OPNsense Forum

International Forums => German - Deutsch => Topic started by: Sven-J on August 28, 2019, 05:21:24 pm

Title: [solved]IPSEC Routing
Post by: Sven-J on August 28, 2019, 05:21:24 pm
Hi everyone!

System:

OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
OpenSSL 1.0.2s 28 May 2019

System at the customer's site:

Cisco ASA 5520

I have the following problem: IPsec is set up

Code:
root@DEHAM01-FW01:# ipsec status
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Routed Connections:
    con1-009{39}:  CREATED, TUNNEL, reqid 29
    con1-009{39}:   172.21.106.0/24 === 10.164.141.10/32
    con1-008{38}:  CREATED, TUNNEL, reqid 28
    con1-008{38}:   172.21.106.0/24 === 10.164.255.17/32
    con1-007{37}:  CREATED, TUNNEL, reqid 27
    con1-007{37}:   172.21.106.0/24 === 10.164.140.34/32
    con1-006{36}:  CREATED, TUNNEL, reqid 26
    con1-006{36}:   172.21.106.0/24 === 172.22.112.0/24
    con1-005{35}:  CREATED, TUNNEL, reqid 25
    con1-005{35}:   172.21.106.0/24 === 172.22.126.0/24
    con1-004{34}:  CREATED, TUNNEL, reqid 24
    con1-004{34}:   172.21.106.0/24 === 172.22.121.0/24
    con1-003{33}:  CREATED, TUNNEL, reqid 23
    con1-003{33}:   172.21.106.0/24 === 10.164.254.160/27
    con1-002{32}:  CREATED, TUNNEL, reqid 22
    con1-002{32}:   172.21.106.0/24 === 10.164.254.128/27
    con1-001{31}:  CREATED, TUNNEL, reqid 21
    con1-001{31}:   172.21.106.0/24 === 10.164.254.64/26
    con1-000{30}:  CREATED, TUNNEL, reqid 2
    con1-000{30}:   172.21.106.0/24 === 10.164.254.32/27
Security Associations (1 up, 0 connecting):
    con1-000[5]: ESTABLISHED 22 seconds ago, 149.XXX.XXX.XXX[149.XXX.XXX.XXX]...194.XXX.XXX.XXX[194.XXX.XXX.XXX]
    con1-000{40}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c6f0bf35_i 0678ef9d_o
    con1-000{40}:   172.21.106.0/24 === 10.164.254.32/27
    con1-001{41}:  INSTALLED, TUNNEL, reqid 21, ESP SPIs: ce913538_i 43cf35fc_o
    con1-001{41}:   172.21.106.0/24 === 10.164.254.64/26
    con1-002{42}:  INSTALLED, TUNNEL, reqid 22, ESP SPIs: ca16100e_i dfdf4782_o
    con1-002{42}:   172.21.106.0/24 === 10.164.254.128/27
    con1-003{43}:  INSTALLED, TUNNEL, reqid 23, ESP SPIs: c28ac187_i 00ce068a_o
    con1-003{43}:   172.21.106.0/24 === 10.164.254.160/27
    con1-004{44}:  INSTALLED, TUNNEL, reqid 24, ESP SPIs: cd6d51b0_i 79565116_o
    con1-004{44}:   172.21.106.0/24 === 172.22.121.0/24
    con1-005{45}:  INSTALLED, TUNNEL, reqid 25, ESP SPIs: cf4293ed_i 1171cabd_o
    con1-005{45}:   172.21.106.0/24 === 172.22.126.0/24
    con1-006{46}:  INSTALLED, TUNNEL, reqid 26, ESP SPIs: cdf727dd_i 389b4373_o
    con1-006{46}:   172.21.106.0/24 === 172.22.112.0/24
    con1-007{47}:  INSTALLED, TUNNEL, reqid 27, ESP SPIs: cfb1c13c_i fe8c444f_o
    con1-007{47}:   172.21.106.0/24 === 10.164.140.34/32
    con1-008{48}:  INSTALLED, TUNNEL, reqid 28, ESP SPIs: cf11def8_i 6a75d7b8_o
    con1-008{48}:   172.21.106.0/24 === 10.164.255.17/32
    con1-009{49}:  INSTALLED, TUNNEL, reqid 29, ESP SPIs: c6208dcf_i 9d008adf_o
    con1-009{49}:   172.21.106.0/24 === 10.164.141.10/32

But somehow nothing goes through the tunnel :! Anyone have an idea?


Deleted the tunnel and recreated it, then it worked ...

Title: Re: IPSEC Routing
Post by: Sven-J on August 28, 2019, 05:46:22 pm
Screenshot 1 attached
Title: Re: IPSEC Routing
Post by: Sven-J on August 28, 2019, 05:46:39 pm
Screenshot 2 attached
Title: Re: IPSEC Routing
Post by: mimugmail on August 28, 2019, 06:52:58 pm
Is everything allowed in the firewall?
Title: Re: IPSEC Routing
Post by: Sven-J on August 28, 2019, 06:55:57 pm
Is everything allowed in the firewall?

Well, the logs for source 172.21.106.0, dest: 10.164.254. port 22 show everything green.

But when I run a traceroute, it wants to go out to the internet....

Title: Re: IPSEC Routing
Post by: mimugmail on August 28, 2019, 07:50:40 pm
Ah, you're using multi-WAN and have a gateway rule active. You need an accept rule without a gateway before it.
Title: Re: IPSEC Routing
Post by: Sven-J on August 28, 2019, 08:24:52 pm
Ah, you're using multi-WAN and have a gateway rule active. You need an accept rule without a gateway before it.

Hi!

No, I don't have multi-WAN, I just have 2 nodes:

149.XXX.XXX.178 – deham01-fw CARP
149.XXX.XXX.179 - deham01-fw01
149.XXX.XXX.180 - deham01-fw02


Title: Re: IPSEC Routing
Post by: Sven-J on August 28, 2019, 09:34:13 pm
Ah, you're using multi-WAN and have a gateway rule active. You need an accept rule without a gateway before it.

Hi!

No, I don't have multi-WAN, I just have 2 nodes:

149.XXX.XXX.178 – deham01-fw CARP
149.XXX.XXX.179 - deham01-fw01
149.XXX.XXX.180 - deham01-fw02

Aug 28 21:33:17   charon: 11[ENC] <con1-000|7> parsed INFORMATIONAL_V1 request 3770589584 [ HASH N(DPD_ACK) ]
Aug 28 21:33:17   charon: 11[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (92 bytes)
Aug 28 21:33:17   charon: 11[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (92 bytes)
Aug 28 21:33:17   charon: 11[ENC] <con1-000|7> generating INFORMATIONAL_V1 request 1471798028 [ HASH N(DPD) ]
Aug 28 21:33:17   charon: 11[IKE] <con1-000|7> sending DPD request
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.255.17/32 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.140.34/32 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 172.22.112.0/24 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 172.22.126.0/24 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 172.22.121.0/24 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.160/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.128/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.64/26 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.32/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:30   charon: 07[ENC] <con1-000|7> generating QUICK_MODE request 2166131354 [ HASH ]
Aug 28 21:31:30   charon: 07[IKE] <con1-000|7> CHILD_SA con1-008{68} established with SPIs cd07a10d_i c8207bfe_o and TS 172.21.106.0/24 === 10.164.255.17/32
Aug 28 21:31:30   charon: 07[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:30   charon: 07[ENC] <con1-000|7> parsed QUICK_MODE response 2166131354 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:30   charon: 07[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:30   charon: 07[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:30   charon: 07[ENC] <con1-000|7> generating QUICK_MODE request 2166131354 [ HASH SA No ID ID ]
Aug 28 21:31:30   charon: 12[CFG] received stroke: initiate 'con1-008'
Aug 28 21:31:29   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:29   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 3112779887 [ HASH ]
Aug 28 21:31:29   charon: 09[IKE] <con1-000|7> CHILD_SA con1-007{67} established with SPIs c2783f4b_i 204ca29c_o and TS 172.21.106.0/24 === 10.164.140.34/32
Aug 28 21:31:29   charon: 09[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:29   charon: 09[ENC] <con1-000|7> parsed QUICK_MODE response 3112779887 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:29   charon: 09[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:29   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:29   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 3112779887 [ HASH SA No ID ID ]
Aug 28 21:31:29   charon: 07[CFG] received stroke: initiate 'con1-007'
Aug 28 21:31:28   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:28   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 2634036184 [ HASH ]
Aug 28 21:31:28   charon: 09[IKE] <con1-000|7> CHILD_SA con1-006{66} established with SPIs c8897faa_i 9090c4b0_o and TS 172.21.106.0/24 === 172.22.112.0/24
Aug 28 21:31:28   charon: 09[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:28   charon: 09[ENC] <con1-000|7> parsed QUICK_MODE response 2634036184 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:28   charon: 09[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:28   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:28   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 2634036184 [ HASH SA No ID ID ]
Aug 28 21:31:28   charon: 07[CFG] received stroke: initiate 'con1-006'
Aug 28 21:31:27   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:27   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 4116558150 [ HASH ]
Aug 28 21:31:27   charon: 16[IKE] <con1-000|7> CHILD_SA con1-005{65} established with SPIs cca56f10_i b0be49c6_o and TS 172.21.106.0/24 === 172.22.126.0/24
Aug 28 21:31:27   charon: 16[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:27   charon: 16[ENC] <con1-000|7> parsed QUICK_MODE response 4116558150 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:27   charon: 16[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:27   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:27   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 4116558150 [ HASH SA No ID ID ]
Aug 28 21:31:27   charon: 09[CFG] received stroke: initiate 'con1-005'
Aug 28 21:31:25   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:25   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 1754381864 [ HASH ]
Aug 28 21:31:25   charon: 16[IKE] <con1-000|7> CHILD_SA con1-004{64} established with SPIs c5ad7751_i c2248fed_o and TS 172.21.106.0/24 === 172.22.121.0/24
Aug 28 21:31:25   charon: 16[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:25   charon: 16[ENC] <con1-000|7> parsed QUICK_MODE response 1754381864 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:25   charon: 16[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:25   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:25   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 1754381864 [ HASH SA No ID ID ]
Aug 28 21:31:25   charon: 09[CFG] received stroke: initiate 'con1-004'
Aug 28 21:31:24   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:24   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4002842253 [ HASH ]
Aug 28 21:31:24   charon: 06[IKE] <con1-000|7> CHILD_SA con1-003{63} established with SPIs cdc797d1_i e4d0d0f7_o and TS 172.21.106.0/24 === 10.164.254.160/27
Aug 28 21:31:24   charon: 06[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:24   charon: 06[ENC] <con1-000|7> parsed QUICK_MODE response 4002842253 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:24   charon: 06[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:24   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:24   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4002842253 [ HASH SA No ID ID ]
Aug 28 21:31:24   charon: 05[CFG] received stroke: initiate 'con1-003'
Aug 28 21:31:23   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:23   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 916152515 [ HASH ]
Aug 28 21:31:23   charon: 06[IKE] <con1-000|7> CHILD_SA con1-002{62} established with SPIs cb7ca3f9_i 99a14889_o and TS 172.21.106.0/24 === 10.164.254.128/27
Aug 28 21:31:23   charon: 06[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:23   charon: 06[ENC] <con1-000|7> parsed QUICK_MODE response 916152515 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:23   charon: 06[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:23   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:23   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 916152515 [ HASH SA No ID ID ]
Aug 28 21:31:23   charon: 05[CFG] received stroke: initiate 'con1-002'
Aug 28 21:31:22   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:22   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4277161391 [ HASH ]
Aug 28 21:31:22   charon: 06[IKE] <con1-000|7> CHILD_SA con1-001{61} established with SPIs c9e22597_i f3498b93_o and TS 172.21.106.0/24 === 10.164.254.64/26
Aug 28 21:31:22   charon: 06[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:22   charon: 06[ENC] <con1-000|7> parsed QUICK_MODE response 4277161391 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:22   charon: 06[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:22   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:22   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4277161391 [ HASH SA No ID ID ]
Aug 28 21:31:22   charon: 05[CFG] received stroke: initiate 'con1-001'
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating QUICK_MODE request 1401173596 [ HASH ]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> CHILD_SA con1-000{60} established with SPIs c37da27b_i b3e0a0f0_o and TS 172.21.106.0/24 === 10.164.254.32/27
Aug 28 21:31:20   charon: 05[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed QUICK_MODE response 1401173596 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating QUICK_MODE request 1401173596 [ HASH SA No ID ID ]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> maximum IKE_SA lifetime 28370s
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> scheduling reauthentication in 27830s
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> IKE_SA con1-000[7] established between 149.XXX.XXX.178[149.XXX.XXX.178]...194.XXX.XXX.240[194.XXX.XXX.240]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received DPD vendor ID
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed ID_PROT response 0 [ ID HASH V ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (92 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (108 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> received unknown vendor ID: 36:f7:df:61:25:50:6c:8d:2d:62:e4:16:96:34:0e:e4
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received XAuth vendor ID
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received Cisco Unity vendor ID
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (304 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (244 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 28 21:31:20   charon: 05[CFG] <con1-000|7> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received FRAGMENTATION vendor ID
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received NAT-T (RFC 3947) vendor ID
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed ID_PROT response 0 [ SA V V ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (128 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (288 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating ID_PROT request 0 [ SA V V V V V ]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> initiating Main Mode IKE_SA con1-000[7] to 194.XXX.XXX.240
Aug 28 21:31:20   charon: 06[CFG] received stroke: initiate 'con1-000'


Here are the logs from just now again
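
Added example (not part of the original posts): the charon log above prints each "querying policy ... in failed, not found" message with the selectors reversed relative to the "CHILD_SA ... established" TS. This Python script pairs the two to list the established CHILD_SAs for which charon logged a failed 'in' policy query; the function names are hypothetical, and the sample is a subset of the posted log lines with the con1-001 policy message left out on purpose to show a non-matching case.

```python
import re
from ipaddress import ip_network

# Subset of the charon log lines posted in the thread (newest first, as posted).
# The con1-001 "querying policy" line is left out on purpose (constructed gap).
SAMPLE_LOG = """\
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.255.17/32 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.32/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[IKE] <con1-000|7> CHILD_SA con1-008{68} established with SPIs cd07a10d_i c8207bfe_o and TS 172.21.106.0/24 === 10.164.255.17/32
Aug 28 21:31:22   charon: 06[IKE] <con1-000|7> CHILD_SA con1-001{61} established with SPIs c9e22597_i f3498b93_o and TS 172.21.106.0/24 === 10.164.254.64/26
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> CHILD_SA con1-000{60} established with SPIs c37da27b_i b3e0a0f0_o and TS 172.21.106.0/24 === 10.164.254.32/27
"""

CHILD_RE = re.compile(
    r"CHILD_SA (?P<name>[\w-]+)\{\d+\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o "
    r"and TS (?P<local>\S+) === (?P<remote>\S+)"
)
POLICY_RE = re.compile(
    r"querying policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>\w+) failed, not found"
)

def parse_charon(log):
    """Return (child_sas, failed_policy_queries) found in a charon log."""
    children, failed = [], set()
    for line in log.splitlines():
        if m := CHILD_RE.search(line):
            children.append({
                "name": m["name"],
                "spi_in": m["spi_in"],
                "local": ip_network(m["local"]),
                "remote": ip_network(m["remote"]),
            })
        elif m := POLICY_RE.search(line):
            failed.add((ip_network(m["src"]), ip_network(m["dst"]), m["dir"]))
    return children, failed

def children_with_failed_in_policy(log):
    """Names of established CHILD_SAs whose reversed TS has a failed 'in' query."""
    children, failed = parse_charon(log)
    # The log prints the 'in' policy as remote === local, the TS as local === remote.
    return sorted({c["name"] for c in children
                   if (c["remote"], c["local"], "in") in failed})

if __name__ == "__main__":
    for name in children_with_failed_in_policy(SAMPLE_LOG):
        print(f"{name}: inbound policy query failed")
```

The matching is order-independent, so it works on a log that is listed newest first, as in the post.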