Messages - ric91

#1
Self-solved.

https://forum.opnsense.org/index.php?topic=20231 helped me out here.

At System - Firmware - Status I found the buttons for resolving plugin problems.

Still thanks for being there :-)
#2
Hi there
After upgrading 23.1.5_4 -> 23.1.7_3 I have installed Zabbix agent 6.2. The plugin automatically deinstalled my old Zabbix agent 5.4. The log shows:

2023-05-18T20:41:27+02:00 apu2.domain.tld pkg-static 61663 - [meta sequenceId="1"] opnsense upgraded: 23.1.5_4 -> 23.1.7_3
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="1"] os-zabbix54-agent-1.12 deinstalled
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="2"] zabbix54-agent-5.4.12 deinstalled
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="3"] zabbix62-agent-6.2.9 installed
2023-05-18T20:48:32+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="1"] os-zabbix62-agent-1.13_2 installed


Days later I noticed an error message at the plugin list:

os-zabbix54-agent (missing) N/A N/A N/A N/A

Info says: Sorry, plugin details are currently not available.

Additionally I noticed the Zabbix agent log ended at the time I installed Zabbix agent 6.2 and does not even show an entry for stopping the agent.

# tail /var/log/zabbix/zabbix_agentd.log
63551:20230518:204556.714 IPv6 support:          YES
63551:20230518:204556.714 TLS support:           YES
63551:20230518:204556.714 **************************
63551:20230518:204556.714 using configuration file: /usr/local/etc/zabbix_agentd.conf
63551:20230518:204556.715 agent #0 started [main process]
64096:20230518:204556.728 agent #3 started [listener #2]
63877:20230518:204556.730 agent #1 started [collector]
64177:20230518:204556.730 agent #4 started [listener #3]
63988:20230518:204556.732 agent #2 started [listener #1]
64208:20230518:204556.732 agent #5 started [active checks #1]


Fun fact: Zabbix server says Zabbix agent is still running there in version 5.4, and the process list on OPNsense shows it too.

So I restarted the OPNsense device and now I see both agents installed but missing:

os-zabbix6-agent (missing) 1.13_2 50.0KiB OPNsense Zabbix monitoring agent
os-zabbix54-agent (missing) N/A N/A N/A N/A


Seems I messed up some things. Is there any way to get rid of Zabbix agent 5.4 and clean install Zabbix agent 6.2?

Thanks in advance for any hint, Ric.
#3
Salute Franco, works perfectly.
Many thanks and best regards.
#4
First of all: please don't feel stressed Franco, the system is running fine except for that. I'm very thankful you try to help me out here.

Did a reboot and got the same result, source address is 0.0.0.0.

root@apu2:~ # opnsense-log | grep treating
<13>1 2023-03-01T09:01:14+01:00 apu2.domain.tld opnsense 32004 - [meta sequenceId="47"] /usr/local/etc/rc.routing_configure: ROUTING: treating '46.140.98.81' as far gateway for ''

#5
As a test I added an outbound NAT rule at WAN translating all sources 0.0.0.0 to WAN address and it worked.

I will enable this rule for doing updates only as I'm unsure about collateral damage of this setting. At least I'm able to do updates now and hopefully we will find the reason for this.
#6
You are right Franco, 24 hrs later the host route is gone and it looks like:

root@apu2:~ # /sbin/ping -4 -c '2' '8.8.8.8'
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

root@apu2:~ # /sbin/ping -4 -c '2' '89.149.211.205'
PING 89.149.211.205 (89.149.211.205): 56 data bytes

--- 89.149.211.205 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss


Is there anything I can do?
#7
We are getting nearer Franco.

I ran the shell command and restarted, after that I was able to update to OPNsense 23.1.1.

Restarted again and now I see the same thing as before: fetch timed out.

So I noticed another strange thing. When I ping 89.149.211.205 (pkg.opnsense.org) there will be 0.0.0.0 as a source and no answer. But when I ping 8.8.8.8 the source is my external interface address.

Ping has been done from console:

root@apu2:~ # /sbin/ping -4 -c '2' '89.149.211.205'
PING 89.149.211.205 (89.149.211.205): 56 data bytes
^C
--- 89.149.211.205 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

root@apu2:~ # /sbin/ping -4 -c '2' '8.8.8.8'
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=14.665 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=13.666 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss


Packet captures are attached.
#8
Hi Franco, many thanks for your answer.

Default gateway switching is disabled. And updates are not working.
Is there an alternative way to do the updates?
#9
Might be helpful:

root@apu2:~ # ifconfig | grep 0\\.0\\.0\\.0
syncpeer: 0.0.0.0 maxupd: 128 defer: off

root@apu2:~ # grep 0\\.0\\.0\\.0 /tmp/rules.debug
# block in log quick on igb0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on lo0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on openvpn inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
block in log quick on igb1 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "1eb94a38e58994641aff378c21d5984f" # Block private networks from WAN
# block in log quick on wg0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "665c1956a6710524f6ed96b27b8144f5" # Block private networks from WireGuard
# block in log quick on wireguard inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "86b9241a331e6d4aa0c7a30c2a2ea80c" # Block private networks from WireGuard (Group)
#10
I've done an update to version OPNsense 23.1_6-amd64 last week. After that I noticed errors when trying to fetch new updates:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1_6 at Mon Feb 27 08:49:43 CET 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...


I have done a lot of testing, switched mirrors, slept on it two nights and found out it might be a thing like https://forum.opnsense.org/index.php?topic=29992: all traffic from an unspecified interface left my OPNsense with IP 0.0.0.0 (Wireshark screenshot attached).

There are no manually added entries in the NAT section, outbound NAT is set to Hybrid.
All traffic is working fine. The only remarkable thing is the stuck update function.

It would be very nice if someone could help me out to find a solution for this. Please let me know what I can do to assist.

Thanks in advance, Ric.
#11
That's a real painful one. Thanks for opening my eyes!

:D
#12
I noticed the same error on two devices running on APU2.
#13
I have this error too:

py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.
pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:
python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed
>>> There are still missing dependencies.
>>> Try fixing them manually.


But when I try to remove it, it won't work:

# pkg remove p37-markupsafe
No packages matched for pattern 'p37-markupsafe'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing


Anything I can do here?
Thanks for your help.
#14
Maybe my experiences can be useful as I have done a lot of testing within the last weeks with WireGuard and iOS devices.

I set up my OPNsense firewall (version 19.7.8) as shown in the manual and couldn't get the all-traffic thing running. I've done a lot of debugging and found the wg0 interface gone as soon as I assign the interface as shown in step 2c of the manual.

Let me be a bit more detailed. My transfer network is 10.10.10.0 for WireGuard. My local part has 10.10.10.1 as an IP address. The iOS device is on 10.10.10.2.
My internal LAN network is 192.168.10.0.
I can ping 10.10.10.1 and 10.10.10.2 at the firewall, also packet tracing is possible, so I assume routing works.
When I enable the first step in 2c (assigning an interface) the routing stops. I can no longer ping any of the 10.10.10-addresses.
So I skip the first step in step 2c (assigning an interface to wg0) and all is working fine.

The setup now looks as follows:

Local Configuration:
Name: HomeCloud
Public Key: <Server Public Key>
Private Key: (hidden)
Listen Port: 51820
DNS Server: 192.168.10.1
Tunnel Address: 10.10.10.1/24
Peers: <Client 1>
Disable Routes: <Unchecked>

Endpoint:
Name: <Client 1>
Public Key: <Client 1 Public Key>
Allowed IPs:
10.10.10.2/32 - <Client 1 Address>

List Configuration Output:
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: <Client 1 Public Key>
  allowed ips: 10.10.10.2/32

Client Settings (Phone):
Interface
Name: HomeCloud
Public Key: <Client Public Key>
Addresses: 10.10.10.2/32
DNS Servers: 192.168.10.1

Peer
Public Key: <Server Public Key>
Endpoint: vpn.example.com:51820
Allowed IPs: 192.168.10.0/24,0.0.0.0/0
Persistent Keepalive: off

Firewall
NAT -> Port Forward
NO RULES

NAT -> Outbound
WAN   WireGuard net   *  *  *   WAN address   *   NO   Wireguard_Outbound

Rules -> WAN
IPv4   UDP  *  *   WAN address   51820  *  *   Wireguard_Inbound

Interfaces
No interface setup for wg0

System -> Gateway -> Single
No gateway set

So notice the differences, marked as underlined above.
Additionally, do not use 0.0.0.0 as an address range in the Allowed IPs within the endpoint configuration, this will route all your firewall traffic to your endpoint.
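The two mistakes this post warns about (a peer claiming 0.0.0.0/0 on the firewall side, which drags the firewall's own traffic into the tunnel, and two peers claiming overlapping ranges) can be caught before the config is applied. The following lint is an added example and is not code from the post, from OPNsense or from wireguard-tools; it reads the INI-style format that `wg showconf` emits, and the sample config is constructed to mirror the post's setup (hub 10.10.10.1/24, phone peer 10.10.10.2/32) plus one deliberately wrong second peer. The placeholder key values are assumptions, not real keys.

```python
"""Lint a WireGuard hub-side configuration for cryptokey-routing mistakes.

Added example, not from the forum post, the OPNsense project or
wireguard-tools. Input is the INI-style file format read by wg-quick.
"""
import ipaddress

# Constructed sample modelled on the post's setup; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
# HomeCloud hub side
PrivateKey = <hidden>
ListenPort = 51820
Address = 10.10.10.1/24

[Peer]
# Client 1 (phone)
PublicKey = <Client 1 Public Key>
AllowedIPs = 10.10.10.2/32

[Peer]
# A second peer whose AllowedIPs was copied from a *client* config by mistake
PublicKey = <Client 2 Public Key>
AllowedIPs = 10.10.10.3/32, 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) from INI-style text.

    Keys are case-insensitive in wg, so they are lower-cased here;
    '#' starts a comment.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None:
            raise ValueError(f"key outside of a section: {line}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def networks(value):
    """Split a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def lint_hub_config(text):
    """Return a list of (peer_index, kind, message) findings.

    kind is 'default-route' for a peer claiming 0.0.0.0/0 or ::/0, and
    'overlap' when a peer's range overlaps a range already claimed by an
    earlier peer (wg hands the range to whichever peer is set last).
    """
    _interface, peers = parse_wg_conf(text)
    findings = []
    claimed = []  # (network, owning peer index)
    for i, peer in enumerate(peers):
        for net in networks(peer.get("allowedips", "")):
            if net.prefixlen == 0:
                findings.append((i, "default-route",
                                 f"peer {i} claims {net}: every packet without a more "
                                 f"specific route, including the hub's own traffic, "
                                 f"would be sent into this tunnel"))
            for other, j in claimed:
                if j != i and net.overlaps(other):
                    findings.append((i, "overlap",
                                     f"peer {i} AllowedIPs {net} overlaps peer {j} "
                                     f"{other}; only the peer set last keeps the range"))
            claimed.append((net, i))
    return findings


if __name__ == "__main__":
    for index, kind, message in lint_hub_config(SAMPLE_CONF):
        print(f"[{kind}] {message}")
```

Run against a hub config exported with `wg showconf wg0`, the lint reports nothing for the post's working layout and two findings for the second, wrongly configured peer. A client-side config legitimately carries 0.0.0.0/0 in AllowedIPs (that is what routes all phone traffic through the tunnel), so the check is meant for the firewall side only.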
#15
Hi all

We have been using OPNsense for a few years now with OpenVPN clients.

For a new customer we tried to set up IPsec access, they only use Mac clients and so there should be no additional client software necessary.
Client is a MacBook Pro with macOS 10.13.6 installed.

So we set up a new appliance (APU2) with OPNsense 18.7.4 and added IPsec as described in

https://wiki.opnsense.org/manual/how-tos/ipsec-road.html.

Despite the missing field "Peer identifier", which has been explained here:
https://forum.opnsense.org/index.php?topic=3814.msg13466#msg13466
all setup has been done and checked twice.

But the tunnel will not come up.

The logfile looks like:


root@firewall:/ # cat /var/log/ipsec.log
Oct 15 13:42:45 firewall charon: 08[IKE] <con1|20> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:42:45 firewall charon: 08[NET] <con1|20> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:42:47 firewall charon: 08[NET] <21> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:47 firewall charon: 08[ENC] <21> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received FRAGMENTATION vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received XAuth vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received Cisco Unity vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received DPD vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
Oct 15 13:42:47 firewall charon: 08[ENC] <21> generating INFORMATIONAL_V1 request 176295956 [ N(NO_PROP) ]
Oct 15 13:42:47 firewall charon: 08[NET] <21> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[NET] <22> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:50 firewall charon: 07[ENC] <22> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received FRAGMENTATION vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received XAuth vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received Cisco Unity vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received DPD vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:50 firewall charon: 07[CFG] <22> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:50 firewall charon: 07[CFG] <22> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:50 firewall charon: 07[IKE] <22> no proposal found
Oct 15 13:42:50 firewall charon: 07[ENC] <22> generating INFORMATIONAL_V1 request 1006362778 [ N(NO_PROP) ]
Oct 15 13:42:50 firewall charon: 07[NET] <22> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[JOB] <con1|20> deleting half open IKE_SA with 213.196.002.002 after timeout
Oct 15 13:42:53 firewall charon: 07[NET] <23> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:53 firewall charon: 07[ENC] <23> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received FRAGMENTATION vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received XAuth vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received Cisco Unity vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received DPD vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:53 firewall charon: 07[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:53 firewall charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:53 firewall charon: 07[IKE] <23> no proposal found
Oct 15 13:42:53 firewall charon: 07[ENC] <23> generating INFORMATIONAL_V1 request 1019161556 [ N(NO_PROP) ]
Oct 15 13:42:53 firewall charon: 07[NET] <23> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <24> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <24> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <24> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:57 firewall charon: 07[CFG] <24> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:57 firewall charon: 07[IKE] <24> no proposal found
Oct 15 13:42:57 firewall charon: 07[ENC] <24> generating INFORMATIONAL_V1 request 2026880497 [ N(NO_PROP) ]
Oct 15 13:42:57 firewall charon: 07[NET] <24> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <25> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <25> looking for XAuthInitPSK peer configs matching 213.196.001.001...213.196.002.002[expert]
Oct 15 13:42:57 firewall charon: 07[CFG] <25> selected peer config "con1"
Oct 15 13:42:57 firewall charon: 07[ENC] <con1|25> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Oct 15 13:42:57 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:00 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:01 firewall charon: 07[IKE] <con1|25> sending retransmit 1 of response message ID 0, seq 1
Oct 15 13:43:01 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:03 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:06 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:08 firewall charon: 07[IKE] <con1|25> sending retransmit 2 of response message ID 0, seq 1
Oct 15 13:43:08 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:21 firewall charon: 07[IKE] <con1|25> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:43:21 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.184.130[500] (412 bytes)
Oct 15 13:43:27 firewall charon: 06[JOB] <con1|25> deleting half open IKE_SA with 213.196.002.002 after timeout


The config file looks like:

cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 213.196.001.001
  right = %any
  leftid = 213.196.001.001
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 10.8.4.0/24
  ike = aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-generic
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1!
  auto = add


Is there any way to get IPsec working in 18.7.4?

Thanks a lot for your help.
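The log in this post already contains the answer: charon prints the proposals the client offered and the one the firewall is configured with, and the only difference between the closest pair is the DH group (MODP_2048 offered versus MODP_1024 configured), hence "no proposal found". The script below is an added example, not code from the post, from strongSwan or from OPNsense; it parses those two log lines and names the component that does not match, so the operator can fix the Phase 1 settings instead of reading the log by hand. The sample lines are constructed from the post's output, and the component names (encryption, integrity, prf, dh_group) are an assumption about the usual order of an IKE proposal string.

```python
"""Find why an IKE proposal negotiation failed from strongSwan charon log lines.

Added example, not from the forum post, strongSwan or OPNsense. It reads the
"received proposals" / "configured proposals" lines and, when no proposal is
common to both sides, reports which components of the closest pair differ.
"""
import re

# Constructed sample, modelled on the post's ipsec.log.
SAMPLE_LOG = """\
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
"""

PROPOSAL_RE = re.compile(
    r"\[CFG\] <(?P<sa>[^>]+)> (?P<kind>received|configured) proposals: (?P<list>.+)$"
)
# Assumed order of the components in an IKE proposal string.
COMPONENT_NAMES = ("encryption", "integrity", "prf", "dh_group")


def split_proposal(text):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> tuple of components."""
    body = text.split(":", 1)[1] if ":" in text else text
    return tuple(body.strip().split("/"))


def parse_proposals(log_text):
    """Return {ike_sa_id: {'received': [...], 'configured': [...]}}."""
    sas = {}
    for line in log_text.splitlines():
        match = PROPOSAL_RE.search(line)
        if not match:
            continue
        proposals = [split_proposal(p) for p in match.group("list").split(",")]
        sas.setdefault(match.group("sa"), {})[match.group("kind")] = proposals
    return sas


def analyse(entry):
    """Compare received and configured proposals of one IKE_SA.

    Returns {'common': [...], 'closest': (configured, received) or None,
             'differences': {component_name: (configured_value, received_value)}}.
    """
    received = entry.get("received", [])
    configured = entry.get("configured", [])
    common = [p for p in configured if p in received]
    result = {"common": common, "closest": None, "differences": {}}
    if common:
        return result
    best = None  # (number of equal components, configured, received)
    for conf in configured:
        for recv in received:
            if len(conf) != len(recv):
                continue
            score = sum(a == b for a, b in zip(conf, recv))
            if best is None or score > best[0]:
                best = (score, conf, recv)
    if best is not None:
        _, conf, recv = best
        names = COMPONENT_NAMES if len(conf) == len(COMPONENT_NAMES) \
            else tuple(f"component{i}" for i in range(len(conf)))
        result["closest"] = (conf, recv)
        result["differences"] = {
            name: (a, b) for name, a, b in zip(names, conf, recv) if a != b
        }
    return result


if __name__ == "__main__":
    for sa_id, entry in parse_proposals(SAMPLE_LOG).items():
        report = analyse(entry)
        if report["common"]:
            print(f"IKE_SA {sa_id}: matching proposal {'/'.join(report['common'][0])}")
        else:
            print(f"IKE_SA {sa_id}: no common proposal; closest pair differs in:")
            for name, (conf, recv) in report["differences"].items():
                print(f"  {name}: configured {conf}, client offered {recv}")
```

Fed the post's log, the report singles out dh_group as the only mismatch, which is what a practitioner would change in the Phase 1 configuration. The same parser handles an ESP proposal line, although the component names are then positional.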