Author Topic: IPSEC AUTHENTICATION_FAILED notify error (Read 6649 times)

Sven-J · « **on:** September 02, 2019, 08:50:27 pm »

Moin zusammen!

Folgendes Szenario:

Im Datacenter:

OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
OpenSSL 1.0.2s 28 May 2019

Zu Hause:

OPNsense 19.7.3-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

IPSEC:

Im DataCenter folgende Konfiguration:

Zu Hause folgende Konfiguration:

Nun folgendes Problem:

Logs vom Datacenter:

Code: [Select]

Sep 2 20:27:40	charon: 05[IKE] <con2|4> received AUTHENTICATION_FAILED notify error
Sep 2 20:27:40	charon: 05[ENC] <con2|4> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 20:27:40	charon: 05[NET] <con2|4> received packet: from 80.XXX.XXX.55[4500] to 149.XXX.XXX.178.178[4500] (80 bytes)
Sep 2 20:27:40	charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (116 bytes)
Sep 2 20:27:40	charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40	charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40	charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(3/3) ]
Sep 2 20:27:40	charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(2/3) ]
Sep 2 20:27:40	charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ EF(1/3) ]
Sep 2 20:27:40	charon: 05[ENC] <con2|4> splitting IKE message (2448 bytes) into 3 fragments
Sep 2 20:27:40	charon: 05[ENC] <con2|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 2 20:27:40	charon: 05[IKE] <con2|4> establishing CHILD_SA con2{11}
Sep 2 20:27:40	charon: 05[IKE] <con2|4> authentication of '149.XXX.XXX.178.178' (myself) with pre-shared key
Sep 2 20:27:40	charon: 05[IKE] <con2|4> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Sep 2 20:27:40	charon: 05[IKE] <con2|4> sending cert request for "C=DE, ST=Niedersachsen, L=Nottensdorf, O=SJT CONSULTING, E=info@example.de, CN=internal-ca"
Sep 2 20:27:40	charon: 05[CFG] <con2|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40	charon: 05[ENC] <con2|4> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 2 20:27:40	charon: 05[NET] <con2|4> received packet: from 80.XXX.XXX.55[500] to 149.XXX.XXX.178.178[500] (472 bytes)
Sep 2 20:27:40	charon: 05[NET] <con2|4> sending packet: from 149.XXX.XXX.178.178[500] to 80.XXX.XXX.55[500] (464 bytes)
Sep 2 20:27:40	charon: 05[ENC] <con2|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 2 20:27:40	charon: 05[IKE] <con2|4> initiating IKE_SA con2[4] to 80.XXX.XXX.55
Sep 2 20:27:40	charon: 10[CFG] received stroke: initiate 'con2'

Logs von zu Hause:

Code: [Select]

