Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - ric91

Pages: [1]

23.1 Legacy Series / Re: Zabbix agent 5.4 deinstalled but error shown

« on: May 23, 2023, 10:15:06 am »

Selfsolved.

https://forum.opnsense.org/index.php?topic=20231 helped me out here.

At System - Firmware - Status I found the buttons for resolving plugin problems.

Still thanks for being there :-)

23.1 Legacy Series / [Solved] Zabbix agent 5.4 deinstalled but error shown

« on: May 22, 2023, 02:54:58 pm »

Hi there
After upgrading 23.1.5_4 -> 23.1.7_3 I have installed Zabbix agent 6.2. The plugin automatically deinstalled my old Zabbix agent 5.4. The log shows:

Code: [Select]

2023-05-18T20:41:27+02:00 apu2.domain.tld pkg-static 61663 - [meta sequenceId="1"] opnsense upgraded: 23.1.5_4 -> 23.1.7_3
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="1"] os-zabbix54-agent-1.12 deinstalled
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="2"] zabbix54-agent-5.4.12 deinstalled
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="3"] zabbix62-agent-6.2.9 installed
2023-05-18T20:48:32+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="1"] os-zabbix62-agent-1.13_2 installed

Days later I noticed an error message at the plugin list:

Code: [Select]

os-zabbix54-agent (missing) N/A N/A N/A N/A
Info says: Sorry, plugin details are currently not available.

Additionally I noticed the Zabbix agent log ended at the time I installed Zabbix agent 6.2 and not even show an entry for stopping the agent.

Code: [Select]

# tail /var/log/zabbix/zabbix_agentd.log
 63551:20230518:204556.714 IPv6 support:          YES
 63551:20230518:204556.714 TLS support:           YES
 63551:20230518:204556.714 **************************
 63551:20230518:204556.714 using configuration file: /usr/local/etc/zabbix_agentd.conf
 63551:20230518:204556.715 agent #0 started [main process]
 64096:20230518:204556.728 agent #3 started [listener #2]
 63877:20230518:204556.730 agent #1 started [collector]
 64177:20230518:204556.730 agent #4 started [listener #3]
 63988:20230518:204556.732 agent #2 started [listener #1]
 64208:20230518:204556.732 agent #5 started [active checks #1]

Fun fact Zabbix server says Zabbix agent ist still running there in version 5.4., process list on opnsense too.

So I restarted the OPNsense device and now I see both agents installed but missing:

Code: [Select]

os-zabbix6-agent (missing)	1.13_2	50.0KiB	OPNsense	Zabbix monitoring agent	
os-zabbix54-agent (missing)	N/A	N/A	N/A	N/A

Seems I messed up some things. Is there any way to get rid of Zabbix agent 5.4 and clean install Zabbix agent 6.2?

Thanks in advance for any hint, Ric.

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: March 01, 2023, 10:09:34 am »

Salute Franco, works perfectly.
Many thanks and best regards.

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: March 01, 2023, 09:11:26 am »

First of all: please don't feel stressed Franco, system is running fine except of that. I'm very thankful you try to help me out there.

Done a reboot and get the same result, source address is 0.0.0.0.

Code: [Select]

root@apu2:~ # opnsense-log | grep treating
<13>1 2023-03-01T09:01:14+01:00 apu2.domain.tld opnsense 32004 - [meta sequenceId="47"] /usr/local/etc/rc.routing_configure: ROUTING: treating '46.140.98.81' as far gateway for ''

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: February 28, 2023, 09:00:22 pm »

As a test I added an outbound NAT rule at WAN translating all sources 0.0.0.0 to WAN address and it worked.

I will enable this rule for doing updates only as I'm unsure about collateral damages of this setting. At least I'm able to do updates now and hopefully we will found the reason for this.

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: February 28, 2023, 08:48:32 pm »

You are right Franco, 24 hrs later the host route is gone and it looks like:

Code: [Select]

root@apu2:~ # /sbin/ping -4 -c '2' '8.8.8.8'
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

root@apu2:~ # /sbin/ping -4 -c '2' '89.149.211.205'
PING 89.149.211.205 (89.149.211.205): 56 data bytes

--- 89.149.211.205 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Is there anything I can do?

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: February 27, 2023, 11:53:35 am »

We are getting nearer Franco.

I ran the shell command and restarted, after that I was able to update to OPNsense 23.1.1.

Restarted again and now I see the same thing as before: fetch timed out.

So I noticed another strange thing. When I ping 89.149.211.205 (pkg.opnsense.org) there will be 0.0.0.0 as a source and no answer. But when I ping 8.8.8.8 the source is my external interface address.

Ping has been done from console:

Code: [Select]

root@apu2:~ # /sbin/ping -4 -c '2' '89.149.211.205'
PING 89.149.211.205 (89.149.211.205): 56 data bytes
^C
--- 89.149.211.205 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

root@apu2:~ # /sbin/ping -4 -c '2' '8.8.8.8'
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=14.665 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=13.666 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss

Packet captures are attached.

