OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • IPSec VPN OPnsense --> Fritzbox (Site2Site)
« previous next »
  • Print
Pages: [1]

Author Topic: IPSec VPN OPnsense --> Fritzbox (Site2Site)  (Read 3799 times)

schnipp

  • Sr. Member
  • ****
  • Posts: 370
  • Karma: 19
    • View Profile
IPSec VPN OPnsense --> Fritzbox (Site2Site)
« on: December 20, 2018, 03:18:53 pm »
I am trying to establish a new IPsec VPN connection (site-to-site) between Opnsense and AVM Fritzbox. I previously tested it with Opnsense 18.7.x and a Fritzbox 7412 (v.6.83) in a lab environment. It worked fine.

But now, for production usage I tried to configure the VPN connection between Opnsense 18.7.9 and Fritzbox 7490 (7560CA also tested; both with fiormware v.7.01) again. The VPN connection does not come up. Opnsense sends an IKE packet to the Fritzbox, which is not responding.

Instead the support logfile of Fritzbox shows the following error:

Code: [Select]
1970-01-01 01:11:23 avmike:<<<  identity protection mode[10.2.0.1] ???: V1.0 196 IC 571384ec2fd93cb2 RC 00000000 0000 SA flags=
1970-01-01 01:11:23 avmike:no phase1ss for cert users configured
1970-01-01 01:11:23 avmike:10.2.0.1:500: new_neighbour_template failed
If I unstand correctly, the box assumes that the opnsense requests certificate based authentication. Is that right? But, Opnsense uses PSK.

The configuration in the Fritzbox looks like:

Code: [Select]
vpncfg {
        vpncfg_version = 1;
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "C-Test_neu12";
                boxuser_id = 0;
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "SECRET";
                }
                remoteid {
                        fqdn = "SECRET";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "SECRET";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.100.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes-sha/ah-all/comp-lzjh-no/pfs";
                accesslist =
                             "permit ip 192.168.10.0 255.255.255.0 10.100.0.0 255.255.255.0";
                app_id = 0;
        }
}
The IKE packet sent by the Opnsense looks like:

Code: [Select]
Internet Security Association and Key Management Protocol
    Initiator SPI: b7ddbf282036d4cc
    Responder SPI: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
        0001 .... = MjVer: 0x1
        .... 0000 = MnVer: 0x0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
        .... ...0 = Encryption: Not encrypted
        .... ..0. = Commit: No commit
        .... .0.. = Authentication: No authentication
    Message ID: 0x00000000
    Length: 196
    Payload: Security Association (1)
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 52
        Domain of interpretation: IPSEC (1)
        Situation: 00000001
            .... .... .... .... .... .... .... ...1 = Identity Only: True
            .... .... .... .... .... .... .... ..0. = Secrecy: False
            .... .... .... .... .... .... .... .0.. = Integrity: False
        Payload: Proposal (2) # 0
            Next payload: NONE / No Next Payload  (0)
            Reserved: 00
            Payload length: 40
            Proposal number: 0
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 1
            Payload: Transform (3) # 1
                Next payload: NONE / No Next Payload  (0)
                Reserved: 00
                Payload length: 32
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Reserved: 0000
                IKE Attribute (t=1,l=2): Encryption-Algorithm: 3DES-CBC
                IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
                IKE Attribute (t=4,l=2): Group-Description: 2048 bit MODP group
                IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
                IKE Attribute (t=11,l=2): Life-Type: Seconds
                IKE Attribute (t=12,l=2): Life-Duration: 3600
    Payload: Vendor ID (13) : XAUTH
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 12
        Vendor ID: 09002689dfd6b712
        Vendor ID: XAUTH
    Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 20
        Vendor ID: afcad71368a1f1c96b8696fc77570100
        Vendor ID: RFC 3706 DPD (Dead Peer Detection)
    Payload: Vendor ID (13) : CISCO-UNITY 1.0
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 20
        Vendor ID: 12f5f28c457168a9702d9fe274cc0100
        Vendor ID: CISCO-UNITY
        CISCO-UNITY Major version: 1
        CISCO-UNITY Minor version: 0
    Payload: Vendor ID (13) : Cisco Fragmentation
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 24
        Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
        Vendor ID: Cisco Fragmentation
    Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 20
        Vendor ID: 4a131c81070358455c5728f20e95452f
        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
        Next payload: NONE / No Next Payload  (0)
        Reserved: 00
        Payload length: 20
        Vendor ID: 90cb80913ebb696e086381b5ec427b1f
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n

Does anybody have a working site-2-site configuration?
« Last Edit: December 20, 2018, 03:21:05 pm by schnipp »
Logged
OPNsense 24.7.1-amd64

schnipp

  • Sr. Member
  • ****
  • Posts: 370
  • Karma: 19
    • View Profile
Re: IPSec VPN OPnsense --> Fritzbox (Site2Site)
« Reply #1 on: December 29, 2018, 02:43:52 pm »
Is nobody of the opnsense users connecting to a fritzbox via IPSec VPN?

I thought the fritzbox is a wide-spread CPE for many DSL interfaces and some users have a site2site VPN between opnsense and this box. Maybe, I am wrong?
 
Logged
OPNsense 24.7.1-amd64

mpanknin

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: IPSec VPN OPnsense --> Fritzbox (Site2Site)
« Reply #2 on: February 06, 2023, 06:10:51 pm »
Hi, do you got the ipsec running?

Reguards Michael
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • IPSec VPN OPnsense --> Fritzbox (Site2Site)
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2