# IPsec IKEV2 setup works but where is the interface?



## Donald Baud (Nov 4, 2016)

I setup a simple IPsec IKEv2 vpn.  it works fine but how do I get detail about the network information?
- Where is the interface tun0 or gif0 or whatever is holding the VPN client's IPs 10.11.12.0/24
- Where is the routing table stored?, I can't see anything different on `netstat -rn`
- I still can't use Multiple-NAT clients behind the same NAT device. I was under the impression that IKEv2 did not have this same problem as L2TP-IKEv1

=============================
Here is the detail of my setup using security/strongswan on FreeBSD-11.0-RELEASE.
I will detail my installation for whoever is interested in setting up a very plain IKEv2 vpn.

1. Custom KERNEL:
FreeBSD-11 comes pre-built with IPSEC now, but you still need a custom KERNEL if you need NAT Traversal (NAT_T).
So I created a custom KERNEL using:
`buildkernel KERNCONF=GENERIC_IPSEC && make installkernel KERNCONF=GENERIC_IPSEC && reboot`

with file: /sys/amd64/conf/GENERIC_IPSEC

```
include GENERIC
ident           GENERIC_IPsec

# Options for an IPsec enabled kernel
#options         IPSEC       #already included with GENERIC on FreeBSD11
#device          crypto       #already included with GENERIC on FreeBSD11
options         IPSEC_NAT_T
```

2. Customizing IPsec:
install security/strongswan:
/usr/local/etc/ipsec.conf

```
conn nat-t
        keyexchange=ikev2
        mobike=yes
        dpdaction=restart
        dpddelay=5
        authby=psk
        left=%defaultroute
        #leftsubnet=0.0.0.0/0  #does not work
        leftsubnet=128.0.0.0/1,0.0.0.0/1
        leftfirewall=no
        right=%any
        rightsubnet=10.11.12.0/24
        rightsourceip=10.11.12.0/24
        auto=add
```

/usr/local/etc/ipsec.secrets

```
: PSK "My_Very_Good_Secret"
```

Activate service:
`service strongswan onestart`

3. Create NAT rules
A few ipfw() rules to setup NAT:

```
/sbin/kldload ipfw_nat
/sbin/ipfw nat 8668 config same_ports ip my-ipsec-server.example.com
/sbin/ipfw add 2000 nat 8668 ip from 10.11.12.0/24 to any out xmit em0
/sbin/ipfw add 2010 nat 8668 ip from any to my-ipsec-server.example.com in recv em0
```

4. Setup client VPN
In my case, it's an iPhone, a simple config:

```
Settings -> VPN -> Add VPN Configurations:
Type: IKEv2
Description: MyIKEv2
Server: my-ipsec-server.example.com
RemoteID: anything-works
LocalID: anything-works-too
User Authentication: None
Use Certificate: off
Secret: My_Very_Good_Secret
```

=====================


----------



## Crest (Nov 4, 2016)

IPsec tunnel mode ist broken by design. There is no interface and because of that it can't be used for lots of things e.g. dynamic routing protocols. If you want an interface your have to use IPsec in transport mode to protect some kind of tunnel e.g. GRE or L2TP.


----------



## kpa (Nov 4, 2016)

The way I understand is that in tunnel mode the traffic that is part of the security associations is just "hijacked" by the system before it even hits the standard routing process.


----------



## Crest (Nov 4, 2016)

Which breaks lots of useful applications for IPsec and is an obnoxious POLA violation and sadly FreeBSD lacks VTI support.


----------



## Donald Baud (Nov 4, 2016)

I am experimenting with IKEv2-tunnel-mode precisely because I can't do Multi-NAT-T with IKEv1-L2TP.
I tried both security/ipsec-tools and security/strongswan with net/mpd5.

Has anyone been able to do IPsec with a successful multiple NATed clients behind the same NAT device?

John ----|
Jack ----|-->--nat-router ---->-------ipsec-vpn
Fred ----|


----------



## Crest (Nov 4, 2016)

How about using IPv6 and getting rid of the NAT?


