OPNsense Forum
Messages - atom

136
Virtual private networks / Re: IPSec S2S Tunnel problem
« on: June 19, 2021, 05:54:01 pm »
Your default router is 192.168.10.2 and not WAN (192.168.10.198), correct?
Do you have a network plan?

137
Virtual private networks / Re: IPSec S2S Tunnel problem
« on: June 19, 2021, 02:45:25 pm »
Have you marked "install policy" in phase 1 "advanced options"?

138
Virtual private networks / Re: IPSec S2S Tunnel problem
« on: June 18, 2021, 05:43:43 pm »
Phase 1 entries are correct.
Phase 2 doesn't match the other side.

139
Virtual private networks / Re: Need help with IKEv2 IPsec to Cisco ASA
« on: June 17, 2021, 05:32:45 pm »
I had the same problem with IKEv2 and Cisco.
The SAs were automatically closed after ~30 minutes.
So I set the lifetime for each SA to 1800.

140
Virtual private networks / Re: IPSec Tunnel to Cisco is unstable
« on: April 27, 2021, 10:13:22 am »
You should use a timeserver. The IPSec log shows time jumps.
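An added example, not from the post and not OPNsense code, of how to check an IPsec log for the time jumps mentioned above: it parses syslog-style timestamps and flags every step backwards and every forward gap larger than a threshold, which is what a clock correction without NTP looks like in a charon log. The log lines are constructed (the hostname "fw" and the peer 198.51.100.20 are hypothetical), and the year is an assumption because syslog timestamps omit it.

```python
import re
import datetime as dt

# Constructed sample log (syslog format, no year). Hostname "fw" and the peer
# address are hypothetical. Lines 2->3 jump forward about 43 minutes and
# lines 4->5 step backwards: both are clock corrections, not elapsed time,
# and both throw off SA lifetime and DPD accounting.
SAMPLE_LOG = """\
Apr 27 09:58:01 fw charon: 05[IKE] sending keep alive to 198.51.100.20[4500]
Apr 27 09:58:21 fw charon: 07[IKE] sending keep alive to 198.51.100.20[4500]
Apr 27 10:41:03 fw charon: 09[IKE] sending keep alive to 198.51.100.20[4500]
Apr 27 10:41:23 fw charon: 11[IKE] sending keep alive to 198.51.100.20[4500]
Apr 27 10:39:50 fw charon: 12[IKE] sending keep alive to 198.51.100.20[4500]
"""

# "Mon DD HH:MM:SS " at the start of each line; the day may be space-padded.
TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


def parse_timestamps(text, year=2021):
    """Return one datetime per log line, in file order. The year is assumed
    because syslog timestamps do not carry it."""
    stamps = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = dt.datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            stamps.append(ts.replace(year=year))
    return stamps


def find_time_jumps(text, max_forward_seconds=300, year=2021):
    """Return (line_index, delta_seconds) for every consecutive pair of lines
    whose timestamps go backwards or forwards by more than max_forward_seconds.
    line_index is the 0-based index of the later line."""
    stamps = parse_timestamps(text, year)
    jumps = []
    for i in range(1, len(stamps)):
        delta = int((stamps[i] - stamps[i - 1]).total_seconds())
        if delta < 0 or delta > max_forward_seconds:
            jumps.append((i, delta))
    return jumps


if __name__ == "__main__":
    for idx, delta in find_time_jumps(SAMPLE_LOG):
        print(f"time jump before line {idx + 1}: {delta:+d} s")
```

A forward gap is only suspicious when the log is otherwise busy; a quiet tunnel legitimately produces gaps, so on a real log raise max_forward_seconds to match the expected keep-alive or DPD interval, whereas a negative delta is always a clock correction.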

141
Virtual private networks / Re: ipsec multiple networks in phase 2
« on: April 21, 2021, 03:32:05 pm »
The SAs are correct (on both sides of the tunnel):
Source         Destination    Protocol  SPI       Enc. alg.     Auth. alg.  Data
xx.xx.xx.xx    yy.yy.yy.yy    ESP       c9fd5d36  rijndael-cbc  hmac-sha1   0 B
yy.yy.yy.yy    xx.xx.xx.xx    ESP       c47ae68a  rijndael-cbc  hmac-sha1   0 B
xx.xx.xx.xx    yy.yy.yy.yy    ESP       161bc2a1  rijndael-cbc  hmac-sha1   18176 B
yy.yy.yy.yy    xx.xx.xx.xx    ESP       c9458776  rijndael-cbc  hmac-sha1   6695 B

The packets for the first network are sent with the correct SPI:
14:14:19.072273 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.x.x.53355 > 10.0.x.x.3210: Flags [S], seq 421378147, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
14:14:19.073146 (authentic,confidential): SPI 0xc9458776: IP 10.0.x.x.3210 > 192.168.x.x.54727: Flags [S.], seq 1604342582, ack 421378148, win 8192, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0

But the packets for the second network are sent with the same SPI and not the other one:
14:14:40.298621 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.x.x.53356 > 172.16.x.x.53200: Flags [S], seq 2338379155, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
14:14:40.537097 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.x.x.53357 > 172.16.x.x.53200: Flags [S], seq 3742114150, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
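An added diagnostic for the symptom shown in the post above (not code from the post or from OPNsense): it parses the SA listing and the enc0 tcpdump lines and reports packets whose inner addresses fall outside the traffic selectors of the SPI that carried them, plus outbound SAs that exist but have carried nothing. The gateway and inner addresses and the selector-to-SPI mapping in EXPECTED_SELECTORS are constructed assumptions, because the post masks the real addresses and does not show the selectors; on a live box the selectors come from `swanctl --list-sas` (or `ipsec statusall` on the legacy stroke interface) and the packet lines from `tcpdump -ni enc0`.

```python
import re
import ipaddress

# Constructed SA listing in the shape of the OPNsense IPsec status page. The
# tunnel endpoints 203.0.113.10 / 198.51.100.20 are hypothetical stand-ins for
# the xx.xx.xx.xx / yy.yy.yy.yy in the post.
SA_LISTING = """\
203.0.113.10    198.51.100.20    ESP    c9fd5d36    rijndael-cbc    hmac-sha1    0 B
198.51.100.20    203.0.113.10    ESP    c47ae68a    rijndael-cbc    hmac-sha1    0 B
203.0.113.10    198.51.100.20    ESP    161bc2a1    rijndael-cbc    hmac-sha1    18176 B
198.51.100.20    203.0.113.10    ESP    c9458776    rijndael-cbc    hmac-sha1    6695 B
"""

# Constructed `tcpdump -ni enc0` output in the shape of the post, with the
# masked inner addresses replaced by hypothetical private addresses.
ENC0_DUMP = """\
14:14:19.072273 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.100.5.53355 > 10.0.0.7.3210: Flags [S], seq 421378147, win 64860, length 0
14:14:19.073146 (authentic,confidential): SPI 0xc9458776: IP 10.0.0.7.3210 > 192.168.100.5.54727: Flags [S.], seq 1604342582, ack 421378148, win 8192, length 0
14:14:40.298621 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.100.5.53356 > 172.16.0.9.53200: Flags [S], seq 2338379155, win 64860, length 0
14:14:40.537097 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.100.5.53357 > 172.16.0.9.53200: Flags [S], seq 3742114150, win 64860, length 0
"""

# Assumed (hypothetical) child-SA selectors for the outbound SPIs: which SPI
# should carry traffic to which remote subnet. The post does not show these;
# on a real system take them from `swanctl --list-sas`.
EXPECTED_SELECTORS = {
    "161bc2a1": ("192.168.100.0/24", "10.0.0.0/24"),
    "c9fd5d36": ("192.168.100.0/24", "172.16.0.0/24"),
}

SA_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(ESP|AH)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(\S+)$"
)
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI 0x(?P<spi>[0-9a-f]+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_sas(text):
    """Return {spi: (src_gateway, dst_gateway, bytes_carried)} from the SA listing."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            src, dst, _proto, spi, _enc, _auth, nbytes, _unit = m.groups()
            sas[spi] = (src, dst, int(nbytes))
    return sas


def parse_enc0(text):
    """Return [(spi, inner_src, inner_dst)] for every packet line on enc0."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append((m["spi"], m["src"], m["dst"]))
    return pkts


def find_mismatches(pkts, selectors):
    """Packets whose inner src/dst are not covered by the selectors of the SPI
    that carried them. SPIs without selector data (e.g. inbound) are skipped."""
    bad = []
    for spi, src, dst in pkts:
        if spi not in selectors:
            continue
        local, remote = (ipaddress.ip_network(n) for n in selectors[spi])
        if ipaddress.ip_address(src) not in local or ipaddress.ip_address(dst) not in remote:
            bad.append((spi, src, dst))
    return bad


def idle_outbound_sas(sas, selectors):
    """Outbound SPIs that have a selector configured but carried zero bytes."""
    return sorted(spi for spi in selectors if spi in sas and sas[spi][2] == 0)


if __name__ == "__main__":
    sas = parse_sas(SA_LISTING)
    for spi, src, dst in find_mismatches(parse_enc0(ENC0_DUMP), EXPECTED_SELECTORS):
        print(f"SPI {spi} carried {src} -> {dst}, outside its selectors")
    for spi in idle_outbound_sas(sas, EXPECTED_SELECTORS):
        print(f"SPI {spi} is installed but has carried 0 bytes")
```

Both signals together are the fingerprint of the problem in the post: the 172.16 flows ride the 10.0 child SA while the child SA meant for 172.16 stays at 0 B, which is a policy (SPD) problem on the sending side rather than a crypto or phase 1 problem.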

142
German - Deutsch / Re: IPSec VPN to Fritzbox
« on: April 10, 2021, 07:57:15 pm »
With 7.20 the FRITZ!Box can already do considerably more.

https://avm.de/service/vpn/tipps-tricks/fritzbox-mit-einem-firmen-vpn-verbinden/

143
German - Deutsch / Re: Opnsense 21.1 ipsec config
« on: April 10, 2021, 03:51:01 pm »
On my system both ipsec.conf and ipsec.secrets are filled with values.

And "Enable IPsec" is set?

144
German - Deutsch / Re: Opnsense 21.1 ipsec config
« on: April 10, 2021, 03:20:09 pm »
Hi,

yes, it is located under /usr/local/etc .

Best regards,
atom

145
Virtual private networks / Re: ipsec multiple networks in phase 2
« on: March 31, 2021, 07:15:13 pm »
We first tried it with IKEv2. Then I could reach one of the other two networks, depending on whether "Tunnel isolation" was enabled or not.
Then we fell back to IKEv1. Then it was not possible to get the tunnel running with two networks enabled.

146
Virtual private networks / Re: ipsec multiple networks in phase 2
« on: March 31, 2021, 03:13:24 pm »
The remote side is running a Cisco ASA. I've also tried to set "Tunnel isolation".

The tunnel worked before without any issue between a Lancom and the Cisco. Now I am only trying to switch one end of the tunnel from Lancom to OPNsense.

147
Virtual private networks / ipsec multiple networks in phase 2
« on: March 31, 2021, 02:53:35 pm »
Hello,

I have a problem with IPsec connections when I want to use more than one remote network with the same local network in phase 2.

1. network
local               remote
192.168.100.0/24    10.0.0.0/24

works until I add a second network

2. network
local               remote
192.168.100.0/24    10.10.0.0/24

I got a 'received DELETE for ESP CHILD_SA' and then a 'closing CHILD_SA con' .

Regards,
atom

148
German - Deutsch / Re: Upgrade HA Nodes - short downtime & low risk?
« on: March 25, 2021, 04:31:36 pm »
Under "Gateway" you do not enter one of your CARP IPs, but the next-hop gateway.

Example:

WAN-FW1: 10.10.10.1
WAN-FW2: 10.10.10.2
WAN-CARP: 10.10.10.3
WAN-GW: 10.10.10.254

149
German - Deutsch / Re: Upgrade HA Nodes - short downtime & low risk?
« on: March 25, 2021, 01:45:36 pm »
If, for security reasons, you do not want to open the backup node's WAN access for logins, you have to create a way to reach the backup server remotely via IPsec, WireGuard or similar.

150
German - Deutsch / Re: Upgrade HA Nodes - short downtime & low risk?
« on: March 25, 2021, 12:15:03 pm »
I can log in directly on the backup node. For that I configured WireGuard on the backup node.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved