Messages - Rac00n

#1
Virtual private networks / OpenVPN traffic to VLAN
December 06, 2023, 04:33:07 PM
I am trying to set up my OpenVPN server via OPNsense, installed in the Hetzner cloud, in order to get access to Hetzner's internal network.

Hetzner's internal network structure is separated by VLANs (by default, see https://docs.hetzner.com/cloud/networks/connect-dedi-vswitch/).

The given IPs are as follows:

Whole Network: 10.0.0.0/16

Cloud System:
10.0.0.0/24

vswitch: 10.0.0.1

OPNsense1: 10.0.0.2

OPNsense2: 10.0.0.3
--

Dedicated System:
10.0.1.0/24

DB1: 10.0.1.2
I've set up a really basic OpenVPN server with the following network settings:

Tunnel Network: 192.168.0.0/24
Remote Network: 10.0.0.0/24
When connected to the VPN server, I am able to ping 10.0.0.2, but I am not able to ping 10.0.0.3. OPNsense itself, in turn, can ping all devices via the console.

Unfortunately, I can't use the bridge mode when it comes to the OpenVPN server.

So, does anyone know how to get it to work within the internal Hetzner network?
#2
Hello there,

I've followed this guide: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#rw-swanctl-method1

But it's still not working, plus that guide contains some mistakes/missing parts.
For example:
1) In section 1.3 - VPN: IPsec: Connections --> Remote Authentication, setting %any as an EAP Id is not allowed and results in a "text validation error".

2) In section 1.3 - VPN: IPsec: Connections --> Remote Authentication, the value for "remote" is missing.
When I leave it empty, it results in "please specify a valid network segment or address".

Nevertheless, I've set the EAP Id to the user name "expert" and the value for the remote network to 0.0.0.0/0.
I've tried to capture some packets, but no packets are reaching my OPNsense.
I've even tried to restart the IPsec VPN, but it's still not working.

Can someone recommend a tutorial which is validated and working?


Thank you in advance.

Edit: I am able to receive packets now.
The error was caused by the NetworkManager configuration.
Under Ubuntu 22.04, you have to set managed=true under [ifupdown] in /etc/NetworkManager/NetworkManager.conf.
I've already installed strongswan and libcharon-extra-plugins.

The setup is as follows:
Site A:
WAN: 172.16.11.1
LAN: 192.168.1.0/24


Firewall Rules: Every interface allows all incoming and outgoing packets

Site B
WAN: 172.16.11.2
LAN: 192.168.2.0/24

Host: 192.168.2.3 --> connected to OPNsense Site B.
So, the host on Site B is supposed to establish a connection to the OPNsense on Site A.

Now, I am getting the following capture:
14:32:52.885431 IP (tos 0x0, ttl 63, id 57826, offset 0, flags [DF], proto UDP (17), length 1124)
    192.168.2.3.54712 > 172.16.11.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=900
        (p: #1 protoid=isakmp transform=41 len=384
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=00c0))
            (t: #3 type=encr id=aes (type=keylen value=0100))
            (t: #4 type=encr id=#23 (type=keylen value=0080))
            (t: #5 type=encr id=#23 (type=keylen value=00c0))
            (t: #6 type=encr id=#23 (type=keylen value=0100))
            (t: #7 type=encr id=#13 (type=keylen value=0080))
            (t: #8 type=encr id=#13 (type=keylen value=00c0))
            (t: #9 type=encr id=#13 (type=keylen value=0100))
            (t: #10 type=encr id=#24 (type=keylen value=0080))
            (t: #11 type=encr id=#24 (type=keylen value=00c0))
            (t: #12 type=encr id=#24 (type=keylen value=0100))
            (t: #13 type=encr id=3des )
            (t: #14 type=integ id=#12 )
            (t: #15 type=integ id=#13 )
            (t: #16 type=integ id=#14 )
            (t: #17 type=integ id=hmac-sha )
            (t: #18 type=integ id=aes-xcbc )
            (t: #19 type=integ id=#8 )
            (t: #20 type=prf id=#5 )
            (t: #21 type=prf id=#6 )
            (t: #22 type=prf id=#7 )
            (t: #23 type=prf id=aes128_xcbc )
            (t: #24 type=prf id=#8 )
            (t: #25 type=prf id=hmac-sha )
            (t: #26 type=dh id=#31 )
            (t: #27 type=dh id=#32 )
            (t: #28 type=dh id=#19 )
            (t: #29 type=dh id=#20 )
            (t: #30 type=dh id=#21 )
            (t: #31 type=dh id=#28 )
            (t: #32 type=dh id=#29 )
            (t: #33 type=dh id=#30 )
            (t: #34 type=dh id=#1031 )
            (t: #35 type=dh id=#1032 )
            (t: #36 type=dh id=#1033 )
            (t: #37 type=dh id=modp3072 )
            (t: #38 type=dh id=modp4096 )
            (t: #39 type=dh id=modp6144 )
            (t: #40 type=dh id=modp8192 )
            (t: #41 type=dh id=modp2048 ))
        (p: #2 protoid=isakmp transform=50 len=516
            (t: #1 type=encr id=#20 (type=keylen value=0080))
            (t: #2 type=encr id=#20 (type=keylen value=00c0))
            (t: #3 type=encr id=#20 (type=keylen value=0100))
            (t: #4 type=encr id=#16 (type=keylen value=0080))
            (t: #5 type=encr id=#16 (type=keylen value=00c0))
            (t: #6 type=encr id=#16 (type=keylen value=0100))
            (t: #7 type=encr id=#28 )
            (t: #8 type=encr id=#27 (type=keylen value=0080))
            (t: #9 type=encr id=#27 (type=keylen value=00c0))
            (t: #10 type=encr id=#27 (type=keylen value=0100))
            (t: #11 type=encr id=#19 (type=keylen value=0080))
            (t: #12 type=encr id=#19 (type=keylen value=00c0))
            (t: #13 type=encr id=#19 (type=keylen value=0100))
            (t: #14 type=encr id=#18 (type=keylen value=0080))
            (t: #15 type=encr id=#18 (type=keylen value=00c0))
            (t: #16 type=encr id=#18 (type=keylen value=0100))
            (t: #17 type=encr id=#15 (type=keylen value=0080))
            (t: #18 type=encr id=#15 (type=keylen value=00c0))
            (t: #19 type=encr id=#15 (type=keylen value=0100))
            (t: #20 type=encr id=#14 (type=keylen value=0080))
            (t: #21 type=encr id=#14 (type=keylen value=00c0))
            (t: #22 type=encr id=#14 (type=keylen value=0100))
            (t: #23 type=encr id=#25 (type=keylen value=0080))
            (t: #24 type=encr id=#25 (type=keylen value=00c0))
            (t: #25 type=encr id=#25 (type=keylen value=0100))
            (t: #26 type=encr id=#26 (type=keylen value=0080))
            (t: #27 type=encr id=#26 (type=keylen value=00c0))
            (t: #28 type=encr id=#26 (type=keylen value=0100))
            (t: #29 type=prf id=#5 )
            (t: #30 type=prf id=#6 )
            (t: #31 type=prf id=#7 )
            (t: #32 type=prf id=aes128_xcbc )
            (t: #33 type=prf id=#8 )
            (t: #34 type=prf id=hmac-sha )
            (t: #35 type=dh id=#31 )
            (t: #36 type=dh id=#32 )
            (t: #37 type=dh id=#19 )
            (t: #38 type=dh id=#20 )
            (t: #39 type=dh id=#21 )
            (t: #40 type=dh id=#28 )
            (t: #41 type=dh id=#29 )
            (t: #42 type=dh id=#30 )
            (t: #43 type=dh id=#1031 )
            (t: #44 type=dh id=#1032 )
            (t: #45 type=dh id=#1033 )
            (t: #46 type=dh id=modp3072 )
            (t: #47 type=dh id=modp4096 )
            (t: #48 type=dh id=modp6144 )
            (t: #49 type=dh id=modp8192 )
            (t: #50 type=dh id=modp2048 )))
    (v2ke: len=32 group=#31)
    (nonce: len=32 data=(8dad4585a1a035b94899...0000402f00020003000400050000000800004016))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16431(status))
    (n: prot_id=#0 type=16406(status))
14:32:52.930573 IP (tos 0x0, ttl 64, id 4271, offset 0, flags [none], proto UDP (17), length 64)
    172.16.11.1.500 > 192.168.2.3.54712: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    (n: prot_id=#0 type=14(no_protocol_chosen))


The host's syslog states the following log entries:
Nov 17 09:32:52 osboxes NetworkManager[5671]: <info>  [1700231572.2062] vpn[0x55eb24de65e0,247d6831-f193-47f2-ba4f-d92cf16a227b,"VPN 1"]: starting strongswan
Nov 17 09:32:52 osboxes NetworkManager[5671]: <info>  [1700231572.2063] audit: op="connection-activate" uuid="247d6831-f193-47f2-ba4f-d92cf16a227b" name="VPN 1" pid=5721 uid=1000 result="success"
Nov 17 09:32:52 osboxes charon-nm: 05[CFG] received initiate for NetworkManager connection VPN 1
Nov 17 09:32:52 osboxes charon-nm: 05[CFG] using gateway identity 'OPNsense'
Nov 17 09:32:52 osboxes charon-nm: 05[IKE] initiating IKE_SA VPN 1[6] to 172.16.11.1
Nov 17 09:32:52 osboxes charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 17 09:32:52 osboxes charon-nm: 05[NET] sending packet: from 192.168.2.3[54712] to 172.16.11.1[500] (1096 bytes)
Nov 17 09:32:52 osboxes charon-nm: 06[NET] received packet: from 172.16.11.1[500] to 192.168.2.3[54712] (36 bytes)
Nov 17 09:32:52 osboxes charon-nm: 06[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 17 09:32:52 osboxes charon-nm: 06[IKE] received NO_PROPOSAL_CHOSEN notify error
Nov 17 09:32:52 osboxes NetworkManager[5671]: <warn>  [1700231572.3808] vpn[0x55eb24de65e0,247d6831-f193-47f2-ba4f-d92cf16a227b,"VPN 1"]: dbus: failure: login-failed (0)
Nov 17 09:32:52 osboxes NetworkManager[5671]: <warn>  [1700231572.3808] vpn[0x55eb24de65e0,247d6831-f193-47f2-ba4f-d92cf16a227b,"VPN 1"]: dbus: failure: connect-failed (1)

Update

I've found the following how-to, and I am getting one step closer to my goal: https://newsweb.w-3.de/Tutorials/Tutorial_MobIKE.pdf

Now, the capture and the syslog look like this:

16:58:24.927059 IP (tos 0x0, ttl 63, id 63635, offset 0, flags [DF], proto UDP (17), length 1096)
    192.168.2.3.56049 > 172.16.11.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=648
        (p: #1 protoid=isakmp transform=30 len=272
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=00c0))
            (t: #3 type=encr id=aes (type=keylen value=0100))
            (t: #4 type=encr id=#23 (type=keylen value=0080))
            (t: #5 type=encr id=#23 (type=keylen value=00c0))
            (t: #6 type=encr id=#23 (type=keylen value=0100))
            (t: #7 type=encr id=3des )
            (t: #8 type=integ id=#12 )
            (t: #9 type=integ id=#13 )
            (t: #10 type=integ id=#14 )
            (t: #11 type=integ id=hmac-sha )
            (t: #12 type=integ id=aes-xcbc )
            (t: #13 type=prf id=#5 )
            (t: #14 type=prf id=#6 )
            (t: #15 type=prf id=#7 )
            (t: #16 type=prf id=aes128_xcbc )
            (t: #17 type=prf id=hmac-sha )
            (t: #18 type=dh id=modp2048 )
            (t: #19 type=dh id=#31 )
            (t: #20 type=dh id=#32 )
            (t: #21 type=dh id=#19 )
            (t: #22 type=dh id=#20 )
            (t: #23 type=dh id=#21 )
            (t: #24 type=dh id=#28 )
            (t: #25 type=dh id=#29 )
            (t: #26 type=dh id=#30 )
            (t: #27 type=dh id=modp3072 )
            (t: #28 type=dh id=modp4096 )
            (t: #29 type=dh id=modp6144 )
            (t: #30 type=dh id=modp8192 ))
        (p: #2 protoid=isakmp transform=37 len=376
            (t: #1 type=encr id=#20 (type=keylen value=0080))
            (t: #2 type=encr id=#20 (type=keylen value=00c0))
            (t: #3 type=encr id=#20 (type=keylen value=0100))
            (t: #4 type=encr id=#16 (type=keylen value=0080))
            (t: #5 type=encr id=#16 (type=keylen value=00c0))
            (t: #6 type=encr id=#16 (type=keylen value=0100))
            (t: #7 type=encr id=#28 )
            (t: #8 type=encr id=#19 (type=keylen value=0080))
            (t: #9 type=encr id=#19 (type=keylen value=00c0))
            (t: #10 type=encr id=#19 (type=keylen value=0100))
            (t: #11 type=encr id=#18 (type=keylen value=0080))
            (t: #12 type=encr id=#18 (type=keylen value=00c0))
            (t: #13 type=encr id=#18 (type=keylen value=0100))
            (t: #14 type=encr id=#15 (type=keylen value=0080))
            (t: #15 type=encr id=#15 (type=keylen value=00c0))
            (t: #16 type=encr id=#15 (type=keylen value=0100))
            (t: #17 type=encr id=#14 (type=keylen value=0080))
            (t: #18 type=encr id=#14 (type=keylen value=00c0))
            (t: #19 type=encr id=#14 (type=keylen value=0100))
            (t: #20 type=prf id=#5 )
            (t: #21 type=prf id=#6 )
            (t: #22 type=prf id=#7 )
            (t: #23 type=prf id=aes128_xcbc )
            (t: #24 type=prf id=hmac-sha )
            (t: #25 type=dh id=modp2048 )
            (t: #26 type=dh id=#31 )
            (t: #27 type=dh id=#32 )
            (t: #28 type=dh id=#19 )
            (t: #29 type=dh id=#20 )
            (t: #30 type=dh id=#21 )
            (t: #31 type=dh id=#28 )
            (t: #32 type=dh id=#29 )
            (t: #33 type=dh id=#30 )
            (t: #34 type=dh id=modp3072 )
            (t: #35 type=dh id=modp4096 )
            (t: #36 type=dh id=modp6144 )
            (t: #37 type=dh id=modp8192 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(80a767aa52af027fcb2f...0000402f00020003000400050000000800004016))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16431(status))
    (n: prot_id=#0 type=16406(status))
16:58:24.960710 IP (tos 0x0, ttl 64, id 1327, offset 0, flags [none], proto UDP (17), length 525)
    172.16.11.1.500 > 192.168.2.3.56049: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=integ id=#12 )
            (t: #3 type=prf id=#5 )
            (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(54c8a93f75e4fdbd0d64...0004000529000008000040220000000800004014))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (v2cr: len=21)
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16431(status))
    (n: prot_id=#0 type=16418(status))
    (n: prot_id=#0 type=16404(status))
16:58:24.965356 IP (tos 0x0, ttl 63, id 63644, offset 0, flags [DF], proto UDP (17), length 496)
    192.168.2.3.46164 > 172.16.11.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]:
    (v2e: len=432)
16:58:24.973444 IP (tos 0x0, ttl 64, id 31524, offset 0, flags [none], proto UDP (17), length 1268)
    172.16.11.1.4500 > 192.168.2.3.46164: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]:
    (#53) [|v2IDr]
16:58:24.973461 IP (tos 0x0, ttl 64, id 50748, offset 0, flags [none], proto UDP (17), length 372)
    172.16.11.1.4500 > 192.168.2.3.46164: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]:
    (#53)
16:58:24.976016 IP (tos 0x0, ttl 63, id 63646, offset 0, flags [DF], proto UDP (17), length 112)
    192.168.2.3.46164 > 172.16.11.1.4500: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa  inf2[I]:
    (v2e: len=48)
16:58:24.979287 IP (tos 0x0, ttl 64, id 18822, offset 0, flags [none], proto UDP (17), length 112)
    172.16.11.1.4500 > 192.168.2.3.46164: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa  inf2[R]:
    (v2e: len=48)


Nov 17 11:54:02 osboxes NetworkManager[3697]: <info>  [1700240042.0788] vpn[0x55fc4b1486a0,820d3a8d-85e7-451a-a270-b9b1a79a93a5,"VPN 1"]: starting strongswan
Nov 17 11:54:02 osboxes NetworkManager[3697]: <info>  [1700240042.0876] audit: op="connection-activate" uuid="820d3a8d-85e7-451a-a270-b9b1a79a93a5" name="VPN 1" pid=2511 uid=1000 result="success"
Nov 17 11:54:02 osboxes charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.5)
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] providers loaded by OpenSSL: legacy default
Nov 17 11:54:02 osboxes systemd-udevd[4028]: Using default interface naming scheme 'v249'.
Nov 17 11:54:02 osboxes NetworkManager[3697]: <info>  [1700240042.1406] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/4)
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] created TUN device: tun0
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 17 11:54:02 osboxes charon-nm: 00[JOB] spawning 16 worker threads
Nov 17 11:54:02 osboxes charon-nm: 06[IKE] installed bypass policy for 169.254.0.0/16
Nov 17 11:54:02 osboxes charon-nm: 06[IKE] installed bypass policy for 192.168.2.0/24
Nov 17 11:54:02 osboxes charon-nm: 06[IKE] installed bypass policy for ::1/128
Nov 17 11:54:02 osboxes charon-nm: 05[CFG] received initiate for NetworkManager connection VPN 1
Nov 17 11:54:02 osboxes charon-nm: 05[CFG] using gateway identity 'OPNsense'
Nov 17 11:54:02 osboxes charon-nm: 05[IKE] initiating IKE_SA VPN 1[1] to 172.16.11.1
Nov 17 11:54:02 osboxes charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 17 11:54:02 osboxes charon-nm: 05[NET] sending packet: from 192.168.2.3[52021] to 172.16.11.1[500] (844 bytes)
Nov 17 11:54:02 osboxes charon-nm: 10[NET] received packet: from 172.16.11.1[500] to 192.168.2.3[52021] (38 bytes)
Nov 17 11:54:02 osboxes charon-nm: 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 17 11:54:02 osboxes charon-nm: 10[IKE] peer didn't accept DH group CURVE_25519, it requested MODP_2048
Nov 17 11:54:02 osboxes charon-nm: 10[IKE] initiating IKE_SA VPN 1[1] to 172.16.11.1
Nov 17 11:54:02 osboxes charon-nm: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 17 11:54:02 osboxes charon-nm: 10[NET] sending packet: from 192.168.2.3[52021] to 172.16.11.1[500] (1068 bytes)
Nov 17 11:54:02 osboxes charon-nm: 11[NET] received packet: from 172.16.11.1[500] to 192.168.2.3[52021] (497 bytes)
Nov 17 11:54:02 osboxes charon-nm: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 17 11:54:02 osboxes charon-nm: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 11:54:02 osboxes charon-nm: 11[IKE] received cert request for "C=AD, ST=a, L=a, O=a, E=a, CN=OPNsense"
Nov 17 11:54:02 osboxes charon-nm: 11[IKE] sending cert request for "C=AD, ST=a, L=a, O=a, E=a, CN=OPNsense"
Nov 17 11:54:02 osboxes charon-nm: 11[IKE] establishing CHILD_SA VPN 1{1}
Nov 17 11:54:02 osboxes charon-nm: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 17 11:54:02 osboxes charon-nm: 11[NET] sending packet: from 192.168.2.3[41234] to 172.16.11.1[4500] (464 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[NET] received packet: from 172.16.11.1[4500] to 192.168.2.3[41234] (1236 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Nov 17 11:54:02 osboxes charon-nm: 12[NET] received packet: from 172.16.11.1[4500] to 192.168.2.3[41234] (340 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1504 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 17 11:54:02 osboxes charon-nm: 12[IKE] received end entity cert "C=AD, ST=a, L=a, O=a, E=a, CN=OPNsense"
Nov 17 11:54:02 osboxes charon-nm: 12[IKE] no trusted RSA public key found for '172.16.11.1'
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Nov 17 11:54:02 osboxes charon-nm: 12[NET] sending packet: from 192.168.2.3[41234] to 172.16.11.1[4500] (80 bytes)
Nov 17 11:54:02 osboxes NetworkManager[3697]: <warn>  [1700240042.3979] vpn[0x55fc4b1486a0,820d3a8d-85e7-451a-a270-b9b1a79a93a5,"VPN 1"]: dbus: failure: connect-failed (1)
Nov 17 11:54:02 osboxes NetworkManager[3697]: <warn>  [1700240042.3986] vpn[0x55fc4b1486a0,820d3a8d-85e7-451a-a270-b9b1a79a93a5,"VPN 1"]: dbus: failure: connect-failed (1)


Update

I've got it working with strongSwan for Android.
The next step is to study more about strongSwan for Linux systems.

So, the mobile VPN works!
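An added example, not the poster's code, that replays the responder side of IKE_SA_INIT proposal selection over text in the tcpdump format shown above, so the sequence seen in the two logs (NO_PROPOSAL_CHOSEN, then INVALID_KE with a retry on MODP_2048, then an accepted proposal) can be reproduced offline. The abridged request, the responder policy and the small IANA-name table are constructed for this demo.

```python
"""Replay the responder's IKE_SA_INIT proposal selection (RFC 7296) over the
tcpdump text shown above, to see why NO_PROPOSAL_CHOSEN or INVALID_KE comes back."""
import re

# tcpdump prints unknown transforms as IANA IDs; these names follow the IKEv2 registry
# and agree with the charon log (#12 HMAC_SHA2_256_128, #5 PRF_HMAC_SHA2_256, #31 CURVE_25519).
IANA = {("integ", "#12"): "HMAC_SHA2_256_128", ("prf", "#5"): "PRF_HMAC_SHA2_256",
        ("dh", "#31"): "CURVE_25519", ("encr", "#20"): "AES_GCM_16"}
TRANSFORM = re.compile(r"\(t: #\d+ type=(\w+) id=(\S+?)(?: \(type=keylen value=([0-9a-f]+)\))? ?\)")
KE_GROUP = re.compile(r"\(v2ke: len=\d+ group=(\S+)\)")

def transform_name(ttype, tid, keylen=None):
    """Normalise a transform to the strongSwan-style name used in the syslog."""
    if tid.startswith("modp"):
        return "MODP_" + tid[4:]
    name = "AES_CBC" if tid == "aes" else IANA.get((ttype, tid), f"{ttype}:{tid}")
    return f"{name}_{int(keylen, 16)}" if keylen else name

def parse_sa(capture):
    """Split the SA payload into proposals: list of {transform type: set of names}."""
    proposals = []
    for line in capture.splitlines():
        if "(p: #" in line:
            proposals.append({})
        m = TRANSFORM.search(line)
        if m and proposals:
            ttype, tid, keylen = m.groups()
            proposals[-1].setdefault(ttype, set()).add(transform_name(ttype, tid, keylen))
    return proposals

def select_proposal(proposals, ke_group, policy):
    """Responder rule: the first proposal overlapping the policy in every transform type
    wins; none -> NO_PROPOSAL_CHOSEN. If the winner's DH group differs from the KE payload
    the client already sent, the answer is INVALID_KE_PAYLOAD naming the wanted group."""
    for prop in proposals:
        common = {t: prop.get(t, set()) & wanted for t, wanted in policy.items()}
        if all(common.values()):
            chosen = {t: min(v) for t, v in common.items()}
            if transform_name("dh", ke_group) != chosen["dh"]:
                return "INVALID_KE_PAYLOAD", chosen["dh"]
            return "OK", chosen
    return "NO_PROPOSAL_CHOSEN", None

def explain(capture, policy):
    """Parse one captured IKE_SA_INIT request and return the responder's verdict."""
    return select_proposal(parse_sa(capture), KE_GROUP.search(capture).group(1), policy)

# Constructed request, abridged to the capture format above: a CBC proposal, an AEAD
# proposal, and a Curve25519 KE payload (group=#31) as in the first attempt.
SAMPLE_INIT = """\
        (p: #1 protoid=isakmp transform=6 len=96
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=0100))
            (t: #3 type=integ id=#12 )
            (t: #4 type=prf id=#5 )
            (t: #5 type=dh id=#31 )
            (t: #6 type=dh id=modp2048 ))
        (p: #2 protoid=isakmp transform=3 len=40
            (t: #1 type=encr id=#20 (type=keylen value=0100))
            (t: #2 type=prf id=#5 )
            (t: #3 type=dh id=#31 )))
    (v2ke: len=32 group=#31)
"""
# Responder policy equal to the proposal the log shows OPNsense finally selecting.
POLICY = {"encr": {"AES_CBC_256"}, "integ": {"HMAC_SHA2_256_128"},
          "prf": {"PRF_HMAC_SHA2_256"}, "dh": {"MODP_2048"}}

if __name__ == "__main__":
    print(explain(SAMPLE_INIT, POLICY))  # ('INVALID_KE_PAYLOAD', 'MODP_2048')
    print(explain(SAMPLE_INIT.replace("group=#31", "group=modp2048"), POLICY))  # ('OK', {...})
```

A policy whose only DH group the client never offered (for example {"dh": {"MODP_3072"}} against this sample) yields ("NO_PROPOSAL_CHOSEN", None), the reply seen in the first capture.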
#3
I really don't know why it is working now.
But I had restarted the VPN and it seems to be working now.
The "time" column under VPN -> IPsec -> Status Overview had been increasing when I pinged the subnet.

Edit: I am even able to ping the whole subnet of each site now.
#4
Hi there,

I've followed this guide: https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

The only differences:
Site A:
WAN: 172.16.11.1
LAN: 192.168.1.0/24

Tunnel-Settings Phase 2:
Mode: Tunnel IPv4
Local Network: LAN Subnet
Remote Network: 192.168.2.0/24

Firewall Rules: Every interface allows all incoming and outgoing packets

Site B
WAN: 172.16.11.2
LAN: 192.168.2.0/24

Tunnel-Settings Phase 2:
Mode: Tunnel IPv4
Local Network: LAN Subnet
Remote Network: 192.168.1.0/24

Firewall Rules: Every interface allows all incoming and outgoing packets

The tunnel is established, but no traffic goes through the tunnel.
I can ping the LAN interfaces 192.168.1.1 and 192.168.2.1, but I can't reach the whole subnet.
And if I ping 192.168.1.1 and 192.168.2.1, it doesn't go through the tunnel.

Thank you for your help in advance.
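An added example, not the poster's configuration, that models the Phase 2 traffic selectors of this site-to-site setup and classifies which flows a tunnel-mode SPD will actually protect. The rule that a ping issued on the firewall itself leaves with the WAN address as source unless a source is chosen explicitly is an assumption made for this illustration.

```python
"""Tunnel-mode IPsec only protects packets whose (src, dst) fall inside a Phase 2
traffic selector; anything else follows the normal routing table in the clear."""
from ipaddress import ip_address, ip_network

# Phase 2 selectors from the site-to-site post above (local -> remote), plus each
# firewall's own addresses so firewall-originated pings can be classified.
SITES = {
    "A": {"wan": "172.16.11.1", "lan_if": "192.168.1.1",
          "local": "192.168.1.0/24", "remote": "192.168.2.0/24"},
    "B": {"wan": "172.16.11.2", "lan_if": "192.168.2.1",
          "local": "192.168.2.0/24", "remote": "192.168.1.0/24"},
}

def matches_selector(site, src, dst):
    """True if this site's Phase 2 policy covers the flow in the outbound direction."""
    return (ip_address(src) in ip_network(site["local"])
            and ip_address(dst) in ip_network(site["remote"]))

def classify(src, dst):
    """Return ('tunnel', site) if some site's SPD encrypts the flow, else ('clear', None)."""
    for name, site in SITES.items():
        if matches_selector(site, src, dst):
            return "tunnel", name
    return "clear", None

def firewall_ping(site_name, dst, source_from_lan=False):
    """A ping issued on the firewall itself. Assumption for this example: with no
    explicit source the packet carries the WAN address (the peer LAN is reached via
    the default route); selecting the LAN address puts it inside the selector."""
    site = SITES[site_name]
    src = site["lan_if"] if source_from_lan else site["wan"]
    return classify(src, dst)

if __name__ == "__main__":
    print(classify("192.168.1.10", "192.168.2.3"))       # ('tunnel', 'A')
    print(firewall_ping("A", "192.168.2.1"))             # ('clear', None)
    print(firewall_ping("A", "192.168.2.1", True))       # ('tunnel', 'A')
```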