Problems with the new IPsec Connection tab and assigning a pool address

Started by Phomakesmehappy, February 01, 2024, 11:28:48 AM

Hi,

I have to get a roadwarrior EAP_MSCHAPV2 config to work with the additional obstacle of IoT clients, so I can't access any log on the client side.

I managed to get everything working under the legacy GUI, albeit not stable enough for my taste (no proposals found for renegotiating), and I would like to use the newer GUI.

I want to use static IPs for every client, but no IP from the pool gets assigned, although phase 1 is working.

024-02-01T11:08:10   Informational   charon   06[NET] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> sending packet: from 10.246.42.10[4500] to 10.246.42.51[4500] (500 bytes)   
2024-02-01T11:08:10   Informational   charon   06[NET] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> sending packet: from 10.246.42.10[4500] to 10.246.42.51[4500] (1236 bytes)   
2024-02-01T11:08:10   Informational   charon   06[IKE] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> received retransmit of request with ID 1, retransmitting response   
2024-02-01T11:08:10   Informational   charon   06[NET] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> received packet: from 10.246.42.51[4500] to 10.246.42.10[4500] (416 bytes)   
2024-02-01T11:08:06   Informational   charon   09[NET] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> sending packet: from 10.246.42.10[4500] to 10.246.42.51[4500] (500 bytes)   
2024-02-01T11:08:06   Informational   charon   09[NET] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> sending packet: from 10.246.42.10[4500] to 10.246.42.51[4500] (1236 bytes)   
2024-02-01T11:08:06   Informational   charon   09[ENC] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> generating IKE_AUTH response 1 [ EF(2/2) ]   
2024-02-01T11:08:06   Informational   charon   09[ENC] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> generating IKE_AUTH response 1 [ EF(1/2) ]   
2024-02-01T11:08:06   Informational   charon   09[ENC] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> splitting IKE message (1664 bytes) into 2 fragments   
2024-02-01T11:08:06   Informational   charon   09[ENC] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]   
2024-02-01T11:08:06   Informational   charon   09[IKE] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=Compugroup, E=joern.bonte@cgm.com, CN=opnSense-IPSec"   
2024-02-01T11:08:06   Informational   charon   09[IKE] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> authentication of '10.246.42.10' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful   
2024-02-01T11:08:06   Informational   charon   09[IKE] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> peer supports MOBIKE   
2024-02-01T11:08:06   Informational   charon   09[IKE] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> initiating EAP_MSCHAPV2 method (id 0x0A)   
2024-02-01T11:08:06   Informational   charon   09[IKE] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> using configured EAP-Identity kt1   
2024-02-01T11:08:06   Informational   charon   09[CFG] <c8d2c7ac-39de-4b39-aec4-21378f35744e|3> selected peer config 'c8d2c7ac-39de-4b39-aec4-21378f35744e'   
2024-02-01T11:08:06   Informational   charon   09[CFG] <3> looking for peer configs matching 10.246.42.10[%any]...10.246.42.51[10.246.42.51]   
2024-02-01T11:08:06   Informational   charon   09[IKE] <3> REDACTED"   
2024-02-01T11:08:06   Informational   charon   09[ENC] <3> parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]   
2024-02-01T11:08:06   Informational   charon   09[NET] <3> received packet: from 10.246.42.51[4500] to 10.246.42.10[4500] (416 bytes)   
2024-02-01T11:08:05   Informational   charon   09[NET] <3> sending packet: from 10.246.42.10[500] to 10.246.42.51[500] (497 bytes)   
2024-02-01T11:08:05   Informational   charon   09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]   
2024-02-01T11:08:05   Informational   charon   09[IKE] <3> sending cert request for "REDACTED"   
2024-02-01T11:08:05   Informational   charon   09[IKE] <3> faking NAT situation to enforce UDP encapsulation   
2024-02-01T11:08:05   Informational   charon   09[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048   
2024-02-01T11:08:05   Informational   charon   09[IKE] <3> 10.246.42.51 is initiating an IKE_SA   
2024-02-01T11:08:05   Informational   charon   09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]   
2024-02-01T11:08:05   Informational   charon   09[NET] <3> received packet: from 10.246.42.51[500] to 10.246.42.10[500] (1156 bytes)

This is the log output. Any tips on how to troubleshoot this any further? The connection tab shows an active connection, but the client in question still uses its own static IP instead of the pool IP.

Thanks a lot in advance!
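The posted log shows the client asking for an address (`CPRQ(ADDR DNS)` in its IKE_AUTH request) but, in what is visible, no `CPRP(ADDR)` reply from the responder. As an added example that is not part of the original post and not OPNsense or strongSwan code, the script below parses charon lines in exactly this format and reports, per IKE_SA, whether a pool address was ever handed out; the sample lines and the `example-conn-uuid` are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon log format in the post: SA <3> asks
# for an address (CPRQ) but never receives a CPRP(ADDR) reply; SA <4> does.
SAMPLE_LOG = """\
2024-02-01T11:08:06   Informational   charon   09[ENC] <3> parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
2024-02-01T11:08:06   Informational   charon   09[IKE] <3> initiating EAP_MSCHAPV2 method (id 0x0A)
2024-02-01T11:08:06   Informational   charon   09[ENC] <3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
2024-02-01T11:08:07   Informational   charon   09[ENC] <3> generating IKE_AUTH response 4 [ AUTH SA TSi TSr ]
2024-02-01T11:09:01   Informational   charon   11[ENC] <example-conn-uuid|4> parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr ]
2024-02-01T11:09:02   Informational   charon   11[ENC] <example-conn-uuid|4> generating IKE_AUTH response 3 [ AUTH CPRP(ADDR DNS) SA TSi TSr ]
"""

# One charon line: timestamp, level, 'charon', thread[subsystem], <conn-uuid|sa> or <sa>, message
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[\w+\]\s+"
                     r"<(?:[^|>]*\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$")
# Payload list of a parsed/generated IKE message, e.g. "[ IDi CPRQ(ADDR DNS) SA ... ]"
PAYLOAD_RE = re.compile(r"(?:parsed|generating) (IKE_\w+) (request|response) \d+ \[ (.*?) \]")


def parse_charon(text):
    """Return (timestamp, sa_id, message) for every well-formed charon line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["ts"], m["sa"], m["msg"]))
    return rows


def check_config_payloads(text):
    """Per IKE_SA: did the peer request an address (CPRQ(ADDR)) in IKE_AUTH, did we
    answer with CPRP(ADDR), and was EAP-MSCHAPv2 started? Order-independent, so the
    GUI's newest-first listing can be pasted as-is."""
    state = defaultdict(lambda: {"requested": False, "assigned": False, "eap": False})
    for _, sa, msg in parse_charon(text):
        state[sa]["eap"] |= "EAP_MSCHAPV2 method" in msg
        pm = PAYLOAD_RE.search(msg)
        if not pm or pm.group(1) != "IKE_AUTH":
            continue
        kind, payloads = pm.group(2), pm.group(3)
        state[sa]["requested"] |= kind == "request" and "CPRQ(ADDR" in payloads
        state[sa]["assigned"] |= kind == "response" and "CPRP(ADDR" in payloads
    return {sa: dict(v) for sa, v in state.items()}


def unanswered_address_requests(text):
    """SA ids where the client requested a pool address but no CPRP(ADDR) was sent."""
    return sorted(sa for sa, st in check_config_payloads(text).items()
                  if st["requested"] and not st["assigned"])
```

An SA that shows up in `unanswered_address_requests` with `eap` set means authentication ran but the responder never attached a config reply, which points at the pool/virtual-IP settings of the selected connection rather than at the client.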