----------



## obsigna (Nov 4, 2016)

Donald Baud said:


> I am experimenting with IKEv2-tunnel-mode precisely because I can't do Multi-NAT-T with IKEv1-L2TP.
> I tried both security/ipsec-tools and security/strongswan with net/mpd5.
> 
> Has anyone been able to do IPsec with a successful multiple NATed clients behind the same NAT device?
> ...


I have running a L2TP/IPsec server on an AWS-EC2 instance using security/strongswan and net/mpd5.

From behind my NAT at home I can establish L2TP/IPsec-VPN connections from multiple clients at the same time.







The point is that at any time only one Windows client can connect, while any number of iOS and macOS clients (I tried up to 5 Apple clients + 1 Windows) may connect concurrently.

For iOS/macOS connectivity, I recommend L2TP/IPsec. For connectivity of multiple Windows clients from behind the same NAT, we are out of luck with any VPN scheme. According to all my experiments in the past, neither L2TP/IPsec nor IKEv2 connections may operate concurrently together with other Windows connections from behind the same NAT because Windows simply does not provide its local IP-adress/ports to the VPN server, while Apple clients do. So the server cannot distinguish two Windows clients while it can distinguish any Apple client.

If you are looking for VPN connections from multiple Apple clients from behind the same NAT together with max. 1 Windows machine at the same time, then please ask for more details on my setup. If you are looking for mulitiple Windows connections, I can't help, and I fear nobody can.


----------



## Donald Baud (Nov 5, 2016)

I took another shot at IKEv1/L2TP and I was pleasantly surprised that Multi-NAT-T with my iPhone and iPAD as clients was successful on security/strongswan

* So far this is what I've noticed, correct me if I'm wrong:
- Multi-NAT-T works with IKEv1/L2TP security/strongswan (except for windows clients)
- Multi-NAT-T does not work with IKEv1/L2TP security/ipsec-tools
- Multi-NAT-T does not work with IKEv2 (Tunnel) security/strongswan

* Has anyone tried IKEv2/L2TP security/strongswan is it possible?

* Has anyone tried IKEv2 with security/racoon2?

* The strongSwan.org implementation talks about "connmark plugin" for NAT-Traversal but required Linux's 
	
	



```
iptable -j MARK
```
.  What is the equivalent of "MARK" with ipfw()?

* All this leads me to ask again, how do we trace the inner IP packets in IPsec if we want to understand the issues:
   - How do we tcpdump() IP packets that are "Transport"ed to the L2TP net/mpd5?
   - Where is the routing table of the clients IP's encapsulated? 
	
	



```
netstat -rn
```
 does not show the VPN detail


----------



## obsigna (Nov 5, 2016)

I will focus on your questions that I got an answer for.



Donald Baud said:


> * So far this is what I've noticed, correct me if I'm wrong:
> - Multi-NAT-T works with IKEv1/L2TP security/strongswan (except for windows clients)
> - Multi-NAT-T does not work with IKEv1/L2TP security/ipsec-tools


For L2TP/IPsec a lot of people had success by patching the kernel and the tools. See:
http://forums.freebsd.org/viewtopic.php?p=258710
http://forums.freebsd.org/viewtopic.php?p=237778

I switched from security/ipsec-tools to security/strongswan with the advent of FreeBSD 10.1, and after this I didn't maintain the patches anymore.



Donald Baud said:


> * Has anyone tried IKEv2/L2TP security/strongswan is it possible?



I didn't try this. I assume that L2TP/IPsec should be possible with IKEv2 since the L2TP does not care about the key exchange mechanism during establishing the IPsec link. As a matter of fact L2TP does not even know that the UDP packets on port 1701 are coming in from or going out into a IPsec link. L2TP by itself would even work without IPsec, of course not encrypted.

The crucial point is that clients and servers need to agree on the exact details of both protocols, and a server with L2TP/IPsec-IKEv2 cannot be addressed by clients that want to talk L2TP/IPsec-IKEv1 -- of course. That said, the built-in L2TP/IPsec clients that I know of (macOS, iOS, Windows, Android), are restricted to IKEv1. So at present the answer seems to be: theoretically YES, practically NO.



