OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • International Forums »
  • German - Deutsch »
  • IPSec / Fragmentierte IKE Nachrichten?
« previous next »
  • Print
Pages: [1]

Author Topic: IPSec / Fragmentierte IKE Nachrichten?  (Read 1641 times)

superwinni2

  • Hero Member
  • *****
  • Posts: 546
  • Karma: 24
  • Netzwerk der Kindheit? - Draussen
    • View Profile
IPSec / Fragmentierte IKE Nachrichten?
« on: July 23, 2021, 10:36:35 am »
Hallo zusammen


ich hoffe mir kann jemand mit meinem Problem helfen...
Ich (198.51.100.194) versuche einen IPSec Tunnel zu 203.0.113.154 aufzubauen.
Die Verbindung an sich funktioniert. Daten gehen durch jedoch kann es auch mal sein, dass die Verbindung abbricht und ich auf meiner Seite den kompletten VPN Dienst neustarten muss damit Pakete wieder ausgetauscht werden können.
Da ich bereits mehrere IPSec VPNs habe, bricht dann natürlich immer alles für einen kurzen Augenblick ein was nicht ganz so toll ist.


Kann mir jemand sagen, warum ich fragmentierte IKE Pakete erhalte? Kann ich etwas umstellen, damit dies besser funktioniert? Liegt das Problem gar nicht an mir?

Danke und Gruß


In der Log erhalte ich folgende Nachrichten:
Code: [Select]

