IPSec / strongswan errors

[BSAfH42]

Hi,

I'm trying to set up an IPSec RoadWarrior setup, clients will be using the buildt-in VPN client in Win 10.

I tried to follow

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html and
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

but I get theses errors:

Code: [Select]


2023-03-20T15:01:03 Informational charon 14[IKE] <con1|1> unable to resolve %any, initiate aborted

2023-03-20T15:01:03 Informational charon 14[CFG] initiating 'con1'
2023-03-20T15:01:03 Informational charon 14[CFG] added vici connection: con1
2023-03-20T15:01:03 Informational charon 12[CFG] added vici pool defaultv4: 10.10.10.0, 254 entries
2023-03-20T15:01:03 Informational charon 14[CFG] loaded EAP shared key with id 'eap-d955cab7-40cb-4679-91fc-1aca866de861' for: 'christianwin'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded ANY private key
2023-03-20T15:01:03 Informational charon 13[CFG] loaded certificate 'CN=xxxxx'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded certificate 'C=US, O=Let's Encrypt, CN=R3'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded certificate 'C=xx, ST=xxx, L=xx, O=xx, E=xx, CN=Server-CA'
2023-03-20T15:01:03 Informational charon 15[CFG] loaded certificate 'CN=ChangeMe'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded certificate 'CN=xx'
2023-03-20T15:01:02 Informational charon 00[JOB] spawning 16 worker threads
2023-03-20T15:01:02 Informational charon 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2023-03-20T15:01:02 Informational charon 00[CFG] loaded 0 RADIUS server configurations


2023-03-20T15:01:02 Informational charon 00[CFG] opening secrets file '/usr/local/etc/ipsec.secrets' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/crls' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/acerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/ocspcerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/aacerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/cacerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'


2023-03-20T15:01:02 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2023-03-20T15:01:02 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2023-03-20T15:01:02 Informational charon 00[CFG] using '/sbin/resolvconf' to install DNS servers
2023-03-20T15:01:02 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64)

searching for "unable to resolve %any, initiate aborted" did not yield any useful results ... :-(

any idea?

[wbk]

Could there be an incorrect comment in one of the configuration files? Using % instead of an semicolon or # for example, or a missing quote for "any' rule in a literal option?

Is "ANY" private key a key you named yourself?

[schnipp]

I encountered the same problem some time ago. No chance, NAT-T is not implemented in FreeBSD for IPsec over IPv6. NAT-T needs to be disabled in this case. Unfortunately, some implementations do not allow to configure this parameter.

Another solution may be to use Wireguard instead.

[BSAfH42]

Could there be an incorrect comment in one of the configuration files? Using % instead of an semicolon or # for example, or a missing quote for "any' rule in a literal option?

Is "ANY" private key a key you named yourself?

I did note write the config files manually. everything has been created by the OPNsense GUI.

I don't even know where I could find those files.

The ANY or %any has been produced by the OPNsense GUI. I did select it anywhere nor did I type it in - there is not even a field in the GUI where I could type it in.

[BSAfH42]

I encountered the same problem some time ago. No chance, NAT-T is not implemented in FreeBSD for IPsec over IPv6. NAT-T needs to be disabled in this case. Unfortunately, some implementations do not allow to configure this parameter.

Another solution may be to use Wireguard instead.

no IPv6 - pure IPv4

Wireguard is not possible in this case, the Windows client machine can only use the built-in VPN client, it is not possible to install any additional VPN client on them.

 (these are centrally managed windows notebooks (via SCCM), and this a special usecase for 6 out of 800 machines, the central management will not install any software for such a small number of machines)

[BSAfH42]

I encountered the same problem some time ago. No chance, NAT-T is not implemented in FreeBSD for IPsec over IPv6. NAT-T needs to be disabled in this case. Unfortunately, some implementations do not allow to configure this parameter.

Another solution may be to use Wireguard instead.

I switched of NAT-T in the OPNsense GUI and restarted strongswan.

still no luck

Code: [Select]

2023-03-20T18:34:40 Informational charon 05[IKE] <con1|2> unable to resolve %any, initiate aborted
2023-03-20T18:34:40 Informational charon 15[CFG] received stroke: initiate 'con1'
2023-03-20T18:34:30 Informational charon 13[IKE] <con1|1> unable to resolve %any, initiate aborted
2023-03-20T18:34:30 Informational charon 13[CFG] initiating 'con1'
2023-03-20T18:34:30 Informational charon 13[CFG] added vici connection: con1
2023-03-20T18:34:30 Informational charon 11[CFG] added vici pool defaultv4: 10.10.10.0, 254 entries
2023-03-20T18:34:30 Informational charon 13[CFG] loaded EAP shared key with id 'eap-d955cab7-40cb-4679-91fc-1aca866de861' for: 'xxxxxx'
2023-03-20T18:34:30 Informational charon 13[CFG] loaded ANY private key


[schnipp]

no IPv6 - pure IPv4

What do you exactly mean with above statement? If I read the log correctly, you are trying to establish an IPsec tunnel over IPv6 with NAT-T.

