OPNsense Forum

International Forums => German - Deutsch => Topic started by: superwinni2 on April 02, 2019, 03:47:10 pm

Title: IPSec Problem
Post by: superwinni2 on April 02, 2019, 03:47:10 pm
Hello everyone

I'm currently trying to set up an IPsec connection....
Right up front: the tunnel is up, but (as far as I can tell) no data is routed back...
The goal is for an external service provider to be able to access my network.

My FW sits directly on the public network with a fixed IP address.
The other FW as well.


VPN -> IPSec -> Tunnel Settings
Phase 1:
General information
Disabled: NEIN
Connection method: Respond only (since it is a CARP interface)

Key Exchange version: V1
Internet Protocol: IPv4
Interface: 1.2.3.4
Remote gateway 6.7.8.9
Description: IPSECVPN
 
Phase 1 proposal (Authentication)
Authentication method: Mutual PSK
Negotiation mode Main
My identifier IP Address -> CARP address
Peer identifier: Peer IP address
Pre-Shared Key: abcdefghijklmnopqrstuvwxyz

Phase 1 proposal (Algorithms)
Encryption algorithm: AES 256
Hash algorithm   SHA256
DH key group   5 (1536 bits)
Lifetime: 28800

Advanced Options
Install policy: NEIN
Disable Rekey: NEIN
Disable Reauth: NEIN
Tunnel Isolation: NEIN
NAT Traversal: Enable
Disable MOBIKE: NEIN
Dead Peer Detection: NEIN



Phase 2:
General information
Disabled: NEIN
Mode: Tunnel IPv4
Description: IPSECVPN

Local Network
Type:
Address: Server subnet

Remote Network
Type:
Address: Network 10.251.0.0/19 (address range of the remote network)

Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: AES 256 bit
Hash algorithms SHA256
PFS key group: 5 (1536Bit)
Lifetime: 3600 seconds

Advanced Options
Automatically ping host: LEER
Manual SPD entries: LEER

Firewall rules:
Allow ESP & UDP 500 & UDP 4500 from outside to the FW
Under IPsec, configured that the remote network may reach me (any rule)
Under the server rules, configured that everything may reach the remote network.

According to the logs, nothing is being blocked by the FW either.

However, I can send (almost) nothing from "left to right", nor from "right to left".
When the service provider tries to reach my server, I see that the packet arrives on the firewall and is also allowed. The service provider, however, never gets a packet back. I suspect it "gets lost".

In the statistics under VPN -> IPsec - Status Overview I see the following:

Time : 2346
Bytes in : 144
Bytes out : 0

Now the big question is why...

Hopefully someone here can help me...

Thanks and regards
Title: Re: IPSec Problem
Post by: micneu on April 03, 2019, 08:05:19 am
Morning, what firewall does your service provider use?
I think this info could help narrow down the error or even fix it.
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 08:09:55 am
Morning

it's a Watchguard.
I read up on everything last night... According to my theory, everything should be fine...
We also tested it without the virtual IP address... Then changed the "My identifier" in phase 1 to "My Address" as well and of course passed all of this on to the service provider.

The VPN tunnel is up again too.. But still only data comes in and none is sent...
Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 08:14:45 am
On the console

clog -f /var/log/ipsec.log

Then restart the VPN tunnel, look for errors and post them.
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 08:25:34 am

Hi

thanks for the reply.
Here is the log.. At the start, of course, the shutdown first and then the reconnect.
Apr  3 08:17:17 Firewall charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr  3 08:17:17 Firewall charon: 00[IKE] <con1|10> closing CHILD_SA con1{3} with SPIs c6bfd67a_i (768 bytes) c076b541_o (0 bytes) and TS 10.40.20.0/24 === 10.251.0.0/19
Apr  3 08:17:17 Firewall charon: 00[IKE] <con1|10> sending DELETE for ESP CHILD_SA with SPI c6bfd67a
Apr  3 08:17:17 Firewall charon: 00[ENC] <con1|10> generating INFORMATIONAL_V1 request 1788568366 [ HASH D ]
Apr  3 08:17:17 Firewall charon: 00[NET] <con1|10> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (92 bytes)
Apr  3 08:17:17 Firewall charon: 00[IKE] <con1|10> closing CHILD_SA con1{4} with SPIs ca1fe803_i (65844 bytes) 17b787a8_o (0 bytes) and TS 10.40.20.0/24 === 10.251.0.0/19
Apr  3 08:17:17 Firewall charon: 00[IKE] <con1|10> sending DELETE for ESP CHILD_SA with SPI ca1fe803
Apr  3 08:17:17 Firewall charon: 00[ENC] <con1|10> generating INFORMATIONAL_V1 request 335947869 [ HASH D ]
Apr  3 08:17:17 Firewall charon: 00[NET] <con1|10> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (92 bytes)
Apr  3 08:17:17 Firewall charon: 00[IKE] <con1|10> deleting IKE_SA con1[10] between 1.2.3.4[1.2.3.4]...6.7.8.9[6.7.8.9]
Apr  3 08:17:17 Firewall charon: 00[IKE] <con1|10> sending DELETE for IKE_SA con1[10]
Apr  3 08:17:17 Firewall charon: 00[ENC] <con1|10> generating INFORMATIONAL_V1 request 622505411 [ HASH D ]
Apr  3 08:17:17 Firewall charon: 00[NET] <con1|10> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 08:17:19 Firewall charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, FreeBSD 11.2-RELEASE-p9-HBSD, amd64)
Apr  3 08:17:19 Firewall charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr  3 08:17:19 Firewall charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Apr  3 08:17:19 Firewall charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Apr  3 08:17:19 Firewall charon: 00[CFG]   loaded ca certificate "C=DE, O=xyz, CN=OPNsense-CA" from '/usr/local/etc/ipsec.d/cacerts/93757000.0.crt'
Apr  3 08:17:19 Firewall charon: 00[CFG]   loaded ca certificate "C=DE, O=xyz, CN=xyz Group Root CA" from '/usr/local/etc/ipsec.d/cacerts/cd86db1c.0.crt'
Apr  3 08:17:19 Firewall charon: 00[CFG]   loaded ca certificate "C=DE, ST=BW, L=Ort, O=xyz, E=support.it@xyz.com, CN=OPNsense-RootCA" from '/usr/local/etc/ipsec.d/cacerts/d4bca99d.0.crt'
Apr  3 08:17:19 Firewall charon: 00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/usr/local/etc/ipsec.d/cacerts/4f06f81d.0.crt'
Apr  3 08:17:19 Firewall charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Apr  3 08:17:19 Firewall charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Apr  3 08:17:19 Firewall charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Apr  3 08:17:19 Firewall charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Apr  3 08:17:19 Firewall charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Apr  3 08:17:19 Firewall charon: 00[CFG]   loaded IKE secret for 6.7.8.9
Apr  3 08:17:19 Firewall charon: 00[CFG] loaded 0 RADIUS server configurations
Apr  3 08:17:19 Firewall charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Apr  3 08:17:19 Firewall charon: 00[JOB] spawning 16 worker threads
Apr  3 08:17:19 Firewall charon: 16[CFG] received stroke: add connection 'con1'
Apr  3 08:17:19 Firewall charon: 16[CFG] added configuration 'con1'
Apr  3 08:17:26 Firewall charon: 10[CFG] received stroke: initiate 'con1'
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> initiating Main Mode IKE_SA con1[1] to 6.7.8.9
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> generating ID_PROT request 0 [ SA V V V V V ]
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (180 bytes)
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (200 bytes)
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> parsed ID_PROT response 0 [ SA V V V V ]
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> received XAuth vendor ID
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> received DPD vendor ID
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4d:53:34:7a:49:45:4a:4f:50:54:55:34:4e:6a:41:78:4f:41:3d:3d
Apr  3 08:17:26 Firewall charon: 13[CFG] <con1|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (332 bytes)
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (308 bytes)
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (76 bytes)
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> parsed ID_PROT response 0 [ ID HASH ]
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> IKE_SA con1[1] established between 1.2.3.4[1.2.3.4]...6.7.8.9[6.7.8.9]
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> scheduling reauthentication in 28109s
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> maximum IKE_SA lifetime 28649s
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> generating QUICK_MODE request 2800853545 [ HASH SA No KE ID ID ]
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (396 bytes)
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (396 bytes)
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> parsed QUICK_MODE response 2800853545 [ HASH SA No KE ID ID N((24576)) ]
Apr  3 08:17:26 Firewall charon: 13[CFG] <con1|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Apr  3 08:17:26 Firewall charon: 13[IKE] <con1|1> CHILD_SA con1{1} established with SPIs ca4c9de8_i e448f5c5_o and TS 10.40.20.0/24 === 10.251.0.0/19
Apr  3 08:17:26 Firewall charon: 13[ENC] <con1|1> generating QUICK_MODE request 2800853545 [ HASH ]
Apr  3 08:17:26 Firewall charon: 13[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (76 bytes)
Apr  3 08:17:33 Firewall charon: 10[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 08:17:33 Firewall charon: 10[ENC] <con1|1> parsed INFORMATIONAL_V1 request 2412544763 [ HASH N(DPD) ]
Apr  3 08:17:33 Firewall charon: 10[ENC] <con1|1> generating INFORMATIONAL_V1 request 1190477729 [ HASH N(DPD_ACK) ]
Apr  3 08:17:33 Firewall charon: 10[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)

Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 09:23:21 am
Here's another small addendum:
Apr  3 08:42:14 Firewall charon: 13[KNL] <con1|1> querying policy 10.251.0.0/19 === 10.40.20.0/24 in failed, not found
Apr  3 08:47:34 Firewall charon: 09[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (364 bytes)
Apr  3 08:47:34 Firewall charon: 09[ENC] <con1|1> parsed QUICK_MODE request 3368225970 [ HASH SA No ID ID KE ]
Apr  3 08:47:34 Firewall charon: 09[CFG] <con1|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Apr  3 08:47:34 Firewall charon: 09[IKE] <con1|1> detected rekeying of CHILD_SA con1{1}
Apr  3 08:47:34 Firewall charon: 09[ENC] <con1|1> generating QUICK_MODE response 3368225970 [ HASH SA No KE ID ID ]
Apr  3 08:47:34 Firewall charon: 09[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (396 bytes)
Apr  3 08:47:34 Firewall charon: 09[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (76 bytes)
Apr  3 08:47:34 Firewall charon: 09[ENC] <con1|1> parsed QUICK_MODE request 3368225970 [ HASH ]
Apr  3 08:47:34 Firewall charon: 09[IKE] <con1|1> CHILD_SA con1{2} established with SPIs c834b5a2_i 83e093c0_o and TS 10.40.20.0/24 === 10.251.0.0/19
Apr  3 08:59:33 Firewall charon: 16[KNL] creating rekey job for CHILD_SA ESP/0xe448f5c5/6.7.8.9
Apr  3 09:00:38 Firewall charon: 16[KNL] creating rekey job for CHILD_SA ESP/0xca4c9de8/1.2.3.4
Apr  3 09:17:27 Firewall charon: 07[KNL] creating delete job for CHILD_SA ESP/0xca4c9de8/1.2.3.4
Apr  3 09:17:27 Firewall charon: 07[KNL] creating delete job for CHILD_SA ESP/0xe448f5c5/6.7.8.9
Apr  3 09:17:27 Firewall charon: 16[IKE] <con1|1> closing expired CHILD_SA con1{1} with SPIs ca4c9de8_i e448f5c5_o and TS 10.40.20.0/24 === 10.251.0.0/19
Apr  3 09:17:27 Firewall charon: 16[KNL] <con1|1> unable to delete SAD entry with SPI ca4c9de8: No such process (3)
Apr  3 09:17:27 Firewall charon: 16[KNL] <con1|1> unable to delete SAD entry with SPI e448f5c5: No such process (3)
Apr  3 09:17:27 Firewall charon: 16[IKE] <con1|1> sending DELETE for ESP CHILD_SA with SPI ca4c9de8
Apr  3 09:17:27 Firewall charon: 16[ENC] <con1|1> generating INFORMATIONAL_V1 request 1419566519 [ HASH D ]
Apr  3 09:17:27 Firewall charon: 16[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (92 bytes)
Apr  3 09:17:27 Firewall charon: 15[JOB] CHILD_SA ESP/0xe448f5c5/6.7.8.9 not found for delete
Apr  3 09:17:36 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (92 bytes)
Apr  3 09:17:36 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 4181719154 [ HASH D ]
Apr  3 09:17:36 Firewall charon: 15[IKE] <con1|1> received DELETE for ESP CHILD_SA with SPI e448f5c5
Apr  3 09:17:36 Firewall charon: 15[IKE] <con1|1> CHILD_SA not found, ignored
Apr  3 09:19:18 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 09:19:18 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 3083741685 [ HASH N(DPD) ]
Apr  3 09:19:18 Firewall charon: 15[ENC] <con1|1> generating INFORMATIONAL_V1 request 3066852446 [ HASH N(DPD_ACK) ]
Apr  3 09:19:18 Firewall charon: 15[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 09:19:39 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 09:19:39 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 3766535468 [ HASH N(DPD) ]
Apr  3 09:19:39 Firewall charon: 15[ENC] <con1|1> generating INFORMATIONAL_V1 request 1222143153 [ HASH N(DPD_ACK) ]
Apr  3 09:19:39 Firewall charon: 15[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 09:20:00 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 09:20:00 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 3933273391 [ HASH N(DPD) ]
Apr  3 09:20:00 Firewall charon: 15[ENC] <con1|1> generating INFORMATIONAL_V1 request 3124359170 [ HASH N(DPD_ACK) ]
Apr  3 09:20:00 Firewall charon: 15[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 09:20:21 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 09:20:21 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 2434883876 [ HASH N(DPD) ]
Apr  3 09:20:21 Firewall charon: 15[ENC] <con1|1> generating INFORMATIONAL_V1 request 803787408 [ HASH N(DPD_ACK) ]
Apr  3 09:20:21 Firewall charon: 15[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 09:20:42 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 09:20:42 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 2965538176 [ HASH N(DPD) ]
Apr  3 09:20:42 Firewall charon: 15[ENC] <con1|1> generating INFORMATIONAL_V1 request 3692622526 [ HASH N(DPD_ACK) ]
Apr  3 09:20:42 Firewall charon: 15[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)
Apr  3 09:21:03 Firewall charon: 15[NET] <con1|1> received packet: from 6.7.8.9[500] to 1.2.3.4[500] (108 bytes)
Apr  3 09:21:03 Firewall charon: 15[ENC] <con1|1> parsed INFORMATIONAL_V1 request 3083345406 [ HASH N(DPD) ]
Apr  3 09:21:03 Firewall charon: 15[ENC] <con1|1> generating INFORMATIONAL_V1 request 3467772997 [ HASH N(DPD_ACK) ]
Apr  3 09:21:03 Firewall charon: 15[NET] <con1|1> sending packet: from 1.2.3.4[500] to 6.7.8.9[500] (108 bytes)

Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 10:26:55 am
Looks good, then on the console:

tcpdump -n -i enc0
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 10:44:33 am
Then the following comes out:
10:40:51.838565 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51117 > 10.40.20.107.8080: Flags [S], seq 3950932660, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:40:51.839413 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51118 > 10.40.20.107.8080: Flags [S], seq 1790102382, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:40:52.090195 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51119 > 10.40.20.107.8080: Flags [S], seq 587958692, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:40:54.840006 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51118 > 10.40.20.107.8080: Flags [S], seq 1790102382, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:40:54.840495 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51117 > 10.40.20.107.8080: Flags [S], seq 3950932660, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:40:55.090348 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51119 > 10.40.20.107.8080: Flags [S], seq 587958692, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:41:00.840389 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51117 > 10.40.20.107.8080: Flags [S], seq 3950932660, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:41:00.840426 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51118 > 10.40.20.107.8080: Flags [S], seq 1790102382, win 64240, options [mss 1398,nop,nop,sackOK], length 0
10:41:01.104136 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51119 > 10.40.20.107.8080: Flags [S], seq 587958692, win 64240, options [mss 1398,nop,nop,sackOK], length 0

Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 11:07:58 am
Something else I noticed...
On the other side there is (as 8080 already suggests) a web server...
Here I have no entry in the access log...
Does the packet really arrive at the server at all? Or do I still need to set up a port forward or something similar?
Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 11:14:17 am
So 10.251.11 is remote, you are 10.40.20 .. so either it is blocked (check the live log and the rules in the IPsec tab), or you are looking with tcpdump at the wrong interface; for that I need an ifconfig
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 11:31:35 am
Exactly :)

So in the FW rules I have the following rules under IPsec:

IPv4 ICMP     10.251.0.0/19    *    10.40.20.107 *       *
IPv4 TCP/UDP  10.251.0.0/19    *    10.40.20.107 8080    *


The rules were active the whole time. So they were NOT just added now :)
Uhm.. currently about 20 interfaces are attached here.. for which one would you need the ifconfig?

I also have a "remote" syslog server in which all my traffic is logged, whether the FW allows it or not.. Neither in the live log nor in the remote log is there a red entry being blocked.


ifconfig enc0
enc0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc


ifconfig re0 (WAN)
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2018<VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC>
        ether 00:xx:xy:xz:yx:yz
        hwaddr 00:xx:xy:xz:yx:yz
        inet 1.2.3.4 netmask 0xfffffff0 broadcast 1.2.3.15
        inet 1.2.3.5 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 1
        inet 1.2.3.6 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 5
        inet 1.2.3.7 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 6
        inet 1.2.3.8 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 7
        inet 1.2.3.9 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 8
        inet 1.2.3.10 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 9
        inet 1.2.3.11 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 10
        inet 1.2.3.12 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 11
        inet 1.2.3.13 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 12
        inet 1.2.3.14 netmask 0xfffffff0 broadcast 1.2.3.15 vhid 13
        inet6 fe80::2e0:4cff:fe68:18f%re0 prefixlen 64 scopeid 0x2
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 1 advskew 0
        carp: MASTER vhid 5 advbase 1 advskew 0
        carp: MASTER vhid 6 advbase 1 advskew 0
        carp: MASTER vhid 7 advbase 1 advskew 0
        carp: MASTER vhid 8 advbase 1 advskew 0
        carp: MASTER vhid 9 advbase 1 advskew 0
        carp: MASTER vhid 10 advbase 1 advskew 0
        carp: MASTER vhid 11 advbase 1 advskew 0
        carp: MASTER vhid 12 advbase 1 advskew 0
        carp: MASTER vhid 13 advbase 1 advskew 0


ifconfig em0 (Server interface)
em0_vlan200: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:ab:bc:cd:ef:fe
        inet6 00:ab:bc:cd:ef:fe:f5e8%em0_vlan200 prefixlen 64 scopeid 0x17
        inet 10.40.20.20 netmask 0xffffff00 broadcast 10.40.20.255
        inet 10.40.20.1 netmask 0xffffff00 broadcast 10.40.20.255 vhid 200
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 200 vlanpcp: 0 parent interface: em0
        carp: MASTER vhid 200 advbase 1 advskew 0
        groups: vlan
Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 12:53:15 pm
tcpdump net 10.251.0.0/16 -n -i em0_vlan200

If you then see nothing, it is blocked; if it goes out, it's the server's fault
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 01:01:51 pm

So the output is now:
12:56:31.962429 IP 10.251.11.118.62301 > 10.40.20.107.8080: Flags [S], seq 2260522750, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:31.963200 IP 10.40.20.107.8080 > 10.251.11.118.62301: Flags [S.], seq 393913053, ack 2260522751, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:31.963832 IP 10.251.11.118.62302 > 10.40.20.107.8080: Flags [S], seq 3811639012, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:31.964290 IP 10.40.20.107.8080 > 10.251.11.118.62302: Flags [S.], seq 3186900093, ack 3811639013, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:32.213998 IP 10.251.11.118.62303 > 10.40.20.107.8080: Flags [S], seq 1589449303, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:32.214537 IP 10.40.20.107.8080 > 10.251.11.118.62303: Flags [S.], seq 1476060131, ack 1589449304, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:34.963098 IP 10.251.11.118.62301 > 10.40.20.107.8080: Flags [S], seq 2260522750, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:34.964120 IP 10.251.11.118.62302 > 10.40.20.107.8080: Flags [S], seq 3811639012, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:34.968869 IP 10.40.20.107.8080 > 10.251.11.118.62302: Flags [S.], seq 3186900093, ack 3811639013, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:34.968882 IP 10.40.20.107.8080 > 10.251.11.118.62301: Flags [S.], seq 393913053, ack 2260522751, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:35.214113 IP 10.251.11.118.62303 > 10.40.20.107.8080: Flags [S], seq 1589449303, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:35.218862 IP 10.40.20.107.8080 > 10.251.11.118.62303: Flags [S.], seq 1476060131, ack 1589449304, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:40.964275 IP 10.251.11.118.62301 > 10.40.20.107.8080: Flags [S], seq 2260522750, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:40.965545 IP 10.251.11.118.62302 > 10.40.20.107.8080: Flags [S], seq 3811639012, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:40.968857 IP 10.40.20.107.8080 > 10.251.11.118.62301: Flags [S.], seq 393913053, ack 2260522751, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:40.968875 IP 10.40.20.107.8080 > 10.251.11.118.62302: Flags [S.], seq 3186900093, ack 3811639013, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:41.214489 IP 10.251.11.118.62303 > 10.40.20.107.8080: Flags [S], seq 1589449303, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:41.218910 IP 10.40.20.107.8080 > 10.251.11.118.62303: Flags [S.], seq 1476060131, ack 1589449304, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:52.968690 IP 10.40.20.107.8080 > 10.251.11.118.62302: Flags [R], seq 3186900094, win 0, length 0
12:56:52.984468 IP 10.40.20.107.8080 > 10.251.11.118.62301: Flags [R], seq 393913054, win 0, length 0
12:56:53.092135 IP 10.251.11.118.62332 > 10.40.20.107.8080: Flags [S], seq 165767855, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:53.092760 IP 10.40.20.107.8080 > 10.251.11.118.62332: Flags [S.], seq 749818019, ack 165767856, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:56:53.218710 IP 10.40.20.107.8080 > 10.251.11.118.62303: Flags [R], seq 1476060132, win 0, length 0
12:56:56.092626 IP 10.251.11.118.62332 > 10.40.20.107.8080: Flags [S], seq 165767855, win 64240, options [mss 1398,nop,nop,sackOK], length 0
12:56:56.093723 IP 10.40.20.107.8080 > 10.251.11.118.62332: Flags [S.], seq 749818019, ack 165767856, win 8192, options [mss 1460,nop,nop,sackOK], length 0


So I see something.. so it is not blocked.. so it's the server?
By server you mean my web server?
Right? :D
Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 01:08:20 pm
You have a gateway rule active on that network that routes your packets past the tunnel.
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 01:20:16 pm
You mean under System -> Routes -> Configuration?
I have a few static routes defined here.. but none that fall into that range...
Namely
10.100.111.0/24
10.100.49.0/24
172.20.2.7/25
172.20.2.0/24
are routed statically...
Yes, I know one of the last two is "unnecessary"...

Where can I view or read this out? I'm not aware of having anything else in there...
Under Gateways I have my ISP's router and marked it as default... Is that the cause?
Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 01:26:51 pm
Firewall rules tab of VLAN200 .. screenshot please
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 01:52:50 pm

As requested :)

See attachment
Title: Re: IPSec Problem
Post by: mimugmail on April 03, 2019, 04:45:02 pm
Advanced Options
Install policy: JA

!!

There was an update with 19.1.4 that sets the default to NEIN; please tick it, then it works.
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 05:14:31 pm
I've ticked the box and it looks like it works now..
At least I can already see in the IPsec stats that data is being sent out....

I'll only get the final confirmation tomorrow, when the service provider tries to access it.

Many thanks!!!

I did think it would surely be some stupid checkbox...
Title: Re: IPSec Problem
Post by: franco on April 03, 2019, 05:18:04 pm
It's back to "normal" with 19.1.5. Only affects new phase 1 entries created on 19.1.4.

Regards
Franco
Title: Re: IPSec Problem
Post by: superwinni2 on April 03, 2019, 05:23:28 pm
Since I'm currently still on 19.1.4...
JACKPOT :D


Title: Re: IPSec Problem
Post by: superwinni2 on April 04, 2019, 08:27:01 am
:) Sooo, now I have the confirmation too. :)
It works without problems. 8)

So for the people who have the same problem and configured the IPsec VPN connection on 19.1.4:

Enable the "Install Policy" checkbox in VPN phase 1!!!!
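As an added example (not code from the thread or from OPNsense/strongSwan), a small Python triage script that correlates the three artefacts collected in this thread: charon lines from ipsec.log, the tcpdump on enc0 and the tcpdump on the inner LAN interface. Its sample lines are constructed in the thread's formats; it flags the pattern seen here (replies leave the server side but never re-enter enc0 while charon reports a missing policy) and tells it apart from a silent server or a plain routing problem.

```python
"""Triage a one-way IPsec tunnel (packets come in, nothing goes out).

Added example, not code from the thread or from OPNsense/strongSwan. It correlates
charon lines from ipsec.log, a tcpdump on enc0 and a tcpdump on the inner LAN
interface (sample lines below are constructed in the thread's formats). Replies that
leave the LAN side but never show up on enc0, together with charon's "querying policy
... failed, not found", mean the kernel has no SPD entry for the tunnel, which is what
an unchecked "Install policy" produces.
"""
import ipaddress
import re

# tcpdump on enc0 prefixes each packet with "(authentic,confidential): SPI 0x...:";
# on a plain interface that prefix is absent, so it is optional here.
TCPDUMP_RE = re.compile(
    r"^\S+\s+(?:\(authentic,confidential\):\s+SPI\s+0x[0-9a-f]+:\s+)?"
    r"IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
# charon logs this when it asks the kernel for a policy that was never installed
POLICY_MISSING_RE = re.compile(r"querying policy (\S+) === (\S+) in failed, not found")


def parse_tcpdump(lines):
    """Return (src, sport, dst, dport) for every packet line; other lines are skipped."""
    packets = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return packets


def missing_policies(charon_lines):
    """Traffic selectors (a, b) for which charon could not find a kernel policy."""
    found = []
    for line in charon_lines:
        m = POLICY_MISSING_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def _flows(packets, src_net, dst_net, as_reply=False):
    """Flow keys for packets going src_net -> dst_net; replies are keyed by the flow they answer."""
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    keys = set()
    for src, sport, dst, dport in packets:
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            keys.add((dst, dport, src, sport) if as_reply else (src, sport, dst, dport))
    return keys


def diagnose(charon_lines, enc0_lines, lan_lines, remote_net, local_net):
    """Match inbound tunnel flows against their replies on enc0 and on the LAN."""
    enc0, lan = parse_tcpdump(enc0_lines), parse_tcpdump(lan_lines)
    inbound = _flows(enc0, remote_net, local_net)             # remote -> local, arrived through the tunnel
    replied_lan = _flows(lan, local_net, remote_net, True)    # local -> remote, left the server side
    replied_enc0 = _flows(enc0, local_net, remote_net, True)  # local -> remote, went back into the tunnel

    stranded = sorted((inbound & replied_lan) - replied_enc0)  # answered, but the answer bypassed enc0
    unanswered = sorted(inbound - replied_lan)                 # the server never replied at all
    policies = missing_policies(charon_lines)

    if stranded and policies:
        verdict = "no_spd_entry"        # nothing steers the replies into the tunnel: enable Install policy
    elif stranded:
        verdict = "routed_past_tunnel"  # check gateway / policy routing on the LAN rules
    elif unanswered:
        verdict = "no_reply_from_server"
    else:
        verdict = "ok"
    return {"verdict": verdict, "stranded": stranded, "unanswered": unanswered,
            "missing_policies": policies}


# Constructed sample data in the thread's formats (addresses as in the thread).
CHARON_LOG = [
    "Apr  3 08:42:14 Firewall charon: 13[KNL] <con1|1> querying policy 10.251.0.0/19 === 10.40.20.0/24 in failed, not found",
    "Apr  3 08:47:34 Firewall charon: 09[IKE] <con1|1> CHILD_SA con1{2} established with SPIs c834b5a2_i 83e093c0_o and TS 10.40.20.0/24 === 10.251.0.0/19",
]
ENC0_DUMP = [
    "10:40:51.838565 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51117 > 10.40.20.107.8080: Flags [S], seq 3950932660, win 64240, length 0",
    "10:40:51.839413 (authentic,confidential): SPI 0xc5d642d2: IP 10.251.11.118.51118 > 10.40.20.107.8080: Flags [S], seq 1790102382, win 64240, length 0",
]
LAN_DUMP = [
    "10:40:51.962429 IP 10.251.11.118.51117 > 10.40.20.107.8080: Flags [S], seq 3950932660, win 64240, length 0",
    "10:40:51.963200 IP 10.40.20.107.8080 > 10.251.11.118.51117: Flags [S.], seq 393913053, ack 3950932661, win 8192, length 0",
    "10:40:51.963832 IP 10.251.11.118.51118 > 10.40.20.107.8080: Flags [S], seq 1790102382, win 64240, length 0",
    "10:40:51.964290 IP 10.40.20.107.8080 > 10.251.11.118.51118: Flags [S.], seq 3186900093, ack 1790102383, win 8192, length 0",
]

if __name__ == "__main__":
    print(diagnose(CHARON_LOG, ENC0_DUMP, LAN_DUMP, "10.251.0.0/19", "10.40.20.0/24"))
```

On a real box the three lists are the output of `clog /var/log/ipsec.log`, `tcpdump -n -i enc0` and `tcpdump -n -i em0_vlan200`, split into lines.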
Title: Re: IPSec Problem
Post by: mimugmail on April 04, 2019, 09:21:43 am
Or install 19.1.5 today when it comes out :)