Donald Baud said:


> * All this leads me to ask again, how do we trace the inner IP packets in IPsec if we want to understand the issues:
> - How do we tcpdump() IP packets that are "Transport"ed to the L2TP net/mpd5?


You don't, since the IPsec packets are entirely decapsulated/decrypted in the kernel and passed to the destination that is specified in the SPD and SAD, and for L2TP that would be UDP 127.0.0.1:1701 for incoming and usually UDP 0.0.0.0:1701 for outgoing traffic. Note that at any stage outside of the kernel, the packets are normal UDP, no IPsec anymore.



Donald Baud said:


> - Where is the routing table of the clients IP's encapsulated?
> 
> 
> 
> ...



IPsec routing is handled in the kernel by the Security Association Database (SAD) and the Security Policy Database (SPD). You may use the tool setkey(8) to inspect and manipulate the entries in said databases. For example, for a L2TP/IPsec-VPN connection from my Mac to my VPN server the following entries are created in the respective databases:
Security Association Database (SAD): `# setkey -D`

```
172.xxx.yyy.zzz 189.aaa.bbb.ccc
    esp mode=transport spi=202096292(0x0c0bbea4) reqid=19(0x00000013)
    E: rijndael-cbc  7e93ceb0 c5cc77bc 3e8919dc c702475e 281d4478 227a6f74 cf65a6ed 88fb0811
    A: hmac-sha1  8e2aed56 66323f83 a707c1d3 4725a999 765abfd0
    seq=0x0000015b replay=0 flags=0x00000000 state=mature
    created: Nov  5 20:25:38 2016    current: Nov  5 20:26:01 2016
    diff: 23(s)    hard: 3600(s)    soft: 2781(s)
    last: Nov  5 20:25:57 2016    hard: 0(s)    soft: 0(s)
    current: 132088(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 347    hard: 0    soft: 0
    sadb_seq=1 pid=11748 refcnt=2
189.aaa.bbb.ccc 172.xxx.yyy.zzz
    esp mode=transport spi=3227647785(0xc061ff29) reqid=19(0x00000013)
    E: rijndael-cbc  53834d82 74fa2072 fe7cb243 2ad3bf78 272be284 cdb74ef0 d184356b a235cfcf
    A: hmac-sha1  14134590 36e3fdf5 1a9d6e72 76774e90 ff558465
    seq=0x000001c7 replay=4 flags=0x00000000 state=mature
    created: Nov  5 20:25:38 2016    current: Nov  5 20:26:01 2016
    diff: 23(s)    hard: 3600(s)    soft: 2833(s)
    last: Nov  5 20:25:57 2016    hard: 0(s)    soft: 0(s)
    current: 69447(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 455    hard: 0    soft: 0
    sadb_seq=0 pid=11748 refcnt=1
```
Security Policy Database (SPD): `# setkey -DP`

```
189.aaa.bbb.ccc[65217] 172.xxx.yyy.zzz[1701] udp
    in ipsec
    esp/transport//unique:19
    created: Nov  5 20:25:38 2016  lastused: Nov  5 20:26:45 2016
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=126 seq=1 pid=11752
    refcnt=1
172.xxx.yyy.zzz[1701] 189.aaa.bbb.ccc[65217] udp
    out ipsec
    esp/transport//unique:19
    created: Nov  5 20:25:38 2016  lastused: Nov  5 20:26:45 2016
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=125 seq=0 pid=11752
    refcnt=1
```
Note the port number [65217] in the entries of the SPD. These make the difference for a working Multi-NAT-T. Apple clients are able to inform the port numbers, Windows clients do not, and therefore, Multi-NAT-T does work with Apple clients and does not with Windows clients.

That said, without patching the kernel and setting a registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent -- DWORD -- AssumeUDPEncapsulationContextOnSendRule = 2], Windows L2TP/IPsec clients wont't work at all from behind NAT. And even for IKEv2 the kernel patch is necessary, if the IPsec server is behind NAT, as mine is on the AWS-EC2 instance.


