Messages - superwinni2

121
German - Deutsch / Re: Dumb idea? Internet via VLAN?
« on: July 25, 2021, 12:06:17 pm »
I think you have misconfigured something somewhere...
I just can't follow anymore where exactly what is, which switch, etc.
Draw a small network diagram and note how the corresponding ports are configured.

Sent from my OnePlus 8t using Tapatalk


122
German - Deutsch / Re: Dumb idea? Internet via VLAN?
« on: July 24, 2021, 10:45:57 pm »
I have something similar...
Depending on the allowed downtime you just have to take care not to create a SPOF (single point of failure).
Redundant switches, redundant power supply (2 phases), redundant cabling.
Other than that, the setup has been running stable for ages here.

Sent from my OnePlus 8t using Tapatalk


123
German - Deutsch / Re: IPSec / Fragmented IKE messages?
« on: July 23, 2021, 03:28:26 pm »
Thanks for your reply.
Since I also have other IPSec connections that do not have this problem, I don't think this is the solution to the problem.

124
German - Deutsch / IPSec / Fragmented IKE messages?
« on: July 23, 2021, 10:36:35 am »
Hello everyone

I hope someone can help me with my problem...
I (198.51.100.194) am trying to set up an IPSec tunnel to 203.0.113.154.
The connection itself works. Data goes through, but it can also happen that the connection drops and I have to restart the entire VPN service on my side before packets can be exchanged again.
Since I already have several IPSec VPNs, everything of course goes down for a brief moment, which isn't great.

Can someone tell me why I receive fragmented IKE packets? Can I change something so that this works better? Or is the problem not on my side at all?

Thanks and regards

In the log I get the following messages:

Jul 23 10:24:01 fw1 charon[29650]: 16[ENC] <con1|10291> fragmented IKE message is too large
Jul 23 10:24:01 fw1 charon[29650]: 15[NET] <con1|10291> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:01 fw1 charon[29650]: 07[NET] <con1|10291> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:01 fw1 charon[29650]: 07[ENC] <con1|10291> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:01 fw1 charon[29650]: 07[ENC] <con1|10291> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:06 fw1 charon[29650]: 16[IKE] <con1|10290> deleting IKE_SA con1[10290] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:06 fw1 charon[29650]: 16[IKE] <con1|10290> sending DELETE for IKE_SA con1[10290]
Jul 23 10:24:06 fw1 charon[29650]: 16[ENC] <con1|10290> generating INFORMATIONAL request 0 [ D ]
Jul 23 10:24:06 fw1 charon[29650]: 16[NET] <con1|10290> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10293> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10293> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <10293> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10290> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10290> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 15[IKE] <con1|10290> IKE_SA deleted
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10293> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10293> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10293> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> received 1 cert requests for an unknown ca
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <10293> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <con1|10293> selected peer config 'con1'
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> peer supports MOBIKE
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10291> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10292> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> IKE_SA con1[10293] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> scheduling reauthentication in 2578s
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> maximum IKE_SA lifetime 3118s
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <con1|10293> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> CHILD_SA con1{10349} established with SPIs c4087868_i ccceaada_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10293> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 09[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 06[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 06[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 06[ENC] <con1|10293> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> fragmented IKE message is too large
Jul 23 10:24:07 fw1 charon[29650]: 09[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> received fragment #8 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 15[IKE] <con1|10292> sending DPD request
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10291> deleting IKE_SA con1[10291] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10291> sending DELETE for IKE_SA con1[10291]
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10292> generating INFORMATIONAL request 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10291> generating INFORMATIONAL request 0 [ D ]
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10292> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10291> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10292> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10292> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10294> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10294> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <10294> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10291> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10291> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 15[IKE] <con1|10291> IKE_SA deleted
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10294> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10294> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <10294> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <10294> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <10294> received 1 cert requests for an unknown ca
Jul 23 10:24:08 fw1 charon[29650]: 16[CFG] <10294> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:08 fw1 charon[29650]: 16[CFG] <con1|10294> selected peer config 'con1'
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> peer supports MOBIKE
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10292> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10293> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> IKE_SA con1[10294] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> scheduling reauthentication in 2524s
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> maximum IKE_SA lifetime 3064s
Jul 23 10:24:08 fw1 charon[29650]: 16[CFG] <con1|10294> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> CHILD_SA con1{10350} established with SPIs c3ea32ff_i c4d27627_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <con1|10294> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 09[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 09[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 08[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 08[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 08[ENC] <con1|10294> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 05[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 05[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 05[ENC] <con1|10294> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 13[ENC] <con1|10294> received fragment #9 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> fragmented IKE message is too large
Jul 23 10:24:08 fw1 charon[29650]: 09[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 13[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 05[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 05[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 05[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> received fragment #9 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 16[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 16[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 16[ENC] <con1|10293> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 13[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> received duplicate fragment #8
Jul 23 10:24:11 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> fragmented IKE message is too large
Jul 23 10:24:11 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 08[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 08[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 08[ENC] <con1|10294> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 05[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 16[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 16[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 16[ENC] <con1|10294> received duplicate fragment #7
Jul 23 10:24:12 fw1 charon[29650]: 10[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 10[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 10[ENC] <con1|10294> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 05[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> fragmented IKE message is too large
Jul 23 10:24:12 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #8 of 11, waiting for complete IKE message
Jul 23 10:24:17 fw1 charon[29650]: 05[IKE] <con1|10292> deleting IKE_SA con1[10292] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:17 fw1 charon[29650]: 05[IKE] <con1|10292> sending DELETE for IKE_SA con1[10292]
Jul 23 10:24:17 fw1 charon[29650]: 05[ENC] <con1|10292> generating INFORMATIONAL request 1 [ D ]
Jul 23 10:24:17 fw1 charon[29650]: 05[NET] <con1|10292> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 05[NET] <con1|10292> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 05[ENC] <con1|10292> parsed INFORMATIONAL response 1 [ ]
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <10295> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 05[IKE] <con1|10292> IKE_SA deleted
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <10295> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <10295> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <10295> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <10295> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <10295> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <10295> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> received 1 cert requests for an unknown ca
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <10295> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <con1|10295> selected peer config 'con1'
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> peer supports MOBIKE
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10293> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10294> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> IKE_SA con1[10295] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> scheduling reauthentication in 2976s
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> maximum IKE_SA lifetime 3516s
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <con1|10295> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> CHILD_SA con1{10351} established with SPIs c30732fe_i c86a9fe5_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <con1|10295> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <con1|10295> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10293> deleting IKE_SA con1[10293] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10293> sending DELETE for IKE_SA con1[10293]
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <con1|10293> generating INFORMATIONAL request 0 [ D ]
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <con1|10293> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <con1|10293> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10293> IKE_SA deleted
Jul 23 10:24:18 fw1 charon[29650]: 13[NET] <10296> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 13[ENC] <10296> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:18 fw1 charon[29650]: 13[CFG] <10296> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:18 fw1 charon[29650]: 13[ENC] <10296> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:18 fw1 charon[29650]: 13[NET] <10296> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <10296> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <10296> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <10296> received 1 cert requests for an unknown ca
Jul 23 10:24:18 fw1 charon[29650]: 10[CFG] <10296> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:18 fw1 charon[29650]: 10[CFG] <con1|10296> selected peer config 'con1'
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> peer supports MOBIKE
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10294> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10295> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> IKE_SA con1[10296] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> scheduling reauthentication in 2708s
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> maximum IKE_SA lifetime 3248s
Jul 23 10:24:18 fw1 charon[29650]: 10[CFG] <con1|10296> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> CHILD_SA con1{10352} established with SPIs c93ef0ab_i c8195350_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <con1|10296> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <con1|10296> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 10[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 10[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 10[ENC] <con1|10296> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 07[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 07[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 07[ENC] <con1|10296> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 08[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 08[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 08[ENC] <con1|10296> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 09[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 09[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 09[ENC] <con1|10296> received fragment #9 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 15[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 15[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
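
As an added example (not from the original post), a small Python triage script for charon logs of the kind quoted above: it groups the `EF(i/n)` fragments per IKE message and reports which fragment numbers never arrived, and counts how often the peer opened a new IKE_SA and how many duplicates strongSwan scheduled for deletion. The sample lines are constructed in the format of the log above, and out-of-order arrival by itself is normal for IKEv2 fragmentation (RFC 7383); only a gap that never closes means the message was lost and has to be retransmitted.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the charon lines quoted above (not the poster's real log).
SAMPLE_LOG = """\
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10294> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10295> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:19 fw1 charon[29650]: 10[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 07[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 08[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 09[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 15[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
"""

# "parsed <EXCHANGE> request <msg-id> [ EF(i/n) ]" is one IKEv2 fragment (RFC 7383) of that message.
FRAG_RE = re.compile(
    r"<(?P<sa>[^>]+)> parsed (?P<exch>\w+) (?P<dir>request|response) (?P<mid>\d+) "
    r"\[ EF\((?P<n>\d+)/(?P<total>\d+)\) \]")
INIT_RE = re.compile(r"(?P<peer>[\d.]+) is initiating an IKE_SA")
DUP_RE = re.compile(r"schedule delete of duplicate IKE_SA for peer '(?P<peer>[^']+)'")

def analyze(log_text):
    """Return fragment gaps per (IKE_SA, exchange, direction, message id) and churn per peer."""
    frags = defaultdict(lambda: {"total": 0, "seen": set()})
    churn = defaultdict(lambda: {"initiated": 0, "duplicates_deleted": 0})
    for line in log_text.splitlines():
        if m := FRAG_RE.search(line):
            key = (m["sa"], m["exch"], m["dir"], int(m["mid"]))
            frags[key]["total"] = int(m["total"])
            frags[key]["seen"].add(int(m["n"]))
        elif m := INIT_RE.search(line):
            churn[m["peer"]]["initiated"] += 1
        elif m := DUP_RE.search(line):
            churn[m["peer"]]["duplicates_deleted"] += 1
    gaps = {}
    for key, f in frags.items():
        # Out-of-order arrival is normal; only numbers that never show up mean a lost message.
        missing = sorted(set(range(1, f["total"] + 1)) - f["seen"])
        gaps[key] = {"total": f["total"], "received": len(f["seen"]), "missing": missing}
    return {"fragments": gaps, "churn": {p: dict(c) for p, c in churn.items()}}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, g in result["fragments"].items():
        if g["missing"]:
            print(f"{key}: {g['received']}/{g['total']} fragments, missing {g['missing']}")
    for peer, c in result["churn"].items():
        print(f"{peer}: {c['initiated']} new IKE_SA, {c['duplicates_deleted']} duplicate IKE_SA deleted")
```

Feed it the full log from both tunnel ends (`grep charon /var/log/...` piped into `analyze`) to see whether the same fragment numbers are missing on every retry, which points at a path MTU or filtering problem rather than a strongSwan bug.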

125
German - Deutsch / Re: HA with different hardware
« on: July 17, 2021, 02:05:04 pm »
Yes, it also works with different hardware. You just have to make sure the interfaces are mapped identically.

Alternatively, you could consider putting a hypervisor such as ProxMox in front that manages the different interfaces.

Sent from my OnePlus 8t using Tapatalk


126
German - Deutsch / Re: Rules import from backup
« on: July 14, 2021, 10:46:36 pm »
Then I would first create the virtual adapters (VLANs or similar) and then create the rules one by one accordingly.

Sent from my OnePlus 8t using Tapatalk


127
German - Deutsch / Re: Rules import from backup
« on: July 14, 2021, 08:21:09 pm »
Sure.
When importing via the GUI, just restore only the rules.

Sent from my OnePlus 8t using Tapatalk


128
German - Deutsch / Re: Netflix Disney+ Amazon streaming rule
« on: June 17, 2021, 11:52:46 am »
I do it so that my TV, for example, is allowed full Internet access...
I don't start sorting, since much of it goes through (many) content servers anyway and not through any one specific server.

Another alternative might be a transparent proxy.

129
German - Deutsch / Re: HAProxy with OPNsense 21.1.6-amd64 FreeBSD 12.1-RELEASE-p16-HBSD OpenSSL 1.1.1k 2
« on: June 16, 2021, 10:46:29 pm »
Very basically... what is your goal?
Just one real server, and from outside only OWA, for example, should be reachable when the URL is "OWA.domain.com" AND the path contains "2fowa"?
For OWA I have always used the condition "path starts with /owa" and selected no default backend pool in the frontend. That way something like ECP already gets a "404 Not Found" on its own. To be safe, you can add another rule that says something like "if path starts with /ecp then http forbidden"; I don't remember off the top of my head what it is called exactly... If you can't find it, let me know again.

Does that sound like the solution you are looking for?

If not... why are you getting hung up on the "2fowa"?

Sent from my OnePlus 8t using Tapatalk


130
German - Deutsch / Re: does OPNsense actually (also) work on the whitelist principle
« on: June 15, 2021, 05:16:22 pm »
By default OPNsense blocks everything...
So everything you set up is the whitelist.

Sent from my OnePlus 8t using Tapatalk


131
German - Deutsch / Re: Mail server communicates externally with the wrong IP address (multiple public IPs)
« on: June 11, 2021, 01:08:04 pm »
Just create a standard firewall rule and, at the very bottom under "Gateway", specify the corresponding gateway.
If you changed the direction in the rule from In to Out, that is wrong :)

Sent from my OnePlus 8t using Tapatalk


132
German - Deutsch / Re: Mail server communicates externally with the wrong IP address (multiple public IPs)
« on: June 10, 2021, 04:14:41 pm »
Quote from: Adolar on June 10, 2021, 03:49:38 pm
What does the browser cache have to do with it?

This is about the firewall - I have 2 public IP ranges that are run in a cluster on OPNsense, and the mail server goes out with the wrong IP.

What the browser cache has to do with it? Depending on how exactly you check your configuration, it may well be that your browser is showing you outdated information.

If that is not it, then, as lfirewall1243 wrote, assign the gateway fixed in the rule and create a matching outbound NAT.

133
German - Deutsch / Re: Mail server communicates externally with the wrong IP address (multiple public IPs)
« on: June 10, 2021, 02:33:08 pm »
Outbound NAT should actually be the right thing.

What often drives me up the wall: browser cache

134
German - Deutsch / Re: Hardware advice (Thomas-Krenn)
« on: June 09, 2021, 01:14:22 pm »
Well, at home I have a 400/12 line, and there the main FW has "only" 1 GB RAM and the backup even only 512 MB. That is easily enough; the only bandwidth problems I have are thanks to the "slow" Internet line.
I can't tell you the current usage right now. But the RAM is just sitting idle there too :)

In my company environment with dual WAN (250/250 & 100/40), HAProxy, BIND, IPSec, OpenVPN, DHCP server and traffic shaper, the FW has 8 GB, of which 528 MB are currently in use.

PS: depending on the network structure, you can buy a 2nd firewall in the absolute low-budget range so that you at least have "a few drops" of the Internet line.
I have done that too: simply configured an old PC with many network cards so that it can take over in an emergency. Back then it cost me ~100€ for the network cards, and the "server" was just an old clunker from the cupboard with 2 cores, so that we are not cut off. Better slow than nothing.

135
German - Deutsch / Re: Hardware advice (Thomas-Krenn)
« on: June 09, 2021, 12:54:46 pm »
I would go for something like this:
https://www.thomas-krenn.com/loadproduct?id=yeb221e07868428eb&lang=de

A high clock rate would matter more to me than many cores.
What you should also consider is the topic of hardware support and/or redundancy (which of course doubles the cost).

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved