IPSEC AUTHENTICATION_FAILED notify error
« on: September 02, 2019, 08:50:27 pm »
Hi everyone!
The scenario is as follows:
In the data center:
OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
OpenSSL 1.0.2s 28 May 2019
At home:
OPNsense 19.7.3-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019
IPSEC:
Configuration in the data center:
Configuration at home:
Now the problem:
Logs from the data center:
Sep 2 20:27:40 charon: 05[IKE] <con2|4> received AUTHENTICATION_FAILED notify error
Sep 2 20:27:40 charon: 05[ENC] <con2|4> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 20:27:40 charon: 05[NET] <con2|4> received packet: from 80.XXX.XXX.55[4500] to 149.XXX.XXX.178.178[4500] (80 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (116 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(3/3) ]
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(2/3) ]
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(1/3) ]
Sep 2 20:27:40 charon: 05[ENC] <con2|4> splitting IKE message (2448 bytes) into 3 fragments
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 2 20:27:40 charon: 05[IKE] <con2|4> establishing CHILD_SA con2{11}
Sep 2 20:27:40 charon: 05[IKE] <con2|4> authentication of '149.XXX.XXX.178.178' (myself) with pre-shared key
Sep 2 20:27:40 charon: 05[IKE] <con2|4> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Sep 2 20:27:40 charon: 05[IKE] <con2|4> sending cert request for "C=DE, ST=Niedersachsen, L=Nottensdorf, O=SJT CONSULTING, E=info@example.de, CN=internal-ca"
Sep 2 20:27:40 charon: 05[CFG] <con2|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40 charon: 05[ENC] <con2|4> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 2 20:27:40 charon: 05[NET] <con2|4> received packet: from 80.XXX.XXX.55[500] to 149.XXX.XXX.178.178[500] (472 bytes)
Sep 2 20:27:40 charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[500] to 80.XXX.XXX.55[500] (464 bytes)
Sep 2 20:27:40 charon: 05[ENC] <con2|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 2 20:27:40 charon: 05[IKE] <con2|4> initiating IKE_SA con2[4] to 80.XXX.XXX.55
Sep 2 20:27:40 charon: 10[CFG] received stroke: initiate 'con2'
Logs from home:
Sep 2 20:27:40 charon: 14[NET] <3> sending packet: from 80.XXX.XXX.55[4500] to 149.XXX.XXX.178[4500] (80 bytes)
Sep 2 20:27:40 charon: 14[ENC] <3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 20:27:40 charon: 14[IKE] <3> peer supports MOBIKE
Sep 2 20:27:40 charon: 14[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 2 20:27:40 charon: 14[CFG] <3> no matching peer config found
Sep 2 20:27:40 charon: 14[CFG] <3> looking for peer configs matching 80.XXX.XXX.55[91.248.236.17]...149.XXX.XXX.178[149.XXX.XXX.178]
Sep 2 20:27:40 charon: 14[IKE] <3> received 2 cert requests for an unknown ca
Sep 2 20:27:40 charon: 14[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 2 20:27:40 charon: 14[ENC] <3> received fragment #2 of 3, reassembled fragmented IKE message (2448 bytes)
Sep 2 20:27:40 charon: 14[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/3) ]
Sep 2 20:27:40 charon: 14[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 15[ENC] <3> received fragment #3 of 3, waiting for complete IKE message
Sep 2 20:27:40 charon: 15[ENC] <3> parsed IKE_AUTH request 1 [ EF(3/3) ]
Sep 2 20:27:40 charon: 15[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (116 bytes)
Sep 2 20:27:40 charon: 08[ENC] <3> received fragment #1 of 3, waiting for complete IKE message
Sep 2 20:27:40 charon: 08[ENC] <3> parsed IKE_AUTH request 1 [ EF(1/3) ]
Sep 2 20:27:40 charon: 08[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40 charon: 14[NET] <3> sending packet: from 80.XXX.XXX.55[500] to 149.XXX.XXX.178[500] (472 bytes)
Sep 2 20:27:40 charon: 14[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 2 20:27:40 charon: 14[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40 charon: 14[IKE] <3> 149.XXX.XXX.178 is initiating an IKE_SA
Sep 2 20:27:40 charon: 14[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 2 20:27:40 charon: 14[NET] <3> received packet: from 149.XXX.XXX.178[500] to 80.XXX.XXX.55[500] (464 bytes)
Anyone have an idea why it wants to do something with certs here? It shouldn't!
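As an added example (not part of the original post), a small Python parser that pulls the decisive lines out of a charon log like the one above: whether the initiator authenticated with a PSK, whether CERTREQ payloads were seen (strongSwan sends one per installed CA regardless of the authentication method, unless `charon.send_certreq` is disabled), and the identity lookup the responder performed before answering AUTH_FAILED. The sample log is constructed from the lines quoted in the post; the interpretation of the `looking for peer configs matching me[my_id]...other[other_id]` format follows strongSwan's log wording.

```python
import re

# Constructed sample: the decisive lines from the post, initiator and responder side.
SAMPLE_LOG = """\
Sep 2 20:27:40 charon: 05[IKE] <con2|4> authentication of '149.XXX.XXX.178.178' (myself) with pre-shared key
Sep 2 20:27:40 charon: 14[IKE] <3> received 2 cert requests for an unknown ca
Sep 2 20:27:40 charon: 14[CFG] <3> looking for peer configs matching 80.XXX.XXX.55[91.248.236.17]...149.XXX.XXX.178[149.XXX.XXX.178]
Sep 2 20:27:40 charon: 14[CFG] <3> no matching peer config found
Sep 2 20:27:40 charon: 14[ENC] <3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# strongSwan logs the lookup as "me[my_id]...other[other_id]": the responder's own
# address with the IDr the initiator asked for, then the initiator's address with its IDi.
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>\S+?)\[(?P<my_id>[^\]]+)\]\.\.\.(?P<other>\S+?)\[(?P<other_id>[^\]]+)\]"
)


def diagnose_ike_auth(log_text):
    """Classify an IKEv2 AUTH_FAILED from charon log lines.

    Returns a dict with the cause, whether PSK auth was used, whether CERTREQs
    were seen, and the addresses/identities the responder tried to match.
    """
    result = {"cause": "unknown", "psk": False, "certreq_seen": False}
    for line in log_text.splitlines():
        if "with pre-shared key" in line:
            result["psk"] = True
        if "cert requests for an unknown ca" in line:
            # Informational only: unknown CAs do not fail a PSK exchange by themselves.
            result["certreq_seen"] = True
        m = PEER_CFG_RE.search(line)
        if m:
            result.update(m.groupdict())
        if "no matching peer config found" in line:
            # The responder found no connection whose local identity equals the
            # requested IDr and whose remote identity equals the received IDi.
            result["cause"] = "no_peer_config"
    if "my_id" in result:
        result["idr_matches_local_addr"] = result["my_id"] == result["me"]
    return result
```

For the quoted log this reports cause `no_peer_config` with the responder's address `80.XXX.XXX.55` but a requested IDr of `91.248.236.17`, which is the identity pair to compare against the phase 1 identifier settings on both boxes.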