Messages

Hi,

I have two problems configuring OPNsense.

My Vlans have no internet access, but the gateway on every VLAN can ping to internet.

Also my OPN can´t update anymore, every try to ping from shell ends successful with localhost (127.0.0.1), when using hostname.. but ping 1.1.1.1 works for example.

Code Select Expand

**GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.5 at Sun Oct  1 18:49:16 EEST 2023
Fetching changelog information, please wait... Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
48907755753472:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opnsense.c0urier.net/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opnsense.c0urier.net/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opnsense.c0urier.net/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

The setup of WAN and networks:

WAN: 185.xx.yy.2/26 GW: 185.xx.yy.1
VLAN1: 192.168.6.0/24 GW: 192.168.6.1
VLAN2: 192.168.15.0/24 GW: 192.168.15.1

NAT set to Hybrid, automatic also didn´t work.

Here the only one Firewall Rules on every VLAN:
IPv4 *   VLAN1/2 net   *   *   *   *   *

Hi,

ich habe 2 Probleme mit einer OPNsense, ich komme von Sophos UTM, daher ist das Verständnis da, aber die OPN ist doch von der Bedienung noch etwas ungewohnt.

Ich habe aktuell 2 Probleme, zum einen haben meine VLANs kein Internet, das Gateway des jeweiligen VLAN kann jedoch ins Internet pingen, aber keine Clients dahinter.

Zum anderen kann die OPNsense keine Updates mehr beziehen.. es endet mit einem Verification failure und wenn ich aus der Shell pkg.opnsense.org anpinge antwortet meine Firewall (127.0.0.1)

Code Select Expand

**GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.5 at Sun Oct  1 18:49:16 EEST 2023
Fetching changelog information, please wait... Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
48907755753472:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opnsense.c0urier.net/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opnsense.c0urier.net/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
35076833280:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opnsense.c0urier.net/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Der Netzwerkaufbau sieht so aus:

WAN: 185.xx.yy.2/26 GW: 185.xx.yy.1
VLAN1: 192.168.6.0/24 GW: 192.168.6.1
VLAN2: 192.168.15.0/24 GW: 192.168.15.1

NAT ist auf Hybrid, aber auch mit automatic funktioniert es nicht.

Ansonsten hat jedes VLAN folgende FW Rules:
IPv4 *   VLAN1/2 net   *   *   *   *   *

NAT ist bei IPsec deutlich frickliger als bei OpenVPN.

Hast Du den Mikrotik ausschließlich wegen dem Faser-SFP? Sonst tut der nichts? Dann bridge doch dort das SFP auf den Port, an dem OPNsense hängt. So bekommt OPNsense die öffentliche IPv4-Adresse direkt.

Grüße
Maurice

Der Mikrotik ist tatsächlich nur wegen des SFP vorhanden. Problem ist, ich bin nicht vor Ort, aktuell niemand, da der Standort noch aufgebaut wird.

Wie müsste die Bridge aussehen? Am Mikrotik SFP und Port vom Sense brücken ist klar. Macht in dem Fall die Sense dann die Einwahl bzw holt sich sich per DHCP die öffentliche IP oder macht das weiterhin der Mikrotik und gibt die nur 1:1 weiter, wie im Post über dir schon als am Bespiel der Fritzbox als "Exposed Host"?

Aktuell scheint der Mikrotik die öffentliche IP einfach per DHCP zu erhalten, ohne irgendeinen Login.. ist das bei Glasfaser generell möglich oder muss ich da im System noch tiefer suchen? :D

Hi,

Ich habe ein Problem mit meiner OPNsense hinter einem Mikrotik Router mit fibre SFP module

Leider bin ich noch recht neu im Umgang mit der OPNsense, daher die Frage, ob mir hier jemanden helfen kann?

Hier der Aufbau:

Mikrotik
WAN IP 185.230.xxx.2
LAN  192.168.88.0/24

OPNsense
WAN IP 192.168.88.253
LAN  192.168.30.0/24

Nun möchte ich die WAN IP vom OPNsense per NAT/masq auf die WAN IP vom Mikrotik setzen, u.a. für IPsec.

