17.7 Legacy Series / [Solved] IPsec (IKEv2) via OPNsense and MikroTik
« on: November 13, 2017, 11:59:45 am »
Hi all!
There is a problem when connecting OPNsense to MikroTik.
MikroTik cannot configure an SA.
I built a test bench.
Versions are the latest stable ones.
Please tell me where I'm wrong.
Scheme
Code:
                 +----------+                     +----------+
192.168.99.0/24 3| OPNsense |2   10.58.22.0/30   1| MikroTik | 192.168.88.0/24
    +------------|__________|---------------------|__________|------------+
    |                                                                     |
   2|                                                                    2|
+-------+                                                           +-------+
| HOST1 |                                                           | HOST2 |
+-------+                                                           +-------+
MikroTik
/ip address print
Code:
10.58.22.1/30 10.58.22.0 ether1
192.168.88.1/24 192.168.88.0 ether2-master
/ip firewall filter print
Code:
3 chain=input action=accept protocol=udp dst-port=500
4 chain=input action=accept protocol=udp dst-port=4500
5 chain=input action=accept protocol=ipsec-esp log=no
9 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
/ip firewall nat print
Code:
0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.99.0/24
1 chain=srcnat action=masquerade out-interface=ether1
/ip ipsec proposal print
Code:
name="test" auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=30m pfs-group=modp2048
/ip ipsec peer print
Code:
address=10.58.22.2/32 auth-method=pre-shared-key secret="test" generate-policy=port-strict policy-template-group=test exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=modp2048 dpd-interval=2m
/ip ipsec policy print
Code:
group=test src-address=192.168.88.0/24 dst-address=192.168.99.0/24 protocol=all proposal=test template=yes
/ip ipsec policy group print
Code:
test
/log print
Code:
.....................
.....................
15:42:17 ipsec,info new ike2 SA (I): 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:17 ipsec,info peer authorized: 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:34 ipsec,error no proposal chosen
OPNSense
/usr/local/etc/ipsec.conf
Code:
# This file is automatically generated. Do not edit
config setup
uniqueids = yes
charondebug="chd 4"
conn con1
aggressive = no
fragmentation = yes
keyexchange = ikev2
mobike = yes
reauth = yes
rekey = yes
forceencaps = yes
installpolicy = yes
type = tunnel
dpdaction = none
left = 10.58.22.2
right = 10.58.22.1
leftid = 10.58.22.2
ikelifetime = 28800s
lifetime = 3600s
ike = aes256-sha512-modp2048!
leftauth = psk
rightauth = psk
rightid = 10.58.22.1
rightsubnet = 192.168.88.0/24
leftsubnet = 192.168.99.0/24
esp = aes256-sha512-modp2048,aes256gcm16-sha512-modp2048!
auto = route
ipsec statusall
Code:
Status of IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64):
uptime: 2 minutes, since Nov 13 13:50:58 2017
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Listening IP addresses:
192.168.99.3
10.58.22.2
Connections:
con1: 10.58.22.2...10.58.22.1 IKEv2
con1: local: [10.58.22.2] uses pre-shared key authentication
con1: remote: [10.58.22.1] uses pre-shared key authentication
con1: child: 192.168.99.0/24 === 192.168.88.0/24 TUNNEL
Routed Connections:
con1{1}: ROUTED, TUNNEL, reqid 1
con1{1}: 192.168.99.0/24 === 192.168.88.0/24
Security Associations (1 up, 0 connecting):
con1[2]: ESTABLISHED 2 minutes ago, 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
con1[2]: IKEv2 SPIs: 8151fd73911c4573_i ce875f1011cf37df_r*, pre-shared key reauthentication in 7 hours
con1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
/var/log/ipsec.log
Code:
Nov 13 09:49:40 OPNsense charon: 00[IKE] sending DELETE for IKE_SA con1[1]
Nov 13 09:49:40 OPNsense charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Nov 13 09:49:40 OPNsense charon: 00[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:40 OPNsense charon: 00[CHD] CHILD_SA con1{1} state change: ROUTED => DESTROYING
Nov 13 09:49:42 OPNsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64)
Nov 13 09:49:42 OPNsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 13 09:49:42 OPNsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded IKE secret for 10.58.22.1
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded IKE secret for test
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 09:49:42 OPNsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Nov 13 09:49:42 OPNsense charon: 00[JOB] spawning 16 worker threads
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: add connection 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] added configuration 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: route 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CHD] CHILD_SA con1{1} state change: CREATED => ROUTED
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (424 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] faking NAT situation to enforce UDP encapsulation
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (440 bytes)
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (432 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
Nov 13 09:49:46 OPNsense charon: 16[CFG] looking for peer configs matching 10.58.22.2[%any]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[CFG] selected peer config 'con1'
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.1' with pre-shared key successful
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.2' (myself) with pre-shared key
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] scheduling reauthentication in 28209s
Nov 13 09:49:46 OPNsense charon: 16[IKE] maximum IKE_SA lifetime 28749s
Nov 13 09:49:46 OPNsense charon: 16[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:46 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (192 bytes)
Nov 13 09:49:55 OPNsense charon: 16[KNL] creating acquire job for policy 10.58.22.2/32 === 10.58.22.1/32 with reqid {1}
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[ENC] generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Nov 13 09:49:55 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (576 bytes)
Nov 13 09:49:56 OPNsense charon: 13[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (496 bytes)
Nov 13 09:49:56 OPNsense charon: 13[ENC] parsed CREATE_CHILD_SA request 2 [ No KE SA TSi TSr ]
Nov 13 09:49:56 OPNsense charon: 13[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:56 OPNsense charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 13[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Nov 13 09:49:56 OPNsense charon: 13[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:56 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (240 bytes)
Nov 13 09:49:56 OPNsense charon: 16[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 13 09:49:56 OPNsense charon: 16[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 13 09:49:56 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 16[CHD] CHILD_SA con1{2} state change: CREATED => DESTROYING
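A log-triage helper, added here as an example and not part of the original post or of OPNsense, strongSwan or MikroTik code. It reads charon lines in the syslog format shown in /var/log/ipsec.log above and reports which IKEv2 phase failed and what the log says about why. The regexes are tuned to the strongSwan 5.6 wording seen in this log (for example "inacceptable"; other releases phrase some messages differently, which is an assumption to check), and the sample lines are copied from the post. Run on that log it reports that the IKE_SA came up (PSK authentication of 10.58.22.1 succeeded), but no CHILD_SA did: the peer offered host-to-host selectors 10.58.22.2/32 === 10.58.22.1/32 together with N(USE_TRANSP), which con1 (type = tunnel, 192.168.99.0/24 === 192.168.88.0/24) cannot match, and the peer answered OPNsense's own CREATE_CHILD_SA with NO_PROPOSAL_CHOSEN.

```python
"""Triage a strongSwan (charon) syslog to find where an IKEv2 tunnel fails.

Added example for this thread; not code from OPNsense, strongSwan or MikroTik.
Regexes follow the strongSwan 5.6 wording in the post (assumption: other
versions may differ slightly, e.g. "unacceptable" instead of "inacceptable").
"""
import re
from dataclasses import dataclass, field

# charon line as syslog writes it on OPNsense: "<ts> <host> charon: <thread>[<subsys>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) charon: (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)

# Events that decide how far the negotiation got.
IKE_UP_RE = re.compile(r"IKE_SA (\S+) established between")
AUTH_OK_RE = re.compile(r"authentication of '([^']+)' with pre-shared key successful")
CHILD_UP_RE = re.compile(r"CHILD_SA (\S+) established with SPIs")
TS_BAD_RE = re.compile(r"traffic selectors (\S+) === (\S+) (?:in|un)acceptable")
NO_PROP_RE = re.compile(r"received NO_PROPOSAL_CHOSEN notify")
TRANSPORT_RE = re.compile(r"parsed \S+ request \d+ \[[^\]]*N\(USE_TRANSP\)")


@dataclass
class Triage:
    ike_established: bool = False
    peers_authenticated: list = field(default_factory=list)
    child_established: bool = False
    rejected_selectors: list = field(default_factory=list)  # (local, remote) pairs we refused
    peer_wants_transport: bool = False
    peer_sent_no_proposal: bool = False

    @property
    def stage(self) -> str:
        """Phase that failed: IKE_SA, CHILD_SA, or OK when a CHILD_SA came up."""
        if not self.ike_established:
            return "IKE_SA"
        if self.child_established:
            return "OK"
        return "CHILD_SA"

    def findings(self) -> list:
        """Human-readable reasons, derived only from the matched log events."""
        out = []
        if self.stage == "IKE_SA":
            out.append("IKE_SA never established: check IKE proposal, PSK and identities")
            return out
        if self.stage == "OK":
            return out
        if self.rejected_selectors:
            pairs = ", ".join(f"{l} === {r}" for l, r in self.rejected_selectors)
            out.append(f"peer offered traffic selectors we have no policy for: {pairs}")
        if self.peer_wants_transport:
            out.append("peer requested transport mode (USE_TRANSP) while our conn is type=tunnel")
        if self.peer_sent_no_proposal:
            out.append("peer answered our CREATE_CHILD_SA with NO_PROPOSAL_CHOSEN: ESP proposal/PFS mismatch")
        return out


def triage(log_text: str) -> Triage:
    """Scan charon lines; lines that are not charon output are ignored."""
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if IKE_UP_RE.search(msg):
            t.ike_established = True
        elif (a := AUTH_OK_RE.search(msg)):
            t.peers_authenticated.append(a.group(1))
        elif CHILD_UP_RE.search(msg):
            t.child_established = True
        elif (ts := TS_BAD_RE.search(msg)):
            pair = (ts.group(1), ts.group(2))
            if pair not in t.rejected_selectors:
                t.rejected_selectors.append(pair)
        elif NO_PROP_RE.search(msg):
            t.peer_sent_no_proposal = True
        elif TRANSPORT_RE.search(msg):
            t.peer_wants_transport = True
    return t


# Lines copied from the post's /var/log/ipsec.log, trimmed to the ones that matter.
SAMPLE_LOG = """\
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.1' with pre-shared key successful
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:46 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 16[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 13 09:49:56 OPNsense charon: 16[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("failed stage:", result.stage)
    for line in result.findings():
        print(" -", line)
```

What the script flags is where to look rather than a fix: on the MikroTik side the policy printed above is a template (template=yes) and shows no tunnel=yes, and its proposal lists aes-256-gcm alongside auth-algorithms=sha512, while OPNsense offers esp = aes256-sha512-modp2048,aes256gcm16-sha512-modp2048 and type = tunnel. Pipe a live log through it (for example `tail -n 200 /var/log/ipsec.log | python3 triage.py` after replacing SAMPLE_LOG with sys.stdin.read()) to see whether a change moved the failure from the CHILD_SA stage.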