OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Julien on August 03, 2017, 01:27:48 am

Title: [SOLVED] Ipsec between two FW
Post by: Julien on August 03, 2017, 01:27:48 am
Hi Guys,
Between two OPNsense firewalls I have configured the IPSEC VPN as explained below:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=ipsec

The tunnel is not coming up. I have stopped the services and even rebooted both firewalls.
Can someone please point me in the right direction?

Log site A

Code:
Aug 3 01:24:51 charon: 02[CFG] received stroke: route 'con1'
Aug 3 01:24:51 charon: 05[CFG] added configuration 'con1'
Aug 3 01:24:51 charon: 05[CFG] received stroke: add connection 'con1'
Aug 3 01:24:51 charon: 00[JOB] spawning 16 worker threads
Aug 3 01:24:51 charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Aug 3 01:24:51 charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 3 01:24:51 charon: 00[CFG] loaded IKE secret for 98.44.55.66
Aug 3 01:24:51 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 3 01:24:51 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 3 01:24:51 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 3 01:24:51 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 3 01:24:51 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'

Log Site B

Code:
Aug 3 01:20:18 charon: 05[NET] sending packet: from IP SITE B [500] to IP SITE A[500] (36 bytes)
Aug 3 01:20:18 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 3 01:20:18 charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18 charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 3 01:20:18 charon: 05[NET] received packet: from IP SITE A [500] to IP SITE B[500] (466 bytes)
Aug 3 01:18:12 charon: 05[CFG] received stroke: route 'con1'
Title: Re: Ipsec between two FW
Post by: Julien on August 03, 2017, 03:06:40 am
I have created an OPENVPN tunnel and it does work.
https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html?highlight=vpn
I'll stick with the SSL tunnel as it's more secure than IPSEC.

Title: Re: [SOLVED] Ipsec between two FW
Post by: kug1977 on August 03, 2017, 10:03:49 am
Hi,

It complains about the algorithms ... it doesn't find an acceptable algorithm among those proposed by the party trying to connect (in IPsec most of the time called the right side).

Code:
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
You have to use one of them, 128-bit AES (AES_CBC_128) or 256-bit AES (AES_CBC_256) ... or make both available for selection on at least one side.

Kind regards,
Kay-Uwe Genz
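As an added example (not code from this thread, from OPNsense or from strongSwan), here is a small Python script that does what Kay-Uwe did by eye: it pulls the "configured proposals" and "received proposals" lines out of a charon log and reports which transform type has no algorithm in common, or which algorithms a responder could select when there is an overlap. The sample log is the site B excerpt from the first post; the prefix-based classification of transform names and the matching rule (every transform type must share at least one algorithm) are simplifications assumed here, not strongSwan's exact selection logic.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the relevant lines from the site B log in this thread.
SITE_B_LOG = """\
Aug 3 01:20:18 charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
"""

# Matches the two charon log lines that matter for a NO_PROPOSAL_CHOSEN diagnosis.
PROPOSAL_LINE = re.compile(r"\[CFG\] (configured|received) proposals: (.*)$")

# One proposal: transform type -> set of algorithm names offered for that type.
Proposal = Dict[str, Set[str]]


def transform_type(name: str) -> str:
    """Classify a strongSwan transform name by prefix (simplified; an assumption)."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    return "encryption"  # AES_CBC_*, AES_GCM_*, CHACHA20_*, 3DES, ...


def parse_proposals(text: str) -> List[Tuple[str, Proposal]]:
    """'IKE:A/B/C, IKE:D/E/F' -> [('IKE', {type: {algs}}), ('IKE', {...})]."""
    result = []
    for chunk in text.split(", "):
        proto, _, transforms = chunk.partition(":")
        prop: Proposal = {}
        for t in transforms.split("/"):
            prop.setdefault(transform_type(t), set()).add(t)
        result.append((proto, prop))
    return result


def compare(local: Proposal, remote: Proposal):
    """Return (overlap, mismatch): common algorithms per type, and types with none."""
    overlap: Dict[str, Set[str]] = {}
    mismatch: Dict[str, Tuple[List[str], List[str]]] = {}
    for ttype in sorted(set(local) | set(remote)):
        both = local.get(ttype, set()) & remote.get(ttype, set())
        if both:
            overlap[ttype] = both
        else:
            mismatch[ttype] = (sorted(local.get(ttype, ())), sorted(remote.get(ttype, ())))
    return overlap, mismatch


def diagnose(log: str) -> dict:
    """Scan a charon log excerpt and explain why (or whether) a proposal was accepted."""
    configured = received = None
    for line in log.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m and m.group(1) == "configured":
            configured = parse_proposals(m.group(2))
        elif m:
            received = parse_proposals(m.group(2))
    if configured is None or received is None:
        return {"status": "no proposal lines found"}

    first_mismatch = None
    for lproto, lprop in configured:
        for rproto, rprop in received:
            if lproto != rproto:
                continue
            overlap, mismatch = compare(lprop, rprop)
            if not mismatch:
                # Every transform type shares an algorithm: the responder can pick one.
                return {"status": "match", "protocol": lproto, "selected": overlap}
            if first_mismatch is None:
                first_mismatch = {"status": "mismatch", "protocol": lproto, "mismatch": mismatch}
    return first_mismatch or {"status": "no proposal for the same protocol on both sides"}


if __name__ == "__main__":
    print(diagnose(SITE_B_LOG))
```

Run against the site B excerpt it reports a mismatch on the encryption transform only (AES_CBC_256 configured, AES_CBC_128 received), which is exactly the fix Kay-Uwe describes: offer both, or align the two sides, and the other three transforms already agree.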
Title: Re: [SOLVED] Ipsec between two FW
Post by: Julien on August 03, 2017, 11:07:30 am
Quote
Hi,

It complains about the algorithms ... it doesn't find an acceptable algorithm among those proposed by the party trying to connect (in IPsec most of the time called the right side).

Code:
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
You have to use one of them, 128-bit AES (AES_CBC_128) or 256-bit AES (AES_CBC_256) ... or make both available for selection on at least one side.

Kind regards,
Kay-Uwe Genz

Thank you for your answer,
this is absolutely a good catch.
Do you suggest using IPSEC over OPENVPN?
According to research, OpenVPN is faster than IPSEC.
Can someone share their experience with us?

Title: Re: [SOLVED] Ipsec between two FW
Post by: mimugmail on August 03, 2017, 11:30:39 am
If you feel more comfortable with OpenVPN, stick to it. Only if you see a lack of performance try IPSEC, but I think you should be very fine now.
Title: Re: [SOLVED] Ipsec between two FW
Post by: kug1977 on August 03, 2017, 04:18:23 pm
Quote
Do you suggest using IPSEC over OPENVPN?
According to research, OpenVPN is faster than IPSEC.

For site-to-site connections I prefer IPsec tunnels. For mobile clients (aka road warriors) I use OpenVPN. And, honestly, OPNsense has some history of breaking IPsec while upgrading ... hopefully that's past. So having both might be a good idea anyway.
Title: Re: [SOLVED] Ipsec between two FW
Post by: Julien on August 04, 2017, 03:47:38 am
Quote
Do you suggest using IPSEC over OPENVPN?
According to research, OpenVPN is faster than IPSEC.

For site-to-site connections I prefer IPsec tunnels. For mobile clients (aka road warriors) I use OpenVPN. And, honestly, OPNsense has some history of breaking IPsec while upgrading ... hopefully that's past. So having both might be a good idea anyway.

Today I've done some tests.
With IPSEC the tunnel is not really stable and is slower than OPENVPN.
The idea behind the tunnel is that office 1 can reach Active Directory in office 2; no remote users.
Remote users are using OpenVPN.