Mobile ikev2 and bovpn ikev2
Hi
I have a site-2-site (A <->B) bovpn using ikev2.
If I sit behind one of the firewall endpoints (A) with a machine connecting with mobile ikev2 vpn to the same endpoint (B) as the site-2-site bovpn, this will not work, right?
Regards
Robert
Comments
If they both use the IPSec Firebox certificate, then I can't see how the IKEv2 client could connect to the other end.
My thinking is that with a cert for the mobile user and a shared key for the BOVPN, that the IKE_AUTH would result in different SAs and thus I would expect that the mobile client could connect successfully.
Looking to learn more.
I have to test ...
It works with both a bovpn VIF using shared key and Windows ikev2 using certificate from behind the same Firebox to the same destination.
Good news.
Thanks for the confirmation.
I might have spoken too soon. Connecting via mobile ikev2 from behind a T15 running 12.5.5 works at the same time when the T15 has a bovpn VIF ikev2 (preshared key) connection to the same vpn destination.
But connecting with the same vpn client (still muvpn ikev2) from behind an M370 running 12.6.2 which also has a bovpn ikev2 (not VIF and preshared key) to an M370 running 12.6.2 does not work.
Outgoing I see the connection is allowed:
'Allow 172.16.1.34 x.x.x.x.243 isakmp/udp 500 500 Internal network TDC-EXT Allowed 572 127
On the M370 where the vpn connections are terminated:
Y.Y.Y.Y = M370 where the tunnels are terminated
X.X.X.X = M370 source
iked (Y.Y.Y.Y<->X.X.X.X)'IKE_AUTH response' message created successfully. length:1328 Debug
iked (Y.Y.Y.Y<->X.X.X.X)'IKE_AUTH response' message created successfully. length:80 Debug
iked (Y.Y.Y.Y<->X.X.X.X)'IKE_SA_INIT response' message created successfully. length:496 Debug
iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ EAP(sz=17)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=1812)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=68)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 7 payloads [ IDi(sz=12) CERTREQ(sz=1545) N(sz=8) CFG(sz=36) SA(sz=44) TSi(sz=64) TSr(sz=64)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)"IKE_SA_INIT request" message has 10 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=52) N(sz=8) N(sz=28) N(sz=28) V(sz=24) V(sz=20) V(sz=20) V(sz=24)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:4500(socket=18 ifIndex=6) from Peer X.X.X.X:4500 ******** Debug
iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:4500(socket=18 ifIndex=6) from Peer X.X.X.X:4500 ******** Debug
iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:500(socket=17 ifIndex=6) from Peer X.X.X.X:500 ******** Debug
iked (Y.Y.Y.Y<->X.X.X.X)childState(0xe29218) state change: UNKNOWN ==> CREATED, reason: "Create a Child State" Debug
iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_AUTH request message - IkeSA(0xe0a928)'s state=IKE_EAP_EXCHANGE Debug
iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_AUTH request message - IkeSA(0xe0a928)'s state=SA_INIT_R Debug
iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_SA_INIT request message - IkeSA(0xe0a928)'s state=CREATED Debug
iked (Y.Y.Y.Y<->X.X.X.X)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
iked (Y.Y.Y.Y<->X.X.X.X)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
iked (Y.Y.Y.Y<->X.X.X.X)Found matching IKE policy 'Webshop-Aarhus-Gateway' for peer 'X.X.X.X:500' Debug
iked (Y.Y.Y.Y<->X.X.X.X)Got IKE policy 'Webshop-Aarhus-Gateway' from ikeSA(0xe0a928 id:00000000 state:'SA_INIT_R') Debug
iked (Y.Y.Y.Y<->X.X.X.X)Got IKE policy 'Webshop-Aarhus-Gateway' from ikeSA(0xe0a928 id:00000000 state:'IKE_EAP_EXCHANGE') Debug
iked (Y.Y.Y.Y<->X.X.X.X)ike2_EAP_GetAuthReq: invalid EAP authentication protocol 0 Debug
iked (Y.Y.Y.Y<->X.X.X.X)ike2_ProcessPayload_CFGREQ: IKEv2 CFG_REQUEST: 0x5ba0 unsupported attribute. Discard them Debug
iked (Y.Y.Y.Y<->X.X.X.X)ike2_ProcessPayload_CFGREQ: IKEv2 CFG_REQUEST: 0x5ba1 unsupported attribute. Discard them Debug
iked (Y.Y.Y.Y<->X.X.X.X)IkeGetCertChainByCertID: Form Cert Chain succeed Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14 Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 0 -> 1 Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 1 -> 2 Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 2 -> 3 Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: IKE_EAP_EXCHANGE ==> IKE_EAP_DONE, reason: "IKE_AUTH response is Out" Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: SA_INIT_R ==> IKE_EAP_EXCHANGE, reason: "IKE_AUTH response is Out" Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: UNKNOWN ==> CREATED, reason: "Init SA state" Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_NONE ==> EAP_REQ_I, reason: "IKE_AUTH response is Out" Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_REQ_I ==> EAP_FAIL, reason: "Failed to build EAP payload" Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKEv2 "IKE_AUTH request"'s decrypted message contains 1 payloads [ EAP(sz=17)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKEv2 "IKE_AUTH request"'s decrypted message contains 7 payloads [ IDi(sz=12) CERTREQ(sz=1545) N(sz=8) CFG(sz=36) SA(sz=44) TSi(sz=64) TSr(sz=64)] Debug
iked (Y.Y.Y.Y<->X.X.X.X)Initiating MUVPN EAP exchange with client:X.X.X.X:4500. IKE-Policy:'WG IKEv2 MVPN' Debug
iked (Y.Y.Y.Y<->X.X.X.X)NATT: as the responder, we need to update UDP port (myPort: 500 -> 4500, peerPort: 500 -> 4500), local 0 remote 1 Debug
iked (Y.Y.Y.Y<->X.X.X.X)non-supported notify type: 16396(N(MOBIKE_SUPPORTED)), ignore it Debug
iked (Y.Y.Y.Y<->X.X.X.X)non-supported notify type: 16430(UNKNOWN), ignore it Debug
iked (Y.Y.Y.Y<->X.X.X.X)Peer 'X.X.X.X:500' require EAP authentication, Use default IKEv2 muvpn policy 'WG IKEv2 MVPN' Debug
iked (Y.Y.Y.Y<->X.X.X.X)Processed IKE_SA_INIT request message successfully Debug
iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:1 length:1840 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:2 length:96 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:544 SPI[i=5c17d368e105d732 r=0000000000000000] Debug
iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=1) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=2) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_SA_INIT response message (msgId=0) from Y.Y.Y.Y:500 to X.X.X.X:500 for 'Webshop-Aarhus-Gateway' gateway endpoint successfully. Debug
iked (Y.Y.Y.Y<->X.X.X.X)The local is NOT behind NAT Debug
iked (Y.Y.Y.Y<->X.X.X.X)The peer is behind NAT Debug
iked (Y.Y.Y.Y<->X.X.X.X)the received IPSec proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/ Debug
iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(Webshop-Aarhus-Gateway) to update ikeSA(0xe0a928) Debug
iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(WG IKEv2 MVPN) to update ikeSA(0xe0a928) Debug
iked (Y.Y.Y.Y<->X.X.X.X)stop the given response retry object(0xe28318, name="IKE_AUTH response", msgId=2) Debug
I see Fireware finds the ike policy 'Webshop-Aarhus-Gateway', which is the bovpn preshared tunnel, when the vpn mobile client tries to connect. Could this be an issue where Fireware locates the wrong ike policy for the connection?
/Robert
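The iked excerpt above shows one IKE SA handle (0xe0a928) being updated first with the BOVPN gateway policy and then with the MUVPN policy before the EAP state goes to EAP_FAIL. As an added example, not code from the thread or from WatchGuard, the following Python script parses iked debug lines and flags an SA that received more than one policy and also hit an EAP failure, so the pattern can be spotted in a large log; the sample lines are constructed after the ones in the post and the handle and addresses are placeholders.

```python
import re

# Constructed sample, shaped like the iked debug lines in the post above
# (Y.Y.Y.Y / X.X.X.X and 0xe0a928 are placeholders, not real values).
SAMPLE_LOG = """\
iked (Y.Y.Y.Y<->X.X.X.X)Found matching IKE policy 'Webshop-Aarhus-Gateway' for peer 'X.X.X.X:500' Debug
iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(Webshop-Aarhus-Gateway) to update ikeSA(0xe0a928) Debug
iked (Y.Y.Y.Y<->X.X.X.X)Peer 'X.X.X.X:500' require EAP authentication, Use default IKEv2 muvpn policy 'WG IKEv2 MVPN' Debug
iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(WG IKEv2 MVPN) to update ikeSA(0xe0a928) Debug
iked (Y.Y.Y.Y<->X.X.X.X)ike2_EAP_GetAuthReq: invalid EAP authentication protocol 0 Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_REQ_I ==> EAP_FAIL, reason: "Failed to build EAP payload" Debug
"""

# "iked (local<->peer)message" prefix used by every iked line
PEER_RE = re.compile(r"^iked \((?P<local>[^<]+)<->(?P<peer>[^)]+)\)(?P<msg>.*)$")
# policy assignment to an IKE SA handle
POLICY_RE = re.compile(r"use ikePcy\((?P<policy>[^)]+)\) to update ikeSA\((?P<sa>0x[0-9a-f]+)\)")
# the two EAP failure symptoms visible in the post
EAP_FAIL_RE = re.compile(r"EAP state change: \S+ ==> EAP_FAIL|invalid EAP authentication protocol")


def triage(log_text):
    """Return one finding per IKE SA that was updated with more than one
    IKE policy and whose peer also produced an EAP failure line."""
    policies = {}   # sa handle -> ordered list of distinct policy names
    sa_peer = {}    # sa handle -> peer address string
    eap_fail = set()  # peers that logged an EAP failure
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        pm = POLICY_RE.search(msg)
        if pm:
            sa = pm.group("sa")
            sa_peer[sa] = peer
            seen = policies.setdefault(sa, [])
            if pm.group("policy") not in seen:
                seen.append(pm.group("policy"))
        if EAP_FAIL_RE.search(msg):
            eap_fail.add(peer)
    return [{"sa": sa, "peer": sa_peer[sa], "policies": lst}
            for sa, lst in policies.items()
            if len(lst) > 1 and sa_peer[sa] in eap_fail]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"SA {f['sa']} from {f['peer']} got policies {f['policies']} and then failed EAP")
```

Feed it the full iked output (Traffic Monitor with debug level on the terminating Firebox); a hit means the peer address matched a BOVPN gateway first and only later fell back to the MUVPN policy.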
Perhaps it is related to this Known Issue ?
Mobile VPN with L2TP connections fail when there is a Branch Office VPN (BOVPN) connection to remote Firebox
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3QuSAI&lang=en_US
Description
If you are behind a gateway router or firewall with a Branch Office VPN connection to a remote Firebox, Mobile VPN with L2TP connections to that remote Firebox will fail.
Workaround
You can use another Mobile VPN option, such as Mobile VPN with SSL.
I saw this article and maybe you are right - it's "just" a bug.
I will comment on my own old post here.
You will get "invalid EAP authentication protocol 0" if you connect from behind the Firebox with an ikev2 mobile device and you have an existing ikev2 bovpn virtual connection configured where both endpoints are configured with static IPs to the same destination.
This is with the exact same phase1 configuration on both ends as with the mobile ikev2 phase1 settings.
On the other hand, if you configure one of your bovpn virtual endpoints with dynamic ip and use fqdn names, it will use the ikeV2 shared configuration (again with the same phase1 configuration); the mobile ikev2 connection does establish and work side by side with the existing bovpn connection.
Fireware seems to handle ikev2 connections from the same endpoint differently depending on whether it uses the shared ikeV2 settings or not.