ikedv2 - Experiences with connections between OPNsense & OpenBSD

suados_forum

Active Member
Evening,

Does anyone have experience with whether a connection between the two systems is possible? I am currently trying to establish an encrypted connection using a vether interface on OpenBSD and the virtual interface (LAN) on OPNsense.

But I am still stuck in phase 1!?

Code:
# OpenBSD output
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type AUTHENTICATION_FAILED
ikev2_handle_notifies: AUTHENTICATION_FAILED, closing SA
spi=0x091e4fa28a0723f5: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500 policy 'initiator <-> responder'
ikev2_recv: closing SA
 

suados_forum

Active Member
The first part already makes me optimistic!

Here are the configurations:

On OpenBSD there is a vether interface with 10.1.1.2/30, and on OPNsense a virtual interface on the LAN interface with 10.1.1.1/30.

Code:
# OpenBSD: cat /etc/iked.conf
ikev2 "opensbd <-> opnsense" active esp \
  from 10.1.1.2/30 to 10.1.1.1/30 \
  from 10.1.1.2/30 to 192.168.1.2 \
  from 192.168.1.1 to 10.1.1.1/30 \
  peer 192.168.1.2 \
  psk "password"



Code:
# OPNsense configuration
PHASE 1
-------

General information 
 Connection method: default
 Key Exchange version: V2
 Internet Protocol: IPv4
 Interface: LAN
 Remote gateway: 192.168.1.2
 
Phase 1 proposal (Authentication)
 Authentication method: Mutual PSK
 My identifier: IP address 192.168.1.1
 Peer identifier: IP address 192.168.1.2
 Pre-Shared Key: password
Phase 1 proposal (Algorithms)
 Encryption algorithm: AES 128
 Hash algorithm: 14 (2048 bits)
 Lifetime: 28800

Advanced Options
 NAT Traversal: disable
 MOBIKE: disable


PHASE 2
-------

General information
 Mode: Tunnel IPv4

Local Network
 Type: Address
 Address: 10.1.1.1/32

Remote Network
 Type: Address
 Address: 10.1.1.2/32
 
Phase 2 proposal (SA/Key Exchange)
 Protocol: ESP
 Hash algorithms: SHA256
 PFS key group: 14 (2048 bits)
 Lifetime: 3600

Code:
# iked -dvvv -f /etc/iked.conf
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/192.168.1.1
ikev2 "opensbd <-> opnsense" active tunnel esp inet from 10.10.10.202/30 to 192.168.1.1 from 10.10.10.202/30 to 10.10.10.201/30 from 192.168.1.2 to 10.10.10.202/30 local any peer 192.168.1.1 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 psk 0x746573747465737474657374
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1770
ca_pubkey_serialize: type RSA_KEY length 398
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1770
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 398
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "opensbd <-> opnsense"
ikev2_policy2id: srcid FQDN/openbsd length 18
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xbeb20699912acab9 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xbeb20699912acab9 0x0000000000000000 192.168.1.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xbeb20699912acab9 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
f5f980c7 915f8e81 e23f3371 e0f6bf01 43bdf744 ead993c6 e5a20599 0bfe2b70
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
786dfb68 e21a4037 f9871a5a e4464481 8635889f fdd0d20b 5ec026cb 447c1ef2
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
73eb3105 a443c698 e87db77c aaa2cdf1 967dc6b7
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
cba4b3e9 3ea081a6 cddf1126 a2ee3db5 a47d1db4
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
spi=0xbeb20699912acab9: send IKE_SA_INIT req 0 peer 192.168.1.1:500 local 0.0.0.0:500, 334 bytes
spi=0xbeb20699912acab9: sa_state: INIT -> SA_INIT
spi=0xbeb20699912acab9: recv IKE_SA_INIT res 0 peer 192.168.1.1:500 local 192.168.1.2:500, 38 bytes, policy 'opensbd <-> opnsense'
ikev2_recv: ispi 0xbeb20699912acab9 rspi 0x0000000000000000
ikev2_recv: updated SA to peer 192.168.1.1:500 local 192.168.1.2:500
ikev2_pld_parse: header ispi 0xbeb20699912acab9 rspi 0x0000000000000000 nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 38 response 1
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
000e
ikev2_handle_notifies: responder selected DH group 14
spi=0xbeb20699912acab9: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500 policy 'opensbd <-> opnsense'
ikev2_recv: closing SA
spi=0xbeb20699912acab9: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "opensbd <-> opnsense"
ikev2_policy2id: srcid FQDN/openbsd length 18
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xd6cb201c319ec2db 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xd6cb201c319ec2db 0x0000000000000000 192.168.1.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 558 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
936934be 6466ba6e c40ed978 65141239 f6b59c54 78d2ca81 b29e61c5 c989d4b2
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
6346b2b4 421d61e6 99b04d1d ed4636fd 1ee8ef56
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
c7be7640 612e8577 777e90c8 c2497711 fbc17351
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
spi=0xd6cb201c319ec2db: send IKE_SA_INIT req 0 peer 192.168.1.1:500 local 0.0.0.0:500, 558 bytes
spi=0xd6cb201c319ec2db: sa_state: INIT -> SA_INIT
spi=0xd6cb201c319ec2db: recv IKE_SA_INIT res 0 peer 192.168.1.1:500 local 192.168.1.2:500, 464 bytes, policy 'opensbd <-> opnsense'
ikev2_recv: ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0
ikev2_recv: updated SA to peer 192.168.1.1:500 local 192.168.1.2:500
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 464 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
1ad4d2fe 3c948aac e43340ab 60af88e9 f1946aa8 4b326cbe ef83f46d 38eef2b0
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
d309b24f 37588c0d 904a2375 afb78de9 fefaeba9
ikev2_nat_detection: peer source 0xd6cb201c319ec2db 0xb21f151b48c8a8b0 192.168.1.1:500
d309b24f 37588c0d 904a2375 afb78de9 fefaeba9
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
baec5558 9152776e 40f161a5 64f30f09 563472fe
ikev2_nat_detection: peer destination 0xd6cb201c319ec2db 0xb21f151b48c8a8b0 192.168.1.2:500
baec5558 9152776e 40f161a5 64f30f09 563472fe
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 00040005
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type CHILDLESS_IKEV2_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
proposals_match: xform 1 <-> 1 (7): ENCR AES_CBC (keylength 128 <-> 0) 128
proposals_match: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 <-> 0)
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
proposals_match: xform 1 <-> 1 (13): DH MODP_2048 (keylength 0 <-> 0)
proposals_negotiate: score 22
proposals_negotiate: score 7: ENCR AES_CBC 128
proposals_negotiate: score 1: PRF HMAC_SHA2_256
proposals_negotiate: score 1: INTEGR HMAC_SHA2_256_128
proposals_negotiate: score 13: DH MODP_2048
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0xd6cb201c319ec2db: ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
868deab3 d70fa612 1e9ba672 fd2a284e 861f4650 498b43e4 a27142cb 768cbf72
spi=0xd6cb201c319ec2db: ikev2_sa_keys: S with 80 bytes
936934be 6466ba6e c40ed978 65141239 f6b59c54 78d2ca81 b29e61c5 c989d4b2
1ad4d2fe 3c948aac e43340ab 60af88e9 f1946aa8 4b326cbe ef83f46d 38eef2b0
d6cb201c 319ec2db b21f151b 48c8a8b0
ikev2_prfplus: T1 with 32 bytes
fc31adcc c427cb46 3514a960 27325b2c 360a1c12 c56e89d0 69c08276 10328918
ikev2_prfplus: T2 with 32 bytes
acf603cb a01ee03c 6500717c 51b11ff4 2b53432f 87077f0e 75943984 3eb2daed
ikev2_prfplus: T3 with 32 bytes
d9434308 f4e379f8 6f72d4f1 7352ffe9 69fce5bf 674e13e0 c8362846 4184be37
ikev2_prfplus: T4 with 32 bytes
90816cf7 d99fe5e2 00052cba 1e7e3ba0 89bbc595 4861a77f 77f6c714 4e6ebca6
ikev2_prfplus: T5 with 32 bytes
99036cf1 4b059a8f 98b7b3d1 0a9c632a 7a7263bf fd439fdb fa8fb7c7 6051f8fb
ikev2_prfplus: T6 with 32 bytes
e0549914 6f0f8c4a 883caff1 a4a09630 450cb2ee 4005c974 33cb6b29 41dfbf9d
ikev2_prfplus: Tn with 192 bytes
ikev2_sa_keys: SK_d with 32 bytes
fc31adcc c427cb46 3514a960 27325b2c 360a1c12 c56e89d0 69c08276 10328918
ikev2_sa_keys: SK_ai with 32 bytes
acf603cb a01ee03c 6500717c 51b11ff4 2b53432f 87077f0e 75943984 3eb2daed
ikev2_sa_keys: SK_ar with 32 bytes
d9434308 f4e379f8 6f72d4f1 7352ffe9 69fce5bf 674e13e0 c8362846 4184be37
ikev2_sa_keys: SK_ei with 16 bytes
90816cf7 d99fe5e2 00052cba 1e7e3ba0
ikev2_sa_keys: SK_er with 16 bytes
89bbc595 4861a77f 77f6c714 4e6ebca6
ikev2_sa_keys: SK_pi with 32 bytes
99036cf1 4b059a8f 98b7b3d1 0a9c632a 7a7263bf fd439fdb fa8fb7c7 6051f8fb
ikev2_sa_keys: SK_pr with 32 bytes
e0549914 6f0f8c4a 883caff1 a4a09630 450cb2ee 4005c974 33cb6b29 41dfbf9d
ikev2_msg_auth: initiator auth data length 622
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 22 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xc00ed1e8
pfkey_sa_init: new spi 0xc00ed1e8
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 56 nextpayload NONE
ikev2_msg_encrypt: decrypted length 242
ikev2_msg_encrypt: padded length 256
ikev2_msg_encrypt: length 243, padding 13, output length 288
ikev2_next_payload: length 292 nextpayload IDi
ikev2_msg_integr: message length 320
ikev2_msg_integr: integrity checksum length 16
faa3da56 ec16387c 5bb78bc4 1fbe2d8b 9e31055b dfeedcac 5e63c16d e11ccb90
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 320 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 292
ikev2_msg_decrypt: IV length 16
c2743f8b 72df05a2 351d9d23 026c9431
ikev2_msg_decrypt: encrypted payload length 256
ikev2_msg_decrypt: integrity checksum length 16
faa3da56 ec16387c 5bb78bc4 1fbe2d8b
ikev2_msg_decrypt: integrity check succeeded
faa3da56 ec16387c 5bb78bc4 1fbe2d8b
ikev2_msg_decrypt: decrypted payload length 256/256 padding 13
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 22
ikev2_pld_id: id FQDN/openbsd length 18
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
60f051b6 f59497d6 1b412dd0 95aecfe6 5d1c6bd6 b087655b fb5be3b0 07cc8cad
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xc00ed1e8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.10.10.200 end 10.10.10.203
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.1.2 end 192.168.1.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 56
ikev2_pld_ts: count 3 length 48
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.1.1 end 192.168.1.1
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.10.10.200 end 10.10.10.203
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.10.10.200 end 10.10.10.203
spi=0xd6cb201c319ec2db: send IKE_AUTH req 1 peer 192.168.1.1:500 local 192.168.1.2:500, 320 bytes
config_free_proposals: free 0xa109e493c80
spi=0xd6cb201c319ec2db: recv IKE_AUTH res 1 peer 192.168.1.1:500 local 192.168.1.2:500, 80 bytes, policy 'opensbd <-> opnsense'
ikev2_recv: ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0
ikev2_recv: updated SA to peer 192.168.1.1:500 local 192.168.1.2:500
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
260e41f6 b2b3ccf2 a88153b7 68028f8c
ikev2_msg_decrypt: encrypted payload length 16
8cbef0d1 8f9e70d2 0e183cef 74cd511c
ikev2_msg_decrypt: integrity checksum length 16
6eac2bc8 77478891 3a25ae66 9322718f
ikev2_msg_decrypt: integrity check succeeded
6eac2bc8 77478891 3a25ae66 9322718f
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
00000008 00000018 c3a50650 7c73fb07
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type AUTHENTICATION_FAILED
ikev2_handle_notifies: AUTHENTICATION_FAILED, closing SA
spi=0xd6cb201c319ec2db: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500 policy 'opensbd <-> opnsense'
ikev2_recv: closing SA
spi=0xd6cb201c319ec2db: sa_free: authentication failed notification from peer
config_free_proposals: free 0xa10e366ff80
 

suados_forum

Active Member
Unfortunately that is not very comprehensible to me (all Greek to me) ... could you be a bit more specific?

What do I need to change so that it works?
 

mark05

Well-Known Member
Authenticated does not equal configured, password not the same, certificate not the same.

You can swap out whatever doesn't fit.
In any case, P1 is not being authenticated successfully.

Holger
 

suados_forum

Active Member
I'm not using a certificate... the password is the same... the authentication parameters should both be speaking the same language, since the default on OpenBSD and the selection on OPNsense correspond to the OpenBSD default!
 

suados_forum

Active Member
The IPs are correct - they are supposed to be in the same network. I have already tried it with OpenBSD <--> OpenBSD, and there it works without problems!
 

suados_forum

Active Member
I have now additionally added these parameters to iked.conf:
Code:
  ...
  ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
  childsa auth hmac-sha2-256 enc aes-256 group modp2048


The way it looks to me, OpenBSD simply no longer responds to the selection proposed by OPNsense:
Code:
charon[51368]: 13[JOB] <49> deleting half open IKE_SA with 192.168.1.2 after timeout
charon[51368]: 13[NET] <49> sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (464 bytes)
charon[51368]: 13[ENC] <49> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
charon[51368]: 13[IKE] <49> remote host is behind NAT
charon[51368]: 13[CFG] <49> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon[51368]: 13[IKE] <49> 192.168.1.2 is initiating an IKE_SA


Why? Nothing is being blocked on the firewall side!
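The iked -dvvv output earlier in the thread and the charon lines from OPNsense above show the same negotiation from opposite ends, and the failure point is easier to see once the state transitions, notifies, agreed transforms and identities are pulled out of the noise. The following summariser is an added example, not code from this thread, from iked or from strongSwan; its regular expressions are written for the line shapes quoted here, and the embedded sample is constructed from those excerpts (without the hex dumps).

```python
"""Summarise an IKEv2 negotiation from iked -dvvv and charon log lines."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Patterns written for the line shapes shown in the thread (they are this
# example's own, not something iked or strongSwan ships).
RE_STATE = re.compile(r"spi=(0x[0-9a-f]+): sa_state: (\w+) -> (\w+)")
RE_NOTIFY = re.compile(r"ikev2_pld_notify: protoid \w+ spisize \d+ type (\w+)")
RE_SRCID = re.compile(r"ikev2_policy2id: srcid (\S+)")
RE_SCORE = re.compile(r"proposals_negotiate: score \d+: (\w+) (.+)$")
RE_DHGRP = re.compile(r"responder selected DH group (\d+)")
RE_CHARON = re.compile(r"charon\[\d+\]: \d+\[(\w+)\] <(\d+)> (.*)")
RE_SELECTED = re.compile(r"selected proposal: IKE:(\S+)")


@dataclass
class Summary:
    states: dict = field(default_factory=dict)    # spi -> ["A->B", ...]
    notifies: list = field(default_factory=list)  # notify types, in order
    agreed: dict = field(default_factory=dict)    # transform type -> value
    charon: list = field(default_factory=list)    # (ike_sa, subsystem, msg)
    findings: list = field(default_factory=list)
    local_id: Optional[str] = None                # IDi that iked sent (srcid)
    dh_retry: Optional[int] = None                # group chosen after INVALID_KE


def summarise(lines):
    """Walk the lines once, then derive findings from what was seen."""
    s = Summary()
    for raw in lines:
        line = raw.strip()
        if m := RE_STATE.search(line):
            s.states.setdefault(m[1], []).append(f"{m[2]}->{m[3]}")
        elif m := RE_NOTIFY.search(line):
            s.notifies.append(m[1])
        elif m := RE_SRCID.search(line):
            s.local_id = m[1]
        elif m := RE_SCORE.search(line):
            s.agreed[m[1]] = m[2]
        elif m := RE_DHGRP.search(line):
            s.dh_retry = int(m[1])
        elif m := RE_CHARON.search(line):
            s.charon.append((int(m[2]), m[1], m[3]))
            if sel := RE_SELECTED.search(m[3]):
                s.agreed["CHARON_IKE"] = sel[1]
    if s.dh_retry is not None:
        s.findings.append(
            f"INVALID_KE_PAYLOAD: responder wants DH group {s.dh_retry}; "
            "iked re-initiates with it, so this alone is not the failure")
    if "AUTHENTICATION_FAILED" in s.notifies:
        s.findings.append(
            "AUTHENTICATION_FAILED after IKE_AUTH: IKE_SA_INIT crypto was "
            "agreed, so check the PSK and both identifiers on the responder")
        if s.local_id and s.local_id.startswith("FQDN/"):
            s.findings.append(
                f"local ID was sent as {s.local_id}; a responder expecting "
                "an IP-address peer identifier will not match it")
    if any("deleting half open IKE_SA" in msg for _, _, msg in s.charon):
        s.findings.append(
            "charon deleted a half-open IKE_SA: it answered IKE_SA_INIT but "
            "saw no acceptable IKE_AUTH before the timeout")
    return s


# Constructed sample in the shape of the thread's excerpts (iked lines first,
# then the OPNsense charon view); the hex dumps are left out.
SAMPLE = """\
ikev2_policy2id: srcid FQDN/openbsd length 18
spi=0xbeb20699912acab9: sa_state: INIT -> SA_INIT
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
ikev2_handle_notifies: responder selected DH group 14
spi=0xbeb20699912acab9: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500
spi=0xd6cb201c319ec2db: sa_state: INIT -> SA_INIT
proposals_negotiate: score 7: ENCR AES_CBC 128
proposals_negotiate: score 13: DH MODP_2048
ikev2_pld_notify: protoid NONE spisize 0 type AUTHENTICATION_FAILED
spi=0xd6cb201c319ec2db: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500
charon[51368]: 13[CFG] <49> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon[51368]: 13[JOB] <49> deleting half open IKE_SA with 192.168.1.2 after timeout
"""

if __name__ == "__main__":
    result = summarise(SAMPLE.splitlines())
    for spi, seq in result.states.items():
        print(spi, " ".join(seq))
    print("agreed:", result.agreed)
    for finding in result.findings:
        print("-", finding)
```

Run it against a real capture with `summarise(open("iked.log").read().splitlines())`; the identifier finding is the one worth checking first here, since the debug output shows iked sending its ID as an FQDN while the OPNsense side is configured with an IP-address peer identifier.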
 

Crest

rm -rf /*
Team member
Could also be that the parameters simply don't match, e.g. one side wants AES128 and the other AES256.
 

mr44er

moderate Moderator
Team member
It could also be that on the sense the identifier has to be set as an address in