OPNsense
Author Topic: [solved]IPsec, phase 2 and routing  (Read 11761 times)

FCM
[solved]IPsec, phase 2 and routing
« on: May 17, 2018, 12:20:09 pm »
Hello there :)

In my long quest to make my distant data LAN and VoIP LAN work, I am trying the IPsec VPN after the OpenVPN...

So I followed the wiki and created an IPsec site-to-site tunnel.

The problem is that the tunnel itself seems to have glitches on site A, and phase 2 is not in place...

I mirrored all the configuration and don't know where the problem is...
And something bothers me: when I look at the routing tables, I see that the distant LAN is routed via the WAN gateway of each OPNsense. Is this normal?

Site A and B routes: [screenshot]

My configurations:

IPsec configurations: [screenshots]

IPsec status: [screenshots]

The glitches that occur: [screenshots]
I can add connection logs if that adds information that helps...
Thanks

Networks:
Site A
LAN in 192.168.20.32/23
WAN in 192.168.13.4/24
OPNsense behind a Stormshield firewall

Site B
LAN in 192.168.13.1/24
WAN in 192.168.100.16/24
« Last Edit: May 22, 2018, 03:52:46 pm by FCM »

FCM
Re: IPsec, phase 2 and routing
« Reply #1 on: May 17, 2018, 04:36:36 pm »
And without a reason, they can't authenticate anymore...

Code:
May 17 16:34:25 charon: 06[IKE] received AUTHENTICATION_FAILED notify error
May 17 16:34:25 charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 17 16:34:25 charon: 06[NET] received packet: from 88.188.61.125[4500] to 192.168.13.4[4500] (96 bytes)
May 17 16:34:25 charon: 06[NET] sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (416 bytes)
May 17 16:34:25 charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 17 16:34:25 charon: 06[IKE] establishing CHILD_SA con1{2}
May 17 16:34:25 charon: 06[IKE] establishing CHILD_SA con1{2}
May 17 16:34:25 charon: 06[IKE] authentication of '192.168.13.4' (myself) with pre-shared key
May 17 16:34:25 charon: 06[IKE] sending cert request for "C=NL, ST=ZH, L=Middelharnis, O=OPNsense, E=spam@opnsense.org, CN=internal-sslvpn-ca"
May 17 16:34:25 charon: 06[IKE] received 2 cert requests for an unknown ca
May 17 16:34:25 charon: 06[IKE] remote host is behind NAT
May 17 16:34:25 charon: 06[IKE] local host is behind NAT, sending keep alives
May 17 16:34:25 charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
May 17 16:34:25 charon: 06[NET] received packet: from 88.188.61.125[500] to 192.168.13.4[500] (509 bytes)
May 17 16:34:25 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 17 16:34:25 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 11[CFG] received stroke: initiate 'con1'

Droppie391
Re: IPsec, phase 2 and routing
« Reply #2 on: May 18, 2018, 08:17:31 am »
Hi, try to only use one cipher in both the authentication and cipher settings for phase 2. We had problems with more than one in the past. E.g. cipher protocol = AES256 and auth = SHA1, or whatever you prefer.

mimugmail
Re: IPsec, phase 2 and routing
« Reply #3 on: May 18, 2018, 08:34:49 am »
For me it seems to be a mismatched secret, and also P1 not established.
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

FCM
Re: IPsec, phase 2 and routing
« Reply #4 on: May 18, 2018, 09:01:31 am »
I know :(
But the secret word is simple and short and the same on each side...
And this morning, like yesterday, I have the green play button in the status of both sites...

I don't understand, I did nothing, but in the afternoon auth failed and then in the morning no more failures...
And sometimes the site A status icon changes from green to orange.
Same thing each day for the last 2 days... this time it's not authentication but connection??

And still no phase 2 :(

Logs from this morning:
Code:
May 18 08:51:34 charon: 13[IKE] establishing IKE_SA failed, peer not responding
May 18 08:51:34 charon: 13[IKE] giving up after 5 retransmits
May 18 08:50:18 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:50:18 charon: 13[IKE] retransmit 5 of request with message ID 0
May 18 08:49:36 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:36 charon: 13[IKE] retransmit 4 of request with message ID 0
May 18 08:49:13 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:13 charon: 13[IKE] retransmit 3 of request with message ID 0
May 18 08:49:00 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:00 charon: 13[IKE] retransmit 2 of request with message ID 0
May 18 08:48:53 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:48:53 charon: 13[IKE] retransmit 1 of request with message ID 0
May 18 08:48:49 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:48:49 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:48:49 charon: 13[IKE] peer not responding, trying again (3/3)
May 18 08:48:49 charon: 13[IKE] giving up after 5 retransmits
May 18 08:47:33 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:47:33 charon: 13[IKE] retransmit 5 of request with message ID 0
May 18 08:46:51 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:51 charon: 13[IKE] retransmit 4 of request with message ID 0
May 18 08:46:28 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:28 charon: 13[IKE] retransmit 3 of request with message ID 0
May 18 08:46:14 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:14 charon: 13[IKE] retransmit 2 of request with message ID 0
May 18 08:46:07 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:07 charon: 06[IKE] retransmit 1 of request with message ID 0
May 18 08:46:03 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:03 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:46:03 charon: 06[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:46:03 charon: 06[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:46:03 charon: 06[IKE] peer not responding, trying again (2/3)
May 18 08:46:03 charon: 06[IKE] giving up after 5 retransmits
May 18 08:44:48 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:44:48 charon: 06[IKE] retransmit 5 of request with message ID 0
May 18 08:44:06 charon: 08[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:44:06 charon: 08[IKE] retransmit 4 of request with message ID 0
May 18 08:43:42 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:42 charon: 11[IKE] retransmit 3 of request with message ID 0
May 18 08:43:29 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:29 charon: 11[IKE] retransmit 2 of request with message ID 0
May 18 08:43:22 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:22 charon: 11[IKE] retransmit 1 of request with message ID 0
May 18 08:43:18 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:18 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:18 charon: 09[CFG] received stroke: initiate 'con1'

mimugmail
Re: IPsec, phase 2 and routing
« Reply #5 on: May 18, 2018, 09:55:53 am »
Then it's related to your NAT device in front... IPsec and NAT are not the best buddies...

FCM
Re: IPsec, phase 2 and routing
« Reply #6 on: May 22, 2018, 03:52:30 pm »
Problem resolved...
In fact the "auth failed" came from the local ID and peer ID!
At first, I left "My IP address" and "Peer IP address" in the authentication fields as described in the wiki.
But when I put siteA / siteB and siteB / siteA as unique names, the connection was established!!

First step done, now the phones... :)

Thanks again for helping! :)
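As an added example (not from the thread, OPNsense or strongSwan), a small Python triage script that groups charon `[IKE]` log lines like the ones posted in replies #1 and #4 by IKE_SA instance and classifies each attempt as AUTH_FAILED (the identifier/PSK mismatch FCM found in reply #6), PEER_NOT_RESPONDING (the retransmit pattern in reply #4) or ESTABLISHED. The sample lines are copied from the thread and reordered oldest-first; `established between` is strongSwan's wording for a completed IKE_SA and does not appear in the thread, and the hint texts are my own troubleshooting notes.

```python
import re

# Sample charon lines copied from the thread, reordered oldest-first (the OPNsense log view shows newest first).
SAMPLE_LOG = """\
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 06[IKE] local host is behind NAT, sending keep alives
May 17 16:34:25 charon: 06[IKE] remote host is behind NAT
May 17 16:34:25 charon: 06[IKE] received AUTHENTICATION_FAILED notify error
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:22 charon: 11[IKE] retransmit 1 of request with message ID 0
May 18 08:44:48 charon: 06[IKE] retransmit 5 of request with message ID 0
May 18 08:44:48 charon: 06[IKE] giving up after 5 retransmits
May 18 08:51:34 charon: 13[IKE] establishing IKE_SA failed, peer not responding
"""
LINE_RE = re.compile(r"charon: \d+\[IKE\] (?P<msg>.*)$")   # only the [IKE] subsystem matters here
SA_RE = re.compile(r"initiating IKE_SA (?P<conn>\w+)\[(?P<id>\d+)\]")
HINTS = {   # what to check for each outcome (my own notes, not strongSwan output)
    "AUTH_FAILED": "IKE_SA_INIT was answered but IKE_AUTH was rejected: compare the PSK and the local/peer identifiers on both ends",
    "PEER_NOT_RESPONDING": "no IKE_SA_INIT reply at all: check that UDP/500 and UDP/4500 pass the device in front",
    "ESTABLISHED": "IKE_SA is up; if phase 2 is still missing, compare the phase 2 proposals and traffic selectors",
    "IN_PROGRESS": "no outcome logged yet",
}

def diagnose(log_text):
    """Group [IKE] messages per IKE_SA instance (e.g. con1[8]) and classify its outcome."""
    result, rec = {}, None
    for line in log_text.splitlines():
        if not (m := LINE_RE.search(line)):
            continue
        msg = m.group("msg")
        if sa := SA_RE.match(msg):   # new or retried negotiation; duplicate log lines reuse the record
            rec = result.setdefault(f"{sa['conn']}[{sa['id']}]",
                                    {"status": "IN_PROGRESS", "retransmits": 0, "local_nat": False, "remote_nat": False})
        elif rec is None:
            continue
        elif msg.startswith("retransmit "):
            rec["retransmits"] = max(rec["retransmits"], int(msg.split()[1]))
        elif "behind NAT" in msg:
            rec["local_nat" if msg.startswith("local") else "remote_nat"] = True
        elif "AUTHENTICATION_FAILED" in msg:
            rec["status"] = "AUTH_FAILED"
        elif "peer not responding" in msg or msg.startswith("giving up"):
            rec["status"] = "PEER_NOT_RESPONDING"
        elif " established between " in msg:   # strongSwan's message for a completed IKE_SA
            rec["status"] = "ESTABLISHED"
    for r in result.values():
        r["hint"] = HINTS[r["status"]]
    return result
```

Running `diagnose(SAMPLE_LOG)` separates the May 17 attempt (both ends behind NAT, auth rejected) from the May 18 attempt (five retransmits, no reply), which is the distinction between reply #3's and reply #5's diagnoses.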