----------



## Charlie86 (Feb 3, 2018)

Hi,

I am total beginner in BSD and VPN world and would like to set up VPN server with IKEv2. I successfully installed strongswan. But now have few problems with configuration. First one is with custom kernel. If I understan correctly NAT-T means server is behaind router-NAT and is not doing NAT for LAN. In my case, my connections goes modem---->router----->FreeBSD so I am assuming I need to do custom kernel. I try to copy command
`root@VPN:~ # buildkernel KERNCONF=GENERIC_IPSEC && make installkernel KERNCONF=GENERIC_IPSEC && reboot

buildkernel: Command not found.`

What am I doing wrong?

Second questions about conf

This is how my conf file looks like


```
# ipsec.conf - strongSwan IPsec configuration file


# basic configuration


config setup

        # strictcrlpolicy=yes

        # uniqueids = no


# Add connections here.


# Sample VPN connections


#conn sample-self-signed

#      leftsubnet=10.1.0.0/16

#      leftcert=selfCert.der

#      leftsendcert=never

#      right=192.168.0.2

#      rightsubnet=10.2.0.0/16

#      rightcert=peerCert.der

#      auto=start


#conn sample-with-ca-cert

#      leftsubnet=10.1.0.0/16

#      leftcert=myCert.pem

#      right=192.168.0.2

#      rightsubnet=10.2.0.0/16

#      rightid="C=CH, O=Linux strongSwan CN=peer name"

#      auto=start
```

Should I copy config from OPs post and edit IPs or must I edit my conf file? Also not shure how to edit it, IP of FreeBSD box is 192.168.178.17 if some one can help me I would be glad, because I am lost at the moment 

I want to set up VPN just for test and fun, nothing special. Client will be my iPhone.

Thank you


----------



## obsigna (Feb 3, 2018)

Since the release of 11.1, FreeBSD comes with NAT-T enabled in the kernel by default, and in addition a long standing issue with the checksum of UDP packets encapsulated by the way of ESP has been addressed, and now with that even Windows clients are able to establish ESP-IPsec connections from behind a NAT. So, as long as we are talking about FreeBSD 11.1-RELEASE or newer, no custom kernel is needed.

I use still an iPhone 4 and with that one I am stuck with iOS 7, which doesn't speak IKEv2, however, I am perfectly happy with the built-in L2TP/IPsec client and the L2TP/IPsec service on my FreeBSD server(s). I cannot tell if newer iOS can speak IKEv2, you want to verify that before you continue. However, why not L2TP/IPsec VPN dial-in to the FreeBSD home server. Again, only with older FreeBSD installations you need to build a custom kernel.


----------



## Charlie86 (Feb 3, 2018)

Hi, since I have FreeBSD 11 I leave costume kernel. Thank you for yours info. My iphone 6s is capable of IKEv2, but if I am honest. I am not shore why I chouse IKEv2. I did some google searching and find out IKEv2 should be the best. Because you give us nice instructions for L2TP/IPsec I will try that. I succesffuly instal mdp5 but now I am stuck at

`root@VPN:~ #   portmaster --no-term-title -yBD security / strongswan 


===>>> security is not installed

===>>> Aborting update


root@VPN:~ #`

how to install security?

BDW If I understand you correctly, because I use FreeBSD11 I do not need to mess up with kernel so I start with
*Install dial-up software *in yours tutorial.


----------



## obsigna (Feb 3, 2018)

The Google translator added some blanks to the commands where there shouldn't any.

The correct command is `portmaster --no-term-title -yBD security/strongswan`. Another option nowadays is to install also strongSwan from binary packages since IKEv1 and PKI-Tools has been turned into default options, and for this reason it is no more necessary to install strongSwan from sources -- `pkg install strongswan`

For FreeBSD 11.0 you need to compile a custom kernel with added options IPSEC_NAT_T. For FreeBSD 11.1 NAT-T  is enabled by default. Short answer: FreeBSD 11.0 - custom kernel: YES; FreeBSD 11.1 - custom kernel: NO.