OpenVPN arbeitet ohne Probleme in dem ich per NAT am Mikrotik 192.168.88.253 zu 185.230.xxx.2 übersetze..
Da OpenVPN also funktioniert, sollte auch ein Weg möglich sein, IPsec zum laufen zu bekommen, oder?

The wan should have public IP, thats why I want to NAT it on the OPNsense from private to public IP.
The router in front of OPNsense is a Mikrotik. May I hve to setup NAT on it to do some sort of exposed-host from Mikrotik to OPNsense?

ok, it seems to be the NATing problem.

On UTM it is possilbe to masq private WAN IP to Public IP.. is this possible on OPNsense too?

WAN private IP 192.168.88.253 / Public IP 185.230.xxx.2.. how can I translate private IP to public? The solution with virtual IP assigned to WAN interface didn´t work

so now I have found one Issue, I´ve had the WAN IP with no virtual IP for public IP, so with the private IP it couldn´t work..
but now a new Issue, "no connection has been authorized with policy=PSK"

Code Select Expand

2023:09:03-14:20:14 fw01 pluto[30529]: |af+type: OAKLEY_AUTHENTICATION_METHOD
2023:09:03-14:20:14 fw01 pluto[30529]: | length/value: 1
2023:09:03-14:20:14 fw01 pluto[30529]: | ******parse ISAKMP Oakley attribute:
2023:09:03-14:20:14 fw01 pluto[30529]: | af+type: OAKLEY_LIFE_TYPE
2023:09:03-14:20:14 fw01 pluto[30529]: | length/value: 1
2023:09:03-14:20:14 fw01 pluto[30529]: | ******parse ISAKMP Oakley attribute:
2023:09:03-14:20:14 fw01 pluto[30529]: | af+type: OAKLEY_LIFE_DURATION
2023:09:03-14:20:14 fw01 pluto[30529]: | length/value: 31680
2023:09:03-14:20:14 fw01 pluto[30529]: | preparse_isakmp_policy: peer requests PSK authentication
2023:09:03-14:20:14 fw01 pluto[30529]: packet from 185.32.xxx.2:263: initial Main Mode message received on 212.144.xxx.34:500 but no connection has been authorized with policy=PSK
2023:09:03-14:20:35 fw01 pluto[30529]: |
2023:09:03-14:20:35 fw01 pluto[30529]: | *received 40 bytes from 185.32.xxx.2:500 on eth4
2023:09:03-14:20:35 fw01 pluto[30529]: | **parse ISAKMP Message:
2023:09:03-14:20:35 fw01 pluto[30529]: | initiator cookie:
2023:09:03-14:20:35 fw01 pluto[30529]: | 3b c5 b5 fc d6 1b 00 f5
2023:09:03-14:20:35 fw01 pluto[30529]: | responder cookie:
2023:09:03-14:20:35 fw01 pluto[30529]: | cc 39 11 b9 d1 3a 21 b8
2023:09:03-14:20:35 fw01 pluto[30529]: | next payload type: ISAKMP_NEXT_N
2023:09:03-14:20:35 fw01 pluto[30529]: | ISAKMP version: ISAKMP Version 1.0
2023:09:03-14:20:35 fw01 pluto[30529]: | exchange type: ISAKMP_XCHG_INFO
2023:09:03-14:20:35 fw01 pluto[30529]: | flags: none
2023:09:03-14:20:35 fw01 pluto[30529]: | message ID: eb e0 75 f2
2023:09:03-14:20:35 fw01 pluto[30529]: | length: 40
2023:09:03-14:20:35 fw01 pluto[30529]: | ***parse ISAKMP Notification Payload:
2023:09:03-14:20:35 fw01 pluto[30529]: | next payload type: ISAKMP_NEXT_NONE
2023:09:03-14:20:35 fw01 pluto[30529]: | length: 12
2023:09:03-14:20:35 fw01 pluto[30529]: | DOI: ISAKMP_DOI_IPSEC
2023:09:03-14:20:35 fw01 pluto[30529]: | protocol ID: 1
2023:09:03-14:20:35 fw01 pluto[30529]: | SPI size: 0
2023:09:03-14:20:35 fw01 pluto[30529]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2023:09:03-14:20:35 fw01 pluto[30529]: packet from 185.32.xxx.2:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2023:09:03-14:20:35 fw01 pluto[30529]: | info:

