IPsec drops after SA lifetime OpnSense <-> Festa TPLink

Started by Speedy2024, November 14, 2024, 07:26:12 AM

November 14, 2024, 07:26:12 AM Last Edit: November 14, 2024, 08:48:28 AM by Speedy2024
Hello,

I have set up an IPsec tunnel between the OpnSense (static IP) and a small Festa TPLink (dynamic IP). After the configured SA lifetime expires, the tunnel is down for about 2 minutes. The settings on the Festa are fairly sparse and I don't know where to start. Do you have any idea?


Here are some log excerpts:

2024-11-14T08:42:53 Informational charon 09[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> sending packet: from OpnSense-WAN-IP[4500] to TPLINK-WAN-IP[4500] (256 bytes)
2024-11-14T08:42:53 Informational charon 09[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
2024-11-14T08:42:53 Notice charon [UPDOWN] received up-client event for reqid 4
2024-11-14T08:42:53 Notice charon [UPDOWN] received up-client event for reqid 4
2024-11-14T08:42:53 Notice charon [UPDOWN] received up-client event for reqid 4
2024-11-14T08:42:53 Informational charon 09[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|65> CHILD_SA a47ca189-339d-4157-95b5-4f7554397d64{487} established with SPIs c7ab4e7c_i c06beb70_o and TS 10.1.0.0/24 10.1.5.0/24 192.168.2.0/24 === 192.168.3.0/24
2024-11-14T08:42:53 Informational charon 09[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2024-11-14T08:42:53 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> maximum IKE_SA lifetime 15464s
2024-11-14T08:42:53 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> scheduling rekeying in 14024s
2024-11-14T08:42:53 Informational charon 09[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|65> IKE_SA baa084c5-d489-4c98-9b04-cc83354160a8[65] established between OpnSense-WAN-IP[OpnSense-WAN-IP]...TPLINK-WAN-IP[meindyndnsaccount.ddns.net]
2024-11-14T08:42:53 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> authentication of 'OpnSense-WAN-IP' (myself) with pre-shared key
2024-11-14T08:42:53 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> peer supports MOBIKE, but disabled in config
2024-11-14T08:42:53 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> authentication of 'meindyndnsaccount.ddns.net' with pre-shared key successful
2024-11-14T08:42:53 Informational charon 09[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> selected peer config 'baa084c5-d489-4c98-9b04-cc83354160a8'
2024-11-14T08:42:53 Informational charon 09[CFG1] <65> looking for peer configs matching OpnSense-WAN-IP[OpnSense-WAN-IP]...TPLINK-WAN-IP[meindyndnsaccount.ddns.net]
2024-11-14T08:42:53 Informational charon 09[ENC1] <65> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2024-11-14T08:42:53 Informational charon 09[NET1] <65> received packet: from TPLINK-WAN-IP[4500] to OpnSense-WAN-IP[4500] (320 bytes)
2024-11-14T08:42:52 Informational charon 09[NET1] <65> sending packet: from OpnSense-WAN-IP[500] to TPLINK-WAN-IP[500] (509 bytes)
2024-11-14T08:42:52 Informational charon 09[ENC1] <65> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2024-11-14T08:42:52 Informational charon 09[IKE1] <65> sending cert request for "C=DE, CN=internal-sslvpn-ca"
2024-11-14T08:42:52 Informational charon 09[IKE1] <65> sending cert request for "C=US, O=Let's Encrypt, CN=R11"
2024-11-14T08:42:52 Informational charon 09[IKE1] <65> remote host is behind NAT
2024-11-14T08:42:52 Informational charon 09[CFG1] <65> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2024-11-14T08:42:52 Informational charon 09[IKE0] <65> TPLINK-WAN-IP is initiating an IKE_SA
2024-11-14T08:42:52 Informational charon 09[ENC1] <65> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2024-11-14T08:42:52 Informational charon 09[NET1] <65> received packet: from TPLINK-WAN-IP[500] to OpnSense-WAN-IP[500] (448 bytes)
2024-11-14T08:42:46 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> received AUTHENTICATION_FAILED notify error
2024-11-14T08:42:46 Informational charon 09[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2024-11-14T08:42:46 Informational charon 09[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> received packet: from TPLINK-WAN-IP[4500] to OpnSense-WAN-IP[4500] (80 bytes)
2024-11-14T08:42:46 Informational charon 09[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> sending packet: from OpnSense-WAN-IP[4500] to TPLINK-WAN-IP[4500] (320 bytes)
2024-11-14T08:42:46 Informational charon 09[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> generating IKE_AUTH request 1 [ IDi CERTREQ AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-11-14T08:42:46 Informational charon 09[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|64> establishing CHILD_SA a47ca189-339d-4157-95b5-4f7554397d64{486} reqid 4
2024-11-14T08:42:46 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> authentication of 'OpnSense-WAN-IP' (myself) with pre-shared key
2024-11-14T08:42:46 Informational charon 09[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> no IDi configured, fall back on IP address
2024-11-14T08:42:46 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> sending cert request for "C=DE, CN=internal-sslvpn-ca"
2024-11-14T08:42:46 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> sending cert request for "C=US, O=Let's Encrypt, CN=R11"
2024-11-14T08:42:46 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> remote host is behind NAT
2024-11-14T08:42:46 Informational charon 09[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2024-11-14T08:42:46 Informational charon 09[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
2024-11-14T08:42:46 Informational charon 09[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> received packet: from TPLINK-WAN-IP[500] to OpnSense-WAN-IP[500] (456 bytes)
2024-11-14T08:42:45 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> sending packet: from OpnSense-WAN-IP[500] to TPLINK-WAN-IP[500] (464 bytes)
2024-11-14T08:42:45 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-11-14T08:42:45 Informational charon 11[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|64> initiating IKE_SA baa084c5-d489-4c98-9b04-cc83354160a8[64] to TPLINK-WAN-IP
2024-11-14T08:42:45 Informational charon 11[KNL1] creating acquire job for policy OpnSense-WAN-IP/32 === TPLINK-WAN-IP/32 with reqid {4}
2024-11-14T08:42:27 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> received AUTHENTICATION_FAILED notify error
2024-11-14T08:42:27 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2024-11-14T08:42:27 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> received packet: from TPLINK-WAN-IP[4500] to OpnSense-WAN-IP[4500] (80 bytes)
2024-11-14T08:42:27 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> sending packet: from OpnSense-WAN-IP[4500] to TPLINK-WAN-IP[4500] (320 bytes)
2024-11-14T08:42:27 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> generating IKE_AUTH request 1 [ IDi CERTREQ AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-11-14T08:42:27 Informational charon 11[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|63> establishing CHILD_SA a47ca189-339d-4157-95b5-4f7554397d64{485} reqid 4
2024-11-14T08:42:27 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> authentication of 'OpnSense-WAN-IP' (myself) with pre-shared key
2024-11-14T08:42:27 Informational charon 11[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> no IDi configured, fall back on IP address
2024-11-14T08:42:27 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> sending cert request for "C=DE, CN=internal-sslvpn-ca"
2024-11-14T08:42:27 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> sending cert request for "C=US, O=Let's Encrypt, CN=R11"
2024-11-14T08:42:27 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> remote host is behind NAT
2024-11-14T08:42:27 Informational charon 11[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2024-11-14T08:42:27 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
2024-11-14T08:42:27 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> received packet: from TPLINK-WAN-IP[500] to OpnSense-WAN-IP[500] (456 bytes)
2024-11-14T08:42:26 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> sending packet: from OpnSense-WAN-IP[500] to TPLINK-WAN-IP[500] (464 bytes)
2024-11-14T08:42:26 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-11-14T08:42:26 Informational charon 11[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|63> initiating IKE_SA baa084c5-d489-4c98-9b04-cc83354160a8[63] to TPLINK-WAN-IP
2024-11-14T08:42:26 Informational charon 11[KNL1] creating acquire job for policy OpnSense-WAN-IP/32 === TPLINK-WAN-IP/32 with reqid {4}
2024-11-14T08:42:11 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> received AUTHENTICATION_FAILED notify error
2024-11-14T08:42:11 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2024-11-14T08:42:11 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> received packet: from TPLINK-WAN-IP[4500] to OpnSense-WAN-IP[4500] (80 bytes)
2024-11-14T08:42:11 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> sending packet: from OpnSense-WAN-IP[4500] to TPLINK-WAN-IP[4500] (320 bytes)
2024-11-14T08:42:11 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> generating IKE_AUTH request 1 [ IDi CERTREQ AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-11-14T08:42:11 Informational charon 11[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|62> establishing CHILD_SA a47ca189-339d-4157-95b5-4f7554397d64{484} reqid 4
2024-11-14T08:42:11 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> authentication of 'OpnSense-WAN-IP' (myself) with pre-shared key
2024-11-14T08:42:11 Informational charon 11[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> no IDi configured, fall back on IP address
2024-11-14T08:42:11 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> sending cert request for "C=DE, CN=internal-sslvpn-ca"
2024-11-14T08:42:11 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> sending cert request for "C=US, O=Let's Encrypt, CN=R11"
2024-11-14T08:42:11 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> remote host is behind NAT
2024-11-14T08:42:11 Informational charon 11[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2024-11-14T08:42:11 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
2024-11-14T08:42:11 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> received packet: from TPLINK-WAN-IP[500] to OpnSense-WAN-IP[500] (456 bytes)
2024-11-14T08:42:10 Informational charon 11[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> sending packet: from OpnSense-WAN-IP[500] to TPLINK-WAN-IP[500] (464 bytes)
2024-11-14T08:42:10 Informational charon 11[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-11-14T08:42:10 Informational charon 11[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|62> initiating IKE_SA baa084c5-d489-4c98-9b04-cc83354160a8[62] to TPLINK-WAN-IP
2024-11-14T08:42:10 Informational charon 11[KNL1] creating acquire job for policy OpnSense-WAN-IP/32 === TPLINK-WAN-IP/32 with reqid {4}
2024-11-14T08:41:56 Informational charon 14[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> received AUTHENTICATION_FAILED notify error
2024-11-14T08:41:56 Informational charon 14[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2024-11-14T08:41:56 Informational charon 14[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> received packet: from TPLINK-WAN-IP[4500] to OpnSense-WAN-IP[4500] (80 bytes)
2024-11-14T08:41:56 Informational charon 14[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> sending packet: from OpnSense-WAN-IP[4500] to TPLINK-WAN-IP[4500] (320 bytes)
2024-11-14T08:41:56 Informational charon 14[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> generating IKE_AUTH request 1 [ IDi CERTREQ AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-11-14T08:41:56 Informational charon 14[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|61> establishing CHILD_SA a47ca189-339d-4157-95b5-4f7554397d64{483} reqid 4
2024-11-14T08:41:56 Informational charon 14[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> authentication of 'OpnSense-WAN-IP' (myself) with pre-shared key
2024-11-14T08:41:56 Informational charon 14[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> no IDi configured, fall back on IP address
2024-11-14T08:41:56 Informational charon 14[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> sending cert request for "C=DE, CN=internal-sslvpn-ca"
2024-11-14T08:41:56 Informational charon 14[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> sending cert request for "C=US, O=Let's Encrypt, CN=R11"
2024-11-14T08:41:56 Informational charon 14[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> remote host is behind NAT
2024-11-14T08:41:56 Informational charon 14[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2024-11-14T08:41:56 Informational charon 14[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
2024-11-14T08:41:56 Informational charon 14[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> received packet: from TPLINK-WAN-IP[500] to OpnSense-WAN-IP[500] (456 bytes)
2024-11-14T08:41:56 Informational charon 14[NET1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> sending packet: from OpnSense-WAN-IP[500] to TPLINK-WAN-IP[500] (464 bytes)
2024-11-14T08:41:56 Informational charon 14[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|61> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-11-14T08:41:56 Informational charon 14[IKE0] <baa084c5-d489-4c98-9b04-cc83354160a8|61> initiating IKE_SA baa084c5-d489-4c98-9b04-cc83354160a8[61] to TPLINK-WAN-IP
2024-11-14T08:41:56 Informational charon 11[KNL1] creating acquire job for policy OpnSense-WAN-IP/32 === TPLINK-WAN-IP/32 with reqid {4}
2024-11-14T08:41:48 Informational charon 14[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|60> received AUTHENTICATION_FAILED notify error
2024-11-14T08:41:48 Informational charon 14[ENC1] <baa084c5-d489-4c98-9b04-cc83354160a8|60> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]


Have a look at the log file first?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Well, this shows up a few times in the logs:

received AUTHENTICATION_FAILED notify error

"Received" presumably means that the other side is sending it to the OPNsense.
Hardware:
DEC740

I also saw the following in the log:

configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ


I have now switched phase 2 on the OpnSense to aes256-sha256 (without MODP_2048) and it is running stably now.

Thanks for your replies.
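The proposal comparison in the last post can be automated; as an added example that is not from this thread or from OPNsense/strongSwan, this Python checker walks charon log lines like those quoted above, counts AUTHENTICATION_FAILED notifies per connection and diffs the configured vs received ESP proposals, flagging a DH group (PFS) that only the local side requires. The sample lines are constructed from the thread's output; the `analyze` function and its result layout are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the charon lines quoted in this thread.
SAMPLE_LOG = """\
2024-11-14T08:42:11 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|62> received AUTHENTICATION_FAILED notify error
2024-11-14T08:42:27 Informational charon 11[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|63> received AUTHENTICATION_FAILED notify error
2024-11-14T08:42:46 Informational charon 09[IKE1] <baa084c5-d489-4c98-9b04-cc83354160a8|64> received AUTHENTICATION_FAILED notify error
2024-11-14T08:42:53 Informational charon 09[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2024-11-14T08:42:53 Informational charon 09[CFG1] <baa084c5-d489-4c98-9b04-cc83354160a8|65> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")  # DH group transforms; in an ESP proposal they mean PFS
CONN_RE = re.compile(r"<([0-9a-f-]{36})\|\d+>")  # <connection-uuid|ike-sa-number>
PROPOSAL_RE = re.compile(r"(configured|received) proposals: (\w+):([^\s,]+)")  # first proposal only

def parse_proposal(spec: str) -> set:
    """'AES_CBC_256/HMAC_SHA2_256_128/MODP_2048' -> set of transform names."""
    return set(spec.split("/"))

def dh_groups(transforms: set) -> set:
    return {t for t in transforms if t.startswith(DH_PREFIXES)}

def analyze(log_text: str) -> dict:
    """Count AUTHENTICATION_FAILED per connection; diff configured vs received proposals."""
    auth_failed = Counter()
    proposals = {"configured": {}, "received": {}}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        conn = m.group(1) if m else "?"
        if "received AUTHENTICATION_FAILED" in line:
            auth_failed[conn] += 1
        pm = PROPOSAL_RE.search(line)
        if pm:
            side, proto, spec = pm.groups()
            proposals[side][(conn, proto)] = parse_proposal(spec)
    findings = []
    for key, local in proposals["configured"].items():
        remote = proposals["received"].get(key)
        if remote is None or local == remote:
            continue
        only_local = local - remote
        # a DH group present only on our side: we demand PFS the peer never offers
        findings.append({"conn": key[0], "proto": key[1],
                         "only_local": sorted(only_local),
                         "only_remote": sorted(remote - local),
                         "pfs_mismatch": bool(dh_groups(only_local))})
    return {"auth_failed": dict(auth_failed), "findings": findings}
```

Dropping the DH group from the ESP proposal, as the thread's fix did, disables PFS for the CHILD_SA; the `pfs_mismatch` flag makes that trade-off visible rather than leaving it as a silent proposal change.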