OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: ric91 on October 15, 2018, 02:02:14 pm

Title: 18.7.4 - IPsec and macos clients not working
Post by: ric91 on October 15, 2018, 02:02:14 pm
Hi all

We have been using OPNsense with OpenVPN clients for a few years now.

For a new customer we tried to set up IPsec access; they only use Mac clients, so no additional client software should be necessary.
The client is a MacBook Pro with macOS 10.13.6 installed.

So we set up a new appliance (APU2) with OPNsense 18.7.4 and added IPsec as described in

https://wiki.opnsense.org/manual/how-tos/ipsec-road.html.

Despite the missing field "Peer identifier", which has been explained here:
https://forum.opnsense.org/index.php?topic=3814.msg13466#msg13466
the whole setup has been done and checked twice.

But the tunnel will not come up.

The logfile looks like:

root@firewall:/ # cat /var/log/ipsec.log
Oct 15 13:42:45 firewall charon: 08[IKE] <con1|20> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:42:45 firewall charon: 08[NET] <con1|20> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:42:47 firewall charon: 08[NET] <21> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:47 firewall charon: 08[ENC] <21> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received FRAGMENTATION vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received XAuth vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received Cisco Unity vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received DPD vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
Oct 15 13:42:47 firewall charon: 08[ENC] <21> generating INFORMATIONAL_V1 request 176295956 [ N(NO_PROP) ]
Oct 15 13:42:47 firewall charon: 08[NET] <21> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[NET] <22> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:50 firewall charon: 07[ENC] <22> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received FRAGMENTATION vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received XAuth vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received Cisco Unity vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received DPD vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:50 firewall charon: 07[CFG] <22> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:50 firewall charon: 07[CFG] <22> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:50 firewall charon: 07[IKE] <22> no proposal found
Oct 15 13:42:50 firewall charon: 07[ENC] <22> generating INFORMATIONAL_V1 request 1006362778 [ N(NO_PROP) ]
Oct 15 13:42:50 firewall charon: 07[NET] <22> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[JOB] <con1|20> deleting half open IKE_SA with 213.196.002.002 after timeout
Oct 15 13:42:53 firewall charon: 07[NET] <23> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:53 firewall charon: 07[ENC] <23> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received FRAGMENTATION vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received XAuth vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received Cisco Unity vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received DPD vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:53 firewall charon: 07[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:53 firewall charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:53 firewall charon: 07[IKE] <23> no proposal found
Oct 15 13:42:53 firewall charon: 07[ENC] <23> generating INFORMATIONAL_V1 request 1019161556 [ N(NO_PROP) ]
Oct 15 13:42:53 firewall charon: 07[NET] <23> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <24> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <24> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <24> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:57 firewall charon: 07[CFG] <24> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:57 firewall charon: 07[IKE] <24> no proposal found
Oct 15 13:42:57 firewall charon: 07[ENC] <24> generating INFORMATIONAL_V1 request 2026880497 [ N(NO_PROP) ]
Oct 15 13:42:57 firewall charon: 07[NET] <24> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <25> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <25> looking for XAuthInitPSK peer configs matching 213.196.001.001...213.196.002.002[expert]
Oct 15 13:42:57 firewall charon: 07[CFG] <25> selected peer config "con1"
Oct 15 13:42:57 firewall charon: 07[ENC] <con1|25> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Oct 15 13:42:57 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:00 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:01 firewall charon: 07[IKE] <con1|25> sending retransmit 1 of response message ID 0, seq 1
Oct 15 13:43:01 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:03 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:06 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:08 firewall charon: 07[IKE] <con1|25> sending retransmit 2 of response message ID 0, seq 1
Oct 15 13:43:08 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:21 firewall charon: 07[IKE] <con1|25> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:43:21 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.184.130[500] (412 bytes)
Oct 15 13:43:27 firewall charon: 06[JOB] <con1|25> deleting half open IKE_SA with 213.196.002.002 after timeout

The config file looks like:
cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 213.196.001.001
  right = %any
  leftid = 213.196.001.001
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 10.8.4.0/24
  ike = aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-generic
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1!
  auto = add

Is there any way to get IPsec working in 18.7.4?

Thanks a lot for your help.
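As an added illustration (not part of ric91's post, and not OPNsense or strongSwan tooling), here is a small Python checker that reads the "received proposals" / "configured proposals" lines charon logs before "no proposal found" and reports which transform slot never overlaps between peer and local config. The function names and the embedded sample are constructed here; the sample lines are copied from the log excerpt above, where the checker isolates the DH group (MODP_2048 offered by the Mac, MODP_1024 configured on the firewall).

```python
import re
from typing import Dict, List

# Constructed sample: three charon lines copied from the post's ipsec.log excerpt.
SAMPLE_LOG = """\
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
"""

# charon prefixes each line with the IKE_SA id in angle brackets (<21> or <con1|25>).
PROPOSAL_RE = re.compile(r"<(?P<sa>[^>]+)> (?P<kind>received|configured) proposals: (?P<plist>.+)$")
NO_PROP_RE = re.compile(r"<(?P<sa>[^>]+)> no proposal found")
# Slot order in an IKEv1 proposal string "IKE:enc/integ/prf/dh".
SLOTS = ("encryption", "integrity", "prf", "dh_group")

def parse_proposals(text: str) -> List[str]:
    """Split 'IKE:a/b/c/d, IKE:e/f/g/h' into a list of proposal strings."""
    return [p.strip() for p in text.split(",") if p.strip()]

def transforms(proposals: List[str], slot: int) -> set:
    """Collect the transform in the given slot across all proposals."""
    return {p.split(":", 1)[1].split("/")[slot] for p in proposals}

def explain(sa: dict) -> dict:
    """Full proposals both sides share, plus each slot where the peer's
    offers and the local config have nothing in common."""
    received, configured = sa.get("received", []), sa.get("configured", [])
    out: dict = {"common": sorted(set(received) & set(configured))}
    for i, slot in enumerate(SLOTS):
        offered, local = transforms(received, i), transforms(configured, i)
        if not offered & local:
            out[slot] = {"peer": sorted(offered), "local": sorted(local)}
    if not out["common"] and len(out) == 1:
        out["note"] = "every slot overlaps, but no single proposal matches all four"
    return out

def analyze(log: str) -> Dict[str, dict]:
    """Group proposal lines per IKE_SA and attach a 'mismatch' explanation
    when charon reports 'no proposal found' for that SA."""
    sas: Dict[str, dict] = {}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            sas.setdefault(m["sa"], {})[m["kind"]] = parse_proposals(m["plist"])
        elif (m := NO_PROP_RE.search(line)) and m["sa"] in sas:
            sas[m["sa"]]["mismatch"] = explain(sas[m["sa"]])
    return sas
```

Feed it the whole /var/log/ipsec.log to see every SA that was rejected at the proposal stage and exactly which slot (cipher, integrity, PRF or DH group) the two sides never agree on.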