OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Rayman on November 02, 2018, 09:50:39 pm

Title: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 02, 2018, 09:50:39 pm
Hi,

I'm trying to connect a SonicWALL router with IPSEC to my new OPNsense 18.7.6 A10 appliance.

Internet is fiber from Xs4all, pppoe.

IPSEC log:
Nov 2 21:42:44 charon: 11[NET] <con2|22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 2 21:42:44 charon: 11[ENC] <con2|22> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 2 21:42:44 charon: 11[IKE] <con2|22> no shared key found for '%any' - 'www.bbbb.nl'
Nov 2 21:42:44 charon: 11[CFG] <con2|22> selected peer config 'con2'
Nov 2 21:42:44 charon: 11[CFG] <22> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (240 bytes)
Nov 2 21:42:44 charon: 11[NET] <22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (440 bytes)
Nov 2 21:42:44 charon: 11[ENC] <22> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 2 21:42:44 charon: 11[IKE] <22> b.b.b.b is initiating an IKE_SA
Nov 2 21:42:44 charon: 11[ENC] <22> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)

I copied the settings from my old pfSense router, but here the tunnel will not come up.

I have added the 3 WAN rules and 1 IPSEC to LAN rule, and applied these.

Does anyone have an idea?

Thanks!
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect, no shared key found
Post by: J. Lambrecht on November 02, 2018, 10:42:06 pm
Did you try setting "automatic outbound NAT" under NAT?
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect, no shared key found
Post by: Rayman on November 02, 2018, 11:36:59 pm
I only had it on this setting.
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect, no shared key found
Post by: Rayman on November 05, 2018, 10:37:37 am
I've been playing around with this.

Is it possible that a certificate is in the way? It asks for a certificate in the IPSEC config, which I can't deselect. The tunnel does not use a certificate at all.

Logfile:
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 10:07:18 charon: 15[CFG] <41> no matching peer config found
Nov 5 10:07:18 charon: 15[CFG] <41> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 10:07:18 charon: 15[IKE] <41> sending cert request for "CN=internal-opnsense-ca"
Nov 5 10:07:18 charon: 15[IKE] <41> b.b.b.b is initiating an IKE_SA
Nov 5 10:07:18 charon: 15[ENC] <41> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 09:46:09 charon: 15[CFG] <40> no matching peer config found
Nov 5 09:46:09 charon: 15[CFG] <40> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 09:46:09 charon: 15[IKE] <40> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:46:09 charon: 15[IKE] <40> b.b.b.b is initiating an IKE_SA
Nov 5 09:46:09 charon: 15[ENC] <40> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (80 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (496 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> establishing CHILD_SA con3{3}
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:41:45 charon: 15[ENC] <con3|39> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (449 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (464 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 15[CFG] received stroke: initiate 'con3'
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 5 09:41:45 charon: 14[CFG] id 'a.a.a.a' not confirmed by certificate, defaulting to 'certificate id'
Nov 5 09:41:45 charon: 14[CFG] loaded certificate "certificate id" from '/usr/local/etc/ipsec.d/certs/cert-3.crt'
Nov 5 09:41:45 charon: 14[CFG] received stroke: add connection 'con3'
Nov 5 09:41:45 charon: 15[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Nov 5 09:41:45 charon: 15[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 5 09:41:45 charon: 15[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 5 09:41:45 charon: 15[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 5 09:41:45 charon: 15[CFG] loaded ca certificate "CN=internal-opnsense-ca" from '/usr/local/etc/ipsec.d/cacerts/63707b99.0.crt'
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: mimugmail on November 05, 2018, 11:01:28 am
Can you post screenshots of your tunnel setup?
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 05, 2018, 12:12:10 pm
Hi,

I attached the OPNsense screenshots.

Kind regards,
Ray
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 05, 2018, 01:04:40 pm
Hi,

These are the screenshots of the SonicWALL. I left out the network tab. It only shows names of the local and remote networks, but they are the full /24 local and remote network.

Ray
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 05, 2018, 01:21:39 pm
I think it's definitely the certificate which is presented to the SonicWALL. In the SonicWALL log I see the following error:

IKEv2 initiator: Proposed IKE ID mismatch. In the data it shows the data of the certificate, which I don't want to use...

So, is it possible to configure OPNsense to NOT use a certificate for IPSEC?
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: jmirakul on November 05, 2018, 01:30:27 pm
Hi,

I have a similar problem with certificates and IPsec settings. After the initial creation of IPSEC Phase 1 everything is ok. However, after the first update of IPSEC Phase 1, the tunnel started to use the certificate as Local ID and the tunnel can no longer be established. Everything is seen on VPN: IPsec: Status Overview
where under Local ID instead of an IP address appears: C = D, ST = South Holland, L = Middelharnis, O = OPNsense
After that, I could not find a regular way (using webGUI) to remove this certificate from the settings.
The only way I found is: download the XML configuration and manually delete <certref>58b76f2b66944</certref> from the IPsec phase 1 settings. This XML tag always appears after the first webGUI settings update of IPsec phase 1.
Very strange.
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 05, 2018, 01:32:49 pm
Hi,

Thanks for your reply!

You are totally right! Thank you very much!

After removing the cert from the config, tunnel did come up right away!

It would be better if the cert was removable from the gui of course. Maybe a dev can pick this up?
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: franco on November 05, 2018, 02:23:30 pm
There is no maybe... only https://github.com/opnsense/core/issues :)


Cheers,
Franco
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 05, 2018, 02:57:08 pm
Hi Franco,

Did not know this, I'll create an issue there.

Thanks,
Ray
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: franco on November 05, 2018, 02:59:03 pm
Much appreciated, thanks!
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: Rayman on November 05, 2018, 03:44:05 pm
@jmirakul

This was checked by Ad.

When using Internet Explorer (which I did), the certificate field is shown and the certificate data is in the config xml file.

When another browser is used (I've tried FireFox), the certificate fields are not even in the GUI, and xml file is correct then.

Kind regards,
Ray
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: jmirakul on November 05, 2018, 03:49:38 pm
Yes, I saw.  :)
Everything works fine with FireFox but failed with Safari on OS X in my case.

Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: franco on November 06, 2018, 11:36:17 pm
Keeping this under observation... browsers shouldn't do this, but maybe we need to be more vivid in enforcement.

Long-term this is no issue, the MVC/API code should not be affected by this issue. Worst case saving fails, but that's what the browser gets for disabling JS. ;)


Cheers,
Franco
Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: space-hunter on January 30, 2019, 10:02:37 am
Hi, thanks for this info !

I ran into the same error. I tried to configure a site-to-site VPN with IExplorer. After a few hours and reading this post, I know why :-)
After saving the setting with IE, this error shows up in the VPN log file.

Jan 30 09:33:09 charon: 10[NET] <con1-000|8> sending packet: from 192.168.20.40[500] to 192.168.22.132[500] (84 bytes)
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> generating INFORMATIONAL_V1 request 4075737163 [ HASH D ]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> sending DELETE for IKE_SA con1-000[8]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> deleting IKE_SA con1-000[8] between 192.168.20.40[C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense]...192.168.22.132[192.168.22.132]
Jan 30 09:33:09 charon: 10[CFG] <con1-000|8> constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=xx, O=xx, E=xx@xx, CN=CA_xx'
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> received DPD vendor ID
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> parsed ID_PROT response 0 [ ID HASH V ]
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> received packet: from 192.168.22.132[500] to 192.168.20.40[500] (84 bytes)

and this is the main part of the file /usr/local/etc/ipsec.conf
  ike = 3des-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
  rightid = 192.168.22.132
  rightsubnet = 192.168.22.192/28
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1-modp1024,3des-sha1-modp1024!


After saving the setting with Chrome, everything works as expected.

With IExplorer, the 'My Certificate' and 'My Certificate Authority' fields show up, and I cannot remove this setting.
With Chrome, these fields do not show up.

OPNsense 18.7.9-amd64
IE 11.1563.15063.0
Chrome 71.0.3578.98
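
Added example (not part of any post in this thread, and not OPNsense code): a small check for the condition the posts above describe, a generated ipsec.conf where a connection authenticates with PSK on both sides but still carries certificate settings. In the logs above, a leftover leftcert made the local ID default to the certificate ID, and a leftover rightca produced "constraint check failed: peer not authenticated by CA". The sample input, the conn names and the function names are assumptions made for the example.

```python
import re

# Constructed sample modelled on the fragment quoted in the thread; the conn
# names and the clean 'con2' section are made up for this example.
SAMPLE_CONF = """\
conn con1
  leftauth = psk
  rightauth = psk
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  rightca = "/C=DE/ST=xxx/L=xxx/O=xxx/CN=xxx/"
  rightid = 192.168.22.132

conn con2
  leftauth = psk
  rightauth = psk
  rightid = 192.0.2.10
"""

CERT_KEYS = ("leftcert", "rightcert", "leftca", "rightca")

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
        elif line[0] not in " \t":
            current = None                     # 'config setup', 'ca' sections
    return conns

def stale_cert_settings(text):
    """Map each PSK-only conn to the certificate keys it still carries."""
    findings = {}
    for name, opts in parse_conns(text).items():
        psk_only = opts.get("leftauth") == "psk" and opts.get("rightauth") == "psk"
        leftover = [k for k in CERT_KEYS if k in opts]
        if psk_only and leftover:
            findings[name] = leftover
    return findings

if __name__ == "__main__":
    for conn, keys in stale_cert_settings(SAMPLE_CONF).items():
        print(f"{conn}: PSK auth but certificate settings present: {', '.join(keys)}")
```

To check a real system, pass the contents of /usr/local/etc/ipsec.conf to stale_cert_settings() instead of the sample.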

Title: Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Post by: franco on January 30, 2019, 12:20:17 pm
It will be fixed for IE in 19.1 tomorrow.


Cheers,
Franco