OPNsense Forum

English Forums => General Discussion => Topic started by: alexpebody on March 18, 2018, 02:55:48 pm

Title: IPsec connection fault?
Post by: alexpebody on March 18, 2018, 02:55:48 pm
Hello. I have a Zyxel Keenetic Ultra 2. I have configured the IPsec server, set the secret key and added a user for access, but I can't connect successfully, neither from a Windows 7 PC nor from an Android phone. The Zyxel log is:

STARTING SERVER:
Mar 18 20:49:26 ndm  Core::Syslog: the system log has been cleared.
Mar 18 20:49:29 ndm  IpSec::Manager: service enabled.
Mar 18 20:49:29 ndm  IpSec::Manager: crypto ike proposal "VirtualIPServer" removed.
Mar 18 20:49:29 ndm  IpSec::Manager: crypto ike policy "VirtualIPServer" removed.
Mar 18 20:49:29 ndm  IpSec::Manager: crypto ipsec transform-set "VirtualIPServer" removed.
Mar 18 20:49:29 ndm  IpSec::Manager: crypto ipsec profile "VirtualIPServer" removed.
Mar 18 20:49:29 ndm  Network::Acl: "_WEBADMIN_IPSEC_VirtualIPServer" access list removed.
Mar 18 20:49:29 ndm  Network::Acl: rule accepted.
Mar 18 20:49:29 ndm  IpSec::Manager: "VirtualIPServer": crypto ike proposal successfully created.
Mar 18 20:49:29 ndm  IpSec::Manager: "VirtualIPServer": crypto ike policy successfully created.
Mar 18 20:49:29 ndm  IpSec::Manager: "VirtualIPServer": crypto ipsec transform-set successfully created.
Mar 18 20:49:29 ndm  IpSec::Manager: "VirtualIPServer": crypto ipsec profile successfully created.
Mar 18 20:49:29 ndm  IpSec::Manager: Virtual IP server successfully enabled.
Mar 18 20:49:29 ndm  Core::ConfigurationSaver: saving configuration...
Mar 18 20:49:31 ndm  IpSec::Manager: create IPsec reconfiguration transaction...
Mar 18 20:49:31 ndm  IpSec::Manager: add config for crypto map "VirtualIPServer".
Mar 18 20:49:31 ndm  IpSec::Manager: IPsec reconfiguration transaction was created.
Mar 18 20:49:31 ndm  IpSec::Configurator: start applying IPsec configuration.
Mar 18 20:49:31 ndm  IpSec::Configurator: IPsec configuration applying is done.
Mar 18 20:49:31 ndm  IpSec::IpSecNetfilter: start reloading netfilter configuration...
Mar 18 20:49:31 ndm  IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Mar 18 20:49:33 ndm  Core::ConfigurationSaver: configuration saved.
Mar 18 20:49:33 ipsec  Starting strongSwan 5.6.1 IPsec [starter]...
Mar 18 20:49:33 ipsec  00[DMN] Starting IKE charon daemon (strongSwan 5.6.1, Linux 3.4.113, mips)
Mar 18 20:49:33 ipsec  00[CFG] loading secrets
Mar 18 20:49:33 ipsec  00[CFG] loaded IKE secret for @mykeenetic.net
Mar 18 20:49:33 ipsec  00[CFG] loaded (5) secret for admin
Mar 18 20:49:33 ipsec  00[CFG] starting system time check, interval: 10s
Mar 18 20:49:33 ipsec  00[LIB] loaded plugins: charon random nonce openssl hmac attr kernel-netlink socket-default stroke updown eap-mschapv2 eap-dynamic xauth-generic xauth-eap error-notify systime-fix unity
Mar 18 20:49:33 ipsec  00[LIB] dropped capabilities, running as uid 65534, gid 65534
Mar 18 20:49:33 ipsec  04[CFG] received stroke: add connection 'VirtualIPServer'
Mar 18 20:49:33 ipsec  04[CFG] adding virtual IP address pool 20.0.0.1-20.0.0.65
Mar 18 20:49:33 ipsec

CONNECTION LOG:
Mar 18 20:56:54 ndm  Core::Syslog: the system log has been cleared.
Mar 18 20:56:56 ipsec  08[IKE] received NAT-T (RFC 3947) vendor ID
Mar 18 20:56:56 ipsec  08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 18 20:56:56 ipsec  08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 18 20:56:56 ipsec  08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 18 20:56:56 ipsec  08[IKE] received FRAGMENTATION vendor ID
Mar 18 20:56:56 ipsec  08[IKE] received DPD vendor ID
Mar 18 20:56:56 ipsec  08[IKE] 213.87.225.135 is initiating a Main Mode IKE_SA
Mar 18 20:56:56 ipsec  08[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024/#, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024/#, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024/#, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#
Mar 18 20:56:56 ipsec  08[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048/#
Mar 18 20:56:56 ipsec  08[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Mar 18 20:56:56 ipsec  08[IKE] sending XAuth vendor ID
Mar 18 20:56:56 ipsec  08[IKE] sending DPD vendor ID
Mar 18 20:56:56 ipsec  08[IKE] sending Cisco Unity vendor ID
Mar 18 20:56:56 ipsec  08[IKE] sending FRAGMENTATION vendor ID
Mar 18 20:56:56 ipsec  08[IKE] sending NAT-T (RFC 3947) vendor ID
Mar 18 20:56:59 ndm  UPnP::Manager: redirect and forward rules deleted: udp 61603.
Mar 18 20:56:59 ndm  UPnP::Manager: redirect and forward rules deleted: tcp 61603.
Mar 18 20:56:59 ipsec  10[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:02 ipsec  12[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:05 ipsec  04[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:08 ipsec  06[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:11 ipsec  08[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:14 ipsec  11[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:17 ipsec  13[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:20 ipsec  06[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:23 ipsec  08[IKE] received retransmit of request with ID 0, retransmitting response
Mar 18 20:57:26 ipsec  11[JOB] deleting half open IKE_SA with 213.87.225.135 after timeout

What is wrong?

L2TP UDP 1701, IKE UDP 500 and NAT-T UDP 4500 are all open and forwarded to the Zyxel.
The firewall is open from everyone to everyone... I can't get any connection from anywhere...

So thanks, everyone!
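The connection log above shows the two things a practitioner wants to read off a failed IKEv1 Main Mode exchange: which IKE proposals the two sides actually have in common (the peer offers only MODP_1024 groups, and also DES and MD5 entries, so the responder's MODP_2048 proposals can never be selected), and the stall pattern where the initiator keeps resending its first request while the responder resends its reply until the half-open IKE_SA is deleted. The following Python script is an added example, not code from the original post or from Keenetic/strongSwan. It parses charon's "received/configured/selected proposal(s)" lines, computes the shared proposals, flags legacy algorithms in the selected one, and counts the retransmits that precede the half-open deletion. The sample log lines are constructed from the pattern in the post, with shortened proposal lists and the hypothetical peer address 203.0.113.10 in place of the real one.

```python
"""Analyse an IKEv1 Main Mode exchange from strongSwan charon log lines.

Added example (not from the original post or from Keenetic/strongSwan).
The log lines below are constructed from the pattern in the post; the
peer address 203.0.113.10 is hypothetical.
"""
import re
from collections import Counter

# Legacy algorithms worth flagging when they appear in a negotiated proposal.
WEAK_TOKENS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5",
               "MODP_768", "MODP_1024"}

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured|selected) proposals?: (.+)$")
RETRANSMIT_RE = re.compile(r"received retransmit of request with ID (\d+)")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")

# Constructed sample, modelled on the charon output in the post.
SAMPLE_LOG = [
    "08[IKE] 203.0.113.10 is initiating a Main Mode IKE_SA",
    "08[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024/#, "
    "IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, "
    "IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#",
    "08[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, "
    "IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048/#",
    "08[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#",
    "10[IKE] received retransmit of request with ID 0, retransmitting response",
    "12[IKE] received retransmit of request with ID 0, retransmitting response",
    "04[IKE] received retransmit of request with ID 0, retransmitting response",
    "11[JOB] deleting half open IKE_SA with 203.0.113.10 after timeout",
]


def parse_proposals(field):
    """'IKE:A/B/C/#, IKE:D/E/F/#' -> ['A/B/C', 'D/E/F']."""
    proposals = []
    for item in field.split(","):
        item = item.strip()
        if item.startswith("IKE:"):
            item = item[len("IKE:"):]
        if item.endswith("/#"):
            item = item[:-2]
        if item:
            proposals.append(item)
    return proposals


def weak_algorithms(proposal):
    """Return the legacy algorithm names used by one proposal string."""
    names = {token.split("=")[0] for token in proposal.split("/")}
    return names & WEAK_TOKENS


def dh_groups(proposals):
    """Sorted set of Diffie-Hellman groups appearing in a list of proposals."""
    return sorted({tok for p in proposals for tok in p.split("/") if tok.startswith("MODP_")})


def analyse(lines):
    proposals = {"received": [], "configured": [], "selected": []}
    retransmits = Counter()
    half_open = []
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            proposals[m.group(1)].extend(parse_proposals(m.group(2)))
            continue
        m = RETRANSMIT_RE.search(line)
        if m:
            retransmits[int(m.group(1))] += 1
            continue
        m = HALF_OPEN_RE.search(line)
        if m:
            half_open.append(m.group(1))
    received = set(proposals["received"])
    # Proposals both sides accept, in the responder's preference order.
    common = [p for p in proposals["configured"] if p in received]
    weak = set()
    for p in proposals["selected"]:
        weak |= weak_algorithms(p)
    return {
        "selected": proposals["selected"],
        "common": common,
        "selected_in_common": all(p in common for p in proposals["selected"]),
        "peer_dh_groups": dh_groups(proposals["received"]),
        "weak_in_selected": sorted(weak),
        "retransmits": dict(retransmits),
        "half_open_peers": half_open,
        # Phase 1 was answered, but the initiator kept resending message 1
        # until the responder gave up: the reply did not reach, or was not
        # accepted by, the peer.
        "stalled_after_first_response": bool(half_open) and retransmits.get(0, 0) > 0,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real log, `peer_dh_groups` comes back as only MODP_1024 and `stalled_after_first_response` is true, which separates "no proposal in common" (the exchange would end with a NO_PROPOSAL_CHOSEN notify rather than a selected proposal) from "proposal selected, reply never acknowledged", the case in the post.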
Title: Re: IPsec connection fault?
Post by: mimugmail on March 18, 2018, 03:58:25 pm
And where is your OPNsense?
Title: Re: IPsec connection fault?
Post by: alexpebody on March 18, 2018, 04:05:11 pm
Sorry :)

Zyxel NDMS 2.11.C.0.0-1
Title: Re: IPsec connection fault?
Post by: alexpebody on March 21, 2018, 04:40:05 am
Solved: the Zyxel has a Virtual L2TP IPsec VPN and an L2TP over IPsec VPN. You need to use the L2TP over IPsec VPN :) because the IPsec one worked with XAuth only.