Mobile IKEv2 and BOVPN IKEv2

Hi

I have a site-to-site (A <-> B) BOVPN using IKEv2.

If I sit behind one of the firewall endpoints (A) with a machine connecting with Mobile IKEv2 VPN to the same endpoint (B) as the site-to-site BOVPN, this will not work, right?

Regards
Robert

Comments

  • If they both use the IPSec Firebox certificate, then I can't see how the IKEv2 client could connect to the other end.
    My thinking is that with a cert for the mobile user and a shared key for the BOVPN, that the IKE_AUTH would result in different SAs and thus I would expect that the mobile client could connect successfully.

    Looking to learn more.

  • I have to test...

  • It works with both a BOVPN VIF using a shared key and Windows IKEv2 using a certificate, from behind the same Firebox to the same destination.

  • Good news.
    Thanks for the confirmation.

  • I might have spoken too soon. Connecting via Mobile IKEv2 from behind a T15 running 12.5.5 works at the same time as the T15 has a BOVPN VIF IKEv2 (preshared key) connection to the same VPN destination.

    But connecting with the same VPN client (still MUVPN IKEv2) from behind an M370 running 12.6.2, which also has a BOVPN IKEv2 (not VIF, preshared key) connection to an M370 running 12.6.2, does not work.

    Outgoing I see the connection is allowed:
    Allow 172.16.1.34 x.x.x.x.243 isakmp/udp 500 500 Internal network TDC-EXT Allowed 572 127

    On the M370 where the VPN connections are terminated:
    Y.Y.Y.Y = M370 where the tunnels are terminated
    X.X.X.X = M370 source

    iked (Y.Y.Y.Y<->X.X.X.X)'IKE_AUTH response' message created successfully. length:1328 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)'IKE_AUTH response' message created successfully. length:80 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)'IKE_SA_INIT response' message created successfully. length:496 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ EAP(sz=17)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=1812)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=68)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 7 payloads [ IDi(sz=12) CERTREQ(sz=1545) N(sz=8) CFG(sz=36) SA(sz=44) TSi(sz=64) TSr(sz=64)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_SA_INIT request" message has 10 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=52) N(sz=8) N(sz=28) N(sz=28) V(sz=24) V(sz=20) V(sz=20) V(sz=24)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:4500(socket=18 ifIndex=6) from Peer X.X.X.X:4500 ******** Debug
    iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:4500(socket=18 ifIndex=6) from Peer X.X.X.X:4500 ******** Debug
    iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:500(socket=17 ifIndex=6) from Peer X.X.X.X:500 ******** Debug
    iked (Y.Y.Y.Y<->X.X.X.X)childState(0xe29218) state change: UNKNOWN ==> CREATED, reason: "Create a Child State" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_AUTH request message - IkeSA(0xe0a928)'s state=IKE_EAP_EXCHANGE Debug
    iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_AUTH request message - IkeSA(0xe0a928)'s state=SA_INIT_R Debug
    iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_SA_INIT request message - IkeSA(0xe0a928)'s state=CREATED Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Found matching IKE policy 'Webshop-Aarhus-Gateway' for peer 'X.X.X.X:500' Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Got IKE policy 'Webshop-Aarhus-Gateway' from ikeSA(0xe0a928 id:00000000 state:'SA_INIT_R') Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Got IKE policy 'Webshop-Aarhus-Gateway' from ikeSA(0xe0a928 id:00000000 state:'IKE_EAP_EXCHANGE') Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ike2_EAP_GetAuthReq: invalid EAP authentication protocol 0 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ike2_ProcessPayload_CFGREQ: IKEv2 CFG_REQUEST: 0x5ba0 unsupported attribute. Discard them Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ike2_ProcessPayload_CFGREQ: IKEv2 CFG_REQUEST: 0x5ba1 unsupported attribute. Discard them Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IkeGetCertChainByCertID: Form Cert Chain succeed Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 0 -> 1 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 1 -> 2 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 2 -> 3 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: IKE_EAP_EXCHANGE ==> IKE_EAP_DONE, reason: "IKE_AUTH response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: SA_INIT_R ==> IKE_EAP_EXCHANGE, reason: "IKE_AUTH response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: UNKNOWN ==> CREATED, reason: "Init SA state" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_NONE ==> EAP_REQ_I, reason: "IKE_AUTH response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_REQ_I ==> EAP_FAIL, reason: "Failed to build EAP payload" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKEv2 "IKE_AUTH request"'s decrypted message contains 1 payloads [ EAP(sz=17)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKEv2 "IKE_AUTH request"'s decrypted message contains 7 payloads [ IDi(sz=12) CERTREQ(sz=1545) N(sz=8) CFG(sz=36) SA(sz=44) TSi(sz=64) TSr(sz=64)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Initiating MUVPN EAP exchange with client:X.X.X.X:4500. IKE-Policy:'WG IKEv2 MVPN' Debug
    iked (Y.Y.Y.Y<->X.X.X.X)NATT: as the responder, we need to update UDP port (myPort: 500 -> 4500, peerPort: 500 -> 4500), local 0 remote 1 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)non-supported notify type: 16396(N(MOBIKE_SUPPORTED)), ignore it Debug
    iked (Y.Y.Y.Y<->X.X.X.X)non-supported notify type: 16430(UNKNOWN), ignore it Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Peer 'X.X.X.X:500' require EAP authentication, Use default IKEv2 muvpn policy 'WG IKEv2 MVPN' Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Processed IKE_SA_INIT request message successfully Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:1 length:1840 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:2 length:96 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:544 SPI[i=5c17d368e105d732 r=0000000000000000] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=1) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=2) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_SA_INIT response message (msgId=0) from Y.Y.Y.Y:500 to X.X.X.X:500 for 'Webshop-Aarhus-Gateway' gateway endpoint successfully. Debug
    iked (Y.Y.Y.Y<->X.X.X.X)The local is NOT behind NAT Debug
    iked (Y.Y.Y.Y<->X.X.X.X)The peer is behind NAT Debug
    iked (Y.Y.Y.Y<->X.X.X.X)the received IPSec proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/ Debug
    iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(Webshop-Aarhus-Gateway) to update ikeSA(0xe0a928) Debug
    iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(WG IKEv2 MVPN) to update ikeSA(0xe0a928) Debug
    iked (Y.Y.Y.Y<->X.X.X.X)stop the given response retry object(0xe28318, name="IKE_AUTH response", msgId=2) Debug

    I see Fireware finds the IKE policy 'Webshop-Aarhus-Gateway', which is the BOVPN preshared-key tunnel, when the mobile VPN client tries to connect. Could this be an issue where Fireware locates the wrong IKE policy for the connection?

    /Robert
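As an added illustration, not code from the post or from WatchGuard, here is a small Python checker that parses iked debug lines of the shape posted above and summarises, per peer, which IKE policy was matched at IKE_SA_INIT, which one answered IKE_AUTH, whether NAT-T kicked in, and how the EAP exchange ended. The sample lines are constructed from the shape of the posted log (same anonymised Y.Y.Y.Y / X.X.X.X addresses); the regular expressions are written for those lines only and are an assumption about the format, not a documented Fireware log schema. The one check that carries a protocol point is the "policy switch" finding: in IKEv2 the initiator's identity (IDi) and its authentication method travel only in IKE_AUTH, so at IKE_SA_INIT a responder has nothing but the peer address to select a policy with. When a BOVPN gateway and a mobile client both arrive from the same NAT'd public address, the checker flags that the policy chosen at IKE_SA_INIT differs from the one used for IKE_AUTH, which is the sequence visible in the posted lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the iked debug lines from the post above.
# Addresses are the post's own placeholders; this is not a capture from any
# specific Firebox and the format is an assumption for this demonstration.
SAMPLE_LOG = """\
iked (Y.Y.Y.Y<->X.X.X.X)Found matching IKE policy 'Webshop-Aarhus-Gateway' for peer 'X.X.X.X:500' Debug
iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:544 SPI[i=5c17d368e105d732 r=0000000000000000] Debug
iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_SA_INIT response message (msgId=0) from Y.Y.Y.Y:500 to X.X.X.X:500 for 'Webshop-Aarhus-Gateway' gateway endpoint successfully. Debug
iked (Y.Y.Y.Y<->X.X.X.X)NATT: as the responder, we need to update UDP port (myPort: 500 -> 4500, peerPort: 500 -> 4500), local 0 remote 1 Debug
iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:1 length:1840 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
iked (Y.Y.Y.Y<->X.X.X.X)Peer 'X.X.X.X:500' require EAP authentication, Use default IKEv2 muvpn policy 'WG IKEv2 MVPN' Debug
iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=1) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:2 length:96 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
iked (Y.Y.Y.Y<->X.X.X.X)ike2_EAP_GetAuthReq: invalid EAP authentication protocol 0 Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_REQ_I ==> EAP_FAIL, reason: "Failed to build EAP payload" Debug
"""

# Patterns matching the line shapes above (assumed, not an official schema).
_LINE = re.compile(r"^iked \((?P<local>[^<]+)<->(?P<peer>[^)]+)\)(?P<msg>.*?)\s*Debug$")
_MATCHED = re.compile(r"Found matching IKE policy '(?P<policy>[^']+)' for peer")
_SENT = re.compile(r"Sent out (?P<exch>IKE_SA_INIT|IKE_AUTH) response message \(msgId=(?P<id>\d+)\) "
                   r"from \S+ to \S+ for '(?P<policy>[^']+)' gateway endpoint")
_RECV = re.compile(r'Received IKEv2 "(?P<exch>\w+) request" message with message-ID:(?P<id>\d+) '
                   r'.*SPI\[i=(?P<spi_i>[0-9a-f]+) r=(?P<spi_r>[0-9a-f]+)\]')
_EAP_FALLBACK = re.compile(r"require EAP authentication, Use default IKEv2 muvpn policy '(?P<policy>[^']+)'")
_EAP_ERROR = re.compile(r"ike2_EAP_GetAuthReq: (?P<err>.+)$")
_EAP_FAIL = re.compile(r"EAP state change: \S+ ==> EAP_FAIL")
_NATT = re.compile(r"NATT: .*myPort: (?P<my_old>\d+) -> (?P<my_new>\d+), peerPort: (?P<peer_old>\d+) -> (?P<peer_new>\d+)")


@dataclass
class IkeTrace:
    peer: str = ""
    spi_i: str = ""
    sa_init_policy: str = ""          # policy selected when IKE_SA_INIT arrived (peer address only)
    auth_policy: str = ""             # policy under which IKE_AUTH responses were sent
    eap_fallback_policy: str = ""     # MUVPN policy picked once the peer asked for EAP
    eap_error: str = ""
    eap_failed: bool = False
    nat_t: bool = False               # responder moved to UDP 4500 (peer behind NAT)
    exchanges: list[tuple[int, str]] = field(default_factory=list)  # (message-ID, exchange)


def parse_iked(text: str) -> IkeTrace:
    """Extract the IKEv2 exchange summary from iked debug lines (order-independent)."""
    trace = IkeTrace()
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # not an iked debug line of the expected shape
        trace.peer = trace.peer or m.group("peer")
        msg = m.group("msg")
        if (p := _MATCHED.search(msg)):
            trace.sa_init_policy = p.group("policy")
        elif (p := _RECV.search(msg)):
            trace.exchanges.append((int(p.group("id")), p.group("exch")))
            trace.spi_i = trace.spi_i or p.group("spi_i")
        elif (p := _SENT.search(msg)):
            if p.group("exch") == "IKE_AUTH":
                trace.auth_policy = p.group("policy")
            elif not trace.sa_init_policy:
                trace.sa_init_policy = p.group("policy")
        elif (p := _EAP_FALLBACK.search(msg)):
            trace.eap_fallback_policy = p.group("policy")
        elif (p := _EAP_ERROR.search(msg)):
            trace.eap_error = p.group("err").strip()
        elif _EAP_FAIL.search(msg):
            trace.eap_failed = True
        elif (p := _NATT.search(msg)):
            trace.nat_t = p.group("my_new") == "4500"
    # Posted logs are often sorted alphabetically; message-ID restores the real order.
    trace.exchanges.sort()
    return trace


def diagnose(trace: IkeTrace) -> list[str]:
    """Turn the parsed trace into human-readable findings."""
    findings: list[str] = []
    if trace.nat_t:
        findings.append(f"peer {trace.peer} is behind NAT; exchange moved to UDP 4500 (NAT-T)")
    if trace.sa_init_policy and trace.auth_policy and trace.sa_init_policy != trace.auth_policy:
        findings.append(
            f"policy switch: IKE_SA_INIT from {trace.peer} was matched to '{trace.sa_init_policy}' "
            f"by peer address, but IKE_AUTH was answered under '{trace.auth_policy}'")
    if trace.eap_failed:
        detail = f" ({trace.eap_error})" if trace.eap_error else ""
        findings.append(f"EAP exchange ended in EAP_FAIL{detail}: mobile user authentication did not complete")
    return findings


if __name__ == "__main__":
    t = parse_iked(SAMPLE_LOG)
    print(f"peer={t.peer} spi_i={t.spi_i} exchanges={t.exchanges}")
    for line in diagnose(t):
        print(" -", line)
```

Feed it the full debug output from Traffic Monitor (one `iked` line per row); because it keys on message-ID rather than line position it does not matter that the posted excerpt was sorted alphabetically. If the "policy switch" finding appears together with EAP_FAIL for a peer that also terminates a BOVPN, that is the pattern to hand to support alongside the Known Issue quoted further down.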

  • Perhaps it is related to this Known Issue ?

    Mobile VPN with L2TP connections fail when there is a Branch Office VPN (BOVPN) connection to remote Firebox
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3QuSAI&lang=en_US

    Description
    If you are behind a gateway router or firewall with a Branch Office VPN connection to a remote Firebox, Mobile VPN with L2TP connections to that remote Firebox will fail.

    Workaround
    You can use another Mobile VPN option, such as Mobile VPN with SSL.

  • I saw this article and maybe you are right - it's "just" a bug.
