OPNsense Forum

International Forums => German - Deutsch => Topic started by: orgdv on August 26, 2019, 01:27:53 PM

Title: IPSEC tunnel connection drops
Post by: orgdv on August 26, 2019, 01:27:53 PM
Hello OPNsense community,

unfortunately I have the following problem:

I would like to set up two or more route-based IPsec tunnels to our data center. Unfortunately, the connection drops sporadically as soon as I run more than one tunnel (Phase 1).

The configuration of the phases is identical apart from the PSK and VTI IPs. If you need further information, I will gladly add it. I am new to IPsec on OPNsense, so I am very grateful for your help!

Best regards
Title: Re: IPSEC tunnel connection drops
Post by: mimugmail on August 26, 2019, 02:18:22 PM
Logs would be interesting :)
Title: Re: IPSEC tunnel connection drops
Post by: orgdv on August 26, 2019, 04:25:13 PM
If it happens again, I'll post it! Thanks in advance...
Title: Re: IPSEC tunnel connection drops
Post by: orgdv on August 26, 2019, 04:54:28 PM
Aug 26 16:53:18    charon: 06[CFG] trap not found, unable to acquire reqid 0
Aug 26 16:53:18    charon: 11[KNL] creating acquire job for policy 213.202.237.174/32 === 78.94.254.119/32 with reqid {0}
Aug 26 16:53:18    charon: 11[KNL] received an SADB_ACQUIRE with policy id 2 but no matching policy found
Aug 26 16:53:14    charon: 11[NET] <con1|4> sending packet: from 213.202.237.174[4500] to 78.94.254.119[4500] (65 bytes)
Aug 26 16:53:14    charon: 11[ENC] <con1|4> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Aug 26 16:53:14    charon: 11[IKE] <con1|4> tried 1 shared key for '213.202.237.174' - '78.94.254.119', but MAC mismatched
Aug 26 16:53:14    charon: 11[ENC] <con1|4> parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Aug 26 16:53:14    charon: 11[NET] <con1|4> received packet: from 78.94.254.119[4500] to 213.202.237.174[4500] (349 bytes)
Aug 26 16:53:14    charon: 11[NET] <con1|4> sending packet: from 213.202.237.174[4500] to 78.94.254.119[4500] (446 bytes)
Aug 26 16:53:14    charon: 11[ENC] <con1|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 26 16:53:14    charon: 11[IKE] <con1|4> establishing CHILD_SA con1{2}
Aug 26 16:53:14    charon: 11[IKE] <con1|4> authentication of '213.202.237.174' (myself) with pre-shared key
Aug 26 16:53:14    charon: 11[IKE] <con1|4> sending cert request for "C=DE, ST=Nordrhein-Westfahlen, L=D??ren, O=DI-Gruppe, E=orgdv@di-gruppe.de, CN=opnsense-proxy-ssl-ca"
Aug 26 16:53:14    charon: 11[IKE] <con1|4> sending cert request for "C=DE, ST=Nordrhein-Westfahlen, L=D??ren, O=DI Management, E=orgdv@di-gruppe.de, CN=OPENVPN_CA_IT_ROADWARRIOR"
Aug 26 16:53:14    charon: 11[IKE] <con1|4> sending cert request for "C=DE, ST=NRW, L=Dueren, O=JFG, E=orgdv@jagdfeld-gruppe.de, CN=jfg-rz001-fw001.jfg.one"
Aug 26 16:53:14    charon: 11[IKE] <con1|4> received cert request for "C=DE, ST=NRW, L=Dueren, O=JFG, E=orgdv@jagdfeld-gruppe.de, CN=jfg-rz001-fw001.jfg.one"
Aug 26 16:53:14    charon: 11[CFG] <con1|4> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 26 16:53:14    charon: 11[ENC] <con1|4> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 26 16:53:14    charon: 11[NET] <con1|4> received packet: from 78.94.254.119[500] to 213.202.237.174[500] (489 bytes)
Aug 26 16:53:14    charon: 11[NET] <con1|4> sending packet: from 213.202.237.174[500] to 78.94.254.119[500] (456 bytes)
Aug 26 16:53:14    charon: 11[ENC] <con1|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 26 16:53:14    charon: 11[IKE] <con1|4> initiating IKE_SA con1[4] to 78.94.254.119
Aug 26 16:53:14    charon: 13[CFG] received stroke: initiate 'con1'
Aug 26 16:53:07    charon: 13[CFG] trap not found, unable to acquire reqid 0
Aug 26 16:53:07    charon: 14[KNL] creating acquire job for policy 213.202.237.174/32 === 176.94.251.183/32 with reqid {0}
Aug 26 16:53:07    charon: 14[KNL] received an SADB_ACQUIRE with policy id 6 but no matching policy found
Aug 26 16:53:05    charon: 14[CFG] trap not found, unable to acquire reqid 0
Aug 26 16:53:05    charon: 13[KNL] creating acquire job for policy 213.202.237.174/32 === 78.94.254.119/32 with reqid {0}
Aug 26 16:53:05    charon: 13[KNL] received an SADB_ACQUIRE with policy id 2 but no matching policy found
Title: Re: IPSEC tunnel connection drops
Post by: mimugmail on August 29, 2019, 02:07:12 PM
Aug 26 16:53:14    charon: 11[IKE] <con1|4> tried 1 shared key for '213.202.237.174' - '78.94.254.119', but MAC mismatched
Title: Re: IPSEC tunnel connection drops
Post by: orgdv on September 02, 2019, 12:59:08 PM
Now I'm getting the following messages... as soon as I try to bring the tunnel back up after a connection drop...


Aug 30 08:42:00   charon: 10[KNL] <con5|8> querying policy 0.0.0.0/0 === 0.0.0.0/0 in failed, not found
Aug 30 08:41:59   charon: 12[CFG] trap not found, unable to acquire reqid 0
Aug 30 08:41:59   charon: 12[KNL] creating acquire job for policy 78.94.254.119/32 === 213.202.237.174/32 with reqid {0}
Aug 30 08:41:59   charon: 12[KNL] received an SADB_ACQUIRE with policy id 2 but no matching policy found
Aug 30 08:41:58   charon: 12[CFG] trap not found, unable to acquire reqid 0
Title: Re: IPSEC tunnel connection drops
Post by: mimugmail on September 02, 2019, 01:13:06 PM
Screenshots of P1 and P2, please ...