Author Topic: [SOLVED] Ipsec between two FW (Read 4252 times)

Julien · « **on:** August 03, 2017, 01:27:48 am »

Hi Guys,
between two OPNsense Firewall have configured the IPSEC VPN as explained below
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=ipsec

the tunnel is not coming up, I have stoped the services and even rebooted both firewalls.
Can someone please point me to the right directions ?

Log site A

Code: [Select]

Aug 3 01:24:51	charon: 02[CFG] received stroke: route 'con1'
Aug 3 01:24:51	charon: 05[CFG] added configuration 'con1'
Aug 3 01:24:51	charon: 05[CFG] received stroke: add connection 'con1'
Aug 3 01:24:51	charon: 00[JOB] spawning 16 worker threads
Aug 3 01:24:51	charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Aug 3 01:24:51	charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 3 01:24:51	charon: 00[CFG] loaded IKE secret for 98.44.55.66
Aug 3 01:24:51	charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 3 01:24:51	charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 3 01:24:51	charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 3 01:24:51	charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 3 01:24:51	charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'

Log Site B

Code: [Select]

Aug 3 01:20:18	charon: 05[NET] sending packet: from IP SITE B [500] to IP SITE A[500] (36 bytes)
Aug 3 01:20:18	charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 3 01:20:18	charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18	charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18	charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18	charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18	charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18	charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 3 01:20:18	charon: 05[NET] received packet: from IP SITE A [500] to IP SITE B[500] (466 bytes)
Aug 3 01:18:12	charon: 05[CFG] received stroke: route 'con1'

Julien · « **Reply #1 on:** August 03, 2017, 03:06:40 am »

I have created a OPENVPN Tunnel and it does works.
https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html?highlight=vpn
I'll stick with the ssl tunnel as its more secure than the IPSEC.

kug1977 · « **Reply #2 on:** August 03, 2017, 10:03:49 am »

Hi,

it's complain about the Algorithms ... doesn't find an acceptable algorithms proposed by the party try to connect to (in IPsec most of the time called right side).

Code: [Select]

Aug 3 01:20:18	charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18	charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

You have to use one of them 128bit (AES_CBC_128) or 256bit AES (AES_CBC_256) ... or make both available for selection on at least one site.

King regards,
Kay-Uwe Genz

Julien · « **Reply #3 on:** August 03, 2017, 11:07:30 am »

Quote from: kug1977 on August 03, 2017, 10:03:49 am

Hi,

it's complain about the Algorithms ... doesn't find an acceptable algorithms proposed by the party try to connect to (in IPsec most of the time called right side).

Code: [Select]
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048 Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048You have to use one of them 128bit (AES_CBC_128) or 256bit AES (AES_CBC_256) ... or make both available for selection in at least one side.

King regards,
Kay-Uwe Genz

Thank you for your answer,
this absolutely a good catch
do you suggest to use IPSEC over the OPENVPN ?
According to research the openvpn is faster than the IPSEC.
Can someone share his experience with us.

mimugmail · « **Reply #4 on:** August 03, 2017, 11:30:39 am »

If you feel more comfortable with OpenVPN, stick to it. Only if you see a lack of performance try IPSEC, but I think you should be very fine now.

kug1977 · « **Reply #5 on:** August 03, 2017, 04:18:23 pm »

Quote

do you suggest to use IPSEC over the OPENVPN ?
According to research the openvpn is faster than the IPSEC.

For site-to-site connections I prefer IPsec tunnels. For mobile Clients (aka Road warrior) I use OpenVPN. And, honestly, OPNSense has some history on break IPsec while upgrading ... hopefully that's past. So having both might by a good idea anyway.

Julien · « **Reply #6 on:** August 04, 2017, 03:47:38 am »

Quote from: kug1977 on August 03, 2017, 04:18:23 pm

Quote
do you suggest to use IPSEC over the OPENVPN ?
According to research the openvpn is faster than the IPSEC.

For site-to-site connections I prefer IPsec tunnels. For mobile Clients (aka Road warrior) I use OpenVPN. And, honestly, OPNSense has some history on break IPsec while upgrading ... hopefully that's past. So having both might by a good idea anyway.

Today I've done some tests.
with IPSEC the tunnel is not really stable and is slower than the OPENVPN.
the idea behind the tunnel is office 1 can reach active directory on office 2. no remote users.
remote users are using openvpn

Author Topic: [SOLVED] Ipsec between two FW (Read 4252 times)

Julien

[SOLVED] Ipsec between two FW

Julien

Re: Ipsec between two FW

kug1977

Re: [SOLVED] Ipsec between two FW

Julien

Re: [SOLVED] Ipsec between two FW

mimugmail

Re: [SOLVED] Ipsec between two FW

kug1977

Re: [SOLVED] Ipsec between two FW

Julien

Re: [SOLVED] Ipsec between two FW