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: February 27, 2023, 10:48:04 am »

Hi Franco, many thanks for your answer.

Default gateway switching is disabled. And updates are not working.
Is there an alternative way to do the updates?

23.1 Legacy Series / Re: Outbound traffic on unspecified interface sent from 0.0.0.0

« on: February 27, 2023, 10:21:01 am »

Might be helpful:

Code: [Select]

root@apu2:~ # ifconfig | grep 0\\.0\\.0\\.0
	syncpeer: 0.0.0.0 maxupd: 128 defer: off

root@apu2:~ # grep 0\\.0\\.0\\.0 /tmp/rules.debug
# block in log quick on igb0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on lo0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on openvpn inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
block in log quick on igb1 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "1eb94a38e58994641aff378c21d5984f" # Block private networks from WAN
# block in log quick on wg0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "665c1956a6710524f6ed96b27b8144f5" # Block private networks from WireGuard
# block in log quick on wireguard inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "86b9241a331e6d4aa0c7a30c2a2ea80c" # Block private networks from WireGuard (Group)

23.1 Legacy Series / [SOLVED] Outbound traffic on unspecified interface sent from 0.0.0.0

« on: February 27, 2023, 10:18:39 am »

I've done an update to version OPNsense 23.1_6-amd64 last week. After that I noticed erros when trying to fetch new updates:

Code: [Select]

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1_6 at Mon Feb 27 08:49:43 CET 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...

I have done a lot of testing, switched mirrors, slept on it two nights and found out it might be a thing like https://forum.opnsense.org/index.php?topic=29992, all traffic from unspecified interface left my opnsense with IP 0.0.0.0 (Wireshark screenshot attached).

There are no manual added entries in the NAT section, outbound NAT is set to Hybrid.
All traffic is working fine. The only remarkable thing is the stuck update function.

It would be very nice if someone could help me out to find a solutiuon for this. Please let me know what I can do to assist.

Thanks in advance, Ric.

22.1 Legacy Series / Re: py37-markupsafe still exist after 22.1 update

« on: March 30, 2022, 10:47:39 am »

That's a real painful one. Thanks for open my eyes!

22.1 Legacy Series / Re: py37-markupsafe still exist after 22.1 update

« on: March 25, 2022, 06:28:13 pm »

I noticed the same error on two devices running on APU2.

22.1 Legacy Series / Re: py37-markupsafe still exist after 22.1 update

« on: March 25, 2022, 05:52:11 pm »

I have this error too:

Code: [Select]

py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.
pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:
python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed
>>> There are still missing dependencies.
>>> Try fixing them manually.

But when I try to remove it won't work:

Code: [Select]

# pkg remove p37-markupsafe
No packages matched for pattern 'p37-markupsafe'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing

Anything I can do here?
Thanks for your help.

19.7 Legacy Series / Re: Some troubles with my wireguard setup - changes between 19.1 and 19.7?

« on: January 02, 2020, 11:03:44 am »

Maybe my experiences can be useful as I done a lot of testing witihn the last weeks with Wireguard and iOS devices.

I set up my OPNsense firewall ( version 19.7.8 ) as shown on the manual and couldn't get the all-traffic-thing running. I've done a lot of debugging and found the wg0-interface gone as soon as I assign the interface as shown in step 2c at the manual.

Let me be a bit more detailed. My transfer network is 10.10.10.0 for Wireguard. My local part has 10.10.10.1 as an ip address. The iOS device is on 10.10.10.2.
My internal LAN network is 192.168.10.0.
I can ping 10.10.10.1 and 10.10.10.2 at the firewall, also paket tracing is possible, so I assume routing works.
When I enable the first step in 2c (assigning an interface) the routing stops. I can no longer ping any of the 10.10.10-addresses.
So I skip the first step in step 2c (assigning an interface to wg0) and all is working fine.

The setup now looks as follows:

Local Configuration:
Name: HomeCloud
Public Key: <Server Public Key>
Private Key: (hidden)
Listen Port: 51820
DNS Server: 192.168.10.1
Tunnel Address: 10.10.10.1/24
Peers: <Client 1>
Disable Routes: <Unchecked>

Endpoint:
Name: <Client 1>
Public Key: <Client 1 Public Key>
Allowed IPs:
10.10.10.2/32 - <Client 1 Address>

List Configuration Output:
interface: wg0
public key: (hidden)
private key: (hidden)
listening port: 51820

peer: <Client 1 Public Key>
allowed ips: 10.10.10.2/32

Client Settings (Phone):
Interface
Name: HomeCloud
Public Key: <Client Public Key>
Addresses: 10.10.10.2/32
DNS Servers: 192.168.10.1

Peer
Public Key: <Server Public Key>
Endpoint: vpn.example.com:51820
Allowed IPs: 192.168.10.0/24,0.0.0.0/0
Persistent Keepalive: off

Firewall
NAT -> Port Forward
NO RULES

NAT -> Outbound
WAN WireGuard net * * * WAN address * NO Wireguard_Outbound

Rules -> WAN
IPv4 UDP * * WAN address 51820 * * Wireguard_Inbound

Interfaces
No interface setup for wg0

System -> Gateway -> Single
No gateway set

So notice the differences, marked as underlined above.
Additionally do not use 0.0.0.0 as a address range at the Allowed IPs within the endpoint configuration, this will route all your firewall traffic to your endpoint.

