OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: Rayman on November 02, 2018, 09:50:39 pm
-
Hi,
I'm trying to connect a SonicWALL router with IPSEC to my new OPNsense 18.7.6 A10 appliance.
Internet is fiber from Xs4all, pppoe.
IPSEC log:
Nov 2 21:42:44 charon: 11[NET] <con2|22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 2 21:42:44 charon: 11[ENC] <con2|22> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 2 21:42:44 charon: 11[IKE] <con2|22> no shared key found for '%any' - 'www.bbbb.nl'
Nov 2 21:42:44 charon: 11[CFG] <con2|22> selected peer config 'con2'
Nov 2 21:42:44 charon: 11[CFG] <22> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (240 bytes)
Nov 2 21:42:44 charon: 11[NET] <22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (440 bytes)
Nov 2 21:42:44 charon: 11[ENC] <22> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 2 21:42:44 charon: 11[IKE] <22> b.b.b.b is initiating an IKE_SA
Nov 2 21:42:44 charon: 11[ENC] <22> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
I copied the settings from my old pfSense router, but here the tunnel will not come up.
I have added the 3 WAN rules and 1 IPsec-to-LAN rule, and applied these.
Anyone have an idea?
Thanks!
-
Did you try setting "automatic outbound NAT" under NAT?
-
I only had it on this setting.
-
I've been playing around with this.
Is it possible that a certificate is in the way? It asks for a certificate in the IPSEC config, which I can't deselect. The tunnel does not use a certificate at all.
Logfile:
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 10:07:18 charon: 15[CFG] <41> no matching peer config found
Nov 5 10:07:18 charon: 15[CFG] <41> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 10:07:18 charon: 15[IKE] <41> sending cert request for "CN=internal-opnsense-ca"
Nov 5 10:07:18 charon: 15[IKE] <41> b.b.b.b is initiating an IKE_SA
Nov 5 10:07:18 charon: 15[ENC] <41> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 09:46:09 charon: 15[CFG] <40> no matching peer config found
Nov 5 09:46:09 charon: 15[CFG] <40> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 09:46:09 charon: 15[IKE] <40> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:46:09 charon: 15[IKE] <40> b.b.b.b is initiating an IKE_SA
Nov 5 09:46:09 charon: 15[ENC] <40> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (80 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (496 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> establishing CHILD_SA con3{3}
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:41:45 charon: 15[ENC] <con3|39> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (449 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (464 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 15[CFG] received stroke: initiate 'con3'
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 5 09:41:45 charon: 14[CFG] id 'a.a.a.a' not confirmed by certificate, defaulting to 'certificate id'
Nov 5 09:41:45 charon: 14[CFG] loaded certificate "certificate id" from '/usr/local/etc/ipsec.d/certs/cert-3.crt'
Nov 5 09:41:45 charon: 14[CFG] received stroke: add connection 'con3'
Nov 5 09:41:45 charon: 15[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Nov 5 09:41:45 charon: 15[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 5 09:41:45 charon: 15[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 5 09:41:45 charon: 15[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 5 09:41:45 charon: 15[CFG] loaded ca certificate "CN=internal-opnsense-ca" from '/usr/local/etc/ipsec.d/cacerts/63707b99.0.crt'
-
Can you post screenshots of your tunnel setup?
-
Hi,
I attached the OPNsense screenshots.
Kind regards,
Ray
-
Hi,
These are the screenshots of the SonicWALL. I left out the network tab. It only shows names of the local and remote networks, but they are the full /24 local and remote network.
Ray
-
I think it's definitely the certificate which is presented to the SonicWALL. In the SonicWALL log I see the following error:
IKEv2 initiator: Proposed IKE ID mismatch. In the data it shows the data of the certificate, which I don't want to use...
So, is it possible to configure OPNsense to NOT use a certificate for IPSEC?
-
Hi,
I have a similar problem with certificates and IPsec settings. After the initial creation of IPSEC Phase 1 everything is ok. However, after the first update of IPSEC Phase 1, the tunnel started to use the certificate as Local ID and the tunnel can no longer be established. Everything is seen on VPN: IPsec: Status Overview
where under Local ID instead of an IP address appears: C = D, ST = South Holland, L = Middelharnis, O = OPNsense
After that, I could not find a regular way (using webGUI) to remove this certificate from the settings.
The only way I found is: download the XML configuration and manually delete <certref>58b76f2b66944</certref> from the IPsec phase 1 settings. This XML tag always appears after the first webGUI settings update of IPsec phase 1.
Very strange.
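The manual XML edit described in the post above can be scripted. The following is an added example, not code from the thread or from the OPNsense project: it scans an exported config.xml for phase 1 entries that authenticate with a pre-shared key but still carry a <certref> (or <caref>), and writes back a copy with only those stray elements removed, leaving certificate-based tunnels untouched. The element names <opnsense>/<ipsec>/<phase1>, <authentication_method>, <certref>, <caref> and the value "pre_shared_key" are assumptions about the export layout; check them against your own backup before relying on the script. The sample document is constructed.

```python
# Added example (not from the forum thread or OPNsense itself): find and strip a
# stray <certref>/<caref> from pre-shared-key IPsec phase 1 entries in an
# exported OPNsense config.xml. Element names and the "pre_shared_key" value
# are assumptions about the export layout.
import xml.etree.ElementTree as ET

# Constructed sample: entry 1 is PSK with a stray certref (the thread's case),
# entry 2 is certificate-based and must keep its certref.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <authentication_method>pre_shared_key</authentication_method>
      <remote-gateway>b.b.b.b</remote-gateway>
      <certref>58b76f2b66944</certref>
      <descr>con-sonicwall</descr>
    </phase1>
    <phase1>
      <ikeid>2</ikeid>
      <iketype>ikev2</iketype>
      <authentication_method>rsasig</authentication_method>
      <remote-gateway>c.c.c.c</remote-gateway>
      <certref>58b76f2b66944</certref>
      <descr>con-cert-based</descr>
    </phase1>
  </ipsec>
</opnsense>
"""

PSK_METHOD = "pre_shared_key"          # assumed value for PSK phase 1 entries
STRAY_TAGS = ("certref", "caref")      # tags that make no sense with PSK auth


def find_stray_certrefs(xml_text):
    """Return [(ikeid, descr, [stray tags])] for PSK phase1 entries that still reference a cert/CA."""
    root = ET.fromstring(xml_text)
    findings = []
    for p1 in root.iterfind("./ipsec/phase1"):
        method = (p1.findtext("authentication_method") or "").strip()
        if method != PSK_METHOD:
            continue
        stray = [t for t in STRAY_TAGS if (p1.findtext(t) or "").strip()]
        if stray:
            findings.append((p1.findtext("ikeid"), p1.findtext("descr"), stray))
    return findings


def strip_stray_certrefs(xml_text):
    """Return (cleaned_xml, removed_count); only PSK phase1 entries are modified."""
    root = ET.fromstring(xml_text)
    removed = 0
    for p1 in root.iterfind("./ipsec/phase1"):
        if (p1.findtext("authentication_method") or "").strip() != PSK_METHOD:
            continue
        for tag in STRAY_TAGS:
            for el in p1.findall(tag):
                p1.remove(el)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for ikeid, descr, tags in find_stray_certrefs(SAMPLE_CONFIG):
        print(f"phase1 ikeid={ikeid} ({descr}): PSK auth but still has {', '.join(tags)}")
    cleaned, n = strip_stray_certrefs(SAMPLE_CONFIG)
    print(f"removed {n} stray element(s); re-import the cleaned XML via System: Configuration: Backups")
```

Run it against a downloaded backup, inspect the reported entries, and only then restore the cleaned file. Keep the original backup: the script removes elements but does not otherwise validate the configuration, and a certificate-based tunnel whose authentication method is stored under a different value than assumed here would be skipped, not damaged.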
-
Hi,
Thanks for your reply!
You are totally right! Thank you very much!
After removing the cert from the config, tunnel did come up right away!
It would be better if the cert was removable from the GUI of course. Maybe a dev can pick this up?
-
There is no maybe... only https://github.com/opnsense/core/issues :)
Cheers,
Franco
-
Hi Franco,
Did not know this, I'll create an issue there.
Thanks,
Ray
-
Much appreciated, thanks!
-
@jmirakul
This was checked by Ad.
When using Internet Explorer (which I did), the certificate field is shown and the certificate data is in the config xml file.
When another browser is used (I've tried Firefox), the certificate fields are not even in the GUI, and the xml file is correct then.
Kind regards,
Ray
-
Yes, I saw. :)
Everything works fine with Firefox but failed with Safari on OS X in my case.
-
Keeping this under observation... browsers shouldn't do this, but maybe we need to be more vivid in enforcement.
Long-term this is no issue, the MVC/API code should not be affected by this issue. Worst case saving fails, but that's what the browser gets for disabling JS. ;)
Cheers,
Franco
-
Hi, thanks for this info !
I ran into the same error. I tried to configure a site-to-site VPN with Internet Explorer. After a few hours and reading this post, I know why :-)
After saving the settings with IE, this error shows up in the VPN log file.
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> sending packet: from 192.168.20.40[500] to 192.168.22.132[500] (84 bytes)
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> generating INFORMATIONAL_V1 request 4075737163 [ HASH D ]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> sending DELETE for IKE_SA con1-000[8]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> deleting IKE_SA con1-000[8] between 192.168.20.40[C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense]...192.168.22.132[192.168.22.132]
Jan 30 09:33:09 charon: 10[CFG] <con1-000|8> constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=xx, O=xx, E=xx@xx, CN=CA_xx'
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> received DPD vendor ID
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> parsed ID_PROT response 0 [ ID HASH V ]
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> received packet: from 192.168.22.132[500] to 192.168.20.40[500] (84 bytes)
and this is the main part of the file /usr/local/etc/ipsec.conf
ike = 3des-sha1-modp1024!
leftauth = psk
rightauth = psk
leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
leftsendcert = always
rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
rightid = 192.168.22.132
rightsubnet = 192.168.22.192/28
leftsubnet = 192.168.7.0/24
esp = aes256-sha1-modp1024,3des-sha1-modp1024!
After saving the setting with Chrome, everything works as expected.
With Internet Explorer, the 'My Certificate' and 'My Certificate Authority' fields show up, and I cannot remove this setting.
With Chrome, these fields do not show up.
OPNsense 18.7.9-amd64
IE 11.1563.15063.0
Chrome 71.0.3578.98
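The ipsec.conf fragment quoted above shows the symptom at the strongSwan level: leftauth/rightauth are psk, yet leftcert, leftsendcert and rightca are set, which is why charon logs the certificate DN as the local identity and the "peer not authenticated by CA" constraint failure. The following is an added example, not code from the thread or from OPNsense or strongSwan: a small parser for the conn sections of a generated ipsec.conf plus a check that flags that inconsistent combination, so the generated file can be verified after saving the tunnel from the GUI. The sample text is constructed, modelled on the quoted fragment; the "conn con1-000" header, the "keyexchange = ikev1" line and the second conn are assumptions.

```python
# Added example (not from the thread, OPNsense or strongSwan): parse the conn
# sections of a generated /usr/local/etc/ipsec.conf and flag pre-shared-key
# connections that still carry certificate settings. Names are this example's own.
import re

# Constructed sample modelled on the fragment quoted in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids = yes

conn con1-000
    ike = 3des-sha1-modp1024!
    keyexchange = ikev1
    leftauth = psk
    rightauth = psk
    leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
    leftsendcert = always
    rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
    rightid = 192.168.22.132
    rightsubnet = 192.168.22.192/28
    leftsubnet = 192.168.7.0/24
    esp = aes256-sha1-modp1024,3des-sha1-modp1024!

conn con2-000
    keyexchange = ikev2
    leftauth = psk
    rightauth = psk
    rightid = 203.0.113.10
"""

# Section headers start in column 0: "conn <name>", "config setup", "ca <name>".
_SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; '#' comments are dropped, quotes stripped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m and not raw[0].isspace():
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key] = value.strip('"')
    return sections


def check_psk_cert_conflicts(sections):
    """Return [(conn_name, message)] for conns that mix PSK auth with certificate settings."""
    problems = []
    for (kind, name), kv in sections.items():
        if kind != "conn":
            continue
        if kv.get("leftauth") == "psk":
            for k in ("leftcert", "leftsendcert"):
                if k in kv:
                    problems.append((name, f"leftauth=psk but {k}={kv[k]}"))
        if kv.get("rightauth") == "psk" and "rightca" in kv:
            problems.append((name, "rightauth=psk but a rightca constraint is set"))
    return problems


if __name__ == "__main__":
    for conn, msg in check_psk_cert_conflicts(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(f"{conn}: {msg}")
```

Point it at the real file after each save (for example by reading /usr/local/etc/ipsec.conf instead of the sample) and it reports only the conns affected by the stray certificate reference; con2-000 in the sample passes. The check is deliberately narrow, but note in passing that the 3des-sha1-modp1024 proposal in the quoted fragment is weak by current standards and worth revisiting once the tunnel is up, which is a separate matter from the certificate issue this thread is about.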
-
It will be fixed for IE in 19.1 tomorrow.
Cheers,
Franco