Code Select Expand

[meta sequenceId="2729"] 08[ENC] <7cc9a15f-b7e6-411f-ad32-89b748b67332|1> generating ID_PROT request 0 [ SA V V V V V ]
[meta sequenceId="2730"] 08[NET] <7cc9a15f-b7e6-411f-ad32-89b748b67332|1> sending packet: from 185.32.xxx.2[500] to 212.144.xxx.34[500] (180 bytes)
[meta sequenceId="2731"] 04[NET] error writing to socket: Can't assign requested address
[meta sequenceId="2732"] 08[IKE] <7cc9a15f-b7e6-411f-ad32-89b748b67332|1> sending retransmit 1 of request message ID 0, seq 1
[meta sequenceId="2733"] 08[NET] <7cc9a15f-b7e6-411f-ad32-89b748b67332|1> sending packet: from 185.32.xxx.2[500] to 212.144.xxx.34[500] (180 bytes)
[meta sequenceId="2734"] 04[NET] error writing to socket: Can't assign requested address
[meta sequenceId="2735"] 08[IKE] <7cc9a15f-b7e6-411f-ad32-89b748b67332|1> sending retransmit 2 of request message ID 0, seq 1
[meta sequenceId="2736"] 08[NET] <7cc9a15f-b7e6-411f-ad32-89b748b67332|1> sending packet: from 185.32.xxx.2[500] to 212.144.xxx.34[500] (180 bytes)
[meta sequenceId="2737"] 04[NET] error writing to socket: Can't assign requested address
[meta sequenceId="2738"] 08[NET] <125> received packet: from 212.144.xxx.34[500] to 192.168.88.253[500] (256 bytes)
[meta sequenceId="2739"] 08[ENC] <125> parsed ID_PROT request 0 [ SA V V V V V V V V V ]
[meta sequenceId="2740"] 08[IKE] <125> no IKE config found for 192.168.88.253...212.144.xxx.34, sending NO_PROPOSAL_CHOSEN
[meta sequenceId="2741"] 08[ENC] <125> generating INFORMATIONAL_V1 request 1957370062 [ N(NO_PROP) ]
[meta sequenceId="2742"] 08[NET] <125> sending packet: from 192.168.88.253[500] to 212.144.xxx.34[500] (40 bytes)

Hi,

ich habe es nun nach deiner Config versucht, aber erhalte noch immer den gleichen Fehler.

Hier die config des OPNSense:

Code Select Expand

# This file is automatically generated. Do not edit
connections {
    7cc9a15f-b7e6-411f-ad32-89b748b67332 {
        proposals = aes256-sha256-modp2048
        unique = replace
        aggressive = no
        version = 1
        mobike = no
        local_addrs = 185.32.xxx.2
        remote_addrs = 212.144.xxx.34
        encap = no
        rekey_time = 28800
        send_certreq = no
        keyingtries = 0
        local-dc55fd10-ae2f-4528-abbe-xxxxxxxxxxxx {
            round = 0
            auth = psk
            id = 185.32.xxx.2
        }
        remote-a701c8e0-8a2f-4301-9bb6-xxxxxxxxxxxx {
            round = 0
            auth = psk
            id = 212.144.xxx.34
        }
        children {
            212f8e76-5c22-4df2-a0e1-xxxxxxxxxxxx {
                reqid = 130
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                start_action = start
                close_action = none
                dpd_action = clear
                mode = tunnel
                policies = yes
                local_ts = 192.168.30.0/24,192.168.60.0/24,172.16.3.0/24,192.168.88.0/24
                remote_ts = 192.168.10.0/24,192.168.20.0/24,192.168.111.0/24
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 212f8e76-5c22-4df2-a0e1-e32bc299f6ef
            }
        }
    }
}
pools {
}
secrets {
    ike-1eb47195-1c2f-4b1c-a528-942b4504cf38 {
        id-0 = 185.32.xxx.2
        id-1 = 212.144.xxx.34
        secret = xxxxxxxxxxxx
}
}

Hier die Config der Sophos Policy:
IKE encryption AES 256
IKE authentication alogrithm SHA2 256
IKE SA lifetime 28800
IKE DH group group 14 MODP2048
IPsec encryption algorithm AES 256
IPsec authentication algorithm SHA2 256
IPsec Lifetime 3600
IPsec PFS group group 14 MODP2048
Strict policy off
compression off

Hast du noch eine Idee, woran es hängen könnte?