18.7 Legacy Series / 18.7.4 - IPsec and macos clients not working

« on: October 15, 2018, 02:02:14 pm »

Hi all

We use OPNsense a few years now with OpenVPN clients.

For a new customer we tried to set up IPsec access, they only use Mac-clients and so there should be no additional client software necessary.
Client is a MacBook Pro with macos 10.13.6 installed.

So we set up a new appliance (APU2) with OPNsense 18.7.4 and added IPsec as described in

https://wiki.opnsense.org/manual/how-tos/ipsec-road.html.

Despite of the missing field "Peer identifier" which has been explained here:
https://forum.opnsense.org/index.php?topic=3814.msg13466#msg13466
all setup has been done and checked twice.

But the tunnel will not come up.

The logfile looks like:

Code: [Select]

root@firewall:/ # cat /var/log/ipsec.log
Oct 15 13:42:45 firewall charon: 08[IKE] <con1|20> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:42:45 firewall charon: 08[NET] <con1|20> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:42:47 firewall charon: 08[NET] <21> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:47 firewall charon: 08[ENC] <21> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received FRAGMENTATION vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received XAuth vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received Cisco Unity vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received DPD vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
Oct 15 13:42:47 firewall charon: 08[ENC] <21> generating INFORMATIONAL_V1 request 176295956 [ N(NO_PROP) ]
Oct 15 13:42:47 firewall charon: 08[NET] <21> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[NET] <22> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:50 firewall charon: 07[ENC] <22> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received FRAGMENTATION vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received XAuth vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received Cisco Unity vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received DPD vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:50 firewall charon: 07[CFG] <22> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:50 firewall charon: 07[CFG] <22> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:50 firewall charon: 07[IKE] <22> no proposal found
Oct 15 13:42:50 firewall charon: 07[ENC] <22> generating INFORMATIONAL_V1 request 1006362778 [ N(NO_PROP) ]
Oct 15 13:42:50 firewall charon: 07[NET] <22> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[JOB] <con1|20> deleting half open IKE_SA with 213.196.002.002 after timeout
Oct 15 13:42:53 firewall charon: 07[NET] <23> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:53 firewall charon: 07[ENC] <23> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received FRAGMENTATION vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received XAuth vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received Cisco Unity vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received DPD vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:53 firewall charon: 07[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:53 firewall charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:53 firewall charon: 07[IKE] <23> no proposal found
Oct 15 13:42:53 firewall charon: 07[ENC] <23> generating INFORMATIONAL_V1 request 1019161556 [ N(NO_PROP) ]
Oct 15 13:42:53 firewall charon: 07[NET] <23> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <24> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <24> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <24> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:57 firewall charon: 07[CFG] <24> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:57 firewall charon: 07[IKE] <24> no proposal found
Oct 15 13:42:57 firewall charon: 07[ENC] <24> generating INFORMATIONAL_V1 request 2026880497 [ N(NO_PROP) ]
Oct 15 13:42:57 firewall charon: 07[NET] <24> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <25> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <25> looking for XAuthInitPSK peer configs matching 213.196.001.001...213.196.002.002[expert]
Oct 15 13:42:57 firewall charon: 07[CFG] <25> selected peer config "con1"
Oct 15 13:42:57 firewall charon: 07[ENC] <con1|25> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Oct 15 13:42:57 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:00 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:01 firewall charon: 07[IKE] <con1|25> sending retransmit 1 of response message ID 0, seq 1
Oct 15 13:43:01 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:03 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:06 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:08 firewall charon: 07[IKE] <con1|25> sending retransmit 2 of response message ID 0, seq 1
Oct 15 13:43:08 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:21 firewall charon: 07[IKE] <con1|25> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:43:21 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.184.130[500] (412 bytes)
Oct 15 13:43:27 firewall charon: 06[JOB] <con1|25> deleting half open IKE_SA with 213.196.002.002 after timeout

The config file looks like:

Code: [Select]

cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 213.196.001.001
  right = %any
  leftid = 213.196.001.001
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 10.8.4.0/24
  ike = aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-generic
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1!
  auto = add

Is there any way to get IPsec working in 18.7.4?

Thanks a lot for your help.

Pages: [1]