Messages - that1guy

#1
Hi guys,

I have a card reader (Ingenico/Orga 6141, behind a FritzBox, IP 192.168.146.3) connected to an opnsense with IPsec - the card reader got the IP 172.20.1.1 on the opnsense from the Virtual IPv4 Address Pool 172.20.1.0/30. The VPN log looks good, and the card reader says "connected".

I can't ping 172.20.1.1 from the opnsense (192.168.139.51):

(the default gateway is a FritzBox with IP 192.168.139.254; I added a static route there for 172.20.1.0/255.255.255.252 to 192.168.139.51)

Enter a host name or IP address: 172.20.1.1

PING 172.20.1.1 (172.20.1.1): 56 data bytes
92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3f  01 6f2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3d  01 712d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3b  01 732d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  39  01 752d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  37  01 772d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  35  01 792d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  33  01 7b2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  31  01 7d2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  2f  01 7f2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.51: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  01  01 ad2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.51: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 ec09   0 0000  01  01 d4ae 192.168.139.51  172.20.1.1


It looks like there's no route to 172.20.1.0/30:

# /usr/bin/nc -v -w 10 -4 '172.20.1.1' '4742'
nc: connect to 172.20.1.1 port 4742 (tcp) failed: No route to host


That's what I can confirm from System: Routes: Status.

Can somebody please give me a hint? I already had a working configuration in the PoC opnsense and I'm now preparing the prod opnsense, but I can't see the missing thing by comparing both (very similar) configurations. Is there any problem with 172.20.1.0/30 as a private net? (I only have one (1) VPN client for each opnsense.)

Best regards, Paul
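The ping output in the post above is the signature of a routing loop rather than of a tunnel problem: the host (192.168.139.51) has no route of its own for 172.20.1.0/30, so it hands the echo request to its default gateway (192.168.139.254); the FritzBox's static route for that prefix points straight back at 192.168.139.51, so it answers with an ICMP Redirect Host and forwards the packet there; the host sends it to the gateway again, the TTL drops by two on every pass, and finally the host itself reports Time to live exceeded. The packets travel in the clear between host and gateway and never enter IPsec. The following script, added here as an example and not code from the thread, recognizes that pattern in verbose FreeBSD/OPNsense ping output. It assumes the format shown above (an ICMP error line followed by a two-line dump of the offending IP header); the sample is a shortened copy of the posted output.

```python
"""Classify verbose FreeBSD/OPNsense ping output that carries ICMP redirects.

Added example, not code from the thread. Assumes the ping format shown in the post:
an ICMP error line followed by a two-line dump of the quoted IP header.
"""
import re

# Constructed sample: a shortened copy of the output posted above (same addresses,
# fewer repetitions).
SAMPLE = """\
PING 172.20.1.1 (172.20.1.1): 56 data bytes
92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3f  01 6f2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3d  01 712d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3b  01 732d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.51: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  01  01 ad2d 192.168.139.51  172.20.1.1
"""

REDIRECT = re.compile(r"^\d+ bytes from (\S+): Redirect Host\(New addr: (\S+)\)$")
TTL_EXCEEDED = re.compile(r"^\d+ bytes from (\S+): Time to live exceeded$")


def parse_ping(text):
    """Return the ICMP error events, each with TTL/src/dst taken from the quoted IP header."""
    lines = text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = REDIRECT.match(line)
        if m:
            ev = {"kind": "redirect", "reporter": m.group(1), "new_addr": m.group(2)}
        else:
            m = TTL_EXCEEDED.match(line)
            if not m:
                continue
            ev = {"kind": "ttl_exceeded", "reporter": m.group(1), "new_addr": None}
        if i + 2 >= len(lines):
            break  # truncated output: no header dump to read
        # Two lines down is the dumped header: Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
        hdr = lines[i + 2].split()
        ev.update(ttl=int(hdr[7], 16), src=hdr[10], dst=hdr[11])
        events.append(ev)
    return events


def diagnose(events):
    """Decide whether the redirects describe a loop between the host and its gateway."""
    redirects = [e for e in events if e["kind"] == "redirect"]
    exceeded = [e for e in events if e["kind"] == "ttl_exceeded"]
    if not redirects:
        return {"verdict": "no_redirects"}
    host = redirects[0]["src"]
    # Loop signature: the gateway keeps redirecting the host to itself, and the
    # TTL-exceeded report finally comes from the host's own address.
    loop = (all(e["new_addr"] == host for e in redirects)
            and any(e["reporter"] == host for e in exceeded))
    # The TTL quoted in successive redirects drops by the number of hops per pass.
    ttls = [e["ttl"] for e in redirects]
    steps = {a - b for a, b in zip(ttls, ttls[1:])}
    return {
        "verdict": "routing_loop" if loop else "redirect",
        "host": host,
        "gateway": redirects[0]["reporter"],
        "destination": redirects[0]["dst"],
        "redirects": len(redirects),
        "hops_per_pass": steps.pop() if len(steps) == 1 else None,
    }


if __name__ == "__main__":
    print(diagnose(parse_ping(SAMPLE)))
```

On the sample the verdict is a routing loop between 192.168.139.51 and 192.168.139.254 for destination 172.20.1.1, with two hops burned per pass. The fix belongs on the host, not on the FritzBox: 172.20.1.1 has to be reachable through the IPsec tunnel before the static route on the gateway can do anything useful.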
#2
I'm also interested in static IP addresses for IPsec clients; did you find a solution?
#3
Issue is solved somehow, I think wrong password used.
#4
Hi guys,

I'm trying to connect an Orga 6141 (Ingenico) card reader to an opnsense. The setup itself is a bit weird:

card reader (192.168.146.3) via FritzBox 4020 behind (per definition) an unknown network -> FritzBox IPsec -> Internet -> Office FritzBox 7590. The Fritz <-> Fritz connection (to jump through the unknown network(s)) works; the 4020 has 192.168.139.207 in the office network.

As the card reader must have an IP address in the 192.168.139.0 network by design, I created an opnsense (192.168.139.45, LAN only) in the office (192.168.139.0/24).

The log doesn't look so bad after some time of testing things, but since I'm not deep into IPsec I don't know how to handle

parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

so I'm asking you politely for some help or hints on how to debug this.

The full log:


2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> sending packet: from 192.168.139.45[4500] to 192.168.139.207[4500] (65 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> received packet: from 192.168.139.207[4500] to 192.168.139.45[4500] (65 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> sending packet: from 192.168.139.45[4500] to 192.168.139.207[4500] (456 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <con1|10> sending packet: from 192.168.139.45[4500] to 192.168.139.207[4500] (1248 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ EF(2/2) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ EF(1/2) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> splitting IKE message (1639 bytes) into 2 fragments
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> sending end entity cert "<cert1>"
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> authentication of '<cert1>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> peer supports MOBIKE
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
2022-06-26T09:07:29 Informational charon 13[CFG] <con1|10> selected peer config 'con1'
2022-06-26T09:07:29 Informational charon 13[CFG] <10> looking for peer configs matching 192.168.139.45[%any]...192.168.139.207[192.168.146.3]
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2022-06-26T09:07:29 Informational charon 13[NET] <10> received packet: from 192.168.139.207[4500] to 192.168.139.45[4500] (369 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <10> sending packet: from 192.168.139.45[500] to 192.168.139.207[500] (265 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <10> sending cert request for "<ca1>"
2022-06-26T09:07:29 Informational charon 13[IKE] <10> remote host is behind NAT
2022-06-26T09:07:29 Informational charon 13[CFG] <10> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
2022-06-26T09:07:29 Informational charon 13[IKE] <10> 192.168.139.207 is initiating an IKE_SA
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-26T09:07:29 Informational charon 13[NET] <10> received packet: from 192.168.139.207[500] to 192.168.139.45[500] (940 bytes)
2022-06-26T09:07:29 Informational charon 13[NET] <9> sending packet: from 192.168.139.45[500] to 192.168.139.207[500] (38 bytes)
2022-06-26T09:07:29 Informational charon 13[ENC] <9> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <9> DH group MODP_2048 unacceptable, requesting CURVE_25519
2022-06-26T09:07:29 Informational charon 13[IKE] <9> remote host is behind NAT
2022-06-26T09:07:29 Informational charon 13[CFG] <9> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
2022-06-26T09:07:29 Informational charon 13[IKE] <9> 192.168.139.207 is initiating an IKE_SA
2022-06-26T09:07:29 Informational charon 13[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-26T09:07:29 Informational charon 13[NET] <9> received packet: from 192.168.139.207[500] to 192.168.139.45[500] (1164 bytes)


For now it's just a testing environment; there are no other things on the opnsense. All software is the latest version. There are no (!) logs on the card reader, just "unknown error" in the status information.

Best regards, Paul
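Two things about the charon log above help when reading it. First, the OPNsense GUI lists the newest line first, so the exchange has to be read bottom-up. Second, charon logs what it received as "parsed ..." and what it is about to send as "generating ...". Read that way, the first IKE_SA (<9>) is a normal IKEv2 retry: the initiator offered MODP_2048, the responder answered INVAL_KE naming CURVE_25519, and the initiator came back with that group in <10>. In <10> the responder sent its IKE_AUTH response (IDr, CERT, AUTH and an EAP identity request, fragmented into two packets), and the very next thing it parsed was an INFORMATIONAL request from the peer carrying N(AUTH_FAILED). So the AUTH_FAILED originates on the FritzBox side after it processed the server's authentication, which is why the OPNsense log shows nothing failing locally. The usual places to look in that situation are the ones the client checks about the server (trust in the server certificate and its chain, the identity it presents in IDr, and whether the client expected EAP at all); these are the typical areas, not a confirmed cause from the log. The script below, added here as an example and not code from the thread, reconstructs the exchange per IKE_SA from such log lines and states where it broke. It assumes the OPNsense log layout shown above; the sample is a subset of the posted lines.

```python
"""Reconstruct an IKEv2 negotiation from strongSwan charon log lines and locate the failure.

Added example, not code from the thread. Assumes the OPNsense log layout shown above:
newest line first, "<name|id>" or "<id>" IKE_SA tags, charon's standard message wording.
"""
import re

# Constructed sample: a subset of the lines posted above, in the newest-first order
# the OPNsense GUI displays them.
LOG = """\
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ EF(2/2) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ EF(1/2) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2022-06-26T09:07:29 Informational charon 13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
2022-06-26T09:07:29 Informational charon 13[CFG] <con1|10> selected peer config 'con1'
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
2022-06-26T09:07:29 Informational charon 13[IKE] <10> remote host is behind NAT
2022-06-26T09:07:29 Informational charon 13[CFG] <10> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
2022-06-26T09:07:29 Informational charon 13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2022-06-26T09:07:29 Informational charon 13[ENC] <9> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2022-06-26T09:07:29 Informational charon 13[IKE] <9> DH group MODP_2048 unacceptable, requesting CURVE_25519
2022-06-26T09:07:29 Informational charon 13[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
"""

LINE = re.compile(r"^(?P<ts>\S+) \S+ charon \d+\[(?P<grp>[A-Z]+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
EXCH = re.compile(r"^(?P<dir>parsed|generating) (?P<type>\w+) (request|response) \d+ \[ (?P<payloads>.*) \]$")
PAYLOAD = re.compile(r"\S+\([^)]*\)|\S+")  # keeps "CPRQ(ADDR DNS)" as one payload
DH = re.compile(r"^DH group (\S+) unacceptable, requesting (\S+)$")
EAP = re.compile(r"^initiating (\S+) method")


def parse(text):
    """Split the log into records and restore wire (oldest-first) order."""
    recs = [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]
    recs.reverse()
    for r in recs:
        r["sa"] = r["sa"].split("|")[-1]  # "<10>" and "<con1|10>" are the same IKE_SA
    return recs


def reconstruct(recs):
    """Group by IKE_SA: ordered (direction, exchange, payloads) plus the facts that matter."""
    sas = {}
    for r in recs:
        s = sas.setdefault(r["sa"], {"exchanges": [], "proposal": None, "nat": False,
                                     "dh_retry": None, "eap_method": None,
                                     "auth_failed_from": None})
        msg = r["msg"]
        m = EXCH.match(msg)
        if m:
            # charon logs received messages as "parsed" and outgoing ones as "generating"
            direction = "recv" if m["dir"] == "parsed" else "send"
            payloads = PAYLOAD.findall(m["payloads"])
            s["exchanges"].append((direction, m["type"], payloads))
            # The first AUTH_FAILED in wire order tells us which side gave up.
            if "N(AUTH_FAILED)" in payloads and s["auth_failed_from"] is None:
                s["auth_failed_from"] = "peer" if direction == "recv" else "local"
        elif msg.startswith("selected proposal: "):
            s["proposal"] = msg.split(": ", 1)[1]
        elif msg == "remote host is behind NAT":
            s["nat"] = True
        elif DH.match(msg):
            s["dh_retry"] = DH.match(msg).groups()
        elif EAP.match(msg):
            s["eap_method"] = EAP.match(msg).group(1)
    return sas


def diagnose(sa):
    """One-line verdict for a single IKE_SA."""
    if sa["dh_retry"]:
        return "IKE_SA_INIT retried: initiator offered %s, responder asked for %s (INVAL_KE)" % sa["dh_retry"]
    if sa["auth_failed_from"] == "peer":
        # Last full message we sent before the peer gave up. EF(n/m) entries are
        # fragments of the message logged just before them, so skip those.
        last = None
        for direction, exch, payloads in sa["exchanges"]:
            if direction == "recv" and "N(AUTH_FAILED)" in payloads:
                break
            if direction == "send" and not payloads[0].startswith("EF("):
                last = "%s [ %s ]" % (exch, " ".join(payloads))
        return "peer sent AUTH_FAILED after our " + last
    if sa["auth_failed_from"] == "local":
        return "we rejected the peer's authentication"
    return "no failure recorded"


def report(text):
    """Map IKE_SA id -> verdict for a whole log excerpt."""
    return {sa_id: diagnose(sa) for sa_id, sa in reconstruct(parse(text)).items()}


if __name__ == "__main__":
    for sa_id, verdict in report(LOG).items():
        print(sa_id, verdict)
```

For the sample this yields "IKE_SA_INIT retried ..." for SA 9 and "peer sent AUTH_FAILED after our IKE_AUTH [ IDr CERT AUTH EAP/REQ/ID ]" for SA 10, which is the point to start from: the next log to read is the one on the initiator side, since that is where the verification failed.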