OPNsense Forum

International Forums => German - Deutsch => Topic started by: semi on April 27, 2022, 04:47:00 pm

Title: Site2Site IPSEC VPN Tunnel (OPNsense to SonicWall)
Post by: semi on April 27, 2022, 04:47:00 pm
Hello,

so far I have been trying without success to bring up a site-to-site tunnel from an OPNsense to a SonicWall.

OPNsense 22.1.6-amd64

SITE A (19....) OPNsense (headquarters)
SITE B (18....) SonicWall (remote site):

OPNsense log:

<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="71"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="72"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="73"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="74"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="75"] 00[CFG]   loaded ca certificate "C=AT, ST=xxx, L=xxx, O=xxx, E=xx@xx.com, CN=internal-ca" from '/usr/local/etc/ipsec.d/cacerts/aca4685c.0.crt'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="76"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="77"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="78"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="79"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="80"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="81"] 00[CFG]   loaded IKE secret for 18x.xxx.xxx.xxx
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="82"] 00[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="83"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="84"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="85"] 00[JOB] spawning 16 worker threads
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="86"] 05[CFG] received stroke: add connection 'con1'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="87"] 05[CFG] added configuration 'con1'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="88"] 15[CFG] received stroke: initiate 'con1'
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="89"] 15[MGR] checkout IKE_SA by config
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="90"] 15[MGR] created IKE_SA (unnamed)[1]
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="91"] 15[IKE] <con1|1> queueing IKE_VENDOR task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="92"] 15[IKE] <con1|1> queueing IKE_INIT task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="93"] 15[IKE] <con1|1> queueing IKE_NATD task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="94"] 15[IKE] <con1|1> queueing IKE_CERT_PRE task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="95"] 15[IKE] <con1|1> queueing IKE_AUTH task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="96"] 15[IKE] <con1|1> queueing IKE_CERT_POST task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="97"] 15[IKE] <con1|1> queueing IKE_CONFIG task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="98"] 15[IKE] <con1|1> queueing IKE_AUTH_LIFETIME task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="99"] 15[IKE] <con1|1> queueing IKE_MOBIKE task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="100"] 15[IKE] <con1|1> queueing CHILD_CREATE task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="101"] 15[IKE] <con1|1> activating new tasks
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="102"] 15[IKE] <con1|1>   activating IKE_VENDOR task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="103"] 15[IKE] <con1|1>   activating IKE_INIT task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="104"] 15[IKE] <con1|1>   activating IKE_NATD task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="105"] 15[IKE] <con1|1>   activating IKE_CERT_PRE task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="106"] 15[IKE] <con1|1>   activating IKE_AUTH task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="107"] 15[IKE] <con1|1>   activating IKE_CERT_POST task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="108"] 15[IKE] <con1|1>   activating IKE_CONFIG task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="109"] 15[IKE] <con1|1>   activating CHILD_CREATE task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="110"] 15[IKE] <con1|1>   activating IKE_AUTH_LIFETIME task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="111"] 15[IKE] <con1|1>   activating IKE_MOBIKE task
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="112"] 15[IKE] <con1|1> initiating IKE_SA con1[1] to 18x.xxx.xxx.xxx
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="113"] 15[IKE] <con1|1> IKE_SA con1[1] state change: CREATED => CONNECTING
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="114"] 15[IKE] <con1|1> natd_chunk => 22 bytes @ 0x0000000802c01460
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="115"] 15[IKE] <con1|1>    0: AD 13 AB 98 DB D6 B2 14 00 00 00 00 00 00 00 00  ................
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="116"] 15[IKE] <con1|1>   16: B6 49 FA 8A 01 F4                                .I....
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="117"] 15[IKE] <con1|1> natd_hash => 20 bytes @ 0x0000000802c01440
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="118"] 15[IKE] <con1|1>    0: 32 DA E4 9A 2C B7 68 78 4A E2 11 74 93 A7 23 83  2...,.hxJ..t..#.
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="119"] 15[IKE] <con1|1>   16: 92 6F F3 94                                      .o..
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="120"] 15[IKE] <con1|1> natd_chunk => 22 bytes @ 0x0000000802c01420
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="121"] 15[IKE] <con1|1>    0: AD 13 AB 98 DB D6 B2 14 00 00 00 00 00 00 00 00  ................
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="122"] 15[IKE] <con1|1>   16: C2 32 AD 2C 01 F4                                .2.,..
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="123"] 15[IKE] <con1|1> natd_hash => 20 bytes @ 0x0000000802c01400
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="124"] 15[IKE] <con1|1>    0: 2A B6 D3 BD 75 BE EE 5A 71 65 DC B1 C8 C6 A6 4E  *...u..Zqe.....N
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="125"] 15[IKE] <con1|1>   16: 14 8E 6C 7C                                      ..l|
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="126"] 15[ENC] <con1|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="127"] 15[NET] <con1|1> sending packet: from 19x.xxx.xxx.xxx[500] to 18x.xxx.xxx.xxx[500] (464 bytes)
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="128"] 15[MGR] <con1|1> checkin IKE_SA con1[1]
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="129"] 15[MGR] <con1|1> checkin of IKE_SA successful
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="130"] 16[MGR] checkout IKEv2 SA by message with SPIs ad13ab98dbd6b214_i 0000000000000000_r
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="131"] 16[MGR] IKE_SA con1[1] successfully checked out
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="132"] 16[NET] <con1|1> received packet: from 18x.xxx.xxx.xxx[500] to 19x.xxx.xxx.xxx[500] (36 bytes)
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="133"] 16[ENC] <con1|1> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="134"] 16[IKE] <con1|1> received INVALID_SYNTAX notify error
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="135"] 16[MGR] <con1|1> checkin and destroy IKE_SA con1[1]
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="136"] 16[IKE] <con1|1> IKE_SA con1[1] state change: CONNECTING => DESTROYING
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="137"] 16[MGR] checkin and destroy of IKE_SA successful
<30>1 2022-04-27T12:57:44+02:00 firewall charon 22907 - [meta sequenceId="138"] 16[MGR] checkout IKEv2 SA with SPIs ad13ab98dbd6b214_i 0000000000000000_r
<30>1 2022-04-27T12:57:44+02:00 firewall charon 22907 - [meta sequenceId="139"] 16[MGR] IKE_SA checkout not successful

Error on the SonicWall (Site B):

payload processing failed (no further details)

Screenshots from the OPNsense, anonymised, are attached. I can't take SonicWall screenshots at the moment; I'll gladly supply them later if needed.

The settings should match correctly on both sides.

Can anyone narrow down the error?

Many thanks in advance!

Regards
michael
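The charon log above contains the whole failure in a handful of lines: OPNsense sends a 464-byte IKE_SA_INIT request carrying SA, KE, nonce and notify payloads, and the SonicWall answers with a 36-byte reply that carries nothing but N(INVAL_SYN), after which charon destroys the IKE_SA. Because INVALID_SYNTAX comes back on the very first exchange, the responder rejected the message itself; authentication, lifetimes and traffic selectors have not been negotiated yet at that point, so they cannot be the cause. The following script is an added example and not part of the original post: it parses the syslog-wrapped charon lines, tracks each IKE_SA by its `<name|id>` tag, and reports which exchange the peer rejected and with which notify. The embedded sample input is an excerpt of the log posted above (addresses as redacted there); the regexes are written for this 22.1 syslog format and are an assumption for other OPNsense or strongSwan versions.

```python
"""Triage IKEv2 negotiation failures from OPNsense/strongSwan (charon) syslog lines.

Added example, not code from the original post or from OPNsense/strongSwan.
It groups log lines per IKE_SA and reports the exchange that the peer rejected.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the charon log quoted in the post (addresses already redacted there),
# embedded so the script runs offline.
SAMPLE_LOG = """\
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="112"] 15[IKE] <con1|1> initiating IKE_SA con1[1] to 18x.xxx.xxx.xxx
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="126"] 15[ENC] <con1|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<30>1 2022-04-27T12:57:40+02:00 firewall charon 22907 - [meta sequenceId="127"] 15[NET] <con1|1> sending packet: from 19x.xxx.xxx.xxx[500] to 18x.xxx.xxx.xxx[500] (464 bytes)
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="132"] 16[NET] <con1|1> received packet: from 18x.xxx.xxx.xxx[500] to 19x.xxx.xxx.xxx[500] (36 bytes)
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="133"] 16[ENC] <con1|1> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="134"] 16[IKE] <con1|1> received INVALID_SYNTAX notify error
<30>1 2022-04-27T12:57:41+02:00 firewall charon 22907 - [meta sequenceId="136"] 16[IKE] <con1|1> IKE_SA con1[1] state change: CONNECTING => DESTROYING
"""

# Syslog prefix as OPNsense 22.1 emits it (assumption for other versions), then charon's
# "<thread>[SUBSYS] <sa|id> message" body; the <sa|id> tag is absent on daemon-level lines.
LINE_RE = re.compile(
    r'^<\d+>\d+ (?P<ts>\S+) \S+ charon \d+ - \[meta sequenceId="\d+"\] '
    r'(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$'
)
INITIATING_RE = re.compile(r'initiating IKE_SA \S+ to (?P<peer>\S+)')
REQUEST_RE = re.compile(r'generating (?P<exch>\w+) request (?P<mid>\d+) \[ (?P<payloads>.*) \]')
RESPONSE_RE = re.compile(r'parsed (?P<exch>\w+) response (?P<mid>\d+) \[ (?P<payloads>.*) \]')
PACKET_RE = re.compile(r'(?P<dir>sending|received) packet: .*\((?P<size>\d+) bytes\)')
NOTIFY_ERR_RE = re.compile(r'received (?P<notify>[A-Z_]+) notify error')
STATE_RE = re.compile(r'state change: (?P<old>\w+) => (?P<new>\w+)')


@dataclass
class Exchange:
    name: str                      # IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL
    message_id: int
    request_payloads: List[str] = field(default_factory=list)
    response_payloads: List[str] = field(default_factory=list)
    sent_bytes: Optional[int] = None
    received_bytes: Optional[int] = None


@dataclass
class IkeSa:
    tag: str                       # charon's "<name|id>" tag, e.g. "con1|1"
    peer: Optional[str] = None
    exchanges: List[Exchange] = field(default_factory=list)
    error: Optional[str] = None    # notify error charon reported, e.g. INVALID_SYNTAX
    final_state: Optional[str] = None

    def failed_exchange(self) -> Optional[Exchange]:
        """First exchange whose response carried only notify payloads (no SA/KE/IDr)."""
        for ex in self.exchanges:
            if ex.response_payloads and all(p.startswith("N(") for p in ex.response_payloads):
                return ex
        return None


def analyze(log_text: str) -> Dict[str, IkeSa]:
    """Parse charon syslog lines and return one IkeSa record per <name|id> tag."""
    sas: Dict[str, IkeSa] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("sa"):
            continue  # start-up noise, hex dumps without SA context, unrelated lines
        sa = sas.setdefault(m.group("sa"), IkeSa(tag=m.group("sa")))
        msg = m.group("msg")
        if (x := INITIATING_RE.search(msg)):
            sa.peer = x.group("peer")
        elif (x := REQUEST_RE.search(msg)):
            sa.exchanges.append(Exchange(x.group("exch"), int(x.group("mid")),
                                         request_payloads=x.group("payloads").split()))
        elif (x := RESPONSE_RE.search(msg)):
            ex = next((e for e in sa.exchanges
                       if e.name == x.group("exch") and e.message_id == int(x.group("mid"))), None)
            if ex is None:  # response to a request we did not see being generated
                ex = Exchange(x.group("exch"), int(x.group("mid")))
                sa.exchanges.append(ex)
            ex.response_payloads = x.group("payloads").split()
        elif (x := PACKET_RE.search(msg)) and sa.exchanges:
            ex = sa.exchanges[-1]  # packet lines follow the exchange they belong to
            if x.group("dir") == "sending":
                ex.sent_bytes = int(x.group("size"))
            else:
                ex.received_bytes = int(x.group("size"))
        elif (x := NOTIFY_ERR_RE.search(msg)):
            sa.error = x.group("notify")
        elif (x := STATE_RE.search(msg)):
            sa.final_state = x.group("new")
    return sas


def summarize(sa: IkeSa) -> str:
    """One-line verdict for an IKE_SA, naming the rejected exchange and the notify."""
    ex = sa.failed_exchange()
    if sa.error is None:
        return f"{sa.tag}: no notify error recorded (final state {sa.final_state})"
    if ex is None:
        return f"{sa.tag}: peer {sa.peer} sent {sa.error}; final state {sa.final_state}"
    return (f"{sa.tag}: peer {sa.peer} answered the {ex.sent_bytes}-byte {ex.name} request "
            f"[{' '.join(ex.request_payloads)}] with a {ex.received_bytes}-byte reply carrying "
            f"only {sa.error}; IKE_SA ended in {sa.final_state}")


if __name__ == "__main__":
    for record in analyze(SAMPLE_LOG).values():
        print(summarize(record))
```

Run it against `/var/log/ipsec/latest.log` content instead of `SAMPLE_LOG` to triage a live box. A notify-only reply to IKE_SA_INIT points at the peer's handling of the initial request (here the SonicWall's "KEY Payload" error, KE being the key-exchange payload in that request), not at phase-2 settings; that matches the later finding that only a peer firmware update made the tunnel come up.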
Title: Re: Site2Site IPSEC VPN Tunnel (OPNsense to SonicWall)
Post by: semi on April 27, 2022, 04:52:22 pm
Settings, part 2
Title: Re: Site2Site IPSEC VPN Tunnel (OPNsense to SonicWall)
Post by: semi on April 27, 2022, 04:53:11 pm
Settings, part 3
Title: Re: Site2Site IPSEC VPN Tunnel (OPNsense to SonicWall)
Post by: semi on April 28, 2022, 10:59:23 am
If, as a test, I set Key Exchange Version (IKE): V1 instead of V2 and Negotiation Mode: Main, the tunnel comes up without any problem with otherwise unchanged settings...

With V2 this error appears:
IKEv2 Payload processing error
VPN Policy: xxxx VPN; Type: KEY Payload
Title: Re: Site2Site IPSEC VPN Tunnel (OPNsense to SonicWall)
Post by: semi on April 30, 2022, 08:09:35 am
Update: problem solved after updating to the latest firmware 7.0.1-5052. The previously installed version 7.0.1-5018 was already outdated (July 2021) and apparently had never been updated before.