OPNsense Forum
English Forums => General Discussion => Topic started by: schnipp on December 20, 2018, 03:18:53 pm
-
I am trying to establish a new IPsec VPN connection (site-to-site) between Opnsense and AVM Fritzbox. I previously tested it with Opnsense 18.7.x and a Fritzbox 7412 (v.6.83) in a lab environment. It worked fine.
But now, for production usage I tried to configure the VPN connection between Opnsense 18.7.9 and Fritzbox 7490 (7560CA also tested; both with firmware v.7.01) again. The VPN connection does not come up. Opnsense sends an IKE packet to the Fritzbox, which is not responding.
Instead the support logfile of Fritzbox shows the following error:
1970-01-01 01:11:23 avmike:<<< identity protection mode[10.2.0.1] ???: V1.0 196 IC 571384ec2fd93cb2 RC 00000000 0000 SA flags=
1970-01-01 01:11:23 avmike:no phase1ss for cert users configured
1970-01-01 01:11:23 avmike:10.2.0.1:500: new_neighbour_template failed
If I understand correctly, the box assumes that the Opnsense requests certificate-based authentication. Is that right? But Opnsense uses PSK.
The configuration in the Fritzbox looks like:
vpncfg {
        vpncfg_version = 1;
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "C-Test_neu12";
                boxuser_id = 0;
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "SECRET";
                }
                remoteid {
                        fqdn = "SECRET";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "SECRET";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.100.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes-sha/ah-all/comp-lzjh-no/pfs";
                accesslist =
                        "permit ip 192.168.10.0 255.255.255.0 10.100.0.0 255.255.255.0";
                app_id = 0;
        }
}
The IKE packet sent by the Opnsense looks like:
Internet Security Association and Key Management Protocol
Initiator SPI: b7ddbf282036d4cc
Responder SPI: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
0001 .... = MjVer: 0x1
.... 0000 = MnVer: 0x0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 196
Payload: Security Association (1)
Next payload: Vendor ID (13)
Reserved: 00
Payload length: 52
Domain of interpretation: IPSEC (1)
Situation: 00000001
.... .... .... .... .... .... .... ...1 = Identity Only: True
.... .... .... .... .... .... .... ..0. = Secrecy: False
.... .... .... .... .... .... .... .0.. = Integrity: False
Payload: Proposal (2) # 0
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 40
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 1
Payload: Transform (3) # 1
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 32
Transform number: 1
Transform ID: KEY_IKE (1)
Reserved: 0000
IKE Attribute (t=1,l=2): Encryption-Algorithm: 3DES-CBC
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 2048 bit MODP group
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
IKE Attribute (t=11,l=2): Life-Type: Seconds
IKE Attribute (t=12,l=2): Life-Duration: 3600
Payload: Vendor ID (13) : XAUTH
Next payload: Vendor ID (13)
Reserved: 00
Payload length: 12
Vendor ID: 09002689dfd6b712
Vendor ID: XAUTH
Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Next payload: Vendor ID (13)
Reserved: 00
Payload length: 20
Vendor ID: afcad71368a1f1c96b8696fc77570100
Vendor ID: RFC 3706 DPD (Dead Peer Detection)
Payload: Vendor ID (13) : CISCO-UNITY 1.0
Next payload: Vendor ID (13)
Reserved: 00
Payload length: 20
Vendor ID: 12f5f28c457168a9702d9fe274cc0100
Vendor ID: CISCO-UNITY
CISCO-UNITY Major version: 1
CISCO-UNITY Minor version: 0
Payload: Vendor ID (13) : Cisco Fragmentation
Next payload: Vendor ID (13)
Reserved: 00
Payload length: 24
Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
Vendor ID: Cisco Fragmentation
Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Next payload: Vendor ID (13)
Reserved: 00
Payload length: 20
Vendor ID: 4a131c81070358455c5728f20e95452f
Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 20
Vendor ID: 90cb80913ebb696e086381b5ec427b1f
Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
Does anybody have a working site-2-site configuration?
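To confirm what the first Main Mode packet actually proposes, here is an added example (not code from the thread, OPNsense, strongSwan or AVM) that rebuilds the 196-byte IKE message from the dissected fields above and walks the ISAKMP payload chain to read the phase 1 transform attributes. The packet bytes are a constructed sample reassembled from the dump; payload and attribute layouts follow RFC 2408/2409.

```python
import struct

# IKEv1 attribute types (RFC 2409 Appendix A) and the auth-method values defined there.
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
              4: "Group-Description", 11: "Life-Type", 12: "Life-Duration"}
AUTH_METHODS = {1: "Pre-shared key", 2: "DSS signatures", 3: "RSA signatures"}

# Vendor ID bodies exactly as printed in the Wireshark dump (constructed sample packet).
VENDOR_IDS = ["09002689dfd6b712", "afcad71368a1f1c96b8696fc77570100",
              "12f5f28c457168a9702d9fe274cc0100", "4048b7d56ebce88525e7de7f00d6c2d380000000",
              "4a131c81070358455c5728f20e95452f", "90cb80913ebb696e086381b5ec427b1f"]


def build_first_packet() -> bytes:
    """Reassemble the Main Mode message: ISAKMP header, SA payload, six Vendor IDs."""
    def attr(t, v):  # basic attribute: AF bit set, 2-byte value inline
        return struct.pack("!HH", 0x8000 | t, v)
    attrs = attr(1, 5) + attr(2, 2) + attr(4, 14) + attr(3, 1) + attr(11, 1) + attr(12, 3600)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs   # KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 0, 1, 0, 1) + transform
    body = struct.pack("!BBHII", 13, 0, 12 + len(proposal), 1, 1) + proposal   # DOI=IPSEC
    for i, vid in enumerate(VENDOR_IDS):
        raw = bytes.fromhex(vid)
        body += struct.pack("!BBH", 13 if i < len(VENDOR_IDS) - 1 else 0, 0, 4 + len(raw)) + raw
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("b7ddbf282036d4cc"), bytes(8),
                      1, 0x10, 2, 0, 0, 28 + len(body))  # next=SA, v1.0, Identity Protection
    return hdr + body


def phase1_attributes(pkt: bytes) -> dict:
    """Follow the next-payload chain to the SA payload and decode its first transform."""
    nxt, off = pkt[16], 28
    while nxt != 0:
        ptype, nxt, plen = nxt, pkt[off], struct.unpack("!H", pkt[off + 2:off + 4])[0]
        if ptype == 1:  # SA payload: 12-byte header, 8-byte proposal header, then transform
            t_off = off + 20
            t_len = struct.unpack("!H", pkt[t_off + 2:t_off + 4])[0]
            out, a = {}, t_off + 8
            while a < t_off + t_len:
                tv, v = struct.unpack("!HH", pkt[a:a + 4])
                if tv & 0x8000:  # AF=1: value is the 2 bytes inline
                    val, a = v, a + 4
                else:            # AF=0: v is the length of a variable-length value
                    val, a = int.from_bytes(pkt[a + 4:a + 4 + v], "big"), a + 4 + v
                out[ATTR_NAMES.get(tv & 0x7FFF, tv & 0x7FFF)] = val
            return out
        off += plen
    return {}


def proposed_auth_method(pkt: bytes) -> str:
    return AUTH_METHODS.get(phase1_attributes(pkt).get("Authentication-Method"), "unknown")
```

Running `proposed_auth_method(build_first_packet())` on the rebuilt packet yields "Pre-shared key", i.e. the proposal itself carries auth method 1, not a signature method.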
-
Are none of the OPNsense users connecting to a Fritzbox via IPsec VPN?
I thought the Fritzbox was a widespread CPE for many DSL interfaces and that some users have a site2site VPN between OPNsense and this box. Maybe I am wrong?
-
Hi, did you get the IPsec running?
Regards, Michael