[SOLVED] Ipsec between two FW

Started by Julien, August 03, 2017, 01:27:48 AM

August 03, 2017, 01:27:48 AM Last Edit: August 03, 2017, 07:22:24 AM by franco
Hi Guys,
Between two OPNsense firewalls I have configured the IPsec VPN as explained below:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=ipsec

The tunnel is not coming up. I have stopped the services and even rebooted both firewalls.
Can someone please point me in the right direction?

Log site A

Aug 3 01:24:51 charon: 02[CFG] received stroke: route 'con1'
Aug 3 01:24:51 charon: 05[CFG] added configuration 'con1'
Aug 3 01:24:51 charon: 05[CFG] received stroke: add connection 'con1'
Aug 3 01:24:51 charon: 00[JOB] spawning 16 worker threads
Aug 3 01:24:51 charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Aug 3 01:24:51 charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 3 01:24:51 charon: 00[CFG] loaded IKE secret for 98.44.55.66
Aug 3 01:24:51 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 3 01:24:51 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 3 01:24:51 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 3 01:24:51 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 3 01:24:51 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'


Log Site B

Aug 3 01:20:18 charon: 05[NET] sending packet: from IP SITE B [500] to IP SITE A[500] (36 bytes)
Aug 3 01:20:18 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 3 01:20:18 charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18 charon: 05[IKE] 5.200.21.175 is initiating an IKE_SA
Aug 3 01:20:18 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 3 01:20:18 charon: 05[NET] received packet: from IP SITE A [500] to IP SITE B[500] (466 bytes)
Aug 3 01:18:12 charon: 05[CFG] received stroke: route 'con1'
DEC4240 – OPNsense Owner

I have created an OpenVPN tunnel and it does work.
https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html?highlight=vpn
I'll stick with the SSL tunnel as it's more secure than IPsec.

DEC4240 – OPNsense Owner

August 03, 2017, 10:03:49 AM #2 Last Edit: August 03, 2017, 04:19:17 PM by kug1977
Hi,

It's complaining about the algorithms ... it doesn't find an acceptable algorithm among those proposed by the party trying to connect (in IPsec most of the time called the right side).

Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

You have to use one of them, 128-bit AES (AES_CBC_128) or 256-bit AES (AES_CBC_256) ... or make both available for selection on at least one side.

Kind regards,
Kay-Uwe Genz
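An added example, not from this thread or from OPNsense's own tooling: a small Python script that reads charon "configured proposals" / "received proposals" lines like the ones quoted above, names the transform that differs between the two sides, and prints a strongSwan ipsec.conf `ike=` line that would accept both proposal sets (the "make both available on at least one side" fix). The log lines embedded in it are constructed from the ones quoted in this thread, and the ipsec.conf keyword table is an assumption that covers only the algorithms that appear here; on OPNsense the same change is made in the Phase 1 encryption settings rather than by editing ipsec.conf by hand.

```python
"""Diagnose an IKE proposal mismatch from strongSwan charon log lines.

Added example. The sample log is constructed to mirror the responder-side
'configured proposals' / 'received proposals' pair quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the responder (site B) logs its own proposal set and the
# one the initiator (site A) sent, then answers with NO_PROPOSAL_CHOSEN.
SAMPLE_LOG = """\
Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[IKE] received proposals inacceptable
Aug 3 01:20:18 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

PROPOSAL_RE = re.compile(r"\] (configured|received) proposals: (IKE|ESP|AH):(.+)$")

# ipsec.conf keywords for the algorithm names seen in this thread (assumed
# subset; anything else falls back to the lowercased charon name).
KEYWORDS = {
    "AES_CBC_128": "aes128", "AES_CBC_256": "aes256",
    "HMAC_SHA2_256_128": "sha256", "HMAC_SHA2_512_256": "sha512",
    "MODP_2048": "modp2048", "MODP_3072": "modp3072",
}


def transform_type(name: str) -> str:
    """Classify a charon algorithm name by its prefix."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith(("AES_", "3DES", "CHACHA20", "DES_", "BLOWFISH", "CAMELLIA")):
        return "encryption"
    return "other"


def parse_log(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Collect each side's proposals as {transform type: algorithm} dicts."""
    sides: Dict[str, List[Dict[str, str]]] = {"configured": [], "received": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        side, _proto, body = m.groups()
        for prop in body.split(", "):               # charon separates proposals with ", "
            algs = prop.split(":", 1)[-1]            # strip a repeated "IKE:" prefix
            sides[side].append({transform_type(t): t for t in algs.split("/")})
    return sides


def diagnose(text: str) -> List[Tuple[str, str, str]]:
    """Return [(transform type, configured, received)] for the closest pair of
    proposals, or [] if some pair agrees on every transform (SA negotiable)."""
    sides = parse_log(text)
    if not sides["configured"] or not sides["received"]:
        raise ValueError("no proposal lines found")
    best: List[Tuple[str, str, str]] = []
    for conf in sides["configured"]:
        for recv in sides["received"]:
            keys = sorted(set(conf) | set(recv))
            diffs = [(k, conf.get(k, "-"), recv.get(k, "-"))
                     for k in keys if conf.get(k) != recv.get(k)]
            if not diffs:
                return []
            if not best or len(diffs) < len(best):
                best = diffs
    return best


def ike_keyword(prop: Dict[str, str]) -> str:
    """ipsec.conf form of one proposal; the PRF is implied by the integrity algorithm."""
    return "-".join(KEYWORDS.get(prop[k], prop[k].lower())
                    for k in ("encryption", "integrity", "dh"))


def suggested_ike_line(text: str) -> str:
    """ike= line for the responder that accepts its own proposal plus the peer's."""
    sides = parse_log(text)
    seen: List[str] = []
    for p in sides["configured"] + sides["received"]:
        kw = ike_keyword(p)
        if kw not in seen:
            seen.append(kw)
    return "ike=" + ",".join(seen) + "!"   # trailing "!" = strict, no fallback


if __name__ == "__main__":
    for ttype, conf, recv in diagnose(SAMPLE_LOG):
        print(f"{ttype}: configured {conf}, received {recv}")
    print(suggested_ike_line(SAMPLE_LOG))
```

Run against the constructed log it reports the encryption transform as the only difference (AES_CBC_256 configured, AES_CBC_128 received) and suggests `ike=aes256-sha512-modp2048,aes128-sha512-modp2048!`; alternatively, set the same single algorithm on both sides.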

August 03, 2017, 11:07:30 AM #3 Last Edit: August 03, 2017, 11:12:36 AM by Julien
Quote from: kug1977 on August 03, 2017, 10:03:49 AM
Hi,

It's complaining about the algorithms ... it doesn't find an acceptable algorithm among those proposed by the party trying to connect (in IPsec most of the time called the right side).

Aug 3 01:20:18 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 3 01:20:18 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

You have to use one of them, 128-bit AES (AES_CBC_128) or 256-bit AES (AES_CBC_256) ... or make both available for selection on at least one side.

Kind regards,
Kay-Uwe Genz

Thank you for your answer, this is absolutely a good catch.
Do you suggest using IPsec over OpenVPN?
According to research OpenVPN is faster than IPsec.
Can someone share their experience with us?

DEC4240 – OPNsense Owner

If you feel more comfortable with OpenVPN, stick to it. Only if you see a lack of performance try IPsec, but I think you should be very fine now.

Quote
do you suggest using IPsec over OpenVPN?
According to research OpenVPN is faster than IPsec.

For site-to-site connections I prefer IPsec tunnels. For mobile clients (aka road warriors) I use OpenVPN. And, honestly, OPNsense has some history of breaking IPsec while upgrading ... hopefully that's in the past. So having both might be a good idea anyway.

Quote from: kug1977 on August 03, 2017, 04:18:23 PM
Quote
do you suggest using IPsec over OpenVPN?
According to research OpenVPN is faster than IPsec.

For site-to-site connections I prefer IPsec tunnels. For mobile clients (aka road warriors) I use OpenVPN. And, honestly, OPNsense has some history of breaking IPsec while upgrading ... hopefully that's in the past. So having both might be a good idea anyway.

Today I've done some tests.
With IPsec the tunnel is not really stable and is slower than OpenVPN.
The idea behind the tunnel is that office 1 can reach Active Directory in office 2. No remote users.
Remote users are using OpenVPN.
DEC4240 – OPNsense Owner