OPNsense Forum

International Forums => German - Deutsch => Topic started by: guest16192 on August 19, 2017, 07:00:23 pm

Title: [Solved] IPsec IKEv2 & Android
Post by: guest16192 on August 19, 2017, 07:00:23 pm
Hi all,

as the title suggests, I want to set up IPsec with IKEv2 so that I can connect with my Android smartphone (Android 7).

I already found this entry in the forum, OPNsense: https://forum.opnsense.org/index.php?topic=4324.msg16350#msg16350, which points to pfSense: https://forum.pfsense.org/index.php?topic=106433.0

Unfortunately, OPNsense only refers to https://docs.opnsense.org/manual/how-tos/ipsec-road.html, which is only written for IKEv1(?)

Most of the setup already seems to work, but somewhere it chokes.
Log of a connection attempt:
Code:
Aug 19 18:45:42 charon: 15[NET] sending packet: from 192.168.xxx[4500] to 192.168.xxx[48342] (65 bytes)
Aug 19 18:45:42 charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 19 18:45:42 charon: 15[IKE] peer supports MOBIKE
Aug 19 18:45:42 charon: 15[CFG] no alternative config found
Aug 19 18:45:42 charon: 15[CFG] selected peer config 'con1' inacceptable: non-matching authentication done
Aug 19 18:45:42 charon: 15[CFG] constraint requires EAP_TLS, but EAP_NAK was used
Aug 19 18:45:42 charon: 15[IKE] authentication of '[User-Cert]' with RSA_EMSA_PKCS1_SHA2_384 successful
Aug 19 18:45:42 charon: 15[CFG] reached self-signed root ca with a path length of 0
Aug 19 18:45:42 charon: 15[CFG] certificate status is not available
Aug 19 18:45:42 charon: 15[CFG] checking certificate status of "[User-Cert]"
Aug 19 18:45:42 charon: 15[CFG] using trusted ca certificate "[CA-Cert]"
Aug 19 18:45:42 charon: 15[CFG] using certificate "[User-Cert]"
Aug 19 18:45:42 charon: 15[CFG] selected peer config 'con1'
Aug 19 18:45:42 charon: 15[CFG] looking for peer configs matching 192.168.xxx[%any]...192.168.xxx[[User-Cert]]
Aug 19 18:45:42 charon: 15[IKE] received end entity cert "[User-Cert]"
Aug 19 18:45:42 charon: 15[IKE] received cert request for "[CA-Cert]"
Aug 19 18:45:42 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 19 18:45:42 charon: 15[ENC] received fragment #1 of 3, reassembling fragmented IKE message
Aug 19 18:45:42 charon: 15[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Aug 19 18:45:42 charon: 15[NET] received packet: from 192.168.xxx[48342] to 192.168.xxx[4500] (1248 bytes)
Aug 19 18:45:42 charon: 16[ENC] received fragment #3 of 3, waiting for complete IKE message
Aug 19 18:45:42 charon: 16[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Aug 19 18:45:42 charon: 16[NET] received packet: from 192.168.xxx[48342] to 192.168.xxx[4500] (247 bytes)
Aug 19 18:45:42 charon: 14[ENC] received fragment #2 of 3, waiting for complete IKE message
Aug 19 18:45:42 charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Aug 19 18:45:42 charon: 14[NET] received packet: from 192.168.xxx[48342] to 192.168.xxx[4500] (1248 bytes)
Aug 19 18:45:42 charon: 15[NET] sending packet: from 192.168.xxx[500] to 192.168.xxx[42285] (523 bytes)
Aug 19 18:45:42 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 19 18:45:42 charon: 15[IKE] sending cert request for "[CA-Cert]"
Aug 19 18:45:42 charon: 15[IKE] sending cert request for "[Andere-CA]"
Aug 19 18:45:42 charon: 15[IKE] sending cert request for "[Andere-CA]"
Aug 19 18:45:42 charon: 15[IKE] remote host is behind NAT
Aug 19 18:45:42 charon: 15[IKE] 192.168.xxx is initiating an IKE_SA
Aug 19 18:45:42 charon: 15[IKE] 192.168.xxx is initiating an IKE_SA
Aug 19 18:45:42 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 19 18:45:42 charon: 15[NET] received packet: from 192.168.xxx[42285] to 192.168.xxx[500] (660 bytes)
Aug 19 18:45:41 charon: 15[NET] sending packet: from 192.168.xxx[500] to 192.168.xxx[42285] (38 bytes)
Aug 19 18:45:41 charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 19 18:45:41 charon: 15[IKE] DH group MODP_2048_256 inacceptable, requesting MODP_2048
Aug 19 18:45:41 charon: 15[IKE] remote host is behind NAT
Aug 19 18:45:41 charon: 15[IKE] 192.168.xxx is initiating an IKE_SA
Aug 19 18:45:41 charon: 15[IKE] 192.168.xxx is initiating an IKE_SA
Aug 19 18:45:41 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 19 18:45:41 charon: 15[NET] received packet: from 192.168.xxx[42285] to 192.168.xxx[500] (660 bytes)

Edit:
OK, if you choose the wrong authentication method, it is obvious that nothing works. Selected the right one and it works as it should :)
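The log above tells the whole story once it is read bottom-up (the OPNsense log view prints the newest line first): the first IKE_SA_INIT is answered with INVALID_KE_PAYLOAD because the client proposed MODP_2048_256 and the server wanted MODP_2048, the retry succeeds, the client then authenticates with its certificate signature (RSA_EMSA_PKCS1_SHA2_384), and charon rejects that because the peer config 'con1' requires EAP-TLS ("constraint requires EAP_TLS, but EAP_NAK was used"; in strongSwan EAP_NAK is the placeholder for "no EAP method was run", and the constraint comes from a rightauth=eap-tls style setting on the server side). The script below is an added example, not part of the post or of OPNsense; it reorders a charon log dump, extracts exactly those three facts, and produces a hint. The sample log is constructed to mirror the post (IPs and certificate names redacted as in the post), and the regular expressions target the charon message texts visible above.

```python
from __future__ import annotations
import re

# Constructed sample modelled on the charon log in the post above, in the
# newest-first order the OPNsense GUI uses.  Not a real capture.
SAMPLE_LOG = """\
Aug 19 18:45:42 charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 19 18:45:42 charon: 15[CFG] selected peer config 'con1' inacceptable: non-matching authentication done
Aug 19 18:45:42 charon: 15[CFG] constraint requires EAP_TLS, but EAP_NAK was used
Aug 19 18:45:42 charon: 15[IKE] authentication of '[User-Cert]' with RSA_EMSA_PKCS1_SHA2_384 successful
Aug 19 18:45:42 charon: 15[CFG] using trusted ca certificate "[CA-Cert]"
Aug 19 18:45:42 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
Aug 19 18:45:42 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
Aug 19 18:45:42 charon: 15[IKE] remote host is behind NAT
Aug 19 18:45:42 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 19 18:45:41 charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 19 18:45:41 charon: 15[IKE] DH group MODP_2048_256 inacceptable, requesting MODP_2048
Aug 19 18:45:41 charon: 15[IKE] remote host is behind NAT
Aug 19 18:45:41 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
DH_RE = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")
CONSTRAINT_RE = re.compile(r"constraint requires (\S+), but (\S+) was used")
AUTH_OK_RE = re.compile(r"authentication of '([^']*)' with (\S+) successful")
NOTIFY_RE = re.compile(r"N\((\w+)\)")


def parse_charon_log(text: str, newest_first: bool = True) -> list:
    """Split charon lines into records and return them in chronological order.

    Timestamps are only second-granular, so instead of sorting we reverse the
    newest-first dump, which restores the order in which charon emitted them.
    """
    records = [m.groupdict() for raw in text.splitlines()
               if (m := LINE_RE.match(raw.strip()))]
    return records[::-1] if newest_first else records


def diagnose(text: str, newest_first: bool = True) -> dict:
    """Explain why an IKEv2 road-warrior connection to strongSwan failed."""
    result = {
        "dh_renegotiations": [],      # (group the client proposed, group the server asked for)
        "peer_auth": None,            # signature scheme the client authenticated with, if any
        "eap_only_requested": False,  # client sent the EAP_ONLY_AUTHENTICATION notify
        "constraint_mismatch": None,  # (what the server config requires, what the client did)
        "outcome": "UNKNOWN",
        "hint": "",
    }
    for rec in parse_charon_log(text, newest_first):
        msg = rec["msg"]
        if m := DH_RE.search(msg):
            result["dh_renegotiations"].append((m.group(1), m.group(2)))
        elif m := AUTH_OK_RE.search(msg):
            result["peer_auth"] = m.group(2)
        elif m := CONSTRAINT_RE.search(msg):
            result["constraint_mismatch"] = (m.group(1), m.group(2))
        elif "parsed IKE_AUTH request" in msg and "EAP_ONLY" in NOTIFY_RE.findall(msg):
            result["eap_only_requested"] = True
        elif "generating IKE_AUTH response" in msg and "AUTH_FAILED" in NOTIFY_RE.findall(msg):
            result["outcome"] = "AUTH_FAILED"
        elif " established between " in msg:   # charon's "IKE_SA ... established between" line
            result["outcome"] = "ESTABLISHED"

    hints = []
    if len(result["dh_renegotiations"]) > 1:
        hints.append("INVALID_KE_PAYLOAD sent more than once: the client keeps proposing "
                     "a DH group the server rejects")
    elif result["dh_renegotiations"]:
        proposed, wanted = result["dh_renegotiations"][0]
        hints.append(f"one extra round trip: client tried {proposed}, server asked for "
                     f"{wanted} (harmless unless it repeats)")
    if result["constraint_mismatch"]:
        required, used = result["constraint_mismatch"]
        if used == "EAP_NAK" and result["peer_auth"]:
            # EAP_NAK is strongSwan's default EAP type when no EAP method ran at all,
            # so the client did plain certificate (pubkey) authentication instead.
            hints.append(f"server config requires {required} but the client authenticated "
                         f"with a certificate signature ({result['peer_auth']}) and never "
                         f"started EAP: change the authentication method on one side so "
                         f"both use certificates or both use {required}")
        else:
            hints.append(f"server config requires {required} but the client used {used}")
    result["hint"] = "; ".join(hints)
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paste the raw log view from the GUI into SAMPLE_LOG (or read it from a file) and run the script; if the log was taken from the server's syslog in chronological order, call diagnose(text, newest_first=False). The DH renegotiation is reported separately from the authentication failure so it is not mistaken for the cause: a single INVALID_KE_PAYLOAD round trip is normal when the client's first proposal is not the server's preferred group, whereas the constraint line is the real reason for N(AUTH_FAILED).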