[solved]IPsec, phase 2 and routing

[FCM]

Hello there

In my long quest to make my distant data lan and voip lan to work, I am trying the IPsec VPN after the OpenVPN...

So I followed the wiki and created IPsec site to site tunnel.

the problem is that the tunnel itself seems to have glitches on site A, and the phase 2 is not in place...

I mirrored all the configuration and don't know where is the problem...
And something bother me, when I look at the routes tables, I see that the distant LAN is routed via the WAN gateway of each Opnsense, is this normal ?

site A and B routes :





My configurations :

IPsec configurations :





IPsec Status :





The glitches that occurs :




I can add connection logs if it can add informations that help...
Thanks

Networks :
Site A
LAN in 192.168.20.32/23
WAN in 192.168.13.4/24
Opnsense behind a Stormshield firewall

Site B
LAN in 192.168.13.1/24
WAN in 192.168.100.16/24

[FCM]

and without a reason, they can't authentificate anymore...

Code: [Select]

May 17 16:34:25 charon: 06[IKE] received AUTHENTICATION_FAILED notify error
May 17 16:34:25 charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 17 16:34:25 charon: 06[NET] received packet: from 88.188.61.125[4500] to 192.168.13.4[4500] (96 bytes)
May 17 16:34:25 charon: 06[NET] sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (416 bytes)
May 17 16:34:25 charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 17 16:34:25 charon: 06[IKE] establishing CHILD_SA con1{2}
May 17 16:34:25 charon: 06[IKE] establishing CHILD_SA con1{2}
May 17 16:34:25 charon: 06[IKE] authentication of '192.168.13.4' (myself) with pre-shared key
May 17 16:34:25 charon: 06[IKE] sending cert request for "C=NL, ST=ZH, L=Middelharnis, O=OPNsense, E=spam@opnsense.org, CN=internal-sslvpn-ca"
May 17 16:34:25 charon: 06[IKE] received 2 cert requests for an unknown ca
May 17 16:34:25 charon: 06[IKE] remote host is behind NAT
May 17 16:34:25 charon: 06[IKE] local host is behind NAT, sending keep alives
May 17 16:34:25 charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
May 17 16:34:25 charon: 06[NET] received packet: from 88.188.61.125[500] to 192.168.13.4[500] (509 bytes)
May 17 16:34:25 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 17 16:34:25 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 06[IKE] initiating IKE_SA con1[8] to 88.188.61.125
May 17 16:34:25 charon: 11[CFG] received stroke: initiate 'con1'

[Droppie391]

hi, try to only use one cypher in both the authentication and cypher settings for phase2. we had problems with more then one in the past. e.g Cypher protocol = AES256 and Auth = SHA1 or whatever you prefer.

[mimugmail]

For me it seems to be mismatched secret and also P1 not established

[FCM]

I know
but the secret word is simple and short and the same on each side...
and this morning, like yesterday, I have the green play button on both site status...

I don't understand I did nothing but in the afternoon Auth failed then in the morning no more fail...
and sometimes site A status icone change from green to orange
same thing each day for the last 2 days... this time it's not authentification but connection ??

and still no phase 2

logs from this morning :

Code: [Select]

May 18 08:51:34 charon: 13[IKE] establishing IKE_SA failed, peer not responding
May 18 08:51:34 charon: 13[IKE] giving up after 5 retransmits
May 18 08:50:18 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:50:18 charon: 13[IKE] retransmit 5 of request with message ID 0
May 18 08:49:36 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:36 charon: 13[IKE] retransmit 4 of request with message ID 0
May 18 08:49:13 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:13 charon: 13[IKE] retransmit 3 of request with message ID 0
May 18 08:49:00 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:49:00 charon: 13[IKE] retransmit 2 of request with message ID 0
May 18 08:48:53 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:48:53 charon: 13[IKE] retransmit 1 of request with message ID 0
May 18 08:48:49 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:48:49 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:48:49 charon: 13[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:48:49 charon: 13[IKE] peer not responding, trying again (3/3)
May 18 08:48:49 charon: 13[IKE] giving up after 5 retransmits
May 18 08:47:33 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:47:33 charon: 13[IKE] retransmit 5 of request with message ID 0
May 18 08:46:51 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:51 charon: 13[IKE] retransmit 4 of request with message ID 0
May 18 08:46:28 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:28 charon: 13[IKE] retransmit 3 of request with message ID 0
May 18 08:46:14 charon: 13[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:14 charon: 13[IKE] retransmit 2 of request with message ID 0
May 18 08:46:07 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:07 charon: 06[IKE] retransmit 1 of request with message ID 0
May 18 08:46:03 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:46:03 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:46:03 charon: 06[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:46:03 charon: 06[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:46:03 charon: 06[IKE] peer not responding, trying again (2/3)
May 18 08:46:03 charon: 06[IKE] giving up after 5 retransmits
May 18 08:44:48 charon: 06[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:44:48 charon: 06[IKE] retransmit 5 of request with message ID 0
May 18 08:44:06 charon: 08[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:44:06 charon: 08[IKE] retransmit 4 of request with message ID 0
May 18 08:43:42 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:42 charon: 11[IKE] retransmit 3 of request with message ID 0
May 18 08:43:29 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:29 charon: 11[IKE] retransmit 2 of request with message ID 0
May 18 08:43:22 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:22 charon: 11[IKE] retransmit 1 of request with message ID 0
May 18 08:43:18 charon: 11[NET] sending packet: from 192.168.13.4[500] to 88.188.61.125[500] (464 bytes)
May 18 08:43:18 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:18 charon: 11[IKE] initiating IKE_SA con1[16] to 88.188.61.125
May 18 08:43:18 charon: 09[CFG] received stroke: initiate 'con1'

[mimugmail]

The it's related to your NAT device in front ... IPSEC and NAT are not the best buddies ..

[FCM]

problem resolved...
in fact the "auth failed" came from the local ID and peer ID !
At first, I let the "My IP address" and the "Peer IP address" in the authentification fields as described in the wiki.
But when I put siteA / siteB and siteB / SiteA as unique names, then the connection was established !!

Fist step done, now the phones...

thanks again for helping !