OPNsense Forum

English Forums => General Discussion => Topic started by: mts on September 28, 2017, 09:25:37 pm

Title: ipsec Net2Net to ipfire
Post by: mts on September 28, 2017, 09:25:37 pm
Hi guys,

I would like to connect an OPNsense to IPFire by IPsec RSA.
Is there someone who maybe has a step-by-step instruction on what to take care of?

How can I import the CA from IPFire (PEM format)?
How can I export the cert from OPNsense so I can import it to IPFire?

THX
mts
Title: Re: ipsec Net2Net to ipfire
Post by: mts on September 29, 2017, 08:30:28 pm
I managed to set up some first settings, but I'm getting the following log:
Quote
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading secrets
Sep 29 20:19:53 OPNsense charon: 08[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/cert-1.key'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded ca certificate "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca" from '/usr/local/etc/ipsec.d/cacerts/b24f4e25.0.crt'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded ca certificate "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA" from '/usr/local/etc/ipsec.d/cacerts/6113c50d.0.crt'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Sep 29 20:19:53 OPNsense charon: 06[CFG] received stroke: delete connection 'con1'
Sep 29 20:19:53 OPNsense charon: 06[CFG] deleted connection 'con1'
Sep 29 20:19:53 OPNsense charon: 08[CFG] received stroke: add connection 'con1'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded certificate "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA" from '/usr/local/etc/ipsec.d/certs/cert-1.crt'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   id '192.168.0.10' not confirmed by certificate, defaulting to 'C=DE, ST=NRW, L=Dusseldorf, O=NUCLEUS GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA'
Sep 29 20:19:53 OPNsense charon: 08[CFG] added configuration 'con1'
Sep 29 20:19:53 OPNsense charon: 06[CFG] received stroke: initiate 'con1'
Sep 29 20:19:53 OPNsense charon: 06[IKE] initiating IKE_SA con1[54] to xxx.xxx.xxx.xxx
Sep 29 20:19:53 OPNsense charon: 06[IKE] initiating IKE_SA con1[54] to xxx.xxx.xxx.xxx
Sep 29 20:19:53 OPNsense charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 29 20:19:53 OPNsense charon: 06[NET] sending packet: from 192.168.0.10[500] to xxx.xxx.xxx.xxx[500] (714 bytes)
Sep 29 20:19:56 OPNsense charon: 06[NET] received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.10[500] (799 bytes)
Sep 29 20:19:56 OPNsense charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 29 20:19:56 OPNsense charon: 06[IKE] local host is behind NAT, sending keep alives
Sep 29 20:19:56 OPNsense charon: 06[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:19:56 OPNsense charon: 06[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:19:56 OPNsense charon: 06[IKE] received cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:19:56 OPNsense charon: 06[IKE] received 1 cert requests for an unknown ca
Sep 29 20:19:56 OPNsense charon: 06[IKE] sending cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:19:56 OPNsense charon: 06[IKE] authentication of 'C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sep 29 20:19:56 OPNsense charon: 06[IKE] sending end entity cert "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA"
Sep 29 20:19:56 OPNsense charon: 06[IKE] establishing CHILD_SA con1
Sep 29 20:19:56 OPNsense charon: 06[IKE] establishing CHILD_SA con1
Sep 29 20:19:56 OPNsense charon: 06[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 29 20:19:56 OPNsense charon: 06[ENC] splitting IKE message with length of 1694 bytes into 2 fragments
Sep 29 20:19:56 OPNsense charon: 06[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Sep 29 20:19:56 OPNsense charon: 06[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Sep 29 20:19:56 OPNsense charon: 06[NET] sending packet: from 192.168.0.10[4500] to xxx.xxx.xxx.xxx[4500] (1248 bytes)
Sep 29 20:19:56 OPNsense charon: 06[NET] sending packet: from 192.168.0.10[4500] to xxx.xxx.xxx.xxx[4500] (511 bytes)
Sep 29 20:19:57 OPNsense charon: 06[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.10[4500] (65 bytes)
Sep 29 20:19:57 OPNsense charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 20:19:57 OPNsense charon: 06[IKE] received AUTHENTICATION_FAILED notify error
Sep 29 20:19:58 OPNsense charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.10[500] (1566 bytes)
Sep 29 20:19:58 OPNsense charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 29 20:19:58 OPNsense charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Sep 29 20:19:58 OPNsense charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Sep 29 20:19:58 OPNsense charon: 08[IKE] local host is behind NAT, sending keep alives
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA"
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense"
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:19:58 OPNsense charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 29 20:19:58 OPNsense charon: 08[NET] sending packet: from 192.168.0.10[500] to xxx.xxx.xxx.xxx[500] (799 bytes)
Sep 29 20:20:00 OPNsense charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.10[4500] (1248 bytes)
Sep 29 20:20:00 OPNsense charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 29 20:20:00 OPNsense charon: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 29 20:20:00 OPNsense charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.10[4500] (475 bytes)
Sep 29 20:20:00 OPNsense charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 29 20:20:00 OPNsense charon: 08[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Sep 29 20:20:00 OPNsense charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 29 20:20:00 OPNsense charon: 08[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:20:00 OPNsense charon: 08[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:20:00 OPNsense charon: 08[IKE] received cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:20:00 OPNsense charon: 08[IKE] received 1 cert requests for an unknown ca
Sep 29 20:20:00 OPNsense charon: 08[IKE] received end entity cert "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx-server.com"
Sep 29 20:20:00 OPNsense charon: 08[CFG] looking for peer configs matching 192.168.0.10[C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@nucleus-gmbh.com, CN=internal-ca]...xxx.xxx.xxx.xxx[C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx-server.com]
Sep 29 20:20:00 OPNsense charon: 08[CFG] no matching peer config found
Sep 29 20:20:00 OPNsense charon: 08[IKE] peer supports MOBIKE
Sep 29 20:20:00 OPNsense charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 20:20:00 OPNsense charon: 08[NET] sending packet: from 192.168.0.10[4500] to xxx.xxx.xxx.xxx[4500] (65 bytes)

Do you have any suggestion what's wrong?
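The two lines in the log above that carry the identity story are "id '192.168.0.10' not confirmed by certificate, defaulting to '...'" (charon then authenticates with the certificate's subject DN rather than the configured IP) and "no matching peer config found" in the responder-side lookup. As an added example that is not from this thread, here is a small Python triage helper that pulls those identities out of charon log lines; the sample lines are constructed and modelled on the posted output, and the addresses, organisation and CN values in them are placeholders.

```python
import re

# Constructed sample lines modelled on the charon output in the thread;
# addresses and names are placeholders, not real values.
SAMPLE_LOG = """\
Sep 29 20:19:53 fw charon: 08[CFG]   id '192.168.0.10' not confirmed by certificate, defaulting to 'C=DE, O=Example GmbH, CN=home-CA'
Sep 29 20:19:56 fw charon: 06[IKE] received 1 cert requests for an unknown ca
Sep 29 20:19:57 fw charon: 06[IKE] received AUTHENTICATION_FAILED notify error
Sep 29 20:20:00 fw charon: 08[IKE] received end entity cert "C=DE, O=Example GmbH, CN=example-server.com"
Sep 29 20:20:00 fw charon: 08[CFG] looking for peer configs matching 192.168.0.10[C=DE, O=Example GmbH, CN=internal-ca]...203.0.113.5[C=DE, O=Example GmbH, CN=example-server.com]
Sep 29 20:20:00 fw charon: 08[CFG] no matching peer config found
"""

# Configured local ID absent from the cert's subject/SAN, and the DN charon uses instead.
ID_NOT_CONFIRMED = re.compile(r"id '([^']+)' not confirmed by certificate, defaulting to '([^']+)'")
# Responder-side lookup: local_addr[local_id]...remote_addr[remote_id]
PEER_LOOKUP = re.compile(r"looking for peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")

def triage_charon_log(text):
    """Collect the identity facts that matter when IKE_AUTH ends in AUTH_FAILED:
    unconfirmed local IDs, identities in the peer-config lookup, failure markers."""
    f = {"unconfirmed_ids": [], "peer_lookups": [], "no_peer_config": False,
         "unknown_ca_certreq": False, "auth_failed": False}
    for line in text.splitlines():
        m = ID_NOT_CONFIRMED.search(line)
        if m:
            f["unconfirmed_ids"].append({"configured": m.group(1), "fallback": m.group(2)})
            continue
        m = PEER_LOOKUP.search(line)
        if m:
            f["peer_lookups"].append({"local_addr": m.group(1), "local_id": m.group(2),
                                      "remote_addr": m.group(3), "remote_id": m.group(4)})
            continue
        if "no matching peer config found" in line:
            f["no_peer_config"] = True
        elif "cert requests for an unknown ca" in line:
            f["unknown_ca_certreq"] = True
        elif "AUTHENTICATION_FAILED" in line or "N(AUTH_FAILED)" in line:
            f["auth_failed"] = True
    return f

def explain(f):
    """Plain-language hints derived from the findings."""
    hints = [f"local ID {u['configured']!r} is not in the certificate; charon "
             f"authenticates as {u['fallback']!r} instead" for u in f["unconfirmed_ids"]]
    if f["no_peer_config"]:
        hints += [f"no connection matches local ID {p['local_id']!r} with remote ID "
                  f"{p['remote_id']!r}" for p in f["peer_lookups"]]
    return hints
```

Run it over a real charon log (`triage_charon_log(open(path).read())`) and compare the local and remote IDs it reports with the identifiers configured on both ends of the tunnel.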