Messages - Sven-J

#1
German - Deutsch / Re: Error crashes the system
September 22, 2019, 03:08:54 PM
Quote from: dominik on September 22, 2019, 01:28:48 PM
Hello,
the following error crashes the system!

configd.py: [fe6645ea-e72b-4b57-875e-824cd67502a5] Script action failed with Command '/usr/local/opnsense/scripts/filter/read_log.py /limit '100' /digest ''' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/filter/read_log.py /limit '100' /digest ''' returned non-zero exit status 1.

The message is written to the error log more than a thousand times, which fills up the hard disk, and the RAM when the log is read.

Could you look into this problem? The firewall has been pretty much unusable since this error appeared. Just opening the Lobby already crashes the firewall.

Thank you,
Hello!

The forum is not a bug tracker! Please go to GitHub and report it there!

Best regards
Sven-Jendrik

Sent from my SM-N950F using Tapatalk

#2
German - Deutsch / Re: Allowing MS Teams
September 03, 2019, 01:24:05 PM
Hello!

What is the question?

Best regards
Sven-Jendrik
#3
Quote from: mimugmail on September 03, 2019, 06:45:23 AM
A few things:
- Why respond-only when you have "MyAddress" as the peer identifier? That makes no sense. Does one side have dynamic IPs?
- Why IKE auto? If you control both sides, go straight to v2.
- Throw out the Blowfish etc. nonsense; AES256, SHA256 .. that is enough, not crackable.
- PFS in P2 must be at least 5, really 14 .. otherwise you might as well send the data in plain (at least if you are afraid of the authorities)
- automatically ping host and "Start Immediate" conflict in some combinations, e.g. Sophos-OPNsense

Hello!

Yep, at home I have a dynamic IP - for now!

I changed it to v2.
I have now also changed PFS and thrown out Blowfish etc. Now I only have AES256, SHA256 and PFS group 14.

Disable MOBIKE was the solution; after I did that on both sides, it no longer wants certs.
#4
German - Deutsch / Re: unbound DNS override - Port?
September 03, 2019, 10:41:00 AM
Quote from: DeepB on September 03, 2019, 07:59:02 AM
Yes, that makes sense, I could have noticed that myself.

I actually already have an nginx reverse proxy running.

But I still have to create the DNS override service1.home.lan --> nginx-ip, is that right?

thanks
Daniel

YEP ;)
#5
German - Deutsch / Re: unbound DNS override - Port?
September 02, 2019, 10:36:04 PM
Hello!

Not at all. What you can do, though, is use a web server, for example Apache, as a reverse proxy; there you can then specify that.

Best regards
Sven-Jendrik
#6
Hello everyone!

The following scenario:

In the datacenter:

OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
OpenSSL 1.0.2s 28 May 2019

At home:

OPNsense 19.7.3-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

IPSEC:

In the datacenter, the following configuration:



At home, the following configuration:


Now the following problem:

Logs from the datacenter:

Sep 2 20:27:40 charon: 05[IKE] <con2|4> received AUTHENTICATION_FAILED notify error
Sep 2 20:27:40 charon: 05[ENC] <con2|4> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 20:27:40 charon: 05[NET] <con2|4> received packet: from 80.XXX.XXX.55[4500] to 149.XXX.XXX.178.178[4500] (80 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (116 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(3/3) ]
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(2/3) ]
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(1/3) ]
Sep 2 20:27:40 charon: 05[ENC] <con2|4> splitting IKE message (2448 bytes) into 3 fragments
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 2 20:27:40 charon: 05[IKE] <con2|4> establishing CHILD_SA con2{11}
Sep 2 20:27:40 charon: 05[IKE] <con2|4> authentication of '149.XXX.XXX.178.178' (myself) with pre-shared key
Sep 2 20:27:40 charon: 05[IKE] <con2|4> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Sep 2 20:27:40 charon: 05[IKE] <con2|4> sending cert request for "C=DE, ST=Niedersachsen, L=Nottensdorf, O=SJT CONSULTING, E=info@example.de, CN=internal-ca"
Sep 2 20:27:40 charon: 05[CFG] <con2|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40 charon: 05[ENC] <con2|4> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 2 20:27:40 charon: 05[NET] <con2|4> received packet: from 80.XXX.XXX.55[500] to 149.XXX.XXX.178.178[500] (472 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[500] to 80.XXX.XXX.55[500] (464 bytes)
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 2 20:27:40 charon: 05[IKE] <con2|4> initiating IKE_SA con2[4] to 80.XXX.XXX.55
Sep 2 20:27:40 charon: 10[CFG] received stroke: initiate 'con2'


Logs from home:

Sep 2 20:27:40 charon: 14[NET] <3> sending packet: from 80.XXX.XXX.55[4500] to 149.XXX.XXX.178[4500] (80 bytes)
Sep 2 20:27:40 charon: 14[ENC] <3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 20:27:40 charon: 14[IKE] <3> peer supports MOBIKE
Sep 2 20:27:40 charon: 14[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 2 20:27:40 charon: 14[CFG] <3> no matching peer config found
Sep 2 20:27:40 charon: 14[CFG] <3> looking for peer configs matching 80.XXX.XXX.55[91.248.236.17]...149.XXX.XXX.178[149.XXX.XXX.178]
Sep 2 20:27:40 charon: 14[IKE] <3> received 2 cert requests for an unknown ca
Sep 2 20:27:40 charon: 14[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 2 20:27:40 charon: 14[ENC] <3> received fragment #2 of 3, reassembled fragmented IKE message (2448 bytes)
Sep 2 20:27:40 charon: 14[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/3) ]
Sep 2 20:27:40 charon: 14[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 15[ENC] <3> received fragment #3 of 3, waiting for complete IKE message
Sep 2 20:27:40 charon: 15[ENC] <3> parsed IKE_AUTH request 1 [ EF(3/3) ]
Sep 2 20:27:40 charon: 15[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (116 bytes)
Sep 2 20:27:40 charon: 08[ENC] <3> received fragment #1 of 3, waiting for complete IKE message
Sep 2 20:27:40 charon: 08[ENC] <3> parsed IKE_AUTH request 1 [ EF(1/3) ]
Sep 2 20:27:40 charon: 08[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 14[NET] <3> sending packet: from 80.XXX.XXX.55[500] to 149.XXX.XXX.178[500] (472 bytes)
Sep 2 20:27:40 charon: 14[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 2 20:27:40 charon: 14[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40 charon: 14[IKE] <3> 149.XXX.XXX.178 is initiating an IKE_SA
Sep 2 20:27:40 charon: 14[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 2 20:27:40 charon: 14[NET] <3> received packet: from 149.XXX.XXX.178[500] to 80.XXX.XXX.55[500] (464 bytes)



Anyone have an idea why it wants to do something with certs here? It shouldn't!
#7
German - Deutsch / Re: IPSEC Routing
August 28, 2019, 09:34:13 PM
Quote from: Sven-J on August 28, 2019, 08:24:52 PM
Quote from: mimugmail on August 28, 2019, 07:50:40 PM
Ah, you are using Multi-WAN and have a gateway rule active. You need an accept rule without a gateway before it.

Hello!

No, I don't have Multi-WAN, I just have 2 nodes:

149.XXX.XXX.178 - deham01-fw CARP
149.XXX.XXX.179 - deham01-fw01
149.XXX.XXX.180 - deham01-fw02

Aug 28 21:33:17   charon: 11[ENC] <con1-000|7> parsed INFORMATIONAL_V1 request 3770589584 [ HASH N(DPD_ACK) ]
Aug 28 21:33:17   charon: 11[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (92 bytes)
Aug 28 21:33:17   charon: 11[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (92 bytes)
Aug 28 21:33:17   charon: 11[ENC] <con1-000|7> generating INFORMATIONAL_V1 request 1471798028 [ HASH N(DPD) ]
Aug 28 21:33:17   charon: 11[IKE] <con1-000|7> sending DPD request
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.255.17/32 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.140.34/32 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 172.22.112.0/24 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 172.22.126.0/24 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 172.22.121.0/24 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.160/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.128/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.64/26 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[KNL] <con1-000|7> querying policy 10.164.254.32/27 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:30   charon: 07[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:30   charon: 07[ENC] <con1-000|7> generating QUICK_MODE request 2166131354 [ HASH ]
Aug 28 21:31:30   charon: 07[IKE] <con1-000|7> CHILD_SA con1-008{68} established with SPIs cd07a10d_i c8207bfe_o and TS 172.21.106.0/24 === 10.164.255.17/32
Aug 28 21:31:30   charon: 07[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:30   charon: 07[ENC] <con1-000|7> parsed QUICK_MODE response 2166131354 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:30   charon: 07[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:30   charon: 07[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:30   charon: 07[ENC] <con1-000|7> generating QUICK_MODE request 2166131354 [ HASH SA No ID ID ]
Aug 28 21:31:30   charon: 12[CFG] received stroke: initiate 'con1-008'
Aug 28 21:31:29   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:29   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 3112779887 [ HASH ]
Aug 28 21:31:29   charon: 09[IKE] <con1-000|7> CHILD_SA con1-007{67} established with SPIs c2783f4b_i 204ca29c_o and TS 172.21.106.0/24 === 10.164.140.34/32
Aug 28 21:31:29   charon: 09[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:29   charon: 09[ENC] <con1-000|7> parsed QUICK_MODE response 3112779887 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:29   charon: 09[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:29   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:29   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 3112779887 [ HASH SA No ID ID ]
Aug 28 21:31:29   charon: 07[CFG] received stroke: initiate 'con1-007'
Aug 28 21:31:28   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:28   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 2634036184 [ HASH ]
Aug 28 21:31:28   charon: 09[IKE] <con1-000|7> CHILD_SA con1-006{66} established with SPIs c8897faa_i 9090c4b0_o and TS 172.21.106.0/24 === 172.22.112.0/24
Aug 28 21:31:28   charon: 09[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:28   charon: 09[ENC] <con1-000|7> parsed QUICK_MODE response 2634036184 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:28   charon: 09[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:28   charon: 09[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:28   charon: 09[ENC] <con1-000|7> generating QUICK_MODE request 2634036184 [ HASH SA No ID ID ]
Aug 28 21:31:28   charon: 07[CFG] received stroke: initiate 'con1-006'
Aug 28 21:31:27   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:27   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 4116558150 [ HASH ]
Aug 28 21:31:27   charon: 16[IKE] <con1-000|7> CHILD_SA con1-005{65} established with SPIs cca56f10_i b0be49c6_o and TS 172.21.106.0/24 === 172.22.126.0/24
Aug 28 21:31:27   charon: 16[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:27   charon: 16[ENC] <con1-000|7> parsed QUICK_MODE response 4116558150 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:27   charon: 16[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:27   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:27   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 4116558150 [ HASH SA No ID ID ]
Aug 28 21:31:27   charon: 09[CFG] received stroke: initiate 'con1-005'
Aug 28 21:31:25   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:25   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 1754381864 [ HASH ]
Aug 28 21:31:25   charon: 16[IKE] <con1-000|7> CHILD_SA con1-004{64} established with SPIs c5ad7751_i c2248fed_o and TS 172.21.106.0/24 === 172.22.121.0/24
Aug 28 21:31:25   charon: 16[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:25   charon: 16[ENC] <con1-000|7> parsed QUICK_MODE response 1754381864 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:25   charon: 16[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:25   charon: 16[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:25   charon: 16[ENC] <con1-000|7> generating QUICK_MODE request 1754381864 [ HASH SA No ID ID ]
Aug 28 21:31:25   charon: 09[CFG] received stroke: initiate 'con1-004'
Aug 28 21:31:24   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:24   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4002842253 [ HASH ]
Aug 28 21:31:24   charon: 06[IKE] <con1-000|7> CHILD_SA con1-003{63} established with SPIs cdc797d1_i e4d0d0f7_o and TS 172.21.106.0/24 === 10.164.254.160/27
Aug 28 21:31:24   charon: 06[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:24   charon: 06[ENC] <con1-000|7> parsed QUICK_MODE response 4002842253 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:24   charon: 06[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:24   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:24   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4002842253 [ HASH SA No ID ID ]
Aug 28 21:31:24   charon: 05[CFG] received stroke: initiate 'con1-003'
Aug 28 21:31:23   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:23   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 916152515 [ HASH ]
Aug 28 21:31:23   charon: 06[IKE] <con1-000|7> CHILD_SA con1-002{62} established with SPIs cb7ca3f9_i 99a14889_o and TS 172.21.106.0/24 === 10.164.254.128/27
Aug 28 21:31:23   charon: 06[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:23   charon: 06[ENC] <con1-000|7> parsed QUICK_MODE response 916152515 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:23   charon: 06[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:23   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:23   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 916152515 [ HASH SA No ID ID ]
Aug 28 21:31:23   charon: 05[CFG] received stroke: initiate 'con1-002'
Aug 28 21:31:22   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:22   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4277161391 [ HASH ]
Aug 28 21:31:22   charon: 06[IKE] <con1-000|7> CHILD_SA con1-001{61} established with SPIs c9e22597_i f3498b93_o and TS 172.21.106.0/24 === 10.164.254.64/26
Aug 28 21:31:22   charon: 06[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:22   charon: 06[ENC] <con1-000|7> parsed QUICK_MODE response 4277161391 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:22   charon: 06[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:22   charon: 06[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:22   charon: 06[ENC] <con1-000|7> generating QUICK_MODE request 4277161391 [ HASH SA No ID ID ]
Aug 28 21:31:22   charon: 05[CFG] received stroke: initiate 'con1-001'
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (60 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating QUICK_MODE request 1401173596 [ HASH ]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> CHILD_SA con1-000{60} established with SPIs c37da27b_i b3e0a0f0_o and TS 172.21.106.0/24 === 10.164.254.32/27
Aug 28 21:31:20   charon: 05[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed QUICK_MODE response 1401173596 [ HASH SA No ID ID N((24576)) ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (188 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (1180 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating QUICK_MODE request 1401173596 [ HASH SA No ID ID ]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> maximum IKE_SA lifetime 28370s
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> scheduling reauthentication in 27830s
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> IKE_SA con1-000[7] established between 149.XXX.XXX.178[149.XXX.XXX.178]...194.XXX.XXX.240[194.XXX.XXX.240]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received DPD vendor ID
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed ID_PROT response 0 [ ID HASH V ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (92 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (108 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> received unknown vendor ID: 36:f7:df:61:25:50:6c:8d:2d:62:e4:16:96:34:0e:e4
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received XAuth vendor ID
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received Cisco Unity vendor ID
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (304 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (244 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 28 21:31:20   charon: 05[CFG] <con1-000|7> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received FRAGMENTATION vendor ID
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> received NAT-T (RFC 3947) vendor ID
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> parsed ID_PROT response 0 [ SA V V ]
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> received packet: from 194.XXX.XXX.240[500] to 149.XXX.XXX.178[500] (128 bytes)
Aug 28 21:31:20   charon: 05[NET] <con1-000|7> sending packet: from 149.XXX.XXX.178[500] to 194.XXX.XXX.240[500] (288 bytes)
Aug 28 21:31:20   charon: 05[ENC] <con1-000|7> generating ID_PROT request 0 [ SA V V V V V ]
Aug 28 21:31:20   charon: 05[IKE] <con1-000|7> initiating Main Mode IKE_SA con1-000[7] to 194.XXX.XXX.240
Aug 28 21:31:20   charon: 06[CFG] received stroke: initiate 'con1-000'


Here are the logs from just now again.
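An added example, not code from this thread or from OPNsense/strongSwan: a small Python analyser over charon log lines of the kind posted in #6 and #7. It pulls out the authentication failure, the peer-config lookup with the identities strongSwan compared, the unknown-CA cert requests and the kernel policy misses, and checks every "selected proposal" line against the baseline mimugmail gives in #3 (SHA256, PFS with group 14, i.e. MODP_2048). The log format and the sample lines are assumed from the posts above; the 203.0.113.17 identity is a constructed placeholder.

```python
import re
from collections import Counter, namedtuple
from typing import Dict, Iterable, List

# One charon line as OPNsense's IPsec log shows it, e.g.
#   Sep 2 20:27:40 charon: 14[CFG] <3> no matching peer config found
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?:<(?P<sa>[^>]*)>\s+)?(?P<msg>.*)$"
)
PROPOSAL_RE = re.compile(r"selected proposal:\s+(?P<proto>IKE|ESP):(?P<algs>\S+)")

# Baseline taken from the advice in the thread: SHA256 integrity and PFS with DH
# group 14 (MODP_2048) or better. SHA1/MD5 integrity, MODP groups below 2048 bits
# and ESP proposals negotiated without any DH group (no PFS) are reported.
MIN_MODP_BITS = 2048
WEAK_INTEGRITY = {"HMAC_SHA1_96", "HMAC_MD5_96"}
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")

# sa is the "<con1-000|7>" tag without brackets, or None for lines without one.
Finding = namedtuple("Finding", "ts sa kind detail")

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def check_proposal(proto: str, algs: str) -> List[str]:
    """Reasons a negotiated proposal falls below the baseline above."""
    reasons, parts = [], algs.split("/")
    for p in parts:
        if p in WEAK_INTEGRITY:
            reasons.append(f"{proto} integrity {p} (SHA256 recommended)")
        m = re.fullmatch(r"MODP_(\d+)", p)
        if m and int(m.group(1)) < MIN_MODP_BITS:
            reasons.append(f"{proto} DH group {p} below MODP_2048 (group 14)")
    if proto == "ESP" and not any(p.startswith(DH_PREFIXES) for p in parts):
        reasons.append("ESP proposal carries no DH group: PFS is off")
    return reasons

def analyse(lines: Iterable[str]) -> List[Finding]:
    """Collect the charon events that explain why a tunnel does not come up."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, sa, msg = rec["ts"], rec["sa"], rec["msg"]
        if "AUTH_FAILED" in msg or "AUTHENTICATION_FAILED" in msg:
            findings.append(Finding(ts, sa, "auth_failed", msg))
        elif msg.startswith("no matching peer config found"):
            findings.append(Finding(ts, sa, "no_peer_config", msg))
        elif msg.startswith("looking for peer configs matching"):
            # "me[my_id]...peer[peer_id]": the identities strongSwan compared
            # against the local/peer identifiers configured on both ends.
            findings.append(Finding(ts, sa, "peer_ids", msg.split("matching", 1)[1].strip()))
        elif "cert requests for an unknown ca" in msg:
            findings.append(Finding(ts, sa, "unknown_ca", msg))
        elif "querying policy" in msg and "not found" in msg:
            findings.append(Finding(ts, sa, "policy_missing", msg))
        else:
            pm = PROPOSAL_RE.search(msg)
            if pm:
                for reason in check_proposal(pm["proto"], pm["algs"]):
                    findings.append(Finding(ts, sa, "weak_proposal", reason))
    return findings

def summarise(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.kind for f in findings))

# Constructed sample: lines modelled on the ones posted in this thread; the
# responder identity on the third line is replaced by a documentation address.
SAMPLE_LOG = """\
Sep 2 20:27:40 charon: 14[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40 charon: 14[IKE] <3> received 2 cert requests for an unknown ca
Sep 2 20:27:40 charon: 14[CFG] <3> looking for peer configs matching 80.XXX.XXX.55[203.0.113.17]...149.XXX.XXX.178[149.XXX.XXX.178]
Sep 2 20:27:40 charon: 14[CFG] <3> no matching peer config found
Sep 2 20:27:40 charon: 14[ENC] <3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 28 21:31:20 charon: 05[CFG] <con1-000|7> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 28 21:31:20 charon: 05[CFG] <con1-000|7> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 28 21:31:30 charon: 07[KNL] <con1-000|7> querying policy 10.164.255.17/32 === 172.21.106.0/24 in failed, not found
Aug 28 21:31:20 charon: 06[CFG] received stroke: initiate 'con1-000'
"""
```

Run `analyse(SAMPLE_LOG.splitlines())` against a log exported from the OPNsense GUI and compare the `peer_ids` finding with the identifiers configured on both firewalls.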
#8
German - Deutsch / Re: IPSEC Routing
August 28, 2019, 08:24:52 PM
Quote from: mimugmail on August 28, 2019, 07:50:40 PM
Ah, you are using Multi-WAN and have a gateway rule active. You need an accept rule without a gateway before it.

Hello!

No, I don't have Multi-WAN, I just have 2 nodes:

149.XXX.XXX.178 - deham01-fw CARP
149.XXX.XXX.179 - deham01-fw01
149.XXX.XXX.180 - deham01-fw02


#9
German - Deutsch / Re: IPSEC Routing
August 28, 2019, 06:55:57 PM
Quote from: mimugmail on August 28, 2019, 06:52:58 PM
Firewall allows everything?

Well, the logs for source 172.21.106.0 dest: 10.164.254. port 22 all say green.

Only when I do a traceroute, it wants to go out to the internet....

#10
German - Deutsch / Re: IPSEC Routing
August 28, 2019, 05:46:39 PM
Screenshot 2 attached
#11
German - Deutsch / Re: IPSEC Routing
August 28, 2019, 05:46:22 PM
Screenshot 1 attached
#12
German - Deutsch / [solved] IPSEC Routing
August 28, 2019, 05:21:24 PM
Hello everyone!

System:

OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
OpenSSL 1.0.2s 28 May 2019

System at the customer:

Cisco ASA 5520

I have the following problem: ipsec is set up

root@DEHAM01-FW01:# ipsec status
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Routed Connections:
    con1-009{39}:  CREATED, TUNNEL, reqid 29
    con1-009{39}:   172.21.106.0/24 === 10.164.141.10/32
    con1-008{38}:  CREATED, TUNNEL, reqid 28
    con1-008{38}:   172.21.106.0/24 === 10.164.255.17/32
    con1-007{37}:  CREATED, TUNNEL, reqid 27
    con1-007{37}:   172.21.106.0/24 === 10.164.140.34/32
    con1-006{36}:  CREATED, TUNNEL, reqid 26
    con1-006{36}:   172.21.106.0/24 === 172.22.112.0/24
    con1-005{35}:  CREATED, TUNNEL, reqid 25
    con1-005{35}:   172.21.106.0/24 === 172.22.126.0/24
    con1-004{34}:  CREATED, TUNNEL, reqid 24
    con1-004{34}:   172.21.106.0/24 === 172.22.121.0/24
    con1-003{33}:  CREATED, TUNNEL, reqid 23
    con1-003{33}:   172.21.106.0/24 === 10.164.254.160/27
    con1-002{32}:  CREATED, TUNNEL, reqid 22
    con1-002{32}:   172.21.106.0/24 === 10.164.254.128/27
    con1-001{31}:  CREATED, TUNNEL, reqid 21
    con1-001{31}:   172.21.106.0/24 === 10.164.254.64/26
    con1-000{30}:  CREATED, TUNNEL, reqid 2
    con1-000{30}:   172.21.106.0/24 === 10.164.254.32/27
Security Associations (1 up, 0 connecting):
    con1-000[5]: ESTABLISHED 22 seconds ago, 149.XXX.XXX.XXX[149.XXX.XXX.XXX]...194.XXX.XXX.XXX[194.XXX.XXX.XXX]
    con1-000{40}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c6f0bf35_i 0678ef9d_o
    con1-000{40}:   172.21.106.0/24 === 10.164.254.32/27
    con1-001{41}:  INSTALLED, TUNNEL, reqid 21, ESP SPIs: ce913538_i 43cf35fc_o
    con1-001{41}:   172.21.106.0/24 === 10.164.254.64/26
    con1-002{42}:  INSTALLED, TUNNEL, reqid 22, ESP SPIs: ca16100e_i dfdf4782_o
    con1-002{42}:   172.21.106.0/24 === 10.164.254.128/27
    con1-003{43}:  INSTALLED, TUNNEL, reqid 23, ESP SPIs: c28ac187_i 00ce068a_o
    con1-003{43}:   172.21.106.0/24 === 10.164.254.160/27
    con1-004{44}:  INSTALLED, TUNNEL, reqid 24, ESP SPIs: cd6d51b0_i 79565116_o
    con1-004{44}:   172.21.106.0/24 === 172.22.121.0/24
    con1-005{45}:  INSTALLED, TUNNEL, reqid 25, ESP SPIs: cf4293ed_i 1171cabd_o
    con1-005{45}:   172.21.106.0/24 === 172.22.126.0/24
    con1-006{46}:  INSTALLED, TUNNEL, reqid 26, ESP SPIs: cdf727dd_i 389b4373_o
    con1-006{46}:   172.21.106.0/24 === 172.22.112.0/24
    con1-007{47}:  INSTALLED, TUNNEL, reqid 27, ESP SPIs: cfb1c13c_i fe8c444f_o
    con1-007{47}:   172.21.106.0/24 === 10.164.140.34/32
    con1-008{48}:  INSTALLED, TUNNEL, reqid 28, ESP SPIs: cf11def8_i 6a75d7b8_o
    con1-008{48}:   172.21.106.0/24 === 10.164.255.17/32
    con1-009{49}:  INSTALLED, TUNNEL, reqid 29, ESP SPIs: c6208dcf_i 9d008adf_o
    con1-009{49}:   172.21.106.0/24 === 10.164.141.10/32


But somehow nothing goes through the tunnel :! Anyone have an idea?


Deleted the tunnel and recreated it, then it worked ...

#13
Hello everyone,

I just updated my backup node to 19.1.5 and now I get this nice message:

normally uses encryption to protect your information. When Google Chrome tried to connect to deham01-fw02.XXXXX.de this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be deham01-fw02.XXXX.de, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit deham01-fw02.XXXX.de right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

The certificate that is active was issued by opnsense today...

Anyone have an idea how I can reload the correct certificate via SSH?

Thanks!

Regards
Sven-Jendrik


// Solved, I was able to log in with Edge :D
#14
Quote from: almo on March 27, 2019, 04:56:42 PM
To summarize.

On server 2, delete all interfaces except MGMLAN. After that, when the interfaces are created, it should count opt1, opt2 and opt3, right?

Or is there another way, somehow via changes at the shell / file level, to turn opt2 ixl2_vlan809 into a wan, ixl2_vlan809. And then opt3 into opt2 on server 1?

/Think Good thing I haven't created any further VLANs yet ....

LAGINT interface (opt1, lagg0)
MGMLAN interface (lan, bge0)
You can keep both of those, they are identical anyway ;)

I have to admit I didn't do it via the CLI, since opnsense itself says changes are best made only via the GUI / API.
#15
What comes to mind is to put a fixed admin PC into the network and then always give it an additional IP from the respective subnet; that is how I did it. Via routing, though, it will only work if you either set static routes or maintain VLANs on the firewall and put the respective clients into that VLAN.

Sent from my SM-N950F using Tapatalk