Hi,

I try to get an IPsec Tunnel between a UTM (9.716) and ONSense 23.7.3

The log on UTM shows:

Code Select Expand

initiator cookie:
01 d6 0b 09 e4 37 be 33
responder cookie:
00 00 00 00 00 00 00 00
next payload type: ISAKMP_NEXT_SA
ISAKMP version: ISAKMP Version 1.0
exchange type: ISAKMP_XCHG_IDPROT
flags: none
message ID: 00 00 00 00
***emit ISAKMP Security Association Payload:
next payload type: ISAKMP_NEXT_VID
DOI: ISAKMP_DOI_IPSEC
****emit IPsec DOI SIT:
IPsec DOI SIT: SIT_IDENTITY_ONLY
****emit ISAKMP Proposal Payload:
next payload type: ISAKMP_NEXT_NONE
proposal number: 0
protocol ID: PROTO_ISAKMP
SPI size: 0
number of transforms: 1
*****emit ISAKMP Transform Payload (ISAKMP):
next payload type: ISAKMP_NEXT_NONE
transform number: 0
transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_LIFE_TYPE
length/value: 1
[1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_LIFE_DURATION
length/value: 7800
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_ENCRYPTION_ALGORITHM
length/value: 7
[7 is AES_CBC]
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_HASH_ALGORITHM
length/value: 1
[1 is HMAC_MD5]
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_KEY_LENGTH
length/value: 256
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_AUTHENTICATION_METHOD
length/value: 1
[1 is pre-shared key]
******emit ISAKMP Oakley attribute:
af+type: OAKLEY_GROUP_DESCRIPTION
length/value: 5
[5 is MODP_1536]
emitting length of ISAKMP Transform Payload (ISAKMP): 36
emitting length of ISAKMP Proposal Payload: 44
emitting length of ISAKMP Security Association Payload: 56
out_vendorid(): sending [strongSwan]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 88 2f e5 6d 6f d2 0d bc 22 51 61 3b 2e be 5b eb
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [Cisco-Unity]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [XAUTH]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 09 00 26 89 df d6 b7 12
emitting length of ISAKMP Vendor ID Payload: 12
out_vendorid(): sending [Dead Peer Detection]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [RFC 3947]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_VID
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
emitting length of ISAKMP Vendor ID Payload: 20
out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
***emit ISAKMP Vendor ID Payload:
next payload type: ISAKMP_NEXT_NONE
emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
V_ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
emitting length of ISAKMP Vendor ID Payload: 20
emitting length of ISAKMP Message: 256
HA System: can not delete ha_state #10
2023:09:02-16:42:26 fw01 pluto[12839]: |
*received 40 bytes from 185.x.x.2:500 on eth4
**parse ISAKMP Message:
initiator cookie:
01 d6 0b 09 e4 37 be 33
responder cookie:
b0 25 be f0 20 51 d5 15
next payload type: ISAKMP_NEXT_N
ISAKMP version: ISAKMP Version 1.0
exchange type: ISAKMP_XCHG_INFO
flags: none
message ID: c3 c7 7c b7
length: 40
***parse ISAKMP Notification Payload:
next payload type: ISAKMP_NEXT_NONE
length: 12
DOI: ISAKMP_DOI_IPSEC
protocol ID: 1
SPI size: 0
Notify Message Type: NO_PROPOSAL_CHOSEN
packet from 185.x.x.2:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
info:

what is the problem? I´m new to OPNSense, just managed UTM or XG until now and these IPsec Tunnels were working fine