Site-to-Site VPN to Synology router fails

Started by BiTRiP, March 18, 2019, 09:11:01 PM

March 18, 2019, 09:11:01 PM Last Edit: March 18, 2019, 09:13:51 PM by BiTRiP
Hi,

I'm trying to set up a site-to-site VPN between my OPNsense 19.1 and a Synology 1900ac router.

While I have the settings on both ends exactly the same, it doesn't connect.
The output is below. I changed my OPNsense address here to O and the Synology address to S for security reasons.

Mar 18 21:00:13 router charon: 09[NET] <412> received packet: from S.S.S.S[500] to O.O.O.O[500] (204 bytes)
Mar 18 21:00:13 router charon: 09[ENC] <412> parsed ID_PROT request 0 [ SA V V V V V V ]
Mar 18 21:00:13 router charon: 09[IKE] <412> received DPD vendor ID
Mar 18 21:00:13 router charon: 09[IKE] <412> received FRAGMENTATION vendor ID
Mar 18 21:00:13 router charon: 09[IKE] <412> received NAT-T (RFC 3947) vendor ID
Mar 18 21:00:13 router charon: 09[IKE] <412> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 18 21:00:13 router charon: 09[IKE] <412> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 18 21:00:13 router charon: 09[IKE] <412> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 18 21:00:13 router charon: 09[IKE] <412> S.S.S.S is initiating a Main Mode IKE_SA
Mar 18 21:00:13 router charon: 09[CFG] <412> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 18 21:00:13 router charon: 09[ENC] <412> generating ID_PROT response 0 [ SA V V V V ]
Mar 18 21:00:13 router charon: 09[NET] <412> sending packet: from O.O.O.O[500] to S.S.S.S[500] (160 bytes)
Mar 18 21:00:13 router charon: 09[NET] <412> received packet: from S.S.S.S[500] to O.O.O.O[500] (396 bytes)
Mar 18 21:00:13 router charon: 09[ENC] <412> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 18 21:00:13 router charon: 09[ENC] <412> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 18 21:00:13 router charon: 09[NET] <412> sending packet: from O.O.O.O[500] to S.S.S.S[500] (396 bytes)
Mar 18 21:00:13 router charon: 09[NET] <412> received packet: from S.S.S.S[500] to O.O.O.O[500] (92 bytes)
Mar 18 21:00:13 router charon: 09[ENC] <412> parsed ID_PROT request 0 [ ID HASH ]
Mar 18 21:00:13 router charon: 09[CFG] <412> looking for pre-shared key peer configs matching O.O.O.O...S.S.S.S[myvpn.ddns.net]
Mar 18 21:00:13 router charon: 09[IKE] <412> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 18 21:00:13 router charon: 09[ENC] <412> generating INFORMATIONAL_V1 request 620821303 [ HASH N(AUTH_FAILED) ]
Mar 18 21:00:13 router charon: 09[NET] <412> sending packet: from O.O.O.O[500] to S.S.S.S[500] (108 bytes)


Any idea? I already changed both to Aggressive mode, or just one to Aggressive. Nothing helps.
It just changes the error to "found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode".

Hope you can help.

BiTRiP


OK, found out that it's because I use multiple IPsec entries, and there is a limitation in strongSwan.
I can't use a second IPsec entry with an FQDN, only a static IP; otherwise it will use the PSK auth from the first IPsec entry.

Found out here:
https://community.ubnt.com/t5/EdgeRouter/second-IPSec-tunnel-not-working/td-p/1525300
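An added triage script, not from this thread or from OPNsense/strongSwan, that groups the charon lines above by IKE_SA number and reports why PSK peer-config selection failed; it assumes the message formats match the lines quoted in the post, and the sample lines are abridged from it with the poster's O/S placeholders kept.

```python
import re
from collections import defaultdict

# Log lines abridged from the post above (O.O.O.O = OPNsense, S.S.S.S = Synology, as the poster wrote them).
SAMPLE_LOG = [
    "Mar 18 21:00:13 router charon: 09[NET] <412> received packet: from S.S.S.S[500] to O.O.O.O[500] (204 bytes)",
    "Mar 18 21:00:13 router charon: 09[CFG] <412> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
    "Mar 18 21:00:13 router charon: 09[CFG] <412> looking for pre-shared key peer configs matching O.O.O.O...S.S.S.S[myvpn.ddns.net]",
    "Mar 18 21:00:13 router charon: 09[IKE] <412> found 1 matching config, but none allows pre-shared key authentication using Main Mode",
    "Mar 18 21:00:13 router charon: 09[ENC] <412> generating INFORMATIONAL_V1 request 620821303 [ HASH N(AUTH_FAILED) ]",
]

LINE_RE = re.compile(r"charon: \d+\[\w+\] <(?P<sa>\d+)> (?P<msg>.*)$")  # "... charon: 09[IKE] <412> message"
PEER_RE = re.compile(r"received packet: from (?P<peer>\S+)\[\d+\] to ")
LOOKUP_RE = re.compile(r"pre-shared key peer configs matching \S+\.\.\.\S+\[(?P<id>[^\]]+)\]")
NOAUTH_RE = re.compile(r"found (?P<n>\d+) matching config, but none allows pre-shared key "
                       r"authentication using (?P<mode>Main|Aggressive) Mode")

def is_fqdn(identity):
    """True for a DNS-name identity such as myvpn.ddns.net, False for a dotted IPv4 address."""
    return bool(re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", identity)) and \
        not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", identity)

def triage(lines):
    """Group charon lines by IKE_SA number; return one finding per SA that failed PSK peer-config selection."""
    sas = defaultdict(dict)
    for line in lines:
        if not (m := LINE_RE.search(line)):
            continue
        sa, msg = sas[m.group("sa")], m.group("msg")
        if (p := PEER_RE.search(msg)) and "peer" not in sa:
            sa["peer"] = p.group("peer")
        if (lk := LOOKUP_RE.search(msg)):
            sa["peer_id"] = lk.group("id")
        if (n := NOAUTH_RE.search(msg)):
            sa["matches"], sa["mode"] = int(n.group("n")), n.group("mode")
        sa["auth_failed"] = sa.get("auth_failed") or "N(AUTH_FAILED)" in msg
    findings = []
    for sa_id, sa in sas.items():
        if not (sa.get("auth_failed") and "mode" in sa):
            continue
        pid = sa.get("peer_id", "")
        if sa["mode"] == "Main" and is_fqdn(pid):
            # In Main Mode the ID payload is encrypted with PSK-derived keys, so the responder must pick the PSK and peer config by source address.
            hint = "peer sent FQDN identity %s in Main Mode; key its PSK entry on the peer address %s" % (pid, sa.get("peer"))
        else:
            hint = "check that the matched config allows PSK in %s Mode and that its peer identity matches %s" % (sa["mode"], pid)
        findings.append({"ike_sa": sa_id, "peer": sa.get("peer"), "peer_id": pid, "mode": sa["mode"],
                         "matches": sa["matches"], "hint": hint})
    return findings
```

Feed it the full charon log and each IKE_SA that ended in N(AUTH_FAILED) is listed with the peer address, the identity it presented and the exchange mode, which is what to compare against the phase 1 entries on both routers.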