17.7 Legacy Series / Re: IPsec (IKEv2) via OPNsense and MikroTik
« on: November 14, 2017, 06:26:42 am »
Thank you. The problem really was with "politics."
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 XI src-address=192.168.88.0/24 src-port=any dst-address=192.168.99.0/24 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=10.58.22.1 sa-dst-address=10.58.22.2 proposal=test ph2-count=0
1 T group=test src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=test template=yes
2 DA src-address=10.58.22.1/32 src-port=any dst-address=10.58.22.2/32 dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=10.58.22.1 sa-dst-address=10.58.22.2 proposal=test ph2-count=1
/ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0 src-address=10.58.22.1:5 dst-address=10.58.22.2:1 state=larval add-lifetime=0s/30s replay=0
/log print
18:00:37 ipsec,error no proposal chosen
18:12:40 ipsec,info killing ike2 SA: 10.58.22.1[4500]-10.58.22.2[4500] spi:0aebd3e888ffbd8c:eb3d798833168faf
18:12:45 ipsec,info new ike2 SA (I): 10.58.22.1[4500]-10.58.22.2[4500] spi:69e2d179b2a2e9f9:697e0487c7b3d3fe
18:12:45 ipsec,info peer authorized: 10.58.22.1[4500]-10.58.22.2[4500] spi:69e2d179b2a2e9f9:697e0487c7b3d3fe
Nov 13 15:13:00 OPNsense charon: 15[CFG] received stroke: add connection 'con1'
Nov 13 15:13:00 OPNsense charon: 15[CFG] added configuration 'con1'
Nov 13 15:13:00 OPNsense charon: 14[CFG] received stroke: route 'con1'
Nov 13 15:13:00 OPNsense charon: 14[CHD] CHILD_SA con1{1} state change: CREATED => ROUTED
Nov 13 15:13:02 OPNsense charon: 14[MGR] checkout IKEv2 SA by message with SPIs 69e2d179b2a2e9f9_i 0000000000000000_r
Nov 13 15:13:02 OPNsense charon: 14[MGR] created IKE_SA (unnamed)[1]
Nov 13 15:13:02 OPNsense charon: 14[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (424 bytes)
Nov 13 15:13:02 OPNsense charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Nov 13 15:13:02 OPNsense charon: 14[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 15:13:02 OPNsense charon: 14[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 15:13:02 OPNsense charon: 14[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Nov 13 15:13:02 OPNsense charon: 14[IKE] faking NAT situation to enforce UDP encapsulation
                 +----------+                     +----------+
192.168.99.0/24 3| OPNsense |2   10.58.22.0/30   1| MikroTik |   192.168.88.0/24
             +---|__________|---------------------|__________|---+
             |                                                   |
            2|                                                  2|
         +-------+                                           +-------+
         | HOST1 |                                           | HOST2 |
         +-------+                                           +-------+
10.58.22.1/30 10.58.22.0 ether1
192.168.88.1/24 192.168.88.0 ether2-master
3 chain=input action=accept protocol=udp dst-port=500
4 chain=input action=accept protocol=udp dst-port=4500
5 chain=input action=accept protocol=ipsec-esp log=no
9 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.99.0/24
1 chain=srcnat action=masquerade out-interface=ether1
name="test" auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=30m pfs-group=modp2048
address=10.58.22.2/32 auth-method=pre-shared-key secret="test" generate-policy=port-strict policy-template-group=test exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=modp2048 dpd-interval=2m
group=test src-address=192.168.88.0/24 dst-address=192.168.99.0/24 protocol=all proposal=test template=yes
test
.....................
.....................
15:42:17 ipsec,info new ike2 SA (I): 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:17 ipsec,info peer authorized: 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:34 ipsec,error no proposal chosen
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug="chd 4"

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 10.58.22.2
  right = 10.58.22.1
  leftid = 10.58.22.2
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 10.58.22.1
  rightsubnet = 192.168.88.0/24
  leftsubnet = 192.168.99.0/24
  esp = aes256-sha512-modp2048,aes256gcm16-sha512-modp2048!
  auto = route
Status of IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64):
uptime: 2 minutes, since Nov 13 13:50:58 2017
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Listening IP addresses:
192.168.99.3
10.58.22.2
Connections:
con1: 10.58.22.2...10.58.22.1 IKEv2
con1: local: [10.58.22.2] uses pre-shared key authentication
con1: remote: [10.58.22.1] uses pre-shared key authentication
con1: child: 192.168.99.0/24 === 192.168.88.0/24 TUNNEL
Routed Connections:
con1{1}: ROUTED, TUNNEL, reqid 1
con1{1}: 192.168.99.0/24 === 192.168.88.0/24
Security Associations (1 up, 0 connecting):
con1[2]: ESTABLISHED 2 minutes ago, 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
con1[2]: IKEv2 SPIs: 8151fd73911c4573_i ce875f1011cf37df_r*, pre-shared key reauthentication in 7 hours
con1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Nov 13 09:49:40 OPNsense charon: 00[IKE] sending DELETE for IKE_SA con1[1]
Nov 13 09:49:40 OPNsense charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Nov 13 09:49:40 OPNsense charon: 00[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:40 OPNsense charon: 00[CHD] CHILD_SA con1{1} state change: ROUTED => DESTROYING
Nov 13 09:49:42 OPNsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64)
Nov 13 09:49:42 OPNsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 13 09:49:42 OPNsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded IKE secret for 10.58.22.1
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded IKE secret for test
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 09:49:42 OPNsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Nov 13 09:49:42 OPNsense charon: 00[JOB] spawning 16 worker threads
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: add connection 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] added configuration 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: route 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CHD] CHILD_SA con1{1} state change: CREATED => ROUTED
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (424 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] faking NAT situation to enforce UDP encapsulation
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (440 bytes)
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (432 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
Nov 13 09:49:46 OPNsense charon: 16[CFG] looking for peer configs matching 10.58.22.2[%any]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[CFG] selected peer config 'con1'
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.1' with pre-shared key successful
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.2' (myself) with pre-shared key
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] scheduling reauthentication in 28209s
Nov 13 09:49:46 OPNsense charon: 16[IKE] maximum IKE_SA lifetime 28749s
Nov 13 09:49:46 OPNsense charon: 16[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:46 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (192 bytes)
Nov 13 09:49:55 OPNsense charon: 16[KNL] creating acquire job for policy 10.58.22.2/32 === 10.58.22.1/32 with reqid {1}
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[ENC] generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Nov 13 09:49:55 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (576 bytes)
Nov 13 09:49:56 OPNsense charon: 13[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (496 bytes)
Nov 13 09:49:56 OPNsense charon: 13[ENC] parsed CREATE_CHILD_SA request 2 [ No KE SA TSi TSr ]
Nov 13 09:49:56 OPNsense charon: 13[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:56 OPNsense charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 13[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Nov 13 09:49:56 OPNsense charon: 13[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:56 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (240 bytes)
Nov 13 09:49:56 OPNsense charon: 16[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 13 09:49:56 OPNsense charon: 16[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 13 09:49:56 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 16[CHD] CHILD_SA con1{2} state change: CREATED => DESTROYING