Sep 2 20:27:40	charon: 14[NET] <3> sending packet: from 80.XXX.XXX.55[4500] to 149.XXX.XXX.178[4500] (80 bytes)
Sep 2 20:27:40	charon: 14[ENC] <3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 20:27:40	charon: 14[IKE] <3> peer supports MOBIKE
Sep 2 20:27:40	charon: 14[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 2 20:27:40	charon: 14[CFG] <3> no matching peer config found
Sep 2 20:27:40	charon: 14[CFG] <3> looking for peer configs matching 80.XXX.XXX.55[91.248.236.17]...149.XXX.XXX.178[149.XXX.XXX.178]
Sep 2 20:27:40	charon: 14[IKE] <3> received 2 cert requests for an unknown ca
Sep 2 20:27:40	charon: 14[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 2 20:27:40	charon: 14[ENC] <3> received fragment #2 of 3, reassembled fragmented IKE message (2448 bytes)
Sep 2 20:27:40	charon: 14[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/3) ]
Sep 2 20:27:40	charon: 14[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40	charon: 15[ENC] <3> received fragment #3 of 3, waiting for complete IKE message
Sep 2 20:27:40	charon: 15[ENC] <3> parsed IKE_AUTH request 1 [ EF(3/3) ]
Sep 2 20:27:40	charon: 15[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (116 bytes)
Sep 2 20:27:40	charon: 08[ENC] <3> received fragment #1 of 3, waiting for complete IKE message
Sep 2 20:27:40	charon: 08[ENC] <3> parsed IKE_AUTH request 1 [ EF(1/3) ]
Sep 2 20:27:40	charon: 08[NET] <3> received packet: from 149.XXX.XXX.178[4500] to 80.XXX.XXX.55[4500] (1236 bytes)
Sep 2 20:27:40	charon: 14[NET] <3> sending packet: from 80.XXX.XXX.55[500] to 149.XXX.XXX.178[500] (472 bytes)
Sep 2 20:27:40	charon: 14[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 2 20:27:40	charon: 14[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 2 20:27:40	charon: 14[IKE] <3> 149.XXX.XXX.178 is initiating an IKE_SA
Sep 2 20:27:40	charon: 14[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 2 20:27:40	charon: 14[NET] <3> received packet: from 149.XXX.XXX.178[500] to 80.XXX.XXX.55[500] (464 bytes)

Einer ne Idee warum der hier irgendwie was mit Zerts machen will? Soll er nicht!

mimugmail · « **Reply #1 on:** September 03, 2019, 06:45:23 am »

Paar Sachen:
- Wieso respond-only wenn du bei Peer Identifier "MyAddress" hast, das ergibt keinen Sinn. Hat einer dynamische IPs?
- Wieso IKE auto? Wenn du beide Seiten kontrollierst bitte gleich v2.
- Mach den Quatsch Blowfish etc. raus, AES256, SHA256 .. das reicht, nicht zu knacken.
- PFS in P2 muss mind. 5 sein, eigentlich 14 .. ansonsten kannst du die Daten auch plain schicken (jedenfalls wenn du Angst vor Behörden hast)
- automatically ping host und "Start Immediate" beissen sich in manchen Kombinationen, z.B. Sophos-OPNsense

Sven-J · « **Reply #2 on:** September 03, 2019, 11:04:54 am »

Quote from: mimugmail on September 03, 2019, 06:45:23 am

Paar Sachen:
- Wieso respond-only wenn du bei Peer Identifier "MyAddress" hast, das ergibt keinen Sinn. Hat einer dynamische IPs?
- Wieso IKE auto? Wenn du beide Seiten kontrollierst bitte gleich v2.
- Mach den Quatsch Blowfish etc. raus, AES256, SHA256 .. das reicht, nicht zu knacken.
- PFS in P2 muss mind. 5 sein, eigentlich 14 .. ansonsten kannst du die Daten auch plain schicken (jedenfalls wenn du Angst vor Behörden hast)
- automatically ping host und "Start Immediate" beissen sich in manchen Kombinationen, z.B. Sophos-OPNsense

Moin!

Yep zu Hause habe ich ne Dynamische IP - Noch!

Wegen v2 habe ich geändert
PFS habe ich nun auch geändert sowie auch Blowfish etc. rausgeschmissen. Habe jetzt nur noch AES256, SHA256 und PFS Group14)

Disable MOBIKE war die Lösung nach dem ich das auf beiden Seiten gemacht habe, nimmt er keine Zerts mehr.

mimugmail · « **Reply #3 on:** September 03, 2019, 11:07:39 am »

Also passt alles?

Author Topic: IPSEC AUTHENTICATION_FAILED notify error (Read 6649 times)

Sven-J

IPSEC AUTHENTICATION_FAILED notify error

mimugmail

Re: IPSEC AUTHENTICATION_FAILED notify error

Sven-J

Re: IPSEC AUTHENTICATION_FAILED notify error

mimugmail

Re: IPSEC AUTHENTICATION_FAILED notify error