Jul 23 10:24:01 fw1 charon[29650]: 16[ENC] <con1|10291> fragmented IKE message is too large
Jul 23 10:24:01 fw1 charon[29650]: 15[NET] <con1|10291> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:01 fw1 charon[29650]: 07[NET] <con1|10291> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:01 fw1 charon[29650]: 07[ENC] <con1|10291> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:01 fw1 charon[29650]: 07[ENC] <con1|10291> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:06 fw1 charon[29650]: 16[IKE] <con1|10290> deleting IKE_SA con1[10290] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:06 fw1 charon[29650]: 16[IKE] <con1|10290> sending DELETE for IKE_SA con1[10290]
Jul 23 10:24:06 fw1 charon[29650]: 16[ENC] <con1|10290> generating INFORMATIONAL request 0 [ D ]
Jul 23 10:24:06 fw1 charon[29650]: 16[NET] <con1|10290> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10293> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10293> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <10293> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10290> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10290> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 15[IKE] <con1|10290> IKE_SA deleted
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10293> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10293> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10293> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10293> received 1 cert requests for an unknown ca
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <10293> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <con1|10293> selected peer config 'con1'
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> peer supports MOBIKE
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10291> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10292> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> IKE_SA con1[10293] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> scheduling reauthentication in 2578s
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> maximum IKE_SA lifetime 3118s
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <con1|10293> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10293> CHILD_SA con1{10349} established with SPIs c4087868_i ccceaada_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10293> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 09[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 06[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 06[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 06[ENC] <con1|10293> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10293> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10293> fragmented IKE message is too large
Jul 23 10:24:07 fw1 charon[29650]: 09[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:07 fw1 charon[29650]: 09[ENC] <con1|10293> received fragment #8 of 11, waiting for complete IKE message
Jul 23 10:24:07 fw1 charon[29650]: 15[IKE] <con1|10292> sending DPD request
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10291> deleting IKE_SA con1[10291] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <con1|10291> sending DELETE for IKE_SA con1[10291]
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10292> generating INFORMATIONAL request 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10291> generating INFORMATIONAL request 0 [ D ]
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10292> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10291> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <con1|10292> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <con1|10292> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10294> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10294> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:07 fw1 charon[29650]: 16[CFG] <10294> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:07 fw1 charon[29650]: 15[NET] <con1|10291> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:07 fw1 charon[29650]: 15[ENC] <con1|10291> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:07 fw1 charon[29650]: 15[IKE] <con1|10291> IKE_SA deleted
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:07 fw1 charon[29650]: 16[IKE] <10294> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:07 fw1 charon[29650]: 16[ENC] <10294> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:07 fw1 charon[29650]: 16[NET] <10294> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <10294> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <10294> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <10294> received 1 cert requests for an unknown ca
Jul 23 10:24:08 fw1 charon[29650]: 16[CFG] <10294> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:08 fw1 charon[29650]: 16[CFG] <con1|10294> selected peer config 'con1'
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> peer supports MOBIKE
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10292> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10293> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> IKE_SA con1[10294] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> scheduling reauthentication in 2524s
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> maximum IKE_SA lifetime 3064s
Jul 23 10:24:08 fw1 charon[29650]: 16[CFG] <con1|10294> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:08 fw1 charon[29650]: 16[IKE] <con1|10294> CHILD_SA con1{10350} established with SPIs c3ea32ff_i c4d27627_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <con1|10294> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 09[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 09[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 16[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 16[ENC] <con1|10294> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 08[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 08[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 08[ENC] <con1|10294> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 05[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 05[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 05[ENC] <con1|10294> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 13[ENC] <con1|10294> received fragment #9 of 11, waiting for complete IKE message
Jul 23 10:24:08 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 14[ENC] <con1|10294> fragmented IKE message is too large
Jul 23 10:24:08 fw1 charon[29650]: 09[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:08 fw1 charon[29650]: 09[ENC] <con1|10294> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 13[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 05[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 05[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 05[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 05[ENC] <con1|10293> received fragment #9 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 16[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 16[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 16[ENC] <con1|10293> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:11 fw1 charon[29650]: 13[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 13[ENC] <con1|10293> received duplicate fragment #8
Jul 23 10:24:11 fw1 charon[29650]: 14[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 14[ENC] <con1|10293> fragmented IKE message is too large
Jul 23 10:24:11 fw1 charon[29650]: 08[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:11 fw1 charon[29650]: 08[ENC] <con1|10293> received fragment #7 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 08[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 08[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(3/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 08[ENC] <con1|10294> received fragment #3 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(2/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> received fragment #2 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(4/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #4 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 05[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(5/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> received fragment #5 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 16[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 16[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(7/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 16[ENC] <con1|10294> received duplicate fragment #7
Jul 23 10:24:12 fw1 charon[29650]: 10[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (180 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 10[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(11/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 10[ENC] <con1|10294> received fragment #11 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 05[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 05[ENC] <con1|10294> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:12 fw1 charon[29650]: 13[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 13[ENC] <con1|10294> fragmented IKE message is too large
Jul 23 10:24:12 fw1 charon[29650]: 14[NET] <con1|10294> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Jul 23 10:24:12 fw1 charon[29650]: 14[ENC] <con1|10294> received fragment #8 of 11, waiting for complete IKE message
Jul 23 10:24:17 fw1 charon[29650]: 05[IKE] <con1|10292> deleting IKE_SA con1[10292] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:17 fw1 charon[29650]: 05[IKE] <con1|10292> sending DELETE for IKE_SA con1[10292]
Jul 23 10:24:17 fw1 charon[29650]: 05[ENC] <con1|10292> generating INFORMATIONAL request 1 [ D ]
Jul 23 10:24:17 fw1 charon[29650]: 05[NET] <con1|10292> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 05[NET] <con1|10292> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 05[ENC] <con1|10292> parsed INFORMATIONAL response 1 [ ]
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <10295> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 05[IKE] <con1|10292> IKE_SA deleted
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <10295> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <10295> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <10295> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <10295> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <10295> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <10295> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <10295> received 1 cert requests for an unknown ca
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <10295> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <con1|10295> selected peer config 'con1'
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> peer supports MOBIKE
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10293> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10294> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> IKE_SA con1[10295] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> scheduling reauthentication in 2976s
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> maximum IKE_SA lifetime 3516s
Jul 23 10:24:17 fw1 charon[29650]: 13[CFG] <con1|10295> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:17 fw1 charon[29650]: 13[IKE] <con1|10295> CHILD_SA con1{10351} established with SPIs c30732fe_i c86a9fe5_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:17 fw1 charon[29650]: 13[ENC] <con1|10295> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:17 fw1 charon[29650]: 13[NET] <con1|10295> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10293> deleting IKE_SA con1[10293] between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10293> sending DELETE for IKE_SA con1[10293]
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <con1|10293> generating INFORMATIONAL request 0 [ D ]
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <con1|10293> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (80 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <con1|10293> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (80 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <con1|10293> parsed INFORMATIONAL response 0 [ ]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10293> IKE_SA deleted
Jul 23 10:24:18 fw1 charon[29650]: 13[NET] <10296> received packet: from 203.0.113.154[500] to 198.51.100.194[500] (1076 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 13[ENC] <10296> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> 203.0.113.154 is initiating an IKE_SA
Jul 23 10:24:18 fw1 charon[29650]: 13[CFG] <10296> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "DC=int, DC=unternehmen, DC=emea, CN=unternehmenEMEA-CA"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenMobile"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=DE, ST=B-W, L=Ortschaft, O= Unternehmen, E=edv@unternehmen.de, CN=unternehmenFW-Squid"
Jul 23 10:24:18 fw1 charon[29650]: 13[IKE] <10296> sending cert request for "C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3"
Jul 23 10:24:18 fw1 charon[29650]: 13[ENC] <10296> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 23 10:24:18 fw1 charon[29650]: 13[NET] <10296> sending packet: from 198.51.100.194[500] to 203.0.113.154[500] (617 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1200 bytes)
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <10296> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <10296> received cert request for "C=DE, ST=Baden-Wuerttemberg, L=Ortschaft, O=unternehmen, E=edv@unternehmen.de, CN=unternehmenFirewall-CA"
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <10296> received 1 cert requests for an unknown ca
Jul 23 10:24:18 fw1 charon[29650]: 10[CFG] <10296> looking for peer configs matching 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:18 fw1 charon[29650]: 10[CFG] <con1|10296> selected peer config 'con1'
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> authentication of '203.0.113.154' with pre-shared key successful
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> peer supports MOBIKE
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> authentication of '198.51.100.194' (myself) with pre-shared key
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10294> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10295> schedule delete of duplicate IKE_SA for peer '203.0.113.154' due to uniqueness policy and suspected reauthentication
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> IKE_SA con1[10296] established between 198.51.100.194[198.51.100.194]...203.0.113.154[203.0.113.154]
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> scheduling reauthentication in 2708s
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> maximum IKE_SA lifetime 3248s
Jul 23 10:24:18 fw1 charon[29650]: 10[CFG] <con1|10296> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 23 10:24:18 fw1 charon[29650]: 10[IKE] <con1|10296> CHILD_SA con1{10352} established with SPIs c93ef0ab_i c8195350_o and TS 192.168.20.232/29 === 192.168.190.0/24
Jul 23 10:24:18 fw1 charon[29650]: 10[ENC] <con1|10296> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 23 10:24:18 fw1 charon[29650]: 10[NET] <con1|10296> sending packet: from 198.51.100.194[4500] to 203.0.113.154[4500] (336 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 10[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 10[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(1/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 10[ENC] <con1|10296> received fragment #1 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 07[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 07[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(6/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 07[ENC] <con1|10296> received fragment #6 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 08[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 08[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(10/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 08[ENC] <con1|10296> received fragment #10 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 09[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 09[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(9/11) ]
Jul 23 10:24:19 fw1 charon[29650]: 09[ENC] <con1|10296> received fragment #9 of 11, waiting for complete IKE message
Jul 23 10:24:19 fw1 charon[29650]: 15[NET] <con1|10296> received packet: from 203.0.113.154[4500] to 198.51.100.194[4500] (1236 bytes)
Jul 23 10:24:19 fw1 charon[29650]: 15[ENC] <con1|10296> parsed CREATE_CHILD_SA request 2 [ EF(8/11) ]
Logged
Proxmox VE
i3-4030U | 16 GB RAM | 512 GB SSD | 500 GB HDD
i3-2350M | 16 GB RAM | 120 GB SSD | 500 GB HDD

