OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: FCM on May 17, 2018, 12:20:09 PM

Title: [solved]IPsec, phase 2 and routing
Post by: FCM on May 17, 2018, 12:20:09 PM
Hello there :)

In my long quest to make my distant data LAN and VoIP LAN work, I am trying the IPsec VPN after the OpenVPN...

So I followed the wiki and created an IPsec site-to-site tunnel.

The problem is that the tunnel itself seems to have glitches on site A, and phase 2 is not in place...

I mirrored all the configuration and don't know where the problem is...
And something bothers me: when I look at the routing tables, I see that the distant LAN is routed via the WAN gateway of each OPNsense. Is this normal?

Site A and B routes:

(http://pub.andrake.com/ipsec/ipsec_routesmainsite.jpg)

(http://pub.andrake.com/ipsec/ipsec_routes_site1.jpg)

My configurations:

IPsec configurations:


(http://pub.andrake.com/ipsec/ipsec_mainsite.jpg)

(http://pub.andrake.com/ipsec/ipsec_site1.jpg)

IPsec status:

(http://pub.andrake.com/ipsec/ipsec_statutsmainsite.jpg)

(http://pub.andrake.com/ipsec/ipsec_statuts_site1.jpg)

The glitches that occur:

(http://pub.andrake.com/ipsec/ipsec_statutsmainsite_bugged.jpg)


I can add connection logs if that adds information that helps...
Thanks

Networks :
Site A
LAN in 192.168.20.32/23
WAN in 192.168.13.4/24
OPNsense behind a Stormshield firewall

Site B
LAN in 192.168.13.1/24
WAN in 192.168.100.16/24
Title: Re: IPsec, phase 2 and routing
Post by: FCM on May 17, 2018, 04:36:36 PM
And without a reason, they can't authenticate anymore...

May 17 16:34:25 charon: 06[IKE] received AUTHENTICATION_FAILED notify error
May 17 16:34:25 charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 17 16:34:25 charon: 06[NET] received packet: from 88.188.61.125[4500] to 192.168.13.4[4500] (96 bytes)
May 17 16:34:25 charon: 06[NET] sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (416 bytes)
May 17 16:34:25 charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 17 16:34:25 charon: 06[IKE] establishing CHILD_SA con1{2}
May 17 16:34:25 charon: 06[IKE] establishing CHILD_SA con1{2}
May 17 16:34:25 charon: 06[IKE] authentication of '192.168.13.4' (myself) with pre-shared key
May 17 16:34:25 charon: 06[IKE] sending cert request for "C=NL, ST=ZH, L=Middelharnis, O=OPNsense, E=spam@opnsense.org, CN=internal-sslvpn-ca"
May 17 16:34:25 charon: 06[IKE] received 2 cert requests for an unknown ca
May 17 16:34:25 charon: 06[IKE] remote host is behind NAT
May 17 16:34:25 charon: 06[IKE] local host is behind NAT, sending keep alives
May 17 16:34:25 charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
May 17 16:34:25 charon: 06[NET] received packet: from 88.188.61.125[500] to 192.168.13.4[500] (509 bytes)
May 17 16:34:25 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 17 16:34:25 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 11[CFG] received stroke: initiate 'con1'
Title: Re: IPsec, phase 2 and routing
Post by: Droppie391 on May 18, 2018, 08:17:31 AM
Hi, try to only use one cipher in both the authentication and cipher settings for phase 2. We had problems with more than one in the past, e.g. cipher protocol = AES256 and auth = SHA1, or whatever you prefer.
Title: Re: IPsec, phase 2 and routing
Post by: mimugmail on May 18, 2018, 08:34:49 AM
For me it seems to be a mismatched secret, and also P1 is not established.
Title: Re: IPsec, phase 2 and routing
Post by: FCM on May 18, 2018, 09:01:31 AM
I know :(
But the secret word is simple and short and the same on each side...
And this morning, like yesterday, I have the green play button in both sites' status...

I don't understand: I did nothing, but in the afternoon auth failed, then in the morning no more failures...
And sometimes the site A status icon changes from green to orange.
Same thing each day for the last 2 days... this time it's not authentication but connection??

And still no phase 2 :(

Logs from this morning:
May 18 08:51:34 charon: 13[IKE] establishing IKE_SA failed, peer not responding
May 18 08:51:34 charon: 13[IKE] giving up after 5 retransmits
May 18 08:50:18 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:50:18 charon: 13[IKE] retransmit 5 of request with message ID 0
May 18 08:49:36 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:36 charon: 13[IKE] retransmit 4 of request with message ID 0
May 18 08:49:13 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:13 charon: 13[IKE] retransmit 3 of request with message ID 0
May 18 08:49:00 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:00 charon: 13[IKE] retransmit 2 of request with message ID 0
May 18 08:48:53 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:48:53 charon: 13[IKE] retransmit 1 of request with message ID 0
May 18 08:48:49 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:48:49 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:48:49 charon: 13[IKE] peer not responding, trying again (3/3)
May 18 08:48:49 charon: 13[IKE] giving up after 5 retransmits
May 18 08:47:33 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:47:33 charon: 13[IKE] retransmit 5 of request with message ID 0
May 18 08:46:51 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:51 charon: 13[IKE] retransmit 4 of request with message ID 0
May 18 08:46:28 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:28 charon: 13[IKE] retransmit 3 of request with message ID 0
May 18 08:46:14 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:14 charon: 13[IKE] retransmit 2 of request with message ID 0
May 18 08:46:07 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:07 charon: 06[IKE] retransmit 1 of request with message ID 0
May 18 08:46:03 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:03 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:46:03 charon: 06[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:46:03 charon: 06[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:46:03 charon: 06[IKE] peer not responding, trying again (2/3)
May 18 08:46:03 charon: 06[IKE] giving up after 5 retransmits
May 18 08:44:48 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:44:48 charon: 06[IKE] retransmit 5 of request with message ID 0
May 18 08:44:06 charon: 08[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:44:06 charon: 08[IKE] retransmit 4 of request with message ID 0
May 18 08:43:42 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:42 charon: 11[IKE] retransmit 3 of request with message ID 0
May 18 08:43:29 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:29 charon: 11[IKE] retransmit 2 of request with message ID 0
May 18 08:43:22 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:22 charon: 11[IKE] retransmit 1 of request with message ID 0
May 18 08:43:18 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:18 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:18 charon: 09[CFG] received stroke: initiate 'con1'
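As an added example (not from the thread or from OPNsense itself) that separates the two failure modes visible in the charon logs above: a small Python triage that groups lines per IKE_SA attempt and flags an AUTHENTICATION_FAILED reply (PSK or local/peer ID mismatch) versus a peer that never answers IKE_SA_INIT (traffic blocked or NAT in front). The sample lines are constructed in the shape of the ones posted; the con1[20] attempt and the siteA/siteB identities are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the charon lines posted in the thread, newest
# first as the OPNsense log viewer shows them; con1[20] is a made-up success.
SAMPLE_LOG = """\
May 22 15:40:02 charon: 07[IKE] IKE_SA con1[20] established between 192.168.13.4[siteA]...88.188.61.125[siteB]
May 22 15:40:02 charon: 07[IKE] authentication of 'siteA' (myself) with pre-shared key
May 22 15:40:02 charon: 07[IKE] initiating IKE_SA con1[20] to 88.188.61.125
May 18 08:51:34 charon: 13[IKE] establishing IKE_SA failed, peer not responding
May 18 08:51:34 charon: 13[IKE] giving up after 5 retransmits
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 17 16:34:25 charon: 06[IKE] received AUTHENTICATION_FAILED notify error
May 17 16:34:25 charon: 06[IKE] authentication of '192.168.13.4' (myself) with pre-shared key
May 17 16:34:25 charon: 06[IKE] local host is behind NAT, sending keep alives
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) charon: \d+\[\w+\] (.*)$")
INIT_RE = re.compile(r"initiating IKE_SA \w+\[(\d+)\]")
AUTH_RE = re.compile(r"authentication of '([^']+)' \(myself\)")
def parse(text):
    """Return (timestamp, message) pairs, oldest first."""
    rows = [(datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2))
            for m in map(LINE_RE.match, text.splitlines()) if m]
    if rows and rows[0][0] > rows[-1][0]:  # viewer output is newest first
        rows.reverse()
    return sorted(rows, key=lambda r: r[0])  # stable: same-second order is kept
def triage(text):
    """Group charon lines per IKE_SA attempt and classify how each one ended."""
    attempts, cur = {}, None
    for _, msg in parse(text):
        if m := INIT_RE.search(msg):
            cur = attempts.setdefault(int(m.group(1)), dict(
                outcome="pending", local_nat=False, local_id=None, hint=""))
        elif cur is None:
            continue
        elif m := AUTH_RE.search(msg):
            cur["local_id"] = m.group(1)
        elif "local host is behind NAT" in msg:
            cur["local_nat"] = True
        elif "AUTHENTICATION_FAILED" in msg:   # peer rejected our IKE_AUTH
            cur["outcome"], cur["hint"] = "auth_failed", "check PSK and local/peer ID on both sides"
            if cur["local_nat"] and (cur["local_id"] or "")[:1].isdigit():
                cur["hint"] += "; IP-address ID behind NAT: the peer sees another address, use a name"
        elif "peer not responding" in msg and "failed" in msg:   # no IKE_SA_INIT reply at all
            cur["outcome"], cur["hint"] = "peer_not_responding", "UDP 500/4500 not reaching the peer (NAT device or firewall in front)"
        elif " established between " in msg:
            cur["outcome"] = "established"
    return attempts
```

Running `triage(SAMPLE_LOG)` reports con1[8] as auth_failed with the IP-address-behind-NAT hint, con1[16] as peer_not_responding, and con1[20] as established.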

Title: Re: IPsec, phase 2 and routing
Post by: mimugmail on May 18, 2018, 09:55:53 AM
Then it's related to your NAT device in front... IPsec and NAT are not the best buddies...
Title: Re: IPsec, phase 2 and routing
Post by: FCM on May 22, 2018, 03:52:30 PM
Problem resolved...
In fact the "auth failed" came from the local ID and peer ID!
At first, I left "My IP address" and "Peer IP address" in the authentication fields as described in the wiki.
But when I put siteA / siteB and siteB / siteA as unique names, the connection was established!!

First step done, now the phones... :)

Thanks again for helping! :)