Topics - inzrust

17.7 Legacy Series / [Solved] IPsec (IKEv2) via OPNsense and MikroTik
« on: November 13, 2017, 11:59:45 am »
Hi all!

There is a problem when connecting OPNsense to MikroTik.

MikroTik cannot configure the SA.
I set up a test stand.
Versions are the latest stable ones.

Please tell me where I'm wrong.

Scheme
Code:
                    +----------+                     +----------+
 192.168.99.0/24   3| OPNsense |2   10.58.22.0/30   1| MikroTik |    192.168.88.0/24
                +---|__________|---------------------|__________|---+
                |                                                   |
               2|                                                  2|
            +-------+                                           +-------+
            | HOST1 |                                           | HOST2 |
            +-------+                                           +-------+


MikroTik

/ip address print
Code:
10.58.22.1/30      10.58.22.0      ether1
192.168.88.1/24    192.168.88.0    ether2-master

/ip firewall filter print
Code:
3    chain=input action=accept protocol=udp dst-port=500

4    chain=input action=accept protocol=udp dst-port=4500

5    chain=input action=accept protocol=ipsec-esp log=no

9    ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN

/ip firewall nat print
Code:
0    chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.99.0/24

1    chain=srcnat action=masquerade out-interface=ether1

/ip ipsec proposal print
Code:
name="test" auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=30m pfs-group=modp2048

/ip ipsec peer print
Code:
address=10.58.22.2/32 auth-method=pre-shared-key secret="test" generate-policy=port-strict policy-template-group=test exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=modp2048 dpd-interval=2m

/ip ipsec policy print
Code:
group=test src-address=192.168.88.0/24 dst-address=192.168.99.0/24 protocol=all proposal=test template=yes

/ip ipsec policy group print
Code:
test

/log print
Code:
.....................
.....................

15:42:17 ipsec,info new ike2 SA (I): 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:17 ipsec,info peer authorized: 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:34 ipsec,error no proposal chosen

OPNsense

/usr/local/etc/ipsec.conf
Code:
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug="chd 4"

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 10.58.22.2
  right = 10.58.22.1
  leftid = 10.58.22.2
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 10.58.22.1
  rightsubnet = 192.168.88.0/24
  leftsubnet = 192.168.99.0/24
  esp = aes256-sha512-modp2048,aes256gcm16-sha512-modp2048!
  auto = route

ipsec statusall
Code:
Status of IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64):
  uptime: 2 minutes, since Nov 13 13:50:58 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Listening IP addresses:
  192.168.99.3
  10.58.22.2
Connections:
        con1:  10.58.22.2...10.58.22.1  IKEv2
        con1:   local:  [10.58.22.2] uses pre-shared key authentication
        con1:   remote: [10.58.22.1] uses pre-shared key authentication
        con1:   child:  192.168.99.0/24 === 192.168.88.0/24 TUNNEL
Routed Connections:
        con1{1}:  ROUTED, TUNNEL, reqid 1
        con1{1}:   192.168.99.0/24 === 192.168.88.0/24
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 2 minutes ago, 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
        con1[2]: IKEv2 SPIs: 8151fd73911c4573_i ce875f1011cf37df_r*, pre-shared key reauthentication in 7 hours
        con1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

/var/log/ipsec.log
Code:
Nov 13 09:49:40 OPNsense charon: 00[IKE] sending DELETE for IKE_SA con1[1]
Nov 13 09:49:40 OPNsense charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Nov 13 09:49:40 OPNsense charon: 00[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:40 OPNsense charon: 00[CHD] CHILD_SA con1{1} state change: ROUTED => DESTROYING
Nov 13 09:49:42 OPNsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64)
Nov 13 09:49:42 OPNsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 13 09:49:42 OPNsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov 13 09:49:42 OPNsense charon: 00[CFG]   loaded IKE secret for 10.58.22.1
Nov 13 09:49:42 OPNsense charon: 00[CFG]   loaded IKE secret for test
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 09:49:42 OPNsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Nov 13 09:49:42 OPNsense charon: 00[JOB] spawning 16 worker threads
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: add connection 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] added configuration 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: route 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CHD] CHILD_SA con1{1} state change: CREATED => ROUTED
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (424 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] faking NAT situation to enforce UDP encapsulation
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (440 bytes)
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (432 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
Nov 13 09:49:46 OPNsense charon: 16[CFG] looking for peer configs matching 10.58.22.2[%any]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[CFG] selected peer config 'con1'
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.1' with pre-shared key successful
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.2' (myself) with pre-shared key
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] scheduling reauthentication in 28209s
Nov 13 09:49:46 OPNsense charon: 16[IKE] maximum IKE_SA lifetime 28749s
Nov 13 09:49:46 OPNsense charon: 16[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:46 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (192 bytes)
Nov 13 09:49:55 OPNsense charon: 16[KNL] creating acquire job for policy 10.58.22.2/32 === 10.58.22.1/32 with reqid {1}
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[ENC] generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Nov 13 09:49:55 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (576 bytes)
Nov 13 09:49:56 OPNsense charon: 13[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (496 bytes)
Nov 13 09:49:56 OPNsense charon: 13[ENC] parsed CREATE_CHILD_SA request 2 [ No KE SA TSi TSr ]
Nov 13 09:49:56 OPNsense charon: 13[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:56 OPNsense charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 13[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Nov 13 09:49:56 OPNsense charon: 13[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:56 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (240 bytes)
Nov 13 09:49:56 OPNsense charon: 16[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 13 09:49:56 OPNsense charon: 16[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 13 09:49:56 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 16[CHD] CHILD_SA con1{2} state change: CREATED => DESTROYING

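The charon log above shows the IKE_SA coming up while every CHILD_SA attempt fails. As an added example, not part of the original post, here is a small Python triage script that pulls the negotiation failure notices (TS_UNACCEPT, NO_PROPOSAL_CHOSEN) and the peer's transport-mode request out of strongSwan log lines and contrasts them with the subnets configured in ipsec.conf; the sample input is a constructed subset of the lines quoted in the post.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:46 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 16[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 13 09:49:56 OPNsense charon: 16[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

TS_RE = re.compile(r"traffic selectors (\S+) === (\S+) inacceptable")
IKE_UP_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established between")


def triage_charon_log(text: str, local_subnet: str, remote_subnet: str) -> Dict[str, object]:
    """Classify CHILD_SA failures in a strongSwan charon log.

    local_subnet/remote_subnet are the leftsubnet/rightsubnet of the conn,
    so a rejected traffic-selector pair can be reported next to what was expected.
    """
    result: Dict[str, object] = {"ike_sa_up": False, "peer_requested_transport": False,
                                 "child_failures": 0, "findings": []}
    findings: List[str] = result["findings"]  # type: ignore[assignment]
    for line in text.splitlines():
        if IKE_UP_RE.search(line):
            result["ike_sa_up"] = True  # phase 1 (IKE_SA) and PSK auth are fine
        if "N(USE_TRANSP)" in line:
            # Peer asks for transport mode; a tunnel-mode conn cannot accept it.
            result["peer_requested_transport"] = True
            findings.append("peer sent USE_TRANSPORT_MODE notify; check tunnel vs transport on both sides")
        m = TS_RE.search(line)
        if m:
            findings.append(f"peer proposed selectors {m.group(1)} <-> {m.group(2)}, "
                            f"local child expects {local_subnet} === {remote_subnet}")
        if "failed to establish CHILD_SA" in line:
            result["child_failures"] = int(result["child_failures"]) + 1
        if "NO_PROPOSAL_CHOSEN" in line:
            # Peer rejected every ESP proposal we offered: compare cipher, integrity and PFS group.
            findings.append("peer rejected all ESP proposals; compare esp= with the peer's proposal")
    return result


if __name__ == "__main__":
    for f in triage_charon_log(SAMPLE_LOG, "192.168.99.0/24", "192.168.88.0/24")["findings"]:
        print("-", f)
```

Run it against the full ipsec.log of a failing tunnel to see, per attempt, whether the rejection was on traffic selectors (policy/subnet mismatch) or on the ESP proposal (algorithm mismatch).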