New Member
Posts: 2
Registered: ‎12-09-2018

USG Site to Site VPN behind dynamic NAT

My current setup which is working so far:

Site A:

Cable-Internet -> FritzBox 6460 (192.168.101.1) -(exposed host)-> (192.168.101.20) USG (192.168.1.1)

Controller on RasPi, several nanoHD


Site B:

DSL-Internet -> FritzBox 7412 (192.168.102.1) -(exposed host)-> (192.168.102.100) USG (192.168.2.1)

nanoHD


Site B does remote provisioning to the controller at Site A. Both sites have dynamic IPs but working DynDNS.

Everything working fine so far.

Now I need a site-to-site VPN; AutoVPN is not an option since both provider routers are required. First I tried doing IPsec via the GUI but failed. Then I used this. I only changed the hostnames, key and interface. I think the interface should be the WAN one?

settings on the controller:

Site A:

{
        "vpn": {
                "ipsec": {
                        "auto-firewall-nat-exclude": "enable",
                        "esp-group": {
                                "ESP_y.y.y.y": {
                                        "compression": "disable",
                                        "lifetime": "3600",
                                        "mode": "tunnel",
                                        "pfs": "disable",
                                        "proposal": {
                                                "1": {
                                                        "encryption": "aes128",
                                                        "hash": "sha1"
                                                }
                                        }
                                }
                        },
                        "ike-group": {
                                "IKE_y.y.y.y": {
                                        "dead-peer-detection": {
                                                "action": "restart",
                                                "interval": "30",
                                                "timeout": "120"
                                        },
                                        "ikev2-reauth": "no",
                                        "key-exchange": "ikev2",
                                        "lifetime": "28800",
                                        "proposal": {
                                                "1": {
                                                        "dh-group": "2",
                                                        "encryption": "aes128",
                                                        "hash": "sha1"
                                                }
                                        }
                                }
                        },
                        "ipsec-interfaces": {
                                "interface": ["eth0"]
                        },
                        "nat-networks": {
                                "allowed-network": {
                                        "0.0.0.0/0": "''"
                                }
                        },
                        "nat-traversal": "enable",
                        "site-to-site": {
                                "peer": {
                                        "siteBfqdn": {
                                                "authentication": {
                                                        "id": "siteAfqdn",
                                                        "mode": "pre-shared-secret",
                                                        "pre-shared-secret": "1234"
                                                },
                                                "connection-type": "initiate",
                                                "ike-group": "IKE_y.y.y.y",
                                                "ikev2-reauth": "inherit",
                                                "local-address": "siteAfqdn",
                                                "tunnel": {
                                                        "0": {
                                                                "allow-nat-networks": "disable",
                                                                "allow-public-networks": "disable",
                                                                "esp-group": "ESP_y.y.y.y",
                                                                "local": {
                                                                        "prefix": "192.168.1.0/24"
                                                                },
                                                                "remote": {
                                                                        "prefix": "192.168.2.0/24"
                                                                }
                                                        }
                                                }
                                        }
                                }
                        }
                }
        }
}

Site B:

{
        "vpn": {
                "ipsec": {
                        "auto-firewall-nat-exclude": "enable",
                        "esp-group": {
                                "ESP_x.x.x.x": {
                                        "compression": "disable",
                                        "lifetime": "3600",
                                        "mode": "tunnel",
                                        "pfs": "disable",
                                        "proposal": {
                                                "1": {
                                                        "encryption": "aes128",
                                                        "hash": "sha1"
                                                }
                                        }
                                }
                        },
                        "ike-group": {
                                "IKE_x.x.x.x": {
                                        "dead-peer-detection": {
                                                "action": "restart",
                                                "interval": "30",
                                                "timeout": "120"
                                        },
                                        "ikev2-reauth": "no",
                                        "key-exchange": "ikev2",
                                        "lifetime": "28800",
                                        "proposal": {
                                                "1": {
                                                        "dh-group": "2",
                                                        "encryption": "aes128",
                                                        "hash": "sha1"
                                                }
                                        }
                                }
                        },
                        "ipsec-interfaces": {
                                "interface": ["eth0"]
                        },
                        "nat-networks": {
                                "allowed-network": {
                                        "0.0.0.0/0": "''"
                                }
                        },
                        "nat-traversal": "enable",
                        "site-to-site": {
                                "peer": {
                                        "siteAfqdn": {
                                                "authentication": {
                                                        "id": "siteBfqdn",
                                                        "mode": "pre-shared-secret",
                                                        "pre-shared-secret": "1234"
                                                },
                                                "connection-type": "initiate",
                                                "ike-group": "IKE_x.x.x.x",
                                                "ikev2-reauth": "inherit",
                                                "local-address": "siteBfqdn",
                                                "tunnel": {
                                                        "0": {
                                                                "allow-nat-networks": "disable",
                                                                "allow-public-networks": "disable",
                                                                "esp-group": "ESP_x.x.x.x",
                                                                "local": {
                                                                        "prefix": "192.168.2.0/24"
                                                                },
                                                                "remote": {
                                                                        "prefix": "192.168.1.0/24"
                                                                }
                                                        }
                                                }
                                        }
                                }
                        }
                }
        }
}

So far I can deploy the settings and try to access 192.168.2.123 from Site A. Everything looks fine until here:

Feb 16 21:01:57 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64)
Feb 16 21:02:04 08[KNL] creating acquire job for policy 192.168.1.67/32[tcp/65002] === 192.168.2.123/32[tcp/http] with reqid {1}
Feb 16 21:02:04 10[IKE] <peer-siteBfqdn-tunnel-0|1> initiating IKE_SA peer-siteBfqdn-tunnel-0[1] to 12.34.56.78

Nothing more happens. If I do a

sudo tcpdump -i eth0 -n udp dst port 500

I don't see a single frame. So doesn't anyone have an idea what I missed? At least I should see frames going out. If I send random UDP frames I can see them at both ends. So forwarding port 500 seems to work.
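As an added example (not part of the original post, and not Ubiquiti or strongSwan code), here is a small lint for the `vpn.ipsec` section of a config.gateway.json like the one above. It embeds a constructed, condensed copy of the Site A fragment (the FQDNs and the PSK "1234" are the post's own placeholders) and checks two things: whether each peer's `local-address` is actually one of the gateway's IPsec interface addresses (the mismatch that the `show vpn ipsec status` line "no IP on interface statically configured as local-address" in the reply below reports), and whether the IKE/ESP proposals and PSK are fit for the open Internet. To run offline it takes the interface addresses from a constructed set (the "Listening IP addresses" charon printed in the reply) and simulates DNS with a dict; the assumption behind that dict is that the DynDNS names resolve to the FritzBox public addresses, not to the USG's WAN address.

```python
"""Lint the IPsec part of a USG config.gateway.json before deploying it.

Added example, not from the original post, Ubiquiti or strongSwan.
Checks: (1) each peer's local-address is an address the gateway has on an
ipsec-interface; (2) proposals and PSK are reasonable for a public-Internet
tunnel. Interface list and DNS are constructed so the script runs offline.
"""
import ipaddress
import json

# Constructed: condensed copy of the Site A fragment from the post.
SITE_A = json.loads('''
{"vpn": {"ipsec": {
  "auto-firewall-nat-exclude": "enable",
  "esp-group": {"ESP_y.y.y.y": {
    "compression": "disable", "lifetime": "3600", "mode": "tunnel", "pfs": "disable",
    "proposal": {"1": {"encryption": "aes128", "hash": "sha1"}}}},
  "ike-group": {"IKE_y.y.y.y": {
    "dead-peer-detection": {"action": "restart", "interval": "30", "timeout": "120"},
    "ikev2-reauth": "no", "key-exchange": "ikev2", "lifetime": "28800",
    "proposal": {"1": {"dh-group": "2", "encryption": "aes128", "hash": "sha1"}}}},
  "ipsec-interfaces": {"interface": ["eth0"]},
  "nat-networks": {"allowed-network": {"0.0.0.0/0": "''"}},
  "nat-traversal": "enable",
  "site-to-site": {"peer": {"siteBfqdn": {
    "authentication": {"id": "siteAfqdn", "mode": "pre-shared-secret",
                       "pre-shared-secret": "1234"},
    "connection-type": "initiate", "ike-group": "IKE_y.y.y.y",
    "ikev2-reauth": "inherit", "local-address": "siteAfqdn",
    "tunnel": {"0": {"allow-nat-networks": "disable", "allow-public-networks": "disable",
                     "esp-group": "ESP_y.y.y.y",
                     "local": {"prefix": "192.168.1.0/24"},
                     "remote": {"prefix": "192.168.2.0/24"}}}}}}
}}}
''')

# Constructed: the "Listening IP addresses" charon reported in the reply.
LISTENING = {"192.168.101.20", "192.168.1.1"}

# Constructed DNS stand-in (assumption: DynDNS names point at the FritzBox
# WAN addresses; RFC 5737 documentation addresses used as values).
FAKE_DNS = {"siteAfqdn": "203.0.113.10", "siteBfqdn": "198.51.100.20"}

WEAK_DH = {"1": "MODP-768 (MUST NOT, RFC 8247)",
           "2": "MODP-1024 (SHOULD NOT, RFC 8247)",
           "5": "MODP-1536 (SHOULD NOT, RFC 8247)"}
WEAK_HASH = {"md5", "sha1"}
MIN_PSK_LEN = 20


def resolve(name, dns=FAKE_DNS):
    """Return a literal IP unchanged; otherwise look the name up in `dns`."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return dns.get(name)


def check_local_addresses(ipsec, listening, dns=FAKE_DNS):
    """A peer's local-address must be one of the gateway's own IPsec interface IPs."""
    findings = []
    for peer, pcfg in ipsec["site-to-site"]["peer"].items():
        local = pcfg.get("local-address", "any")
        if local in ("any", "0.0.0.0"):
            continue  # charon chooses the source address from the routing table
        addr = resolve(local, dns)
        if addr not in listening:
            findings.append(
                f"peer {peer}: local-address {local!r} -> {addr} is not on any "
                f"ipsec-interface {sorted(listening)}; this is the mismatch "
                f"'show vpn ipsec status' reports")
    return findings


def check_crypto(ipsec):
    """Flag weak DH groups, SHA-1/MD5 integrity, disabled PFS and short PSKs."""
    findings = []
    for name, grp in ipsec["ike-group"].items():
        for num, prop in grp["proposal"].items():
            dh = prop.get("dh-group")
            if dh in WEAK_DH:
                findings.append(f"ike-group {name} proposal {num}: dh-group {dh} is {WEAK_DH[dh]}")
            if prop.get("hash") in WEAK_HASH:
                findings.append(f"ike-group {name} proposal {num}: hash {prop['hash']}; prefer sha256")
    for name, grp in ipsec["esp-group"].items():
        if grp.get("pfs") == "disable":
            findings.append(f"esp-group {name}: pfs disabled; child SA keys depend solely on the IKE SA")
        for num, prop in grp["proposal"].items():
            if prop.get("hash") in WEAK_HASH:
                findings.append(f"esp-group {name} proposal {num}: hash {prop['hash']}; prefer sha256")
    for peer, pcfg in ipsec["site-to-site"]["peer"].items():
        auth = pcfg.get("authentication", {})
        psk = auth.get("pre-shared-secret", "")
        if auth.get("mode") == "pre-shared-secret" and len(psk) < MIN_PSK_LEN:
            findings.append(f"peer {peer}: pre-shared-secret is {len(psk)} chars; use >= {MIN_PSK_LEN} random chars")
    return findings


def lint(config, listening=LISTENING, dns=FAKE_DNS):
    ipsec = config["vpn"]["ipsec"]
    return check_local_addresses(ipsec, listening, dns) + check_crypto(ipsec)


if __name__ == "__main__":
    for finding in lint(SITE_A):
        print("-", finding)
```

Run against the Site A fragment it reports one address finding (the FQDN resolves to an address the USG does not hold) and five crypto findings; pointing `local-address` at an address in the listening set, or at `any`, clears the first.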

New Member
Posts: 2
Registered: ‎12-09-2018

Re: USG Site to Site VPN behind dynamic NAT

admin@GatewaySH57:~$ show vpn ipsec status
IPSec Process Running PID: 25091

0 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (no IP on interface statically configured as local-address for any VPN peer)
admin@GatewaySH57:~$ show vpn ipsec sa
peer-siteBfqdn-tunnel-0: #1, CONNECTING, IKEv2, f6fbbd023095ea19:0000000000000000
  local  '%any' @ IPa
  remote '%any' @ IPb
  queued:  CHILD_CREATE CHILD_CREATE CHILD_CREATE
  active:  IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

admin@GatewaySH57:~$ show vpn debug
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
  uptime: 2 days, since Feb 16 21:01:58 2019
  malloc: sbrk 376832, mmap 0, used 274720, free 102112
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  192.168.101.20
  192.168.1.1
Connections:
peer-siteBfqdn-tunnel-0:  siteAfqdn...siteBfqdn  IKEv2, dpddelay=30s
peer-siteBfqdn-tunnel-0:   local:  [siteAfqdn] uses pre-shared key authentication
peer-siteBfqdn-tunnel-0:   remote: uses pre-shared key authentication
peer-siteBfqdn-tunnel-0:   child:  192.168.1.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Routed Connections:
peer-siteBfqdn-tunnel-0{1}:  ROUTED, TUNNEL
peer-siteBfqdn-tunnel-0{1}:   192.168.1.0/24 === 192.168.2.0/24
Security Associations (1 up, 0 connecting):
peer-siteBfqdn-tunnel-0[1]: CONNECTING, IPa[%any]...IPb[%any]
peer-siteBfqdn-tunnel-0[1]: IKEv2 SPIs: f6fbbd023095ea19_i* 0000000000000000_r
peer-siteBfqdn-tunnel-0[1]: Tasks queued: CHILD_CREATE CHILD_CREATE CHILD_CREATE
peer-siteBfqdn-tunnel-0[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

I tried to get any further usable information but I can't find any...

Maybe I missed something really stupid?
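As an added example (not part of the thread, and not strongSwan or Ubiquiti code), the following parses the Security Associations lines of `show vpn debug` (strongSwan `ipsec statusall` format) into a per-SA diagnosis. The rule it encodes is a property of IKEv2 as strongSwan implements it: the initiator learns the responder's SPI only from the IKE_SA_INIT response, so an SA that is still CONNECTING with a responder SPI of all zeros has never processed a reply, and the problem is reachability (packets not leaving, not forwarded, or not answered) rather than authentication or proposals. A non-zero responder SPI while still CONNECTING means the peer did answer and the failure is in a later exchange. The sample is constructed: the CONNECTING SA is copied from the reply above with IPa/IPb left as the poster wrote them, and the ESTABLISHED SA "peer-other-tunnel-0" is invented for contrast.

```python
"""Classify IKE_SA state from strongSwan `ipsec statusall` output.

Added example, not from the original thread, strongSwan or Ubiquiti.
CONNECTING + responder SPI 0000000000000000 => no IKE_SA_INIT response
was ever processed; CONNECTING + non-zero responder SPI => peer answered
and the exchange stalled later (IKE_AUTH, proposals, etc.).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: SA [1] is the reply's own output; SA [2] is invented
# to show what a healthy initiator looks like in the same format.
SAMPLE = """\
Security Associations (1 up, 0 connecting):
peer-siteBfqdn-tunnel-0[1]: CONNECTING, IPa[%any]...IPb[%any]
peer-siteBfqdn-tunnel-0[1]: IKEv2 SPIs: f6fbbd023095ea19_i* 0000000000000000_r
peer-siteBfqdn-tunnel-0[1]: Tasks queued: CHILD_CREATE CHILD_CREATE CHILD_CREATE
peer-siteBfqdn-tunnel-0[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
peer-other-tunnel-0[2]: ESTABLISHED 41 minutes ago, 192.168.101.20[siteAfqdn]...198.51.100.20[otherfqdn]
peer-other-tunnel-0[2]: IKEv2 SPIs: 0a1b2c3d4e5f6071_i* 8899aabbccddeeff_r
peer-other-tunnel-0[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# "name[uid]: rest" is the shape of every per-SA line in statusall output.
SA_LINE = re.compile(r"^(?P<name>[^\[\s]+)\[(?P<uid>\d+)\]: (?P<rest>.*)$")
# "STATE[ n minutes ago], LOCAL[id]...REMOTE[id]"
HDR = re.compile(r"^(?P<state>[A-Z_]+)[^,]*, (?P<local>\S+)\.\.\.(?P<remote>\S+)$")
# "IKEv2 SPIs: <initiator>_i* <responder>_r"  (the * marks the initiator)
SPIS = re.compile(r"^IKEv(?P<ver>[12]) SPIs: (?P<spi_i>[0-9a-f]{16})_i\*? (?P<spi_r>[0-9a-f]{16})_r")
TASKS = re.compile(r"^Tasks (?P<kind>queued|active): (?P<tasks>.*)$")


@dataclass
class IkeSa:
    name: str
    uid: int
    state: str = ""
    local: str = ""
    remote: str = ""
    spi_i: str = ""
    spi_r: str = ""
    queued: list = field(default_factory=list)
    active: list = field(default_factory=list)


def parse_sas(text):
    """Collect header, SPI and task lines per (name, uid) into IkeSa records."""
    sas = {}
    for raw in text.splitlines():
        m = SA_LINE.match(raw.strip())
        if not m:
            continue  # section headers, connection definitions, etc.
        key = (m["name"], int(m["uid"]))
        sa = sas.setdefault(key, IkeSa(*key))
        rest = m["rest"]
        h, s, t = HDR.match(rest), SPIS.match(rest), TASKS.match(rest)
        if h:
            sa.state, sa.local, sa.remote = h["state"], h["local"], h["remote"]
        elif s:
            sa.spi_i, sa.spi_r = s["spi_i"], s["spi_r"]
        elif t:
            setattr(sa, t["kind"], t["tasks"].split())
    return list(sas.values())


def diagnose(sa):
    """One-line verdict derived from state and the responder SPI."""
    if sa.state == "ESTABLISHED":
        return "established"
    if sa.state != "CONNECTING":
        return sa.state.lower() or "unknown"
    if sa.spi_r and set(sa.spi_r) == {"0"}:
        # Responder SPI is only filled in from the IKE_SA_INIT response.
        return "no IKE_SA_INIT response"
    if sa.spi_r:
        return "IKE_SA_INIT answered; stuck in a later exchange"
    return "connecting"


def report(text):
    return {f"{sa.name}[{sa.uid}]": diagnose(sa) for sa in parse_sas(text)}


if __name__ == "__main__":
    for sa_id, verdict in report(SAMPLE).items():
        print(f"{sa_id}: {verdict}")
```

On the reply's output this yields "no IKE_SA_INIT response" for peer-siteBfqdn-tunnel-0[1], which matches the empty tcpdump on udp/500: nothing has come back because nothing has gone out, so the next place to look is how charon picks its source address, not the PSK or proposals.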