IKEv2 Multiple NAT'd Clients


IKEv2 Multiple NAT'd Clients

David Anthony
Hello,

I have an IKEv2 VPN server set up with OpenBSD + IKED + PF. Everything is working properly - a single client device will properly route all traffic through the VPN and exit from the VPN server via PF + NAT.

However, I experience errors with two clients connecting simultaneously. Both clients appear to connect successfully, but I believe NAT issues are preventing traffic from leaving the box, or confusing the two clients’ traffic streams during NAT. I’m looking for any clues / suggestions which may help achieve my use case.

The internet suggests using unique “from CLIENTIPADDR” clauses for each potential client in /etc/iked.conf - but I can’t tell ahead of time which CIDR ranges my devices will be connecting from (especially roaming cell phones). Also, in some cases I may have two devices connecting from the same CIDR range. I’m not even sure it’s an IKED issue rather than NAT.

Respectfully,
David Anthony

/etc/pf.conf
        set skip on lo
        block return
        match out on vio0 from 10.0.0.0/24 to any nat-to vio0
        pass
        block return in on ! lo0 proto tcp to port 6000:6010
        block return out log proto {tcp udp} user _pbuild

/etc/iked.conf
        ikev2 "inet" esp \
                from 0.0.0.0/0 to 10.0.0.0/24 \
                peer any \
                psk "foobar" \
                config address 10.0.0.64/27 \
                config name-server 10.0.0.1 \
                config protected-subnet 0.0.0.0/0

/etc/hostname.enc0
        inet 10.0.0.1 255.255.255.0 10.0.0.255
        up

/etc/rc.conf.local
        iked_flags=
        unbound_flags=

/etc/sysctl.conf
        net.inet.ip.forwarding=1
        net.inet.esp.enable=1
        net.inet.ah.enable=1
        net.inet.ipcomp.enable=1
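One way to tell the two clients' NAT streams apart on the server, as an added diagnostic that is not part of the thread above: it reads pf state entries and groups them by the inner (tunnel) client address, then flags any translated proto/src:port tuple shared by more than one client. It assumes the OpenBSD "pfctl -s state" line layout shown in the comments and uses a constructed sample in place of live output; on the real box, pipe `pfctl -s state` into the same functions.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. Assumed state-line layout:
#   <if> <proto> <translated src:port> (<original src:port>) -> <dst:port> <state>
# SAMPLE is constructed; the last line deliberately reuses a translated tuple
# so that the collision check has something to report.
SAMPLE='vio0 tcp 203.0.113.5:60001 (10.0.0.65:51234) -> 198.51.100.10:443 ESTABLISHED:ESTABLISHED
vio0 udp 203.0.113.5:60002 (10.0.0.66:5353) -> 198.51.100.53:53 MULTIPLE:MULTIPLE
vio0 tcp 203.0.113.5:60003 (10.0.0.66:51234) -> 198.51.100.10:443 ESTABLISHED:ESTABLISHED
vio0 tcp 203.0.113.5:60001 (10.0.0.66:40000) -> 198.51.100.20:443 ESTABLISHED:ESTABLISHED'

# Print one "inner_client -> proto translated_src:port" line per NAT'd state.
nat_mappings() {
    awk '$4 ~ /^\(.*\)$/ && $5 == "->" {
        inner = substr($4, 2, length($4) - 2)
        sub(/:[0-9]+$/, "", inner)          # drop the inner source port
        print inner, "->", $2, $3
    }'
}

# Number of NAT'd states per VPN client (inner address), sorted by client.
states_per_client() {
    nat_mappings | awk '{ n[$1]++ } END { for (c in n) print c, n[c] }' | sort
}

# Translated proto/src:port tuples used by more than one inner client.
# A healthy NAT table prints nothing here; any output is a stream mix-up.
nat_collisions() {
    nat_mappings | sort -u | awk '{
        key = $3 " " $4; seen[key] = seen[key] " " $1; n[key]++
    } END { for (k in n) if (n[k] > 1) print k, "used by" seen[k] }' | sort
}

echo "NAT'd states per VPN client:"
printf '%s\n' "$SAMPLE" | states_per_client
echo "translated tuples shared by more than one client:"
printf '%s\n' "$SAMPLE" | nat_collisions
```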

Re: IKEv2 Multiple NAT'd Clients

雷致强
You don’t have to configure /etc/hostname.enc0, I think. How about removing it and then checking whether this happens again?

> On Jul 6, 2019, at 3:40 AM, David Anthony <[hidden email]> wrote: