OPNsense Forum

International Forums => German - Deutsch => Topic started by: Perun on February 04, 2018, 11:10:08 pm

Title: IPsec VPN and Android clients
Post by: Perun on February 04, 2018, 11:10:08 pm
Hello,

I have the following settings for mobile clients:

Code:
conn con4
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 192.168.40.3
  right = %any
  leftid = dync.chao5.net
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 192.168.250.0/24
  ike = aes256-sha256-modp2048s256!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-4.crt
  leftsendcert = always
  rightca = "/O=CHAO5.INT/CN=Certificate Authority/"
  rightsubnet = 192.168.250.0/24
  leftsubnet = 192.168.50.0/24
  esp = aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048,aes192-sha1-modp2048,aes192-sha256-modp2048,aes192-sha384-modp2048,aes192-sha512-modp2048,aes128-sha1-modp2048,aes128-sha256-modp2048,aes128-sha384-modp2048,aes128-sha512-modp2048!
  auto = add

With similar settings, all my tunnels between Linux strongSwan peers work...

but here I get the following messages and can't really pin down what is wrong:
Code:
Feb  4 23:09:33 cerber charon: 09[NET] received packet: from 31.17.57.154[61045] to 192.168.40.3[500] (660 bytes)
Feb  4 23:09:33 cerber charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb  4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb  4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb  4 23:09:33 cerber charon: 09[IKE] local host is behind NAT, sending keep alives
Feb  4 23:09:33 cerber charon: 09[IKE] remote host is behind NAT
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "O=CHAO5.INT, CN=Certificate Authority"
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "CN=Fake LE Intermediate X1"
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "C=DE, ST=Berlin, L=Berlin, O=chao5, E=perun@chao5.net, CN=internal-ca"
Feb  4 23:09:33 cerber charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb  4 23:09:33 cerber charon: 09[NET] sending packet: from 192.168.40.3[500] to 31.17.57.154[61045] (551 bytes)
Feb  4 23:09:34 cerber charon: 09[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb  4 23:09:34 cerber charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Feb  4 23:09:34 cerber charon: 09[ENC] received fragment #1 of 4, waiting for complete IKE message
Feb  4 23:09:34 cerber charon: 09[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb  4 23:09:34 cerber charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Feb  4 23:09:34 cerber charon: 09[ENC] received fragment #2 of 4, waiting for complete IKE message
Feb  4 23:09:34 cerber charon: 08[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (484 bytes)
Feb  4 23:09:34 cerber charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Feb  4 23:09:34 cerber charon: 08[ENC] received fragment #4 of 4, waiting for complete IKE message
Feb  4 23:09:34 cerber charon: 06[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb  4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Feb  4 23:09:34 cerber charon: 06[ENC] received fragment #3 of 4, reassembling fragmented IKE message
Feb  4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb  4 23:09:34 cerber charon: 06[IKE] received end entity cert "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb  4 23:09:34 cerber charon: 06[CFG] looking for peer configs matching 192.168.40.3[%any]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[CFG] selected peer config 'con4'
Feb  4 23:09:34 cerber charon: 06[CFG]   using certificate "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb  4 23:09:34 cerber charon: 06[CFG]   using trusted ca certificate "O=CHAO5.INT, CN=Certificate Authority"
Feb  4 23:09:34 cerber charon: 06[CFG] checking certificate status of "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb  4 23:09:34 cerber charon: 06[CFG]   requesting ocsp status from 'http://ipa-ca.chao5.int/ca/ocsp' ...
Feb  4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ca/ocsp, no capable fetcher found
Feb  4 23:09:34 cerber charon: 06[CFG] ocsp request to http://ipa-ca.chao5.int/ca/ocsp failed
Feb  4 23:09:34 cerber charon: 06[CFG] ocsp check failed, fallback to crl
Feb  4 23:09:34 cerber charon: 06[CFG]   fetching crl from 'http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin' ...
Feb  4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin, no capable fetcher found
Feb  4 23:09:34 cerber charon: 06[CFG] crl fetching failed
Feb  4 23:09:34 cerber charon: 06[CFG] certificate status is not available
Feb  4 23:09:34 cerber charon: 06[CFG]   reached self-signed root ca with a path length of 0
Feb  4 23:09:34 cerber charon: 06[IKE] authentication of 'O=CHAO5.INT, CN=handy-marlena.vpn' with RSA_EMSA_PKCS1_SHA2_256 successful
Feb  4 23:09:34 cerber charon: 06[IKE] peer supports MOBIKE
Feb  4 23:09:34 cerber charon: 06[IKE] authentication of 'dync.chao5.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] scheduling reauthentication in 28135s
Feb  4 23:09:34 cerber charon: 06[IKE] maximum IKE_SA lifetime 28675s
Feb  4 23:09:34 cerber charon: 06[IKE] sending end entity cert "O=CHAO5.INT, CN=dync.chao5.net"
Feb  4 23:09:34 cerber charon: 06[IKE] peer requested virtual IP %any
Feb  4 23:09:34 cerber charon: 06[CFG] reassigning offline lease to 'O=CHAO5.INT, CN=handy-marlena.vpn'
Feb  4 23:09:34 cerber charon: 06[IKE] assigning virtual IP 192.168.250.1 to peer 'O=CHAO5.INT, CN=handy-marlena.vpn'
Feb  4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb  4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb  4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET DNS DNS U_DEFDOM U_SPLITDNS U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb  4 23:09:34 cerber charon: 06[ENC] splitting IKE message with length of 1824 bytes into 2 fragments
Feb  4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb  4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb  4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (1236 bytes)
Feb  4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (660 bytes)
Feb  4 23:09:34 cerber charon: 06[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (80 bytes)
Feb  4 23:09:34 cerber charon: 06[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb  4 23:09:34 cerber charon: 06[IKE] received DELETE for IKE_SA con4[48]
Feb  4 23:09:34 cerber charon: 06[IKE] deleting IKE_SA con4[48] between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] deleting IKE_SA con4[48] between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA deleted
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA deleted
Feb  4 23:09:34 cerber charon: 06[ENC] generating INFORMATIONAL response 2 [ ]
Feb  4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (80 bytes)
Feb  4 23:09:34 cerber charon: 06[CFG] lease 192.168.250.1 by 'O=CHAO5.INT, CN=handy-marlena.vpn' went offline

Can anyone help? I'm somehow stuck...

Greetz
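An added example, not part of Perun's post and not code from OPNsense or strongSwan: a small Python script that walks a charon log like the one above and pulls out the facts that matter when a client disconnects right after IKE_AUTH. It records which identities this side authenticated, which end entity cert it sent, whether revocation checking actually happened, which notifies the peer put into its IKE_AUTH request, and whether the peer answered with AUTH_FAILED. The embedded log is a constructed excerpt, trimmed from the post's own log and in the same format; the regexes and the "findings" heuristics are the example's own assumptions about the charon message formats, not a strongSwan API.

```python
import re

# Constructed excerpt: a trimmed subset of the charon log from the post, same format.
SAMPLE_LOG = """\
Feb  4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb  4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(MULT_AUTH) N(EAP_ONLY) ]
Feb  4 23:09:34 cerber charon: 06[CFG] selected peer config 'con4'
Feb  4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ca/ocsp, no capable fetcher found
Feb  4 23:09:34 cerber charon: 06[CFG] ocsp check failed, fallback to crl
Feb  4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin, no capable fetcher found
Feb  4 23:09:34 cerber charon: 06[CFG] certificate status is not available
Feb  4 23:09:34 cerber charon: 06[IKE] authentication of 'O=CHAO5.INT, CN=handy-marlena.vpn' with RSA_EMSA_PKCS1_SHA2_256 successful
Feb  4 23:09:34 cerber charon: 06[IKE] authentication of 'dync.chao5.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] sending end entity cert "O=CHAO5.INT, CN=dync.chao5.net"
Feb  4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb  4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb  4 23:09:34 cerber charon: 06[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb  4 23:09:34 cerber charon: 06[IKE] received DELETE for IKE_SA con4[48]
"""

# Assumed syslog-style charon line: "<ts> <host> charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
                     r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between "
                   r"(?P<laddr>\S+?)\[(?P<lid>.*?)\]\.\.\.(?P<raddr>\S+?)\[(?P<rid>.*?)\]$")
AUTH_RE = re.compile(r"authentication of '(?P<ident>.*?)'(?P<self> \(myself\))? with (?P<alg>\S+) successful")
PARSED_RE = re.compile(r"parsed (?P<exch>\S+) (?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>.*?) \]$")
FETCH_RE = re.compile(r"unable to fetch from (?P<url>\S+), (?P<reason>.*)$")
CERT_RE = re.compile(r'sending end entity cert "(?P<dn>.*?)"')
CHILD_RE = re.compile(r"CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} established")


def analyse(log_text):
    """Collect the facts relevant to an IKEv2 client rejection from a charon log."""
    rep = {
        "ike_sas": [],                 # (conn, id, local_id, remote_id), deduplicated
        "auth_ok_peer": [],            # (identity, algorithm) peers this side authenticated
        "auth_ok_self": [],            # (identity, algorithm) we proved to the peer
        "sent_cert": None,             # DN of the end entity cert we sent
        "revocation_unknown": False,   # "certificate status is not available" seen
        "fetch_failures": [],          # (url, reason) for OCSP/CRL fetches that failed
        "peer_ike_auth_notifies": [],  # notify types the peer put into IKE_AUTH
        "peer_auth_failed": False,     # peer sent N(AUTH_FAILED) after the exchange
        "child_sas": set(),            # (conn, id) of CHILD_SAs that came up
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if (s := SA_RE.search(msg)):
            sa = (s["conn"], int(s["id"]), s["lid"], s["rid"])
            if sa not in rep["ike_sas"]:       # charon logs this line twice
                rep["ike_sas"].append(sa)
        elif (a := AUTH_RE.search(msg)):
            key = "auth_ok_self" if a["self"] else "auth_ok_peer"
            rep[key].append((a["ident"], a["alg"]))
        elif (p := PARSED_RE.search(msg)):
            notifies = re.findall(r"N\((\w+)\)", p["payloads"])
            if p["exch"] == "IKE_AUTH" and p["kind"] == "request":
                rep["peer_ike_auth_notifies"].extend(notifies)
            if p["exch"] == "INFORMATIONAL" and p["kind"] == "request" and "AUTH_FAILED" in notifies:
                rep["peer_auth_failed"] = True
        elif (f := FETCH_RE.search(msg)):
            rep["fetch_failures"].append((f["url"], f["reason"]))
        elif (c := CERT_RE.search(msg)):
            rep["sent_cert"] = c["dn"]
        elif (ch := CHILD_RE.search(msg)):
            rep["child_sas"].add((ch["conn"], int(ch["id"])))
        elif "certificate status is not available" in msg:
            rep["revocation_unknown"] = True
    return rep


def findings(rep):
    """Plain statements derived only from what the log shows."""
    out = []
    if rep["peer_auth_failed"] and rep["auth_ok_peer"] and rep["auth_ok_self"]:
        out.append("This side authenticated the peer and itself, then the peer answered with "
                   "AUTH_FAILED: the rejection happened on the client, so its log holds the reason.")
    if rep["revocation_unknown"]:
        urls = ", ".join(url for url, _ in rep["fetch_failures"])
        out.append(f"Revocation status of the peer certificate was never checked (fetch failed: {urls}).")
    for _, _, local_id, _ in rep["ike_sas"]:
        # Crude heuristic (assumption): the identity we send as IDr should appear in the cert we send.
        if rep["sent_cert"] and local_id not in rep["sent_cert"]:
            out.append(f"Local identity '{local_id}' is not in the sent cert '{rep['sent_cert']}'; "
                       "a client that validates IDr against the certificate would reject it.")
    return out


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for k, v in report.items():
        print(f"{k}: {v}")
    for line in findings(report):
        print("-", line)
```

Run it against the full log from the post (or `cat /var/log/ipsec.log | python3 script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the report shows the same picture as above: both authentications succeeded locally, the CHILD_SA came up, and only then did the client send AUTH_FAILED, so the server log alone cannot say why. The "no capable fetcher found" lines mean this charon has no HTTP fetcher plugin loaded, so OCSP and CRL were skipped and the client cert was accepted without a revocation check; that is worth fixing on its own, but the log shows it did not cause this disconnect, since strongSwan went on to establish the SA.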