Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)

Started by Rayman, November 02, 2018, 09:50:39 PM

Hi,

I'm trying to connect a SonicWALL router with IPSEC to my new OPNsense 18.7.6 A10 appliance.

Internet is fiber from Xs4all, pppoe.

IPSEC log:
Nov 2 21:42:44 charon: 11[NET] <con2|22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 2 21:42:44 charon: 11[ENC] <con2|22> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 2 21:42:44 charon: 11[IKE] <con2|22> no shared key found for '%any' - 'www.bbbb.nl'
Nov 2 21:42:44 charon: 11[CFG] <con2|22> selected peer config 'con2'
Nov 2 21:42:44 charon: 11[CFG] <22> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (240 bytes)
Nov 2 21:42:44 charon: 11[NET] <22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (440 bytes)
Nov 2 21:42:44 charon: 11[ENC] <22> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 2 21:42:44 charon: 11[IKE] <22> b.b.b.b is initiating an IKE_SA
Nov 2 21:42:44 charon: 11[ENC] <22> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)

I copied the settings from my old pfSense router, but here the tunnel will not come up.

I have added the 3 WAN rules and 1 IPSEC to LAN rule, and applied these.

Anyone have an idea?

Thanks!



I've been playing around with this.

Is it possible that a certificate is in the way? It asks for a certificate in the IPSEC config, which I can't deselect. The tunnel does not use a certificate at all.

Logfile:
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 10:07:18 charon: 15[CFG] <41> no matching peer config found
Nov 5 10:07:18 charon: 15[CFG] <41> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 10:07:18 charon: 15[IKE] <41> sending cert request for "CN=internal-opnsense-ca"
Nov 5 10:07:18 charon: 15[IKE] <41> b.b.b.b is initiating an IKE_SA
Nov 5 10:07:18 charon: 15[ENC] <41> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 09:46:09 charon: 15[CFG] <40> no matching peer config found
Nov 5 09:46:09 charon: 15[CFG] <40> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 09:46:09 charon: 15[IKE] <40> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:46:09 charon: 15[IKE] <40> b.b.b.b is initiating an IKE_SA
Nov 5 09:46:09 charon: 15[ENC] <40> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (80 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (496 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> establishing CHILD_SA con3{3}
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:41:45 charon: 15[ENC] <con3|39> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (449 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (464 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 15[CFG] received stroke: initiate 'con3'
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 5 09:41:45 charon: 14[CFG] id 'a.a.a.a' not confirmed by certificate, defaulting to 'certificate id'
Nov 5 09:41:45 charon: 14[CFG] loaded certificate "certificate id" from '/usr/local/etc/ipsec.d/certs/cert-3.crt'
Nov 5 09:41:45 charon: 14[CFG] received stroke: add connection 'con3'
Nov 5 09:41:45 charon: 15[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Nov 5 09:41:45 charon: 15[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 5 09:41:45 charon: 15[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 5 09:41:45 charon: 15[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 5 09:41:45 charon: 15[CFG] loaded ca certificate "CN=internal-opnsense-ca" from '/usr/local/etc/ipsec.d/cacerts/63707b99.0.crt'



Hi,

These are the screenshots of the SonicWALL. I left out the network tab. It only shows names of the local and remote networks, but they are the full /24 local and remote network.

Ray

I think it's definitely the certificate which is presented to the SonicWALL. In the SonicWALL log I see the following error:

IKEv2 initiator: Proposed IKE ID mismatch. In the data it shows the data of the certificate, which I don't want to use...

So, is it possible to configure OPNsense to NOT use a certificate for IPSEC?

Hi,

I have a similar problem with certificates and IPsec settings. After the initial creation of IPsec Phase 1 everything is OK. However, after the first update of IPsec Phase 1, the tunnel started to use the certificate as Local ID and the tunnel can no longer be established. Everything can be seen on VPN: IPsec: Status Overview, where under Local ID, instead of an IP address, appears: C = D, ST = South Holland, L = Middelharnis, O = OPNsense
After that, I could not find a regular way (using the webGUI) to remove this certificate from the settings.
The only way I found is: download the XML configuration and manually delete <certref>58b76f2b66944</certref> from the IPsec phase 1 settings. This XML tag always appears after the first webGUI settings update of IPsec phase 1.
Very strange.
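The manual cleanup described in this post, as an added example that is neither the poster's nor OPNsense's own code: it scans an exported config XML for phase 1 entries that authenticate with a pre-shared key but still carry a <certref>, and removes only those. It assumes the layout <ipsec><phase1>...</phase1></ipsec> with <ikeid>, <authentication_method> and <certref> as direct children (element names beyond <certref> are an assumption); the sample configuration is constructed.

```python
"""Strip a stray <certref> from pre-shared-key IPsec phase 1 entries.

Added example, not OPNsense code. Assumes phase 1 entries live under
<ipsec><phase1> with <ikeid>, <authentication_method> and <certref> as
direct children; the sample below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: tunnel 1 is PSK but still carries a certref (the
# symptom in the thread); tunnel 2 legitimately authenticates with a cert.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <authentication_method>pre_shared_key</authentication_method>
      <certref>58b76f2b66944</certref>
      <descr>SonicWALL site-to-site</descr>
    </phase1>
    <phase1>
      <ikeid>2</ikeid>
      <authentication_method>rsasig</authentication_method>
      <certref>0123456789abc</certref>
      <descr>cert-authenticated peer</descr>
    </phase1>
  </ipsec>
</opnsense>
"""

# Authentication methods for which a certificate reference is never wanted.
PSK_METHODS = {"pre_shared_key"}


def strip_stray_certrefs(xml_text):
    """Return (cleaned XML string, list of ikeids whose <certref> was removed).

    Certificate-authenticated entries are untouched, so re-running on the
    output is a no-op and reports an empty list.
    """
    root = ET.fromstring(xml_text)
    fixed = []
    for p1 in root.iter("phase1"):
        method = (p1.findtext("authentication_method") or "").strip()
        certref = p1.find("certref")
        if method in PSK_METHODS and certref is not None:
            p1.remove(certref)
            fixed.append((p1.findtext("ikeid") or "?").strip())
    return ET.tostring(root, encoding="unicode"), fixed
```

Run it against a real export, then import the cleaned XML back through the GUI's restore function rather than editing config.xml on the box directly.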

Hi,

Thanks for your reply!

You are totally right! Thank you very much!

After removing the cert from the config, the tunnel came up right away!

It would be better if the cert were removable from the GUI, of course. Maybe a dev can pick this up?


Hi Franco,

Did not know this, I'll create an issue there.

Thanks,
Ray


@jmirakul

This was checked by Ad.

When using Internet Explorer (which I did), the certificate field is shown and the certificate data is in the config xml file.

When another browser is used (I've tried Firefox), the certificate fields are not even in the GUI, and the XML file is correct then.

Kind regards,
Ray

Yes, I saw. :)
Everything works fine with Firefox but failed with Safari on OS X in my case.