FW VMs:
2 Cores | 1 GB RAM | 20 GB SSD

vpnuser

  • Jr. Member
  • **
  • Posts: 64
  • Karma: 5
    • View Profile
Re: IPSec / Fragmentierte IKE Nachrichten?
« Reply #1 on: July 23, 2021, 01:15:30 pm »
Wir haben ebenfalls IPSec (IKEv2) im Einsatz und am Anfang Probleme mit Verbindungsabbrüchen. Meine Lösung: den Parameter MSS der LAN-Schnittstelle (NICHT WAN) auf 1300 eingestellt. Evtl. auch mal auf beiden Seiten die MTU des WAN / LAN Interface prüfen.
« Last Edit: July 23, 2021, 01:51:15 pm by vpnuser »
Logged

superwinni2

  • Hero Member
  • *****
  • Posts: 546
  • Karma: 24
  • Netzwerk der Kindheit? - Draussen
    • View Profile
Re: IPSec / Fragmentierte IKE Nachrichten?
« Reply #2 on: July 23, 2021, 03:28:26 pm »
Danke für deine Antwort.
Da ich habe nebenbei noch weitere IPSec Verbidnungen habe bei denen das Problem nicht besteht, denke ich nicht das dies die Lösung zum Problem ist.
Logged
Proxmox VE
i3-4030U | 16 GB RAM | 512 GB SSD | 500 GB HDD
i3-2350M | 16 GB RAM | 120 GB SSD | 500 GB HDD

FW VMs:
2 Cores | 1 GB RAM | 20 GB SSD

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6841
  • Karma: 574
    • View Profile
Re: IPSec / Fragmentierte IKE Nachrichten?
« Reply #3 on: July 23, 2021, 03:42:05 pm »
Die Einstellung der MSS hilft gegen Probleme im Tunnel, da durch den AH und ESP overhead die maximale Payload kleiner wird. Die fragmentierten IKE Pakete sind ja die, die Du empfängst. Da würde ich auf eine vergurkte MTU bri der Gegenstelle oder auf dem Pfad bis zu Dir tippen.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • International Forums »
  • German - Deutsch »
  • IPSec / Fragmentierte IKE Nachrichten?
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2