Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Topic: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router) (Read 14764 times)
Rayman
Newbie
Posts: 31
Karma: 2
Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
on: November 02, 2018, 09:50:39 pm
Hi,
I'm trying to connect a SonicWALL router with IPSEC to my new OPNsense 18.7.6 A10 appliance.
Internet is fiber from Xs4all, pppoe.
IPSEC log:
Nov 2 21:42:44 charon: 11[NET] <con2|22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 2 21:42:44 charon: 11[ENC] <con2|22> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 2 21:42:44 charon: 11[IKE] <con2|22> no shared key found for '%any' - 'www.bbbb.nl'
Nov 2 21:42:44 charon: 11[CFG] <con2|22> selected peer config 'con2'
Nov 2 21:42:44 charon: 11[CFG] <22> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (240 bytes)
Nov 2 21:42:44 charon: 11[NET] <22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (440 bytes)
Nov 2 21:42:44 charon: 11[ENC] <22> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 2 21:42:44 charon: 11[IKE] <22> b.b.b.b is initiating an IKE_SA
Nov 2 21:42:44 charon: 11[ENC] <22> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 2 21:42:44 charon: 11[ENC] <22> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 2 21:42:44 charon: 11[NET] <22> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
I copied the settings from my old pfSense router, but here the tunnel will not come up.
I have added the 3 WAN rules and 1 IPSEC to LAN rule, and applied these.
Anyone an idea?
Thanks!
Last Edit: November 05, 2018, 10:40:02 am by Rayman
JL
Newbie
Posts: 42
Karma: 1
Re: Replaced pfSense for OPNsense, IPSEC will not connect, no shared key found
Reply #1 on: November 02, 2018, 10:42:06 pm
Did you try setting "automatic outbound NAT" under NAT?
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect, no shared key found
Reply #2 on: November 02, 2018, 11:36:59 pm
I only had it on this setting.
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect, no shared key found
Reply #3 on: November 05, 2018, 10:37:37 am
I've been playing around with this.
Is it possible that a certificate is in the way? It asks for a certificate in the IPSEC config, which I can't deselect. The tunnel does not use a certificate at all.
Logfile:
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 10:07:18 charon: 15[CFG] <41> no matching peer config found
Nov 5 10:07:18 charon: 15[CFG] <41> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 10:07:18 charon: 15[IKE] <41> sending cert request for "CN=internal-opnsense-ca"
Nov 5 10:07:18 charon: 15[IKE] <41> b.b.b.b is initiating an IKE_SA
Nov 5 10:07:18 charon: 15[ENC] <41> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 10:07:18 charon: 15[NET] <41> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 09:46:09 charon: 15[CFG] <40> no matching peer config found
Nov 5 09:46:09 charon: 15[CFG] <40> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (272 bytes)
Nov 5 09:46:09 charon: 15[NET] <40> sending packet: from a.a.a.a[500] to b.b.b.b[500] (465 bytes)
Nov 5 09:46:09 charon: 15[ENC] <40> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 09:46:09 charon: 15[IKE] <40> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:46:09 charon: 15[IKE] <40> b.b.b.b is initiating an IKE_SA
Nov 5 09:46:09 charon: 15[ENC] <40> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:46:09 charon: 15[ENC] <40> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:46:09 charon: 15[NET] <40> received packet: from b.b.b.b[500] to a.a.a.a[500] (444 bytes)
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (80 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (496 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> establishing CHILD_SA con3{3}
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> sending cert request for "CN=internal-opnsense-ca"
Nov 5 09:41:45 charon: 15[ENC] <con3|39> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Nov 5 09:41:45 charon: 15[ENC] <con3|39> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 5 09:41:45 charon: 15[NET] <con3|39> received packet: from b.b.b.b[500] to a.a.a.a[500] (449 bytes)
Nov 5 09:41:45 charon: 15[NET] <con3|39> sending packet: from a.a.a.a[500] to b.b.b.b[500] (464 bytes)
Nov 5 09:41:45 charon: 15[ENC] <con3|39> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 15[CFG] received stroke: initiate 'con3'
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 5 09:41:45 charon: 14[CFG] id 'a.a.a.a' not confirmed by certificate, defaulting to 'certificate id'
Nov 5 09:41:45 charon: 14[CFG] loaded certificate "certificate id" from '/usr/local/etc/ipsec.d/certs/cert-3.crt'
Nov 5 09:41:45 charon: 14[CFG] received stroke: add connection 'con3'
Nov 5 09:41:45 charon: 15[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Nov 5 09:41:45 charon: 15[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 5 09:41:45 charon: 15[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 5 09:41:45 charon: 15[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 5 09:41:45 charon: 15[CFG] loaded ca certificate "CN=internal-opnsense-ca" from '/usr/local/etc/ipsec.d/cacerts/63707b99.0.crt'
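Added example, not from the thread and not OPNsense or strongSwan code: a small Python triage for charon lines like the ones posted above. It undoes the newest-first order of the OPNsense log viewer, groups lines by IKE_SA number and, per SA, pulls out who initiated, which identity pair charon tried to match, whether charon offered certificate authentication ("sending cert request" / CERTREQ) and why IKE_AUTH failed. The sample log is constructed from a subset of the post's own lines with its a.a.a.a / b.b.b.b / www.bbbb.nl placeholders; the hint texts are my reading of this thread, not strongSwan documentation.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines from this thread, kept in the
# newest-first order the OPNsense log viewer shows. Placeholders as in the post.
SAMPLE_LOG = """\
Nov 5 10:07:18 charon: 15[NET] <41> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 5 10:07:18 charon: 15[CFG] <41> no matching peer config found
Nov 5 10:07:18 charon: 15[CFG] <41> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 5 10:07:18 charon: 15[ENC] <41> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Nov 5 10:07:18 charon: 15[ENC] <41> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 5 10:07:18 charon: 15[IKE] <41> sending cert request for "CN=internal-opnsense-ca"
Nov 5 10:07:18 charon: 15[IKE] <41> b.b.b.b is initiating an IKE_SA
Nov 5 09:41:45 charon: 15[IKE] <con3|39> received INVALID_SYNTAX notify error
Nov 5 09:41:45 charon: 15[IKE] <con3|39> authentication of (certificate id) (myself) with pre-shared key
Nov 5 09:41:45 charon: 15[IKE] <con3|39> initiating IKE_SA con3[39] to b.b.b.b
Nov 5 09:41:45 charon: 14[CFG] added configuration 'con3'
Nov 2 21:42:44 charon: 11[NET] <con2|22> sending packet: from a.a.a.a[500] to b.b.b.b[500] (80 bytes)
Nov 2 21:42:44 charon: 11[ENC] <con2|22> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 2 21:42:44 charon: 11[IKE] <con2|22> no shared key found for '%any' - 'www.bbbb.nl'
Nov 2 21:42:44 charon: 11[CFG] <con2|22> selected peer config 'con2'
Nov 2 21:42:44 charon: 11[CFG] <22> looking for peer configs matching a.a.a.a[%any]...b.b.b.b[www.bbbb.nl]
Nov 2 21:42:44 charon: 11[IKE] <22> b.b.b.b is initiating an IKE_SA
"""

# "<22>" before a connection is selected, "<con2|22>" afterwards.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<group>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
PEER_RE = re.compile(r"looking for peer configs matching ([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]")
AUTH_RE = re.compile(r"authentication of (.+) \(myself\) with (.+)")
INIT_RE = re.compile(r"initiating IKE_SA \S+ to (\S+)")
RESP_RE = re.compile(r"(\S+) is initiating an IKE_SA")

HINTS = {
    "no_shared_key": "charon found no PSK for this identity pair; compare both IDs with the secrets entry for the tunnel",
    "no_peer_config": "no phase 1 matched the peer's identity together with the auth method charon was offering",
    "peer_rejected_invalid_syntax": "the peer refused our IKE_AUTH; check which local identity and auth method we sent",
}


def parse(log_text):
    """Group charon lines by IKE_SA number in chronological order.

    The OPNsense viewer prints newest first, so the lines are reversed before
    grouping. Lines without an <sa> tag (stroke commands, certificate reloads)
    are not tied to one SA and are skipped.
    """
    sas = defaultdict(list)
    for line in reversed(log_text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            sas[int(m["sa"])].append(m.groupdict())
    return dict(sas)


def diagnose(entries):
    """Summarise one IKE_SA: role, peer, identity pair charon tried to match,
    local auth method, whether a cert request went out, and the failure seen."""
    d = {"role": None, "peer": None, "conn": None, "local_id": None, "remote_id": None,
         "local_auth": None, "cert_request_sent": False, "auth_failed_sent": False,
         "reason": None}
    for e in entries:
        msg = e["msg"]
        if e["conn"]:
            d["conn"] = e["conn"]
        if m := INIT_RE.search(msg):
            d["role"], d["peer"] = "initiator", m.group(1)
        elif m := RESP_RE.search(msg):
            d["role"], d["peer"] = "responder", m.group(1)
        elif m := PEER_RE.search(msg):
            d["local_id"], d["remote_id"] = m.group(2), m.group(4)
        elif m := AUTH_RE.search(msg):
            d["local_id"], d["local_auth"] = m.group(1), m.group(2)
        elif msg.startswith("sending cert request for"):
            d["cert_request_sent"] = True
        elif "N(AUTH_FAILED)" in msg:
            d["auth_failed_sent"] = True
        elif msg.startswith("no shared key found for"):
            d["reason"] = "no_shared_key"
        elif msg == "no matching peer config found":
            d["reason"] = "no_peer_config"
        elif "received INVALID_SYNTAX notify error" in msg:
            d["reason"] = "peer_rejected_invalid_syntax"
    return d


def looks_like_dn(identity):
    """A certificate subject (C=.., O=..) or the poster's '(certificate id)'
    placeholder where an IP or FQDN was expected."""
    return "=" in identity or identity.startswith("(certificate")


def explain(d):
    """Hints for one diagnosed SA; the second note is this thread's reading:
    a CERTREQ on a PSK tunnel, or a DN used as the local ID with PSK auth,
    points at certificate material left attached to the phase 1 entry."""
    notes = [HINTS.get(d["reason"], "no failure recorded for this SA")]
    psk_with_dn = d["local_auth"] == "pre-shared key" and d["local_id"] and looks_like_dn(d["local_id"])
    if d["cert_request_sent"] or psk_with_dn:
        notes.append("certificate material is attached to this phase 1 although the tunnel should use a PSK")
    return notes


if __name__ == "__main__":
    for sa, entries in sorted(parse(SAMPLE_LOG).items()):
        d = diagnose(entries)
        print(f"IKE_SA {sa} ({d['role']} vs {d['peer']}, conn={d['conn']}): {d['reason']}")
        for note in explain(d):
            print("   -", note)
```

Paste the full output of the IPsec log page into SAMPLE_LOG (or read a file into parse) and look at the SA that failed last; the identity pair and the cert request flag are the two things to compare against the phase 1 settings on both ends.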
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #4 on: November 05, 2018, 11:01:28 am
Can you post screenshots of your tunnel setup?
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #5 on: November 05, 2018, 12:12:10 pm
Hi,
I attached the OPNsense screenshots.
Kind regards,
Ray
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #6 on: November 05, 2018, 01:04:40 pm
Hi,
These are the screenshots of the SonicWALL. I left out the network tab. It only shows names of the local and remote networks, but they are the full /24 local and remote network.
Ray
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #7 on: November 05, 2018, 01:21:39 pm
I think it's definitely the certificate which is presented to the SonicWALL. In the SonicWALL log I see the following error:
IKEv2 initiator: Proposed IKE ID mismatch. In the data it shows the data of the certificate, which I don't want to use...
So, is it possible to configure OPNsense to NOT use a certificate for IPSEC?
jmirakul
Newbie
Posts: 2
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #8 on: November 05, 2018, 01:30:27 pm
Hi,
I have a similar problem with certificates and IPsec settings. After the initial creation of IPSEC Phase 1 everything is OK. However, after the first update of IPSEC Phase 1, the tunnel started to use the certificate as Local ID and the tunnel can no longer be established. Everything is seen on VPN: IPsec: Status Overview, where under Local ID, instead of an IP address, appears: C=D, ST=South Holland, L=Middelharnis, O=OPNsense
After that, I could not find a regular way (using the webGUI) to remove this certificate from the settings.
The only way I found is: download the XML configuration and manually delete <certref>58b76f2b66944</certref> from the IPsec phase 1 settings. This XML tag always appears after the first webGUI settings update of IPsec phase 1.
Very strange.
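Added example, not from the thread and not OPNsense code: the manual XML edit described above done with Python's standard library, so that only phase 1 entries that authenticate with a pre-shared key lose their <certref> and a tunnel that genuinely uses certificates is left untouched. The config fragment is constructed; the element names <ipsec>, <phase1> and <certref> come from this thread, while <ikeid>, <authentication_method> and the value pre_shared_key are assumptions about the OPNsense config layout, so compare them with your own backup before running this on one.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an OPNsense config backup.
# <ipsec>/<phase1>/<certref> follow the thread; <ikeid>, <authentication_method>
# and its values are assumed for illustration and do not form a complete config.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <remote-gateway>b.b.b.b</remote-gateway>
      <authentication_method>pre_shared_key</authentication_method>
      <pre-shared-key>REDACTED</pre-shared-key>
      <certref>58b76f2b66944</certref>
    </phase1>
    <phase1>
      <ikeid>2</ikeid>
      <iketype>ikev2</iketype>
      <remote-gateway>c.c.c.c</remote-gateway>
      <authentication_method>rsasig</authentication_method>
      <certref>58b76f2b66955</certref>
    </phase1>
  </ipsec>
</opnsense>
"""

# Assumed value name for PSK authentication; verify against your own backup.
PSK_METHODS = {"pre_shared_key"}


def certrefs(xml_text):
    """Map ikeid -> certref text (None when absent), for before/after checks."""
    root = ET.fromstring(xml_text)
    return {p1.findtext("ikeid"): p1.findtext("certref") for p1 in root.iter("phase1")}


def strip_stray_certrefs(xml_text):
    """Remove <certref> only from phase 1 entries that authenticate with a PSK.

    Returns (cleaned_xml, list of touched ikeids). Entries using certificate
    authentication keep their certref, so a mixed setup is not broken.
    """
    root = ET.fromstring(xml_text)
    touched = []
    for p1 in root.iter("phase1"):
        method = p1.findtext("authentication_method", default="")
        cert = p1.find("certref")
        if cert is not None and method in PSK_METHODS:
            p1.remove(cert)
            touched.append(p1.findtext("ikeid"))
    return ET.tostring(root, encoding="unicode"), touched


if __name__ == "__main__":
    cleaned, ids = strip_stray_certrefs(SAMPLE_CONFIG)
    print("before:", certrefs(SAMPLE_CONFIG))
    print("after: ", certrefs(cleaned))
    print("removed certref from phase1 ikeid(s):", ids)
```

On a real backup, parse the file with ET.parse, call the same function on the tree's root and write it back with tree.write(path, xml_declaration=True, encoding="UTF-8"), then restore it the way it was exported. The backup holds the pre-shared key in clear, so treat the file as a secret while it is outside the firewall.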
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #9 on: November 05, 2018, 01:32:49 pm
Hi,
Thanks for your reply!
You are totally right! Thank you very much!
After removing the cert from the config, tunnel did come up right away!
It would be better if the cert was removable from the gui of course. Maybe a dev can pick this up?
Last Edit: November 05, 2018, 02:00:05 pm by Rayman
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #10 on: November 05, 2018, 02:23:30 pm
There is no maybe... only
https://github.com/opnsense/core/issues
Cheers,
Franco
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #11 on: November 05, 2018, 02:57:08 pm
Hi Franco,
Did not know this, I'll create an issue there.
Thanks,
Ray
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #12 on: November 05, 2018, 02:59:03 pm
Much appreciated, thanks!
Rayman
Newbie
Posts: 31
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #13 on: November 05, 2018, 03:44:05 pm
@jmirakul
This was checked by Ad.
When using Internet Explorer (which I did), the certificate field is shown and the certificate data is in the config xml file.
When another browser is used (I've tried Firefox), the certificate fields are not even in the GUI, and the XML file is correct then.
Kind regards,
Ray
jmirakul
Newbie
Posts: 2
Karma: 2
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)
Reply #14 on: November 05, 2018, 03:49:38 pm
Yes, I saw.
Everything works fine with Firefox but failed with Safari on OS X in my case.