OPNsense Forum

International Forums => German - Deutsch => Topic started by: greY on December 27, 2018, 09:03:40 pm

Title: [solved] IPSec Site to Site VPN with USG not persistent
Post by: greY on December 27, 2018, 09:03:40 pm
Hello,

I have an IPsec S2S VPN between a Unifi USG (WAN yy.yy.yy.yy) and OPNsense 18.7.9 (WAN xx.xx.xx.xx). The connection is established initially and so far works as expected.

The problem seems to be that a re-authentication does not work. Does anyone have something comparable running, or a hint?

LOG - OPNsense
Code:
Dec 27 18:22:14 charon: 14[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Dec 27 18:22:14 charon: 14[ENC] <con1|1> generating CREATE_CHILD_SA response 1 [ N(NO_PROP) ]
Dec 27 18:22:14 charon: 14[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:22:14 charon: 14[IKE] <con1|1> no acceptable proposal found
Dec 27 18:22:14 charon: 14[CFG] <con1|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Dec 27 18:22:14 charon: 14[CFG] <con1|1> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 27 18:22:14 charon: 14[ENC] <con1|1> parsed CREATE_CHILD_SA request 1 [ SA No TSi TSr ]
Dec 27 18:22:14 charon: 14[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (236 bytes)
Dec 27 18:22:14 charon: 14[JOB] CHILD_SA ESP/0xca7a7672/xx.xx.xx.xx not found for rekey
Dec 27 18:22:13 charon: 14[JOB] CHILD_SA ESP/0xca7a7672/xx.xx.xx.xx not found for rekey
Dec 27 18:22:02 charon: 12[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:22:02 charon: 12[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 18:22:02 charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA response 225 [ N(NO_PROP) ]
Dec 27 18:22:02 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:22:02 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (588 bytes)
Dec 27 18:22:02 charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA request 225 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Dec 27 18:22:02 charon: 12[IKE] <con1|1> establishing CHILD_SA con1{223}
Dec 27 18:22:02 charon: 12[ENC] <con1|1> parsed INFORMATIONAL response 224 [ ]
Dec 27 18:22:02 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[ENC] <con1|1> generating INFORMATIONAL request 224 [ ]
Dec 27 18:22:01 charon: 12[KNL] <con1|1> unable to delete SAD entry with SPI c62702d8: No such process (3)
Dec 27 18:22:01 charon: 12[KNL] <con1|1> unable to delete SAD entry with SPI ca7a7672: No such process (3)
Dec 27 18:22:01 charon: 12[IKE] <con1|1> CHILD_SA closed
Dec 27 18:22:01 charon: 12[IKE] <con1|1> received DELETE for ESP CHILD_SA with SPI c62702d8
Dec 27 18:22:01 charon: 12[ENC] <con1|1> parsed INFORMATIONAL response 223 [ D ]
Dec 27 18:22:01 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[KNL] creating delete job for CHILD_SA ESP/0xc62702d8/yy.yy.yy.yy
Dec 27 18:22:01 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[ENC] <con1|1> generating INFORMATIONAL request 223 [ D ]
Dec 27 18:22:01 charon: 12[IKE] <con1|1> scheduling CHILD_SA recreate after hard expire
Dec 27 18:22:01 charon: 12[IKE] <con1|1> sending DELETE for ESP CHILD_SA with SPI ca7a7672
Dec 27 18:22:01 charon: 12[IKE] <con1|1> closing expired CHILD_SA con1{1} with SPIs ca7a7672_i c62702d8_o and TS 10.0.0.0/24 === 10.0.10.0/24
Dec 27 18:22:01 charon: 07[KNL] creating delete job for CHILD_SA ESP/0xca7a7672/xx.xx.xx.xx
Dec 27 18:22:00 charon: 07[IKE] <con1|1> CHILD_SA rekeying failed, trying again in 14 seconds
Dec 27 18:22:00 charon: 07[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:22:00 charon: 07[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 18:22:00 charon: 07[ENC] <con1|1> parsed CREATE_CHILD_SA response 222 [ N(NO_PROP) ]
Dec 27 18:22:00 charon: 07[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:21:59 charon: 07[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (604 bytes)
Dec 27 18:21:59 charon: 07[ENC] <con1|1> generating CREATE_CHILD_SA request 222 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Dec 27 18:21:59 charon: 07[IKE] <con1|1> establishing CHILD_SA con1{222} reqid 1
Dec 27 18:21:58 charon: 12[IKE] <con1|1> CHILD_SA rekeying failed, trying again in 15 seconds
Dec 27 18:21:58 charon: 12[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:21:58 charon: 12[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 18:21:58 charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA response 221 [ N(NO_PROP) ]
Dec 27 18:21:58 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:21:58 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (604 bytes)
Dec 27 18:21:58 charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA request 221 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Dec 27 18:21:58 charon: 12[IKE] <con1|1> establishing CHILD_SA con1{221} reqid 1

LOG USG:
Code:
Dec 27 18:01:17 04[KNL] creating delete job for ESP CHILD_SA with SPI c2691399 and reqid {9}
Dec 27 18:01:18 14[KNL] creating acquire job for policy 10.0.10.248/32[udp/53190] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:01:18 09[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:04:03 03[KNL] creating delete job for ESP CHILD_SA with SPI c54b5f4e and reqid {9}
Dec 27 18:04:07 07[KNL] creating acquire job for policy 10.0.10.248/32[udp/53190] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:04:07 06[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:06:52 06[KNL] creating delete job for ESP CHILD_SA with SPI c7b48a1a and reqid {9}
Dec 27 18:06:58 13[KNL] creating acquire job for policy 10.0.10.35/32[udp/57351] === 10.0.0.2/32[udp/ldap] with reqid {9}
Dec 27 18:06:58 05[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:09:43 16[KNL] creating delete job for ESP CHILD_SA with SPI ca2da94e and reqid {9}
Dec 27 18:09:46 14[KNL] creating acquire job for policy 10.0.10.247/32[udp/43198] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:09:46 03[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:12:31 03[KNL] creating delete job for ESP CHILD_SA with SPI c17c60b9 and reqid {9}
Dec 27 18:12:34 01[KNL] creating acquire job for policy 10.0.10.10/32[udp/ntp] === 10.0.0.2/32[udp/ntp] with reqid {9}
Dec 27 18:12:34 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:15:19 04[KNL] creating delete job for ESP CHILD_SA with SPI c18b1a25 and reqid {9}
Dec 27 18:15:21 09[KNL] creating acquire job for policy 10.0.10.10/32[tcp/53470] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:15:21 14[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:18:06 14[KNL] creating delete job for ESP CHILD_SA with SPI cf80d564 and reqid {9}
Dec 27 18:18:06 03[KNL] creating acquire job for policy 10.0.10.36/32[udp/65109] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:18:06 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:20:51 06[KNL] creating delete job for ESP CHILD_SA with SPI caf65c20 and reqid {9}
Dec 27 18:20:57 13[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63902] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:20:57 05[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:23:42 16[KNL] creating delete job for ESP CHILD_SA with SPI cb037b0d and reqid {9}
Dec 27 18:23:43 14[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63918] === 10.0.0.2/32[tcp/ldap] with reqid {9}
Dec 27 18:23:43 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:26:28 14[KNL] creating delete job for ESP CHILD_SA with SPI c752c11f and reqid {9}
Dec 27 18:26:30 07[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63932] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:26:30 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:29:15 13[KNL] creating delete job for ESP CHILD_SA with SPI c322f689 and reqid {9}
Dec 27 18:29:17 16[KNL] creating acquire job for policy 10.0.10.35/32[udp/61295] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:29:17 16[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:32:02 04[KNL] creating delete job for ESP CHILD_SA with SPI cf7ba97e and reqid {9}
Dec 27 18:32:04 09[KNL] creating acquire job for policy 10.0.10.249/32[udp/42332] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:32:04 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:34:49 16[KNL] creating delete job for ESP CHILD_SA with SPI c17d055c and reqid {9}
Dec 27 18:34:55 14[KNL] creating acquire job for policy 10.0.10.36/32[udp/62771] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:34:55 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:37:40 05[KNL] creating delete job for ESP CHILD_SA with SPI c7f33e28 and reqid {9}
Dec 27 18:37:42 09[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63971] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:37:42 13[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:40:27 13[KNL] creating delete job for ESP CHILD_SA with SPI c005197d and reqid {9}
Dec 27 18:40:28 11[KNL] creating acquire job for policy 10.0.10.35/32[udp/50850] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:40:28 03[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:43:13 01[KNL] creating delete job for ESP CHILD_SA with SPI c5d2257e and reqid {9}
Dec 27 18:43:13 15[KNL] creating acquire job for policy 10.0.10.10/32[tcp/44374] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:43:13 06[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:45:58 14[KNL] creating delete job for ESP CHILD_SA with SPI cf48c9d0 and reqid {9}
Dec 27 18:46:10 05[KNL] creating acquire job for policy 10.0.10.10/32[tcp/45756] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:46:10 13[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:48:55 14[KNL] creating delete job for ESP CHILD_SA with SPI c03f73ae and reqid {9}
Dec 27 18:48:56 04[KNL] creating acquire job for policy 10.0.10.2/32[tcp/64015] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:48:56 05[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:51:41 16[KNL] creating delete job for ESP CHILD_SA with SPI c512e977 and reqid {9}
Dec 27 18:52:19 07[KNL] creating acquire job for policy 10.0.10.247/32[udp/43198] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:52:19 06[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:55:04 15[KNL] creating delete job for ESP CHILD_SA with SPI c70209a6 and reqid {9}
Dec 27 18:55:07 05[KNL] creating acquire job for policy 10.0.10.10/32[tcp/52598] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:55:07 09[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:55:40 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> deleting IKE_SA peer-xx.xx.xx.xx-tunnel-0[3] between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 18:55:40 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> IKE_SA deleted
Dec 27 18:55:42 06[IKE] <4> xx.xx.xx.xx is initiating an IKE_SA
Dec 27 18:55:42 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> IKE_SA peer-xx.xx.xx.xx-tunnel-0[4] established between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 18:55:42 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9} established with SPIs c62702d8_i ca7a7672_o and TS 10.0.10.0/24 === 10.0.0.0/24
Dec 27 18:57:52 03[KNL] creating delete job for ESP CHILD_SA with SPI cf4db89e and reqid {9}
Dec 27 19:25:44 16[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> closing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9} with SPIs c62702d8_i (649276 bytes) ca7a7672_o (10290589 bytes) and TS 10.0.10.0/24 === 10.0.0.0/24
Dec 27 19:25:56 04[KNL] creating acquire job for policy 10.0.10.249/32[udp/42332] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 19:25:56 09[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 19:28:41 13[KNL] creating delete job for ESP CHILD_SA with SPI c83837e9 and reqid {9}
Dec 27 19:28:55 05[KNL] creating acquire job for policy 10.0.10.247/32[udp/43198] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 19:28:55 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 19:28:59 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> deleting IKE_SA peer-xx.xx.xx.xx-tunnel-0[4] between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 19:28:59 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> IKE_SA deleted
Dec 27 19:29:01 06[IKE] <5> xx.xx.xx.xx is initiating an IKE_SA
Dec 27 19:29:01 14[IKE] <peer-xx.xx.xx.xx-tunnel-0|5> IKE_SA peer-xx.xx.xx.xx-tunnel-0[5] established between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 19:29:01 14[IKE] <peer-xx.xx.xx.xx-tunnel-0|5> CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9} established with SPIs c5c0811a_i c0da16a2_o and TS 10.0.10.0/24 === 10.0.0.0/24

The connection works again for a few minutes when the VPN server on the OPNsense is restarted.

Best regards
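Added example, not from the thread's author and not OPNsense or strongSwan code: a Python script that parses the two "[CFG] ... proposals" lines from the OPNsense log above and compares them the way charon does. The configured ESP proposals all carry a DH group (MODP_1024, i.e. a PFS group), while the proposal received from the USG carries none. In IKEv2 the first CHILD_SA is created inside IKE_AUTH, which has no KE payload, so no DH group is negotiated there (RFC 7296, section 1.2); on CREATE_CHILD_SA (rekeying, RFC 7296 section 1.3) the DH group is part of the proposal and must match. That is how a tunnel can come up and then fail at every rekey with NO_PROPOSAL_CHOSEN, as in the log. The log lines are copied from the post; classifying tokens by algorithm-name prefix and the matching rules are the example's own simplification of strongSwan's proposal handling.

```python
import re
from typing import List, Optional, NamedTuple, Tuple

# Constructed sample input: the two strongSwan "[CFG]" lines from the OPNsense
# log posted in the thread (all other lines omitted).
SAMPLE_LOG = """\
Dec 27 18:22:14 charon: 14[CFG] <con1|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Dec 27 18:22:14 charon: 14[CFG] <con1|1> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
"""


class Proposal(NamedTuple):
    protocol: str         # "ESP", "AH" or "IKE"
    enc: Optional[str]    # e.g. AES_CBC_256, AES_GCM_16_256
    integ: Optional[str]  # e.g. HMAC_SHA1_96; None for AEAD ciphers
    dh: Optional[str]     # e.g. MODP_1024; None means no PFS group offered
    esn: Optional[str]    # NO_EXT_SEQ or EXT_SEQ


# Prefix-based classification (simplification; strongSwan uses typed algorithm IDs).
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")
INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC")
ESN_TOKENS = {"NO_EXT_SEQ", "EXT_SEQ"}


def parse_proposal(text: str) -> Proposal:
    """Split 'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ' into components."""
    protocol, _, algs = text.strip().partition(":")
    enc = integ = dh = esn = None
    for token in algs.split("/"):
        if token in ESN_TOKENS:
            esn = token
        elif token.startswith(DH_PREFIXES):
            dh = token
        elif token.startswith(INTEG_PREFIXES):
            integ = token
        elif token.startswith("PRF_"):
            continue  # only IKE proposals carry a PRF; irrelevant for ESP
        else:
            enc = token
    return Proposal(protocol, enc, integ, dh, esn)


PROPOSAL_LINE = re.compile(r"\[CFG\] .*?(configured|received) proposals: (.*)$")


def extract_proposals(log: str) -> Tuple[List[Proposal], List[Proposal]]:
    """Return (configured, received) proposal lists from charon CFG log lines."""
    found = {"configured": [], "received": []}
    for line in log.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            found[m.group(1)].extend(parse_proposal(p) for p in m.group(2).split(","))
    return found["configured"], found["received"]


def compatible(local: Proposal, remote: Proposal, ike_auth: bool = False) -> bool:
    """True if the peer's proposal satisfies the local one.

    ike_auth=True models the first CHILD_SA negotiated inside IKE_AUTH, where
    no KE payload exists and the DH group is therefore not compared.  On
    CREATE_CHILD_SA (rekey) the DH group must match as well.
    """
    if (local.protocol, local.enc, local.integ, local.esn) != (
        remote.protocol, remote.enc, remote.integ, remote.esn
    ):
        return False
    return ike_auth or local.dh == remote.dh


def select(configured: List[Proposal], received: List[Proposal],
           ike_auth: bool = False) -> Optional[Proposal]:
    """First configured proposal that any received proposal satisfies, else None."""
    for remote in received:
        for local in configured:
            if compatible(local, remote, ike_auth):
                return local
    return None


def explain_mismatch(configured: List[Proposal], received: List[Proposal]) -> List[str]:
    """Name each component on which the two sides share no value at all."""
    reasons = []
    for field in ("enc", "integ", "dh", "esn"):
        local_vals = {getattr(p, field) for p in configured}
        remote_vals = {getattr(p, field) for p in received}
        if not local_vals & remote_vals:
            reasons.append(f"{field}: local {sorted(map(str, local_vals))} "
                           f"vs peer {sorted(map(str, remote_vals))}")
    if not reasons and select(configured, received) is None:
        reasons.append("no single proposal matches on all components at once")
    return reasons


if __name__ == "__main__":
    cfg, rcv = extract_proposals(SAMPLE_LOG)
    print("IKE_AUTH (initial CHILD_SA) match:", select(cfg, rcv, ike_auth=True))
    print("CREATE_CHILD_SA (rekey) match:    ", select(cfg, rcv))
    for reason in explain_mismatch(cfg, rcv):
        print("mismatch ->", reason)
```

Run against the sample, the initial CHILD_SA selects the first configured proposal while the rekey selects nothing, and the only mismatching component is the DH group (local MODP_1024, peer none). The same two `[CFG]` lines from any strongSwan log can be pasted into SAMPLE_LOG to diagnose other NO_PROPOSAL_CHOSEN cases.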
Title: Re: IPSec Site to Site VPN with USG not persistent
Post by: greY on December 29, 2018, 02:14:05 pm
...somehow solved itself: I cloned the original connection and it now stays up even after 24 h!
Possibly a bug, since the first configuration was created with version 18.1 and the second with 18.7
Title: Re: [solved] IPSec Site to Site VPN with USG not persistent
Post by: xyz on January 02, 2019, 05:04:41 pm
I have the same problem; is there any other solution for this than recreating all VPNs?