I switched of NAT-T in the OPNsense GUI and restarted strongswan.

AFAIK charon does not support disabling NAT-T even if the parameter is set/unset. You can try disabling MOBIKE or forcing the client to disable NAT-T.

[BSAfH42]

well, it should be IPv4 only, so, where to disabled IPv6 for this tunnel negotiation?

I'll try to disable MOBIKE

did not help, same error

[schnipp]

The easiest way is to post your tunnel configuration without any secrets.

see file '/usr/local/etc/swanctl/swanctl.conf'

[mimugmail]

Can you post a screenshot of P1 please? It tries to initiate a tunnel when accepting 0.0.0.0, doesnt make sense

[BSAfH42]

The easiest way is to post your tunnel configuration without any secrets.

see file '/usr/local/etc/swanctl/swanctl.conf'

sure

Code: [Select]

root@OPNsense:~ # cat /usr/local/etc/swanctl/swanctl.conf
# This file is automatically generated. Do not edit
connections {
    con1 {
        unique = replace
        aggressive = no
        version = 2
        mobike = no
        local_addrs = 192.168.178.3
        local-0 {
            id = fqdn:my-fqdn-name.dedyn.io
            auth = pubkey
            certs = cert-1.crt
        }
        remote-0 {
            id = %any
            auth = eap-mschapv2
            eap_id = %any
        }
        encap = no
        remote_addrs = %any
        dpd_delay = 35 s
        dpd_timeout = 210 s
        pools = defaultv4
        send_cert = always
        proposals = aes256gcm16-sha512-curve25519,aes256gcm16-sha512-ecp521,aes256gcm16-sha512-ecp384,aes256gcm16-sha512-ecp256,aes256gcm16-sha512-modp8192,aes256gcm16-sha512-modp4096,aes256gcm16-sha512-modp2048,aes256gcm16-sha512-modp1024,aes256gcm16-sha384-curve25519,aes256gcm16-sha384-ecp521,aes256gcm16-sha384-ecp384,aes256gcm16-sha384-ecp256,aes256gcm16-sha384-modp8192,aes256gcm16-sha384-modp4096,aes256gcm16-sha384-modp2048,aes256gcm16-sha384-modp1024,aes256gcm16-sha256-curve25519,aes256gcm16-sha256-ecp521,aes256gcm16-sha256-ecp384,aes256gcm16-sha256-ecp256,aes256gcm16-sha256-modp8192,aes256gcm16-sha256-modp4096,aes256gcm16-sha256-modp2048,aes256gcm16-sha256-modp1024,aes256gcm16-sha1-curve25519,aes256gcm16-sha1-ecp521,aes256gcm16-sha1-ecp384,aes256gcm16-sha1-ecp256,aes256gcm16-sha1-modp8192,aes256gcm16-sha1-modp4096,aes256gcm16-sha1-modp2048,aes256gcm16-sha1-modp1024
        children {
            con1 {
                start_action = start
                policies = yes
                mode = tunnel
                sha256_96 = no
                dpd_action = start
                local_ts = 192.168.80.0/24
                remote_ts =
                esp_proposals = aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512,aes256gcm16-sha1,aes256gcm16-sha256,aes256gcm16-sha384,aes256gcm16-sha512
                life_time = 3600 s
            }
        }
    }
}
pools {
    defaultv4 {
        addrs = 10.10.10.0/24
    }
}
secrets {
    eap-d955cab7-40cb-4679-91fc-1aca866de861 {
        id-0 = MYID
        secret = MYPASSWD
    }
}
# Include config snippets
include conf.d/*.conf
root@OPNsense:~ #

there are no files in

Code: [Select]

include conf.d/*.conf

[BSAfH42]

Can you post a screenshot of P1 please? It tries to initiate a tunnel when accepting 0.0.0.0, doesnt make sense

sure (see attachments)

[mimugmail]

Connection method is respond only.
Are you sure this is a mobile policy? Maybe you already have one and added a second P1?

[BSAfH42]

Connection method is respond only.
Are you sure this is a mobile policy?

well, I followed
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html and
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
so it should be a mobile policy?

Maybe you already have one and added a second P1?

No, there is only one P1 defined

[BSAfH42]

Connection method is respond only.
Are you sure this is a mobile policy? Maybe you already have one and added a second P1?

see attachment