.32' (myself) with pre-shared key
15[IKE] establishing CHILD_SA peer-EXTERNAL_IP-tunnel-1
15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
15[NET] sending packet: from 10.159.21.32[4500] to EXTERNAL_IP[4500] (348 bytes)
13[NET] received packet: from EXTERNAL_IP[4500] to 10.159.21.32[4500] (236 bytes)
13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
13[IKE] authentication of 'EXTERNAL_IP' with pre-shared key successful
13[IKE] IKE_SA peer-EXTERNAL_IP-tunnel-1[6] established between 10.159.21.32[10.159.21.32]...EXTERNAL_IP[EXTERNAL_IP]
13[IKE] scheduling reauthentication in 28094s
13[IKE] maximum IKE_SA lifetime 28634s
13[IKE] CHILD_SA peer-EXTERNAL_IP-tunnel-1{1} established with SPIs c9b76683_i c137b285_o and TS 172.31.255.1/32 === 172.31.255.2/32 
13[IKE] received AUTH_LIFETIME of 27816s, scheduling reauthentication in 27276s
13[IKE] peer supports MOBIKE
Cartman@gw-ubnt01:~$ show vpn log tail
May 14 23:15:51 11[IKE] <peer-EXTERNAL_IP-tunnel-1|3> deleting IKE_SA peer-EXTERNAL_IP-tunnel-1[3] between 10.159.21.32[10.159.21.32]...EXTERNAL_IP[EXTERNAL_IP]
May 14 23:15:51 16[IKE] <peer-EXTERNAL_IP-tunnel-1|3> IKE_SA deleted
May 14 23:15:51 09[IKE] <peer-EXTERNAL_IP-tunnel-1|4> initiating IKE_SA peer-EXTERNAL_IP-tunnel-1[4] to EXTERNAL_IP
May 14 23:15:51 15[IKE] <peer-EXTERNAL_IP-tunnel-1|4> establishing CHILD_SA peer-EXTERNAL_IP-tunnel-1
May 14 23:15:51 07[IKE] <peer-EXTERNAL_IP-tunnel-1|4> IKE_SA peer-EXTERNAL_IP-tunnel-1[4] established between 10.159.21.32[10.159.21.32]...EXTERNAL_IP[EXTERNAL_IP]
May 14 23:15:51 07[IKE] <peer-EXTERNAL_IP-tunnel-1|4> CHILD_SA peer-EXTERNAL_IP-tunnel-1{1} established with SPIs cf102070_i cc4419bc_o and TS 172.31.255.1/32 === 172.31.255.2/32


As I understand it, IPsec is established as usual:

 

Cartman@gw-ubnt01:~$ show vpn ipsec sa
peer-EXTERNAL_IP-tunnel-1: #6, ESTABLISHED, IKEv2, c8d04be4b4cc0528:b6702bd1673de056
  local  '10.159.21.32' @ 10.159.21.32
  remote 'EXTERNAL_IP' @ EXTERNAL_IP
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_521
  established 206s ago, reauth in 27070s
  peer-78.46.206.44-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 206 ago, rekeying in 2702s, expires in 3394s
    in  c9b76683,      0 bytes,     0 packets
    out c137b285,   2261 bytes,    14 packets,    19s ago
    local  172.31.255.1/32
    remote 172.31.255.2/32

 

But I can't ping the tunnel interfaces from either side.


Veteran Member
Posts: 7,960
Registered: ‎03-24-2016
Kudos: 2076
Solutions: 912

Re: IPsec between routable and non-routable addresses

Previously, the auto-firewall-nat-exclude thingy lacked a rule to allow traffic through the VPN to the ER itself.

 

Try adding something like the below:

set firewall group address-group RFC1918 address 10.0.0.0/8
set firewall group address-group RFC1918 address 192.168.0.0/16
set firewall group address-group RFC1918 address 172.16.0.0/12


set firewall name WAN2LOCAL rule 54 action accept
set firewall name WAN2LOCAL rule 54 description RouterAccessThroughVPN
set firewall name WAN2LOCAL rule 54 destination group address-group RFC1918
set firewall name WAN2LOCAL rule 54 ipsec match-ipsec
set firewall name WAN2LOCAL rule 54 log disable
set firewall name WAN2LOCAL rule 54 source group address-group RFC1918

This rule is generic; you could specify the 172.31.255.x addresses instead.

New Member
Posts: 7
Registered: ‎09-12-2016
Solutions: 1

Re: IPsec between routable and non-routable addresses

Add this:

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description IPsec
set firewall name WAN_LOCAL rule 60 source address 172.31.255.2/32
set firewall name WAN_LOCAL rule 60 destination address 172.31.255.1/32
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description 'Allow GRE'
set firewall name WAN_LOCAL rule 70 protocol gre

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description IPsec
set firewall name WAN_IN rule 30 source address 172.31.255.2/32
set firewall name WAN_IN rule 30 destination address 172.31.255.1/32
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 ipsec match-ipsec

Doesn't work.

Ubiquiti Employee
Posts: 2,900
Registered: ‎05-08-2017
Kudos: 518
Solutions: 416

Re: IPsec between routable and non-routable addresses

Can you try disabling PFS on both sides? You can also run a packet capture on the remote device to see if the encrypted traffic from the EdgeRouter is arriving. There may be a firewall policy dropping the traffic as well.

 

I replicated your configuration using two EdgeRouters on v1.10.x and I am able to ping the loopback/tunnel addresses:

sudo swanctl --log
09[NET] received packet: from 203.0.113.1[500] to 10.255.12.2[500] (308 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[IKE] 203.0.113.1 is initiating an IKE_SA
09[IKE] local host is behind NAT, sending keep alives
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
09[NET] sending packet: from 10.255.12.2[500] to 203.0.113.1[500] (316 bytes)
08[NET] received packet: from 203.0.113.1[4500] to 10.255.12.2[4500] (316 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
08[CFG] looking for peer configs matching 10.255.12.2[203.0.113.2]...203.0.113.1[203.0.113.1]
08[CFG] selected peer config 'peer-203.0.113.1-tunnel-1'
08[IKE] authentication of '203.0.113.1' with pre-shared key successful
08[IKE] peer supports MOBIKE
08[IKE] authentication of '203.0.113.2' (myself) with pre-shared key
08[IKE] IKE_SA peer-203.0.113.1-tunnel-1[1] established between 10.255.12.2[203.0.113.2]...203.0.113.1[203.0.113.1]
08[IKE] scheduling reauthentication in 27818s
08[IKE] maximum IKE_SA lifetime 28358s
08[IKE] CHILD_SA peer-203.0.113.1-tunnel-1{1} established with SPIs ccf0f9b0_i c1623cfd_o and TS 172.31.255.2/32 === 172.31.255.1/32 
08[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
08[NET] sending packet: from 10.255.12.2[4500] to 203.0.113.1[4500] (252 bytes)

show vpn ipsec sa
peer-203.0.113.1-tunnel-1: #1, ESTABLISHED, IKEv2, 11f6906dbb4d8216:afe4ead3cbe73040
  local  '203.0.113.2' @ 10.255.12.2
  remote '203.0.113.1' @ 203.0.113.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_521
  established 34s ago, reauth in 27784s
  peer-203.0.113.1-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 34 ago, rekeying in 2618s, expires in 3567s
    in  ccf0f9b0,    588 bytes,     7 packets,    26s ago
    out c1623cfd,    588 bytes,     7 packets,    26s ago
    local  172.31.255.2/32
    remote 172.31.255.1/32
	
ping 172.31.255.1
64 bytes from 172.31.255.1: icmp_req=2 ttl=64 time=1.36 ms
64 bytes from 172.31.255.1: icmp_req=3 ttl=64 time=1.00 ms
64 bytes from 172.31.255.1: icmp_req=4 ttl=64 time=1.00 ms

ping 10.255.255.1
64 bytes from 10.255.255.1: icmp_req=1 ttl=64 time=1.52 ms
64 bytes from 10.255.255.1: icmp_req=2 ttl=64 time=1.15 ms
64 bytes from 10.255.255.1: icmp_req=3 ttl=64 time=1.13 ms

 

Note that when the authentication ID is set to the WAN address of your NATting device, it should display under local in the show vpn ipsec sa output.

Cartman@gw-ubnt01:~$ show vpn ipsec sa
peer-EXTERNAL_IP-tunnel-1: #6, ESTABLISHED, IKEv2, c8d04be4b4cc0528:b6702bd1673de056
  local  '10.159.21.32' @ 10.159.21.32
  remote 'EXTERNAL_IP' @ EXTERNAL_IP

show vpn ipsec sa
peer-203.0.113.1-tunnel-1: #1, ESTABLISHED, IKEv2, 11f6906dbb4d8216:afe4ead3cbe73040
  local  '203.0.113.2' @ 10.255.12.2
  remote '203.0.113.1' @ 203.0.113.1

 

Ben


Ben Pin | Ubiquiti Support
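Added example, not from this thread or from Ubiquiti: a small Python checker for the two things Ben's reply points at in `show vpn ipsec sa` output, namely the local IKE identity not being the NATting router's public IP, and the ESP counters showing packets out but none in. The sample text is constructed from the output quoted above; `nat_public_ip` is an assumed parameter.

```python
import re

# Constructed sample modelled on the 'show vpn ipsec sa' output quoted in the
# thread: the EdgeRouter behind NAT sends ESP but receives nothing back, and its
# local IKE identity is still the RFC1918 address rather than the NAT public IP.
SAMPLE_SA = """\
peer-EXTERNAL_IP-tunnel-1: #6, ESTABLISHED, IKEv2, c8d04be4b4cc0528:b6702bd1673de056
  local  '10.159.21.32' @ 10.159.21.32
  remote 'EXTERNAL_IP' @ EXTERNAL_IP
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_521
  established 206s ago, reauth in 27070s
  peer-EXTERNAL_IP-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 206 ago, rekeying in 2702s, expires in 3394s
    in  c9b76683,      0 bytes,     0 packets
    out c137b285,   2261 bytes,    14 packets,    19s ago
    local  172.31.255.1/32
    remote 172.31.255.2/32
"""

# IKE identity lines: "  local  '<id>' @ <address>"
ID_RE = re.compile(r"^\s*(local|remote)\s+'([^']+)'\s+@\s+(\S+)")
# ESP counter lines: "    in  <spi>, <n> bytes, <n> packets[, <t> ago]"
CNT_RE = re.compile(r"^\s*(in|out)\s+[0-9a-f]+,\s*(\d+) bytes,\s*(\d+) packets")
# Traffic selector lines under the CHILD_SA: "    local  <prefix>"
TS_RE = re.compile(r"^\s*(local|remote)\s+([0-9.]+/\d+)$")


def parse_sa(text):
    """Extract IKE identities, ESP byte/packet counters and traffic selectors."""
    sa = {"ids": {}, "counters": {}, "ts": {}}
    for line in text.splitlines():
        if m := ID_RE.match(line):
            sa["ids"][m.group(1)] = (m.group(2), m.group(3))  # (IKE id, address)
        elif m := CNT_RE.match(line):
            sa["counters"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := TS_RE.match(line):
            sa["ts"][m.group(1)] = m.group(2)
    return sa


def diagnose(sa, nat_public_ip=None):
    """Return findings for the two symptoms discussed in the thread (empty = OK).

    nat_public_ip is an assumed parameter: the WAN address of the NATting
    router, which the authentication id on the EdgeRouter should be set to.
    """
    findings = []
    in_pkts = sa["counters"].get("in", (0, 0))[1]
    out_pkts = sa["counters"].get("out", (0, 0))[1]
    if out_pkts > 0 and in_pkts == 0:
        findings.append("one-way ESP: packets leave but none return; "
                        "capture on the remote peer and check its firewall")
    local_id = sa["ids"].get("local", ("", ""))[0]
    if nat_public_ip and local_id != nat_public_ip:
        findings.append(f"local IKE id {local_id!r} is not the NAT public IP "
                        f"{nat_public_ip!r}; set authentication id on the peer")
    return findings
```

Run `diagnose(parse_sa(text), nat_public_ip=...)` on pasted output from the router behind NAT; an empty list means both checks pass.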