OPNsense Forum

English Forums => Virtual private networks => Topic started by: that1guy on June 26, 2022, 09:15:20 am

Title: IPsec-connection from cardreader
Post by: that1guy on June 26, 2022, 09:15:20 am
Hi guys,

I'm trying to connect an Orga 6141 (Ingenico) card reader to an OPNsense. The setup itself is a bit weird:

cardreader (192.168.146.3) via FritzBox 4020 behind (per definition) an unknown network -> FritzBox IPsec -> Internet -> Office FritzBox 7590. The Fritz <-> Fritz connection (to jump through the unknown network(s)) works, the 4020 has 192.168.139.207 in the office network.

As the cardreader must have an IP address in the 192.168.139.0 network by design, I created an OPNsense (192.168.139.45, LAN only) in the office (192.168.139.0/24).

The log doesn't look so bad after some time of testing things, but since I'm not deep into IPsec I don't know how to handle

Code:
parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
so I'm asking you politely for some help or hints on how to debug this.

The full log:

Code:
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> sending packet: from 192.168.139.45[4500] to 192.168.139.207[4500] (65 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> received packet: from 192.168.139.207[4500] to 192.168.139.45[4500] (65 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> sending packet: from 192.168.139.45[4500] to 192.168.139.207[4500] (456 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> sending packet: from 192.168.139.45[4500] to 192.168.139.207[4500] (1248 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ EF(2/2) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ EF(1/2) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> splitting IKE message (1639 bytes) into 2 fragments
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> sending end entity cert "<cert1>"
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> authentication of '<cert1>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> peer supports MOBIKE
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
2022-06-26T09:07:29 Informational charon 13[CFG] <con1|10> selected peer config 'con1'
2022-06-26T09:07:29 Informational charon 13[CFG] <10> looking for peer configs matching 192.168.139.45[%any]...192.168.139.207[192.168.146.3]
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2022-06-26T09:07:29 Informational charon 13[NET] <10> received packet: from 192.168.139.207[4500] to 192.168.139.45[4500] (369 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <10> sending packet: from 192.168.139.45[500] to 192.168.139.207[500] (265 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <10> sending cert request for "<ca1>"
2022-06-26T09:07:29 Informational charon 13[IKE] <10> remote host is behind NAT
2022-06-26T09:07:29 Informational charon 13[CFG] <10> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
2022-06-26T09:07:29 Informational charon 13[IKE] <10> 192.168.139.207 is initiating an IKE_SA
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-26T09:07:29 Informational charon 13[NET] <10> received packet: from 192.168.139.207[500] to 192.168.139.45[500] (940 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <9> sending packet: from 192.168.139.45[500] to 192.168.139.207[500] (38 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <9> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <9> DH group MODP_2048 unacceptable, requesting CURVE_25519
2022-06-26T09:07:29 Informational charon 13[IKE] <9> remote host is behind NAT
2022-06-26T09:07:29 Informational charon 13[CFG] <9> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
2022-06-26T09:07:29 Informational charon 13[IKE] <9> 192.168.139.207 is initiating an IKE_SA
2022-06-26T09:07:29 Informational charon 13[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-26T09:07:29 Informational charon 13[NET] <9> received packet: from 192.168.139.207[500] to 192.168.139.45[500] (1164 bytes)

For now it's just a testing environment, there are no other things on the OPNsense. All software is the latest version. There are no (!) logs on the cardreader, just "unknown error" in the status information.

Best regards, Paul
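The charon log above is shown newest line first and mixes two IKE_SAs (<9> and <con1|10>), which makes it hard to see where the handshake actually stopped. The following script is an added example (not from the original post, not OPNsense or strongSwan code) that parses lines in this format, puts them back into chronological order per IKE_SA and reports which side raised a failure notification. The sample lines are copied from the post; the line pattern and the verdict wording are assumptions of this example, not anything strongSwan itself emits.

```python
import re
from collections import defaultdict

# Representative lines copied from the log in the post above (strongSwan
# charon output as shown by OPNsense, newest line first). Any other charon log
# in this format can be fed in the same way.
SAMPLE_LOG = """\
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> authentication of '<cert1>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
2022-06-26T09:07:29 Informational charon 13[CFG] <con1|10> selected peer config 'con1'
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <10> remote host is behind NAT
2022-06-26T09:07:29 Informational charon 13[CFG] <10> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <9> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <9> DH group MODP_2048 unacceptable, requesting CURVE_25519
2022-06-26T09:07:29 Informational charon 13[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
"""

# One charon line: timestamp, level, "charon", thread[SUBSYS], <conn|sa-id> or <sa-id>, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[(?P<subsys>[A-Z]+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
# An IKEv2 exchange line: parsed/generating <EXCHANGE> request/response <id> [ payloads ].
EXCHANGE_RE = re.compile(r"^(parsed|generating) ([A-Z_]+) (request|response) (\d+) \[ (.*) \]$")
DH_RE = re.compile(r"^DH group (\w+) unacceptable, requesting (\w+)$")


def parse_line(line):
    """Split one charon log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def timeline(log_text, newest_first=True):
    """Group a charon log per IKE_SA id in chronological order.

    Returns {sa_id: {"conn": name or None,
                     "exchanges": [(direction, exchange, kind, payloads), ...],
                     "notes": [observations worth a second look, ...]}}.
    """
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:              # the OPNsense GUI lists the newest line first
        lines.reverse()
    sas = defaultdict(lambda: {"conn": None, "exchanges": [], "notes": []})
    for ln in lines:
        rec = parse_line(ln)
        if rec is None:
            continue
        sa = sas[rec["sa"]]
        if rec["conn"]:
            sa["conn"] = rec["conn"]  # config name appears once a peer config was matched
        msg = rec["msg"]
        ex = EXCHANGE_RE.match(msg)
        if ex:
            direction = "in" if ex.group(1) == "parsed" else "out"
            exchange, kind, payloads = ex.group(2), ex.group(3), ex.group(5)
            if payloads.startswith("EF("):
                continue              # fragment bookkeeping, not a new exchange
            sa["exchanges"].append((direction, exchange, kind, payloads))
            if "N(AUTH_FAILED)" in payloads:
                # a parsed request carrying the notify was raised by the peer;
                # a generated response in the same exchange is the local reply to it
                who = "peer" if direction == "in" else "local"
                sa["notes"].append(f"{who} sent AUTH_FAILED in {exchange} {kind} {ex.group(4)}")
            continue
        dh = DH_RE.match(msg)
        if dh:
            sa["notes"].append(f"DH group mismatch: peer offered {dh.group(1)}, local requested {dh.group(2)}")
        elif msg.startswith("initiating EAP_"):
            sa["notes"].append("EAP started: " + msg.split()[1])
        elif "(myself)" in msg and msg.endswith("successful"):
            sa["notes"].append("local side authenticated itself: " + msg.split("with ")[1].rsplit(" ", 1)[0])
    return dict(sas)


def diagnose(sas):
    """One-line verdict per IKE_SA: where the handshake stopped and who stopped it."""
    verdicts = {}
    for sa_id, sa in sas.items():
        last = sa["exchanges"][-1][1] if sa["exchanges"] else "none"
        notes = sa["notes"]
        if any(n.startswith("peer sent AUTH_FAILED") for n in notes):
            verdicts[sa_id] = (f"peer reported AUTH_FAILED after {last}: the initiator aborted; "
                               "compare credentials, identities and the certificate/CA it expects")
        elif any(n.startswith("local sent AUTH_FAILED") for n in notes):
            verdicts[sa_id] = f"local side rejected the peer after {last}: check the responder's auth settings"
        elif any(n.startswith("DH group mismatch") for n in notes):
            verdicts[sa_id] = "restarted after INVAL_KE: DH group renegotiated, not an error"
        else:
            verdicts[sa_id] = f"no failure notifications (last exchange {last})"
    return verdicts


if __name__ == "__main__":
    result = timeline(SAMPLE_LOG)
    for sa_id, sa in result.items():
        print(f"IKE_SA {sa_id} ({sa['conn'] or 'no config matched yet'})")
        for direction, exchange, kind, _ in sa["exchanges"]:
            print("   ", direction, exchange, kind)
        for note in sa["notes"]:
            print("   !", note)
    for sa_id, verdict in diagnose(result).items():
        print(f"verdict {sa_id}: {verdict}")
```

Run against the full log, the output shows that IKE_SA 9 is only the usual INVAL_KE restart (the peer first offered MODP_2048, the OPNsense asked for CURVE_25519 and the peer retried as IKE_SA 10), while IKE_SA 10 got through IKE_SA_INIT and the responder's own certificate authentication and then received AUTH_FAILED from the initiator as an INFORMATIONAL request. Because the notify arrived in a request, the rejection was made on the FritzBox/card reader side, which is why the OPNsense log alone cannot say what was wrong and the credentials and identities configured on the peer are the first thing to compare.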


Title: Re: IPsec-connection from cardreader
Post by: that1guy on June 27, 2022, 01:57:22 pm
Issue is solved somehow, I think a wrong password was used.