Setting up a new IPsec VPN for remote workers

Started by Body, July 20, 2025, 02:14:24 PM

Hi everyone,

Unfortunately I can't get an IKEv2 VPN from my iPhone 12 Pro to my OPNsense (latest version) to work.
I followed this guide:

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

My OPNsense sits behind a FritzBox!, and all the relevant ports are forwarded on the FritzBox!.

My firewall logs say the following:

2025-07-20T14:07:16   Informational   charon    16[IKE] <2ae66195-b865-4427-bb71-6463efb28cd5|72> sending keep alive to 212.117.xx.xx[4500]
2025-07-20T14:07:14   Informational   charon    16[JOB] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> deleting half open IKE_SA with 80.187.xx.xx after timeout
2025-07-20T14:07:14   Informational   charon    16[JOB] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> deleting half open IKE_SA with 80.187.xx.xx after timeout
2025-07-20T14:07:04   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> sending keep alive to 80.187.xx.xx[10041]
2025-07-20T14:07:04   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> sending keep alive to 80.187.xx.xx[10041]
2025-07-20T14:06:56   Informational   charon    11[ENC] <2ae66195-b865-4427-bb71-6463efb28cd5|72> parsed INFORMATIONAL response 135 [ N(NATD_S_IP) N(NATD_D_IP) ]
2025-07-20T14:06:56   Informational   charon    11[NET] <2ae66195-b865-4427-bb71-6463efb28cd5|72> received packet: from 212.117.xxx.xxx[4500] to 192.168.178.2[4500] (128 bytes)
2025-07-20T14:06:56   Informational   charon    11[NET] <2ae66195-b865-4427-bb71-6463efb28cd5|72> sending packet: from 192.168.178.2[4500] to 212.117.xxx.xxx[4500] (128 bytes)
2025-07-20T14:06:56   Informational   charon    11[ENC] <2ae66195-b865-4427-bb71-6463efb28cd5|72> generating INFORMATIONAL request 135 [ N(NATD_S_IP) N(NATD_D_IP) ]
2025-07-20T14:06:56   Informational   charon    11[IKE] <2ae66195-b865-4427-bb71-6463efb28cd5|72> sending DPD request
2025-07-20T14:06:46   Informational   charon    11[IKE] <2ae66195-b865-4427-bb71-6463efb28cd5|72> sending keep alive to 212.117.93.203[4500]
2025-07-20T14:06:44   Informational   charon    11[NET] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> sending packet: from 192.168.178.2[4500] to 80.187.xxx.xxx[10041] (452 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> sending packet: from 192.168.178.2[4500] to 80.187.xxx.xxx[10041] (1236 bytes)
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> generating IKE_AUTH response 1 [ EF(2/2) ]
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> generating IKE_AUTH response 1 [ EF(1/2) ]
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> splitting IKE message (1616 bytes) into 2 fragments
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> sending end entity cert "C=DE, xxxx
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> authentication of 'MEIN FQDN' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> peer supports MOBIKE
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> initiating EAP_IDENTITY method (id 0x00)
2025-07-20T14:06:44   Informational   charon    11[CFG] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> selected peer config '8a3834e7-9448-47ce-a1c1-747a4e0f206f'
2025-07-20T14:06:44   Informational   charon    11[CFG] <74> looking for peer configs matching 192.168.178.2[XXXXx]...80.187.xx.xx[username@test.de]
2025-07-20T14:06:44   Informational   charon    11[ENC] <74> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-07-20T14:06:44   Informational   charon    11[ENC] <74> unknown attribute type INTERNAL_DNS_DOMAIN
2025-07-20T14:06:44   Informational   charon    11[NET] <74> received packet: from 80.187.xx.xx[10041] to 192.168.178.2[4500] (400 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <74> sending packet: from 192.168.178.2[500] to 80.187.xx.xx[500] (325 bytes)
2025-07-20T14:06:44   Informational   charon    11[ENC] <74> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-07-20T14:06:44   Informational   charon    11[IKE] <74> sending cert request for
2025-07-20T14:06:44   Informational   charon    11[IKE] <74> sending cert request for
2025-07-20T14:06:44   Informational   charon    11[IKE] <74> remote host is behind NAT
2025-07-20T14:06:44   Informational   charon    11[IKE] <74> local host is behind NAT, sending keep alives
2025-07-20T14:06:44   Informational   charon    11[CFG] <74> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2025-07-20T14:06:44   Informational   charon    11[IKE] <74> 80.187.123.49 is initiating an IKE_SA
2025-07-20T14:06:44   Informational   charon    11[ENC] <74> parsed IKE_SA_INIT request 0 [ SAxx KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-07-20T14:06:44   Informational   charon    11[NET] <74> received packet: from 80.187.xxx.xx[500] to 192.168.178.2[500] (370 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> sending packet: from 192.168.178.2[4500] to 80.187.xx.xx[10041] (452 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> sending packet: from 192.168.178.2[4500] to 80.187.xx.xx[10041] (1236 bytes)
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> generating IKE_AUTH response 1 [ EF(2/2) ]
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> generating IKE_AUTH response 1 [ EF(1/2) ]
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> splitting IKE message (1616 bytes) into 2 fragments
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> sending end entity cert "C=DE,
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> authentication of 'FQDN' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> peer supports MOBIKE
2025-07-20T14:06:44   Informational   charon    11[IKE] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> initiating EAP_IDENTITY method (id 0x00)
2025-07-20T14:06:44   Informational   charon    11[CFG] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|73> selected peer config '8a3834e7-9448-47ce-a1c1-747a4e0f206f'
2025-07-20T14:06:44   Informational   charon    11[CFG] <73> looking for peer configs matching 192.168.178.2xxxx
2025-07-20T14:06:44   Informational   charon    11[ENC] <73> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-07-20T14:06:44   Informational   charon    11[ENC] <73> unknown attribute type INTERNAL_DNS_DOMAIN
2025-07-20T14:06:44   Informational   charon    11[NET] <73> received packet: from 80.187.xx.xx[10041] to 192.168.178.2[4500] (400 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <73> sending packet: from 192.168.178.2[500] to 80.187.xx.xx[500] (325 bytes)
2025-07-20T14:06:44   Informational   charon    11[ENC] <73> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-07-20T14:06:44   Informational   charon    11[IKE] <73> sending cert request for "C=DE,
2025-07-20T14:06:44   Informational   charon    11[IKE] <73> sending cert request for "C=DE,
2025-07-20T14:06:44   Informational   charon    11[IKE] <73> remote host is behind NAT
2025-07-20T14:06:44   Informational   charon    11[IKE] <73> local host is behind NAT, sending keep alives
2025-07-20T14:06:44   Informational   charon    11[CFG] <73> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2025-07-20T14:06:44   Informational   charon    11[IKE] <73> 80.187.123.49 is initiating an IKE_SA
2025-07-20T14:06:44   Informational   charon    11[ENC] <73> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-07-20T14:06:44   Informational   charon    11[NET] <73> received packet: from 80.187.xx.xx[500] to 192.168.178.2[500] (370 bytes)

Does anyone have an idea what the cause might be?

Regards
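Reading the excerpt above by hand is tedious because the GUI lists newest lines first and interleaves SAs 72, 73 and 74. The following added Python helper (not from the post or from OPNsense/strongSwan) walks a pasted charon excerpt oldest-to-newest, tracks each IKE_SA by its id, and reports whether the peer ever answered the IKE_AUTH response that carries the EAP identity request before the half-open SA was deleted. The sample log is constructed from the lines for SA 74 in the post, with addresses masked as the poster masked them.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon excerpt in the post for IKE_SA 74 (newest line first,
# as the OPNsense GUI lists it; addresses masked as in the post).
SAMPLE_LOG = """\
2025-07-20T14:07:14   Informational   charon    16[JOB] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> deleting half open IKE_SA with 80.187.xx.xx after timeout
2025-07-20T14:06:44   Informational   charon    11[NET] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> sending packet: from 192.168.178.2[4500] to 80.187.xx.xx[10041] (452 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> sending packet: from 192.168.178.2[4500] to 80.187.xx.xx[10041] (1236 bytes)
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> splitting IKE message (1616 bytes) into 2 fragments
2025-07-20T14:06:44   Informational   charon    11[ENC] <8a3834e7-9448-47ce-a1c1-747a4e0f206f|74> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2025-07-20T14:06:44   Informational   charon    11[NET] <74> received packet: from 80.187.xx.xx[10041] to 192.168.178.2[4500] (400 bytes)
2025-07-20T14:06:44   Informational   charon    11[NET] <74> received packet: from 80.187.xx.xx[500] to 192.168.178.2[500] (370 bytes)
"""

# charon line: "<timestamp> <level> charon <thread>[<subsys>] <[cfg-uuid|]sa-id> <message>"
LINE_RE = re.compile(r"^\S+\s+\S+\s+charon\s+\d+\[\w+\]\s+<(?:[0-9a-f-]+\|)?(\d+)>\s+(.*)$")
FRAG_RE = re.compile(r"splitting IKE message \((\d+) bytes\) into (\d+) fragments")


def analyse_charon_log(text):
    """Map each IKE_SA id in a GUI excerpt (newest first) to a one-line verdict."""
    sas = defaultdict(lambda: {"auth_sent": False, "frag": None,
                               "rx_after_auth": 0, "timed_out": False})
    for line in reversed(text.splitlines()):          # walk oldest to newest
        m = LINE_RE.match(line)
        if not m:
            continue
        sa_id, msg = m.groups()
        st = sas[sa_id]
        if msg.startswith("received packet") and st["auth_sent"]:
            st["rx_after_auth"] += 1                   # peer answered the IKE_AUTH response
        elif "generating IKE_AUTH response" in msg:
            st["auth_sent"] = True
        elif (f := FRAG_RE.search(msg)):
            st["frag"] = (int(f.group(1)), int(f.group(2)))
        elif "deleting half open IKE_SA" in msg:
            st["timed_out"] = True
    return {sa: verdict(st) for sa, st in sas.items()}


def verdict(st):
    """Explain why the SA ended, based only on what the log lines show."""
    if st["timed_out"] and st["auth_sent"] and st["rx_after_auth"] == 0:
        frag = f" (sent as {st['frag'][1]} fragments, {st['frag'][0]} bytes)" if st["frag"] else ""
        return "no reply to IKE_AUTH response carrying EAP identity request" + frag
    if st["timed_out"]:
        return "half-open IKE_SA timed out before IKE_AUTH"
    return "completed or still in progress"
```

For the excerpt in the post this reports that both SA 73 and SA 74 sent the fragmented IKE_AUTH response and then received nothing, which points at the path between the FritzBox! and the phone for the fragmented UDP/4500 reply rather than at authentication itself.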