Mobile ikev2 and bovpn ikev2

Hi

I have a site-2-site (A <->B) bovpn using ikev2.

If I sit behind one of the firewall endpoints (A) with a machine connecting with mobile IKEv2 VPN to the same endpoint (B) as the site-2-site BOVPN, this will not work, right?

Regards
Robert

Comments

  • If they both use the IPSec Firebox certificate, then I can't see how the IKEv2 client could connect to the other end.
    My thinking is that with a cert for the mobile user and a shared key for the BOVPN, that the IKE_AUTH would result in different SAs and thus I would expect that the mobile client could connect successfully.

    Looking to learn more.

  • I have to test ...

  • It works with both a BOVPN VIF using a shared key and Windows IKEv2 using a certificate from behind the same Firebox to the same destination.

  • Good news.
    Thanks for the confirmation.

  • I might have spoken too soon. Connecting via mobile IKEv2 from behind a T15 running 12.5.5 works at the same time when the T15 has a BOVPN VIF IKEv2 (preshared key) connection to the same VPN destination.

    But connecting with the same VPN client (still MUVPN IKEv2) from behind an M370 running 12.6.2 which also has a BOVPN IKEv2 (not VIF, and preshared key) to an M370 running 12.6.2 does not work.

    Outgoing I see the connection is allowed:
    'Allow 172.16.1.34 x.x.x.x.243 isakmp/udp 500 500 Internal network TDC-EXT Allowed 572 127

    On the M370 where the VPN connections are terminated:
    Y.Y.Y.Y = M370 where the tunnels are terminated
    X.X.X.X = M370 source

    iked (Y.Y.Y.Y<->X.X.X.X)'IKE_AUTH response' message created successfully. length:1328 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)'IKE_AUTH response' message created successfully. length:80 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)'IKE_SA_INIT response' message created successfully. length:496 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ EAP(sz=17)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=1812)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=68)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_AUTH request" message has 7 payloads [ IDi(sz=12) CERTREQ(sz=1545) N(sz=8) CFG(sz=36) SA(sz=44) TSi(sz=64) TSr(sz=64)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)"IKE_SA_INIT request" message has 10 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=52) N(sz=8) N(sz=28) N(sz=28) V(sz=24) V(sz=20) V(sz=20) V(sz=24)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:4500(socket=18 ifIndex=6) from Peer X.X.X.X:4500 ******** Debug
    iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:4500(socket=18 ifIndex=6) from Peer X.X.X.X:4500 ******** Debug
    iked (Y.Y.Y.Y<->X.X.X.X)******** RECV an IKE packet at Y.Y.Y.Y:500(socket=17 ifIndex=6) from Peer X.X.X.X:500 ******** Debug
    iked (Y.Y.Y.Y<->X.X.X.X)childState(0xe29218) state change: UNKNOWN ==> CREATED, reason: "Create a Child State" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_AUTH request message - IkeSA(0xe0a928)'s state=IKE_EAP_EXCHANGE Debug
    iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_AUTH request message - IkeSA(0xe0a928)'s state=SA_INIT_R Debug
    iked (Y.Y.Y.Y<->X.X.X.X)dispatch the received IKE_SA_INIT request message - IkeSA(0xe0a928)'s state=CREATED Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Found matching IKE policy 'Webshop-Aarhus-Gateway' for peer 'X.X.X.X:500' Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Got IKE policy 'Webshop-Aarhus-Gateway' from ikeSA(0xe0a928 id:00000000 state:'SA_INIT_R') Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Got IKE policy 'Webshop-Aarhus-Gateway' from ikeSA(0xe0a928 id:00000000 state:'IKE_EAP_EXCHANGE') Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ike2_EAP_GetAuthReq: invalid EAP authentication protocol 0 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ike2_ProcessPayload_CFGREQ: IKEv2 CFG_REQUEST: 0x5ba0 unsupported attribute. Discard them Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ike2_ProcessPayload_CFGREQ: IKEv2 CFG_REQUEST: 0x5ba1 unsupported attribute. Discard them Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IkeGetCertChainByCertID: Form Cert Chain succeed Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 0 -> 1 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 1 -> 2 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928)'s msgIdRecv is updated: 2 -> 3 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: IKE_EAP_EXCHANGE ==> IKE_EAP_DONE, reason: "IKE_AUTH response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: SA_INIT_R ==> IKE_EAP_EXCHANGE, reason: "IKE_AUTH response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: UNKNOWN ==> CREATED, reason: "Init SA state" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_NONE ==> EAP_REQ_I, reason: "IKE_AUTH response is Out" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_REQ_I ==> EAP_FAIL, reason: "Failed to build EAP payload" Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKEv2 "IKE_AUTH request"'s decrypted message contains 1 payloads [ EAP(sz=17)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)IKEv2 "IKE_AUTH request"'s decrypted message contains 7 payloads [ IDi(sz=12) CERTREQ(sz=1545) N(sz=8) CFG(sz=36) SA(sz=44) TSi(sz=64) TSr(sz=64)] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Initiating MUVPN EAP exchange with client:X.X.X.X:4500. IKE-Policy:'WG IKEv2 MVPN' Debug
    iked (Y.Y.Y.Y<->X.X.X.X)NATT: as the responder, we need to update UDP port (myPort: 500 -> 4500, peerPort: 500 -> 4500), local 0 remote 1 Debug
    iked (Y.Y.Y.Y<->X.X.X.X)non-supported notify type: 16396(N(MOBIKE_SUPPORTED)), ignore it Debug
    iked (Y.Y.Y.Y<->X.X.X.X)non-supported notify type: 16430(UNKNOWN), ignore it Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Peer 'X.X.X.X:500' require EAP authentication, Use default IKEv2 muvpn policy 'WG IKEv2 MVPN' Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Processed IKE_SA_INIT request message successfully Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:1 length:1840 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_AUTH request" message with message-ID:2 length:96 SPI[i=5c17d368e105d732 r=d2bbaefddcef3831] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:544 SPI[i=5c17d368e105d732 r=0000000000000000] Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=1) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_AUTH response message (msgId=2) from Y.Y.Y.Y:4500 to X.X.X.X:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully. Debug
    iked (Y.Y.Y.Y<->X.X.X.X)Sent out IKE_SA_INIT response message (msgId=0) from Y.Y.Y.Y:500 to X.X.X.X:500 for 'Webshop-Aarhus-Gateway' gateway endpoint successfully. Debug
    iked (Y.Y.Y.Y<->X.X.X.X)The local is NOT behind NAT Debug
    iked (Y.Y.Y.Y<->X.X.X.X)The peer is behind NAT Debug
    iked (Y.Y.Y.Y<->X.X.X.X)the received IPSec proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/ Debug
    iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(Webshop-Aarhus-Gateway) to update ikeSA(0xe0a928) Debug
    iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(WG IKEv2 MVPN) to update ikeSA(0xe0a928) Debug
    iked (Y.Y.Y.Y<->X.X.X.X)stop the given response retry object(0xe28318, name="IKE_AUTH response", msgId=2) Debug

    I see Fireware finds the IKE policy 'Webshop-Aarhus-Gateway', which is the BOVPN preshared tunnel, when the mobile VPN client tries to connect. Could this be an issue where Fireware locates the wrong IKE policy for the connection?

    /Robert
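To pull this pattern out of a longer iked trace, here is an added Python helper (not from the post and not WatchGuard code) that parses the iked line format shown above and flags an IKE SA that was first bound to one IKE policy (the BOVPN gateway) and then to the Mobile VPN policy before EAP failed. It embeds a constructed subset of the lines posted above, reordered into message flow (the post shows them sorted alphabetically), with the addresses kept anonymised.

```python
import re
from collections import defaultdict

# Constructed subset of the iked debug lines from the post, reordered into message
# flow; Y.Y.Y.Y is the responding Firebox, X.X.X.X the peer behind the other M370.
SAMPLE_LOG = """\
iked (Y.Y.Y.Y<->X.X.X.X)Found matching IKE policy 'Webshop-Aarhus-Gateway' for peer 'X.X.X.X:500' Debug
iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(Webshop-Aarhus-Gateway) to update ikeSA(0xe0a928) Debug
iked (Y.Y.Y.Y<->X.X.X.X)ikeSA(0xe0a928) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
iked (Y.Y.Y.Y<->X.X.X.X)Peer 'X.X.X.X:500' require EAP authentication, Use default IKEv2 muvpn policy 'WG IKEv2 MVPN' Debug
iked (Y.Y.Y.Y<->X.X.X.X)use ikePcy(WG IKEv2 MVPN) to update ikeSA(0xe0a928) Debug
iked (Y.Y.Y.Y<->X.X.X.X)ike2_EAP_GetAuthReq: invalid EAP authentication protocol 0 Debug
iked (Y.Y.Y.Y<->X.X.X.X)IKE SA EAP state change: EAP_REQ_I ==> EAP_FAIL, reason: "Failed to build EAP payload" Debug
"""

# "iked (local<->peer)message Debug" as seen in Traffic Monitor / diagnostic log output
LINE_RE = re.compile(r"^iked \((?P<local>[^<]+)<->(?P<peer>[^)]+)\)(?P<msg>.*?)\s*Debug$")
POLICY_RE = re.compile(r"use ikePcy\((?P<policy>[^)]+)\) to update ikeSA\((?P<sa>0x[0-9a-f]+)\)")
EAP_FAIL_RE = re.compile(r'EAP state change: \S+ ==> EAP_FAIL, reason: "(?P<reason>[^"]+)"')


def analyse(log_text):
    """Per peer: ordered distinct IKE policies applied to each IKE SA, plus EAP failure details."""
    peers = defaultdict(lambda: {"policies": defaultdict(list), "invalid_eap": False, "eap_fail": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an iked line in this format; skip it
        info, msg = peers[m.group("peer")], m.group("msg")
        pm = POLICY_RE.search(msg)
        if pm and pm.group("policy") not in info["policies"][pm.group("sa")]:
            info["policies"][pm.group("sa")].append(pm.group("policy"))
        if "invalid EAP authentication protocol" in msg:
            info["invalid_eap"] = True
        em = EAP_FAIL_RE.search(msg)
        if em:
            info["eap_fail"] = em.group("reason")
    return peers


def policy_conflicts(peers):
    """Return (peer, sa, policies, eap_reason) for SAs bound to more than one IKE policy
    that then failed EAP: a BOVPN gateway policy picked up for a Mobile VPN IKEv2 client."""
    out = []
    for peer, info in peers.items():
        for sa, policies in info["policies"].items():
            if len(policies) > 1 and (info["invalid_eap"] or info["eap_fail"]):
                out.append((peer, sa, policies, info["eap_fail"]))
    return out


if __name__ == "__main__":
    for peer, sa, policies, reason in policy_conflicts(analyse(SAMPLE_LOG)):
        print(f"peer {peer} SA {sa}: policies {' -> '.join(policies)}; EAP failure: {reason}")
```

Feed it a saved diagnostic log instead of SAMPLE_LOG to check whether a failing mobile client is hitting the same policy switch on a given Firebox.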

  • Perhaps it is related to this Known Issue ?

    Mobile VPN with L2TP connections fail when there is a Branch Office VPN (BOVPN) connection to remote Firebox
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3QuSAI&lang=en_US

    Description
    If you are behind a gateway router or firewall with a Branch Office VPN connection to a remote Firebox, Mobile VPN with L2TP connections to that remote Firebox will fail.

    Workaround
    You can use another Mobile VPN option, such as Mobile VPN with SSL.

  • I saw this article and maybe you are right - it's "just" a bug.

  • I will comment on my own old post here.

    You will get "invalid EAP authentication protocol 0" if you connect from behind the Firebox with an IKEv2 mobile device and you have an existing IKEv2 BOVPN virtual connection configured where both endpoints are configured with static IPs to the same destination.
    This is with the exact same phase 1 configuration on both ends as with the mobile IKEv2 phase 1 settings.

    On the other hand, if you configure one of your BOVPN virtual endpoints with a dynamic IP and use FQDN names, it will use the IKEv2 shared configuration (again with the same phase 1 configuration), and the mobile IKEv2 connection does establish and work side by side with the existing BOVPN connection.

    Fireware seems to handle IKEv2 connections from the same endpoint differently depending on whether it uses the shared IKEv2 settings or not.