Honestly, before anything else, I suggest you upgrade to FreeBSD 11.1-RELEASE. Between 11 und 11.1 the IPsec stack got a lot of improvements. While the iPhone will be happy working with FreeBSD 11, Windows and also some Androids would be more happy with 11.1.


----------



## Charlie86 (Feb 4, 2018)

Hi,

Thank you for all your information and help, but after a long night googeling, I am still stuck. Having problems with updating FreeBSD to 11.1. Any suggestion how to update it on some other way? Internet connection is working OK.

`root@VPN:/ # freebsd-version

11.0-RELEASE-p1

root@VPN:/ # freebsd-update fetch

Looking up update.FreeBSD.org mirrors... 3 mirrors found.

Fetching public key from update6.freebsd.org... failed.

Fetching public key from update5.freebsd.org... failed.

Fetching public key from update4.freebsd.org... failed.

No mirrors remaining, giving up.`


----------



## Phishfry (Feb 4, 2018)

`freebsd-update upgrade -r 11.1-RELEASE`


----------



## obsigna (Feb 4, 2018)

Phishfry said:


> `freebsd-update upgrade -r 11.1-RELEASE`



Well, I always suggest to update the system to the latest patch level, which is p6 now, before doing the upgrade.



Charlie86 said:


> ... Having problems with updating FreeBSD to 11.1. Any suggestion how to update it on some other way? Internet connection is working OK.
> 
> ```
> root@VPN:/ # freebsd-version
> ...



Perhaps it might help to clean up the freebsd-update(8) metadata on your system:
`# rm -r /var/db/freebsd-update/*`

Be careful not to delete the directory which holds the metadata, though.


----------



## Phishfry (Feb 4, 2018)

One thing to watch for is "rebuild all ports or packages" phase.
I skipped it one time and hosed my system up. Next reboot it deleted old libraries.
If I had only followed the instructions onscreen.


----------



## Charlie86 (Feb 21, 2018)

obsigna said:


> Well, I always suggest to update the system to the latest patch level, which is p6 now, before doing the upgrade.
> 
> 
> 
> ...




OK, after lots of problems I am now successfuly updated FreeBSD to 11.1

Now I am editing mpd.conf and have (again) few questions.


```
# configure the web server
    set web self 192.168.1.35 5006
```
 I am assuming this is also address to connect to VPN locally for test and forward ports on router for global access?

```
l2tp_server:
# Define dynamic IP address pool -- 192.168.1.160/28
set ippool add pool_l2tp 192.168.1.161 192.168.1.174
```


```
# Specify IP address pool for dynamic assigment
    set ipcp ranges 192.168.1.35/32 ippool pool_l2tp
    set ipcp dns 192.168.1.35
```

for what are this two pools? I am assuming one is range of IPs, that clients will get? Which one it is and for what is other one? Can this range be same for both?

My configuration:

gateway 192.168.178.1
freeBSD host 192.168.178.41
VPN jail 192.168.178.142

Sorry for n00b questions,..


----------



## Charlie86 (Feb 26, 2018)

Anybody?


----------



## daviddpd (May 30, 2018)

Charlie86 said:


> Anybody?



This thread has gone on a bit ... I was actually looking for getting if_ipsec to use multiple neisr threads - as my system is currently maxing out a core on netisr - however, I may be able to help.

I've spent A LOT of time, getting this to work, and have a test/router lab setup, but in the lab I now have two Juniper SRXes and two FreeBSD 11.1-stable (VMs) using if_ipsec, connected in a full mesh with BIRD doing iBGP on FreeBSD to iBGP on the Juniper SRXes.   I'm also using racoon for IKE.  No NAT - distributing out internal 1918 routed IP space over the tunnels.

This is using ESP and Layer 3 P2P, not tunneling Layer 2, and using different software packages.   I still need to deploy the lab config from 4 sites to 5 sites in production (3 Junipers, 2 FreeBSD).  Let me know if that can be helpful and I'll attempt to document the setup and post it.


----------



## Crest (May 30, 2018)

Did you document your setup somewhere?


----------

