Hi!
When I changed the "Peer identifier" on the OPNsense from "Distinguished name" to "KeyID tag" (without changing the content), I get the following on the OPNsense:
2025-06-12T14:32:57 Informational charon 10[IKE] <con10|308981> deleting IKE_SA con10[308981] between 15.15.15.15[fritz.dyndns.de]...30.30.30.30[65:32:76:45:12:69:35:23:64:3a:15:14:74:3e:12:69:78:73:54:34]
2025-06-12T14:32:57 Informational charon 10[IKE] <con10|308981> received DELETE for IKE_SA con10[308981]
2025-06-12T14:32:57 Informational charon 10[ENC] <con10|308981> parsed INFORMATIONAL_V1 request 2370631154 [ HASH D ]
2025-06-12T14:32:57 Informational charon 10[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (124 bytes)
2025-06-12T14:32:54 Informational charon 10[ENC] <con10|308981> parsed INFORMATIONAL_V1 response 648070960 [ HASH N(DPD_ACK) ]
2025-06-12T14:32:54 Informational charon 10[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (140 bytes)
2025-06-12T14:32:54 Informational charon 10[NET] <con10|308981> sending packet: from 15.15.15.15[4500] to 30.30.30.30[39390] (140 bytes)
2025-06-12T14:32:54 Informational charon 10[ENC] <con10|308981> generating INFORMATIONAL_V1 request 648070960 [ HASH N(DPD) ]
2025-06-12T14:32:54 Informational charon 10[IKE] <con10|308981> sending DPD request
2025-06-12T14:32:49 Informational charon 06[IKE] <con10|308981> received retransmit of request with ID 3118083309, but no response to retransmit
2025-06-12T14:32:49 Informational charon 06[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (1132 bytes)
2025-06-12T14:32:45 Informational charon 05[IKE] <con10|308981> received retransmit of request with ID 3118083309, but no response to retransmit
2025-06-12T14:32:45 Informational charon 05[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (1132 bytes)
2025-06-12T14:32:43 Informational charon 09[NET] <con10|308981> sending packet: from 15.15.15.15[4500] to 30.30.30.30[39390] (124 bytes)
2025-06-12T14:32:43 Informational charon 09[ENC] <con10|308981> generating INFORMATIONAL_V1 request 4253349708 [ HASH N(NO_PROP) ]
2025-06-12T14:32:43 Informational charon 09[IKE] <con10|308981> no matching proposal found, sending NO_PROPOSAL_CHOSEN
2025-06-12T14:32:43 Informational charon 09[CFG] <con10|308981> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ
2025-06-12T14:32:43 Informational charon 09[CFG] <con10|308981> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CCM_8_128/NO_EXT_SEQ, ESP:AES_CCM_8_256/NO_EXT_SEQ, ESP:AES_CCM_12_128/NO_EXT_SEQ, ESP:AES_CCM_12_256/NO_EXT_SEQ, ESP:AES_CCM_16_128/NO_EXT_SEQ, ESP:AES_CCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
2025-06-12T14:32:43 Informational charon 09[ENC] <con10|308981> parsed QUICK_MODE request 3118083309 [ HASH SA No ID ID ]
2025-06-12T14:32:43 Informational charon 09[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (1132 bytes)
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received NO_PROPOSAL_CHOSEN error notify
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> parsed INFORMATIONAL_V1 request 473474286 [ HASH N(NO_PROP) ]
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (124 bytes)
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> sending packet: from 15.15.15.15[4500] to 30.30.30.30[39390] (492 bytes)
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> generating QUICK_MODE request 259796168 [ HASH SA No KE ID ID ]
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received NO_PROPOSAL_CHOSEN error notify
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> remote endpoint changed from 30.30.30.30[4500] to 30.30.30.30[39390]
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> parsed INFORMATIONAL_V1 request 44268975 [ HASH N(NO_PROP) ]
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (124 bytes)
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> queueing TRANSACTION request as tasks still active
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> received packet: from 30.30.30.30[39390] to 15.15.15.15[4500] (124 bytes)
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> sending packet: from 15.15.15.15[4500] to 30.30.30.30[4500] (492 bytes)
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> generating QUICK_MODE request 2533247892 [ HASH SA No KE ID ID ]
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> sending packet: from 15.15.15.15[4500] to 30.30.30.30[4500] (236 bytes)
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> maximum IKE_SA lifetime 14586s
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> scheduling rekeying in 13146s
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> IKE_SA con10[308981] established between 15.15.15.15[fritz.dyndns.de]...30.30.30.30[65:32:76:45:12:69:35:23:64:3a:15:14:74:3e:12:69:78:73:54:34]
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> remote host is behind NAT
2025-06-12T14:32:42 Informational charon 06[CFG] <con10|308981> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> received unknown vendor ID: a3:42:3c:23:54:49:3f:3a:23:ee:7f:3b:2a:64:f5:2b
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received NAT-T (RFC 3947) vendor ID
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received DPD vendor ID
2025-06-12T14:32:42 Informational charon 06[IKE] <con10|308981> received XAuth vendor ID
2025-06-12T14:32:42 Informational charon 06[ENC] <con10|308981> parsed AGGRESSIVE response 0 [ SA KE No ID HASH N((24576)) V V V V V V NAT-D NAT-D ]
2025-06-12T14:32:42 Informational charon 06[NET] <con10|308981> received packet: from 30.30.30.30[500] to 15.15.15.15[500] (744 bytes)
2025-06-12T14:32:41 Informational charon 08[NET] <con10|308981> sending packet: from 15.15.15.15[500] to 30.30.30.30[500] (501 bytes)
2025-06-12T14:32:41 Informational charon 08[ENC] <con10|308981> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
2025-06-12T14:32:41 Informational charon 08[IKE] <con10|308981> initiating Aggressive Mode IKE_SA con10[308981] to 30.30.30.30
2025-06-11T21:57:43 Informational charon 07[ENC] <275429> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-06-01T07:01:05 Informational charon 14[ENC] <con3|4196> generating INFORMATIONAL_V1 request 3089818789 [ HASH N(DPD_ACK) ]
I wonder whether it looks better now!
P.S.: The FRITZ!Box now says: IKE-Error 0x2005 - internal error
I hope it looks better!
Since I read in AVM's guide that no DH is used in Phase 2 and the DH from Phase 1 is reused instead, I disabled it.
I set DH to "Off" in P2 on the OPNsense - now the connection could be established successfully! =D
So I managed it after all! :)
Thanks for reading! :)
Regards! Gutfred!
P.S.: I have posted the OPNsense log here - maybe it will help someone! :)
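The Quick Mode failure above can be read straight out of the two `[CFG]` lines: the local ESP proposal carries `MODP_2048` (PFS), while none of the FRITZ!Box proposals carries any DH group, so charon answers `NO_PROPOSAL_CHOSEN`. The following is an added example, not code from the post or from strongSwan: it parses those two log lines, applies a simplified model of the proposal comparison (every algorithm type, DH group included, must agree), and shows that the match appears once the local proposal has no phase 2 DH group. The log lines are the ones quoted in the post; `CONFIGURED_DH_OFF` is a constructed line for the fixed configuration.

```python
"""Compare ESP proposals from strongSwan/charon 'configured'/'received proposals' log lines."""
import re
from dataclasses import dataclass
from typing import Optional

ESN_TOKENS = {"NO_EXT_SEQ", "EXT_SEQ"}
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")

@dataclass(frozen=True)
class Proposal:
    proto: str
    encr: str
    integ: Optional[str]  # None for AEAD ciphers such as AES_GCM
    dh: Optional[str]     # None when no PFS group is offered
    esn: str

def parse_proposal(text: str) -> Proposal:
    """Parse one 'ESP:ENCR/INTEG/DH/ESN' string as charon prints it."""
    proto, _, algs = text.partition(":")
    tokens = algs.split("/")
    encr, integ, dh, esn = tokens[0], None, None, "NO_EXT_SEQ"
    for tok in tokens[1:]:
        if tok in ESN_TOKENS:
            esn = tok
        elif tok.startswith(DH_PREFIXES):
            dh = tok
        else:
            integ = tok
    return Proposal(proto, encr, integ, dh, esn)

def proposals_from_log(line: str) -> list[Proposal]:
    """Extract the comma-separated proposal list from a '[CFG] ... proposals:' log line."""
    m = re.search(r"proposals: (.*)$", line)
    return [parse_proposal(p.strip()) for p in m.group(1).split(",")] if m else []

def first_match(local: list[Proposal], remote: list[Proposal]) -> Optional[Proposal]:
    """Simplified model: a proposal is acceptable only if all its components are identical."""
    return next((l for l in local for r in remote if l == r), None)

def diagnose(local: list[Proposal], remote: list[Proposal]) -> str:
    if first_match(local, remote):
        return "match"
    if any(l.dh for l in local) and all(r.dh is None for r in remote):
        return "PFS mismatch: local phase 2 requires a DH group, peer offers none"
    return "no common proposal"

# Log lines quoted in the post (the failing configuration with MODP_2048 in phase 2).
CONFIGURED_LINE = "2025-06-12T14:32:43 Informational charon 09[CFG] <con10|308981> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ"
RECEIVED_LINE = "2025-06-12T14:32:43 Informational charon 09[CFG] <con10|308981> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CCM_8_128/NO_EXT_SEQ, ESP:AES_CCM_8_256/NO_EXT_SEQ, ESP:AES_CCM_12_128/NO_EXT_SEQ, ESP:AES_CCM_12_256/NO_EXT_SEQ, ESP:AES_CCM_16_128/NO_EXT_SEQ, ESP:AES_CCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"
# Constructed line: what charon would log after setting phase 2 DH to "Off" on the OPNsense.
CONFIGURED_DH_OFF = "configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ"

if __name__ == "__main__":
    remote = proposals_from_log(RECEIVED_LINE)
    print("with MODP_2048:", diagnose(proposals_from_log(CONFIGURED_LINE), remote))
    print("with DH off:   ", diagnose(proposals_from_log(CONFIGURED_DH_OFF), remote))
```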