- solved - IPsec with Windows 10

Started by Stephan84, May 05, 2020, 11:36:11 AM

May 05, 2020, 11:36:11 AM Last Edit: May 06, 2020, 09:13:46 PM by Stephan84
Hello,

I am currently trying to set up an IPsec tunnel to the OPNsense using only the built-in Windows 10 client, following aqui's guide exactly:

https://administrator.de/wissen/ipsec-vpn-mobile-benutzer-pfsense-opnsense-firewall-einrichten-337198.html

Unfortunately, when connecting I get the error message "IKE-Authentifizierung-Anmeldeinformationen sind nicht akzeptabel" (Windows' "IKE authentication credentials are unacceptable").

For testing I have OPNsense running in VMware and everything configured so far; I have already had OpenVPN and WireGuard tunnels running successfully. The firewall rules are set to ANY for testing.

I created a CA and then a server certificate, which I exported and imported on the client. Somehow I have the feeling that something is wrong with the certificates!? Can anyone confirm this for me?

The OPNsense is running version: OPNsense 20.1.6-amd64

Here is the configuration:

Overview: [screenshot not included in this copy of the thread]

Mobile_Client: [screenshot not included]

Phase 1: [screenshot not included]

Phase 2: [screenshot not included]

Here is the log from the OPNsense:

2020-05-05T11:09:07   charon: 14[JOB] <con1|1> deleting half open IKE_SA with 192.168.178.82 after timeout
2020-05-05T11:08:37   charon: 14[NET] <con1|1> sending packet: from 192.168.178.250[4500] to 192.168.178.82[4500] (436 bytes)
2020-05-05T11:08:37   charon: 14[NET] <con1|1> sending packet: from 192.168.178.250[4500] to 192.168.178.82[4500] (1236 bytes)
2020-05-05T11:08:37   charon: 14[ENC] <con1|1> generating IKE_AUTH response 1 [ EF(2/2) ]
2020-05-05T11:08:37   charon: 14[ENC] <con1|1> generating IKE_AUTH response 1 [ EF(1/2) ]
2020-05-05T11:08:37   charon: 14[ENC] <con1|1> splitting IKE message (1600 bytes) into 2 fragments
2020-05-05T11:08:37   charon: 14[ENC] <con1|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2020-05-05T11:08:37   charon: 14[IKE] <con1|1> sending end entity cert "C=DE, ST=BW, L=KA, O=abc, E=info@infode, CN=OPNsense, subjectAltName=IP:192.168.178.250,DNS:OPNsense.localdomain"
2020-05-05T11:08:37   charon: 14[IKE] <con1|1> authentication of '192.168.178.250' (myself) with RSA signature successful
2020-05-05T11:08:37   charon: 14[IKE] <con1|1> peer supports MOBIKE
2020-05-05T11:08:37   charon: 14[IKE] <con1|1> initiating EAP_IDENTITY method (id 0x00)
2020-05-05T11:08:37   charon: 14[CFG] <con1|1> selected peer config 'con1'
2020-05-05T11:08:37   charon: 14[CFG] <1> looking for peer configs matching 192.168.178.250[%any]...192.168.178.82[192.168.178.82]
2020-05-05T11:08:37   charon: 14[IKE] <1> received 69 cert requests for an unknown ca
2020-05-05T11:08:37   charon: 14[IKE] <1> received cert request for "C=DE, ST=BW, L=KA, O=abc, E=info@infode, CN=OPNsense, subjectAltName=IP:192.168.178.250,DNS:OPNsense.localdomain"
2020-05-05T11:08:37   charon: 14[IKE] <1> received cert request for "C=AD, ST=DE, L=KA, O=abc, E=info@info.de, CN=Test"
2020-05-05T11:08:37   charon: 14[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
2020-05-05T11:08:37   charon: 14[ENC] <1> received fragment #3 of 4, reassembled fragmented IKE message (1712 bytes)
2020-05-05T11:08:37   charon: 14[ENC] <1> parsed IKE_AUTH request 1 [ EF(3/4) ]
2020-05-05T11:08:37   charon: 14[NET] <1> received packet: from 192.168.178.82[4500] to 192.168.178.250[4500] (580 bytes)
2020-05-05T11:08:37   charon: 15[ENC] <1> received fragment #4 of 4, waiting for complete IKE message
2020-05-05T11:08:37   charon: 15[ENC] <1> parsed IKE_AUTH request 1 [ EF(4/4) ]
2020-05-05T11:08:37   charon: 15[NET] <1> received packet: from 192.168.178.82[4500] to 192.168.178.250[4500] (228 bytes)
2020-05-05T11:08:37   charon: 03[ENC] <1> received fragment #2 of 4, waiting for complete IKE message
2020-05-05T11:08:37   charon: 03[ENC] <1> parsed IKE_AUTH request 1 [ EF(2/4) ]
2020-05-05T11:08:37   charon: 03[NET] <1> received packet: from 192.168.178.82[4500] to 192.168.178.250[4500] (580 bytes)
2020-05-05T11:08:37   charon: 05[ENC] <1> received fragment #1 of 4, waiting for complete IKE message
2020-05-05T11:08:37   charon: 05[ENC] <1> parsed IKE_AUTH request 1 [ EF(1/4) ]
2020-05-05T11:08:37   charon: 05[NET] <1> received packet: from 192.168.178.82[4500] to 192.168.178.250[4500] (580 bytes)
2020-05-05T11:08:37   charon: 05[NET] <1> sending packet: from 192.168.178.250[500] to 192.168.178.82[500] (501 bytes)
2020-05-05T11:08:37   charon: 05[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-05-05T11:08:37   charon: 05[IKE] <1> sending cert request for "C=DE, ST=BW, L=KA, O=abc, E=info@infode, CN=vpnca"
2020-05-05T11:08:37   charon: 05[IKE] <1> sending cert request for "C=AD, ST=DE, L=KA, O=abc, E=info@info.de, CN=Test"
2020-05-05T11:08:37   charon: 05[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-05-05T11:08:37   charon: 05[IKE] <1> 192.168.178.82 is initiating an IKE_SA
2020-05-05T11:08:37   charon: 05[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
2020-05-05T11:08:37   charon: 05[IKE] <1> received Vid-Initial-Contact vendor ID
2020-05-05T11:08:37   charon: 05[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
2020-05-05T11:08:37   charon: 05[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
2020-05-05T11:08:37   charon: 05[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
2020-05-05T11:08:37   charon: 05[NET] <1> received packet: from 192.168.178.82[500] to 192.168.178.250[500] (544 bytes)
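An added example, not from the thread or from OPNsense/strongSwan: a small Python script that parses charon log lines like the ones above (both the `charon:` and the `charon[pid]` line shapes seen in this thread), groups them per IKE_SA, and reports the two things worth checking first in such a trace: whether the client ever answered the IKE_AUTH response that carried the EAP identity request, and how the CA names in the client's CERTREQ payloads compare with the ones the server asks for and the end-entity cert it sends. The sample log is a constructed excerpt of the first post's own lines.

```python
import re

# Constructed excerpt of the post's charon log, oldest entry first; identities are the post's own.
SAMPLE_LOG = """\
2020-05-05T11:08:37   charon: 05[IKE] <1> 192.168.178.82 is initiating an IKE_SA
2020-05-05T11:08:37   charon: 05[IKE] <1> sending cert request for "C=DE, ST=BW, L=KA, O=abc, E=info@infode, CN=vpnca"
2020-05-05T11:08:37   charon: 05[IKE] <1> sending cert request for "C=AD, ST=DE, L=KA, O=abc, E=info@info.de, CN=Test"
2020-05-05T11:08:37   charon: 14[IKE] <1> received cert request for "C=DE, ST=BW, L=KA, O=abc, E=info@infode, CN=OPNsense, subjectAltName=IP:192.168.178.250,DNS:OPNsense.localdomain"
2020-05-05T11:08:37   charon: 14[IKE] <1> received cert request for "C=AD, ST=DE, L=KA, O=abc, E=info@info.de, CN=Test"
2020-05-05T11:08:37   charon: 14[IKE] <con1|1> initiating EAP_IDENTITY method (id 0x00)
2020-05-05T11:08:37   charon: 14[IKE] <con1|1> sending end entity cert "C=DE, ST=BW, L=KA, O=abc, E=info@infode, CN=OPNsense, subjectAltName=IP:192.168.178.250,DNS:OPNsense.localdomain"
2020-05-05T11:09:07   charon: 14[JOB] <con1|1> deleting half open IKE_SA with 192.168.178.82 after timeout
"""
# <1> and <con1|1> both carry the numeric IKE_SA id (con1 is the matched config name).
LINE = re.compile(r'^\S+\s+charon(?:\[\d+\])?:?\s+\d+\[\w+\]\s+<(?:[^|>]*\|)?(\d+)>\s+(.*)$')
QUOTED = re.compile(r'"([^"]+)"')

def analyze(log_text):
    """Group charon lines by IKE_SA id and collect what a verdict needs."""
    sas = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m: continue
        sa = sas.setdefault(m.group(1), {"peer": None, "server_cas": set(), "client_cas": set(),
                                         "end_entity": None, "eap_identity": False, "timed_out": False})
        msg = m.group(2)
        if msg.endswith("is initiating an IKE_SA"):
            sa["peer"] = msg.split()[0]
        elif msg.startswith(("sending cert request", "received cert request")):
            side = "server_cas" if msg.startswith("sending") else "client_cas"
            sa[side].update(QUOTED.findall(msg))           # redacted DNs simply yield nothing
        elif msg.startswith("sending end entity cert"):
            sa["end_entity"] = (QUOTED.findall(msg) or [None])[0]
        elif msg.startswith("initiating EAP_IDENTITY"):
            sa["eap_identity"] = True
        elif msg.startswith("deleting half open IKE_SA"):
            sa["timed_out"] = True
        sa["findings"] = findings(sa)
    return sas

def findings(sa):
    out = []
    if sa["eap_identity"] and sa["timed_out"]:
        out.append("no reply to the IKE_AUTH response that carried EAP/REQ/ID")
    for dn in sorted(sa["server_cas"] - sa["client_cas"]):
        out.append(f"client CERTREQ never named a CA the server asked for: {dn}")
    if sa["end_entity"] and sa["end_entity"] in sa["client_cas"]:
        out.append("client CERTREQ names the server's end entity cert rather than its issuing CA")
    return out
```

Run `analyze(open("/var/log/ipsec.log").read())` (path assumed) against a live capture and read the `findings` list per IKE_SA; on the sample it reports all three observations for SA 1.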
And what was the solution?


Sent from my iPhone using Tapatalk Pro
Internet: Willy.tel Down: 1Gbit/s, UP: 250Mbit/s fibre |
Router/Firewall: pfSense+ 23.09 |
Hardware: Netgate 6100

October 09, 2021, 09:25:00 AM #3 Last Edit: October 09, 2021, 09:28:28 AM by markush
Hello,

I am currently struggling with exactly the same problem and the same log output:

2021-10-09T09:20:26 charon[79660] 13[JOB] <con1|3> deleting half open IKE_SA with 80.187.106.185 after timeout
2021-10-09T09:20:17 charon[79660] 13[IKE] <con1|3> sending keep alive to 80.187.106.185[7116]
2021-10-09T09:19:56 charon[79660] 11[NET] <con1|3> sending packet: from ...........[4500] to 80.187.106.185[7116] (500 bytes)
2021-10-09T09:19:56 charon[79660] 11[NET] <con1|3> sending packet: from ..............[4500] to 80.187.106.185[7116] (1236 bytes)
2021-10-09T09:19:56 charon[79660] 11[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(2/2) ]
2021-10-09T09:19:56 charon[79660] 11[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(1/2) ]
2021-10-09T09:19:56 charon[79660] 11[ENC] <con1|3> splitting IKE message (1664 bytes) into 2 fragments
2021-10-09T09:19:56 charon[79660] 11[ENC] <con1|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2021-10-09T09:19:56 charon[79660] 11[IKE] <con1|3> sending end entity cert ...........
2021-10-09T09:19:56 charon[79660] 11[IKE] <con1|3> authentication of '................' (myself) with RSA signature successful
2021-10-09T09:19:56 charon[79660] 11[IKE] <con1|3> peer supports MOBIKE
2021-10-09T09:19:56 charon[79660] 11[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
2021-10-09T09:19:56 charon[79660] 11[CFG] <con1|3> selected peer config 'con1'


Maybe someone here can help me out, or give the OP a tip?

Oh, and: the VPN works without any problems from my phone!

Regards