Author Topic: [SOLVED] Ipsec between two FW  (Read 6306 times)

Julien

[SOLVED] Ipsec between two FW
« on: August 03, 2017, 01:27:48 am »
Hi Guys,
Between two OPNsense firewalls I have configured the IPsec VPN as explained below:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=ipsec

The tunnel is not coming up. I have stopped the services and even rebooted both firewalls.
Can someone please point me in the right direction?

Log site A

Code:
Aug 3 01:24:51 charon: 02[CFG] received stroke: route 'con1'
Aug 3 01:24:51 charon: 05[CFG] added configuration 'con1'
Aug 3 01:24:51 charon: 05[CFG] received stroke: add connection 'con1'
Aug 3 01:24:51 charon: 00[JOB] spawning 16 worker threads
Aug 3 01:24:51 charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Aug 3 01:24:51 charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 3 01:24:51 charon: 00[CFG] loaded IKE secret for 98.44.55.66
Aug 3 01:24:51 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 3 01:24:51 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 3 01:24:51 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 3 01:24:51 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 3 01:24:51 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'

Log Site B

Code:
Aug 3 01:20:18 charon: 05[NET] sending packet: from IP SITE B [500] to IP SITE A[500] (36 bytes)
Aug 3 01:20:18 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 3 01:20:18 charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18 charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 3 01:20:18 charon: 05[NET] received packet: from IP SITE A [500] to IP SITE B[500] (466 bytes)
Aug 3 01:18:12 charon: 05[CFG] received stroke: route 'con1'
« Last Edit: August 03, 2017, 07:22:24 am by franco »
An intelligent man is sometimes forced to be drunk to spend time with his fool.

Julien

Re: Ipsec between two FW
« Reply #1 on: August 03, 2017, 03:06:40 am »
I have created an OpenVPN tunnel and it does work.
https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html?highlight=vpn
I'll stick with the SSL tunnel as it's more secure than IPsec.


kug1977

Re: [SOLVED] Ipsec between two FW
« Reply #2 on: August 03, 2017, 10:03:49 am »
Hi,

It's complaining about the algorithms ... it doesn't find an acceptable algorithm among those proposed by the party trying to connect (in IPsec most of the time called the right side).

Code:
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
You have to use one of them, 128-bit (AES_CBC_128) or 256-bit AES (AES_CBC_256) ... or make both available for selection on at least one site.

Kind regards,
Kay-Uwe Genz
« Last Edit: August 03, 2017, 04:19:17 pm by kug1977 »
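The mismatch kug1977 points at can be read off mechanically from the two `[CFG]` lines. The script below is an added example, not code from the thread, from OPNsense or from strongSwan: it parses charon `configured proposals` / `received proposals` lines, splits each proposal into its transforms, buckets them by type (encryption, integrity, PRF, DH group, ESN) using a naming heuristic of my own, and reports which type has no overlap. The sample log lines are constructed to mirror the ones quoted above; the second sample shows the exchange after the responder also offers AES_CBC_128, i.e. the "make both available" fix.

```python
import re

TYPES = ("enc", "integ", "prf", "dh", "esn")

# Constructed sample modelled on the charon lines quoted in the thread; not a capture
# from either poster's firewall.
MISMATCH_LOG = """\
Aug 3 01:20:18 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 3 01:20:18 charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
"""

# Constructed: the same exchange after the responder also offers AES_CBC_128 (the
# "make both available" fix); strongSwan lists several proposals separated by ", ".
FIXED_LOG = """\
Aug 3 01:30:02 charon: 07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:30:02 charon: 07[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
"""

PROPOSAL_RE = re.compile(r"\[CFG\] (configured|received) proposals: (.+)$")


def classify(transform):
    """Heuristic bucket for a strongSwan transform name (assumption about the naming)."""
    if transform.startswith("PRF_"):
        return "prf"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if transform.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if transform in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "enc"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305, ...


def by_type(transforms):
    groups = {t: set() for t in TYPES}
    for tr in transforms:
        groups[classify(tr)].add(tr)
    return groups


def parse_proposals(log_text):
    """Return {'configured': [(proto, [transforms])], 'received': [...]} from charon CFG lines."""
    out = {"configured": [], "received": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        side, rest = m.groups()
        for prop in rest.split(", "):
            proto, _, transforms = prop.partition(":")
            out[side].append((proto, transforms.split("/")))
    return out


def match_pair(ours, theirs):
    """IKE picks one algorithm per type that both sides list in the *same* proposal,
    so a pair matches only if every type present has a non-empty intersection."""
    o, t = by_type(ours), by_type(theirs)
    common = {k: o[k] & t[k] for k in TYPES}
    ok = all(common[k] for k in TYPES if o[k] or t[k])
    return ok, common


def diagnose(log_text):
    props = parse_proposals(log_text)
    for proto, ours in props["configured"]:
        for rproto, theirs in props["received"]:
            if proto != rproto:
                continue
            ok, common = match_pair(ours, theirs)
            if ok:
                return {"match": True, "protocol": proto, "common": common}
    # No pair matched: collect what each side offered at all, per type, so the
    # report names the type (in the thread: encryption) that has no overlap.
    offered = {s: {k: set() for k in TYPES} for s in ("configured", "received")}
    for side in offered:
        for _, trs in props[side]:
            for k, algs in by_type(trs).items():
                offered[side][k] |= algs
    mismatched = [k for k in TYPES
                  if (offered["configured"][k] or offered["received"][k])
                  and not (offered["configured"][k] & offered["received"][k])]
    return {"match": False, "mismatched_types": mismatched, "offered": offered,
            "no_prop_notify": "N(NO_PROP)" in log_text}


if __name__ == "__main__":
    for name, log in (("mismatch", MISMATCH_LOG), ("fixed", FIXED_LOG)):
        print(name, diagnose(log))
```

On the first sample the report names `enc` as the only type without overlap (AES_CBC_256 on one side, AES_CBC_128 on the other) and notes the `N(NO_PROP)` notify that the responder sent back; on the second, the responder's added proposal lets the initiator's AES_CBC_128 be selected. The `mismatched_types` list is a flattened view across all proposals, so it can be empty even when no single proposal pair matches; `match` is the authoritative result.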

Julien

Re: [SOLVED] Ipsec between two FW
« Reply #3 on: August 03, 2017, 11:07:30 am »
Quote from: kug1977 on August 03, 2017, 10:03:49 am
Hi,

It's complaining about the algorithms ... it doesn't find an acceptable algorithm among those proposed by the party trying to connect (in IPsec most of the time called the right side).

Code:
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
You have to use one of them, 128-bit (AES_CBC_128) or 256-bit AES (AES_CBC_256) ... or make both available for selection on at least one side.

Kind regards,
Kay-Uwe Genz

Thank you for your answer,
this is absolutely a good catch.
Do you suggest using IPsec over OpenVPN?
According to research, OpenVPN is faster than IPsec.
Can someone share their experience with us?

« Last Edit: August 03, 2017, 11:12:36 am by Julien »

mimugmail

Re: [SOLVED] Ipsec between two FW
« Reply #4 on: August 03, 2017, 11:30:39 am »
If you feel more comfortable with OpenVPN, stick to it. Only if you see a lack of performance, try IPsec, but I think you should be very fine now.
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

kug1977

Re: [SOLVED] Ipsec between two FW
« Reply #5 on: August 03, 2017, 04:18:23 pm »
Quote
Do you suggest using IPsec over OpenVPN?
According to research, OpenVPN is faster than IPsec.

For site-to-site connections I prefer IPsec tunnels. For mobile clients (aka road warriors) I use OpenVPN. And, honestly, OPNsense has some history of breaking IPsec while upgrading ... hopefully that's past. So having both might be a good idea anyway.

Julien

Re: [SOLVED] Ipsec between two FW
« Reply #6 on: August 04, 2017, 03:47:38 am »
Quote from: kug1977 on August 03, 2017, 04:18:23 pm
Quote
Do you suggest using IPsec over OpenVPN?
According to research, OpenVPN is faster than IPsec.

For site-to-site connections I prefer IPsec tunnels. For mobile clients (aka road warriors) I use OpenVPN. And, honestly, OPNsense has some history of breaking IPsec while upgrading ... hopefully that's past. So having both might be a good idea anyway.

Today I've done some tests.
With IPsec the tunnel is not really stable and is slower than OpenVPN.
The idea behind the tunnel is that office 1 can reach Active Directory in office 2. No remote users;
remote users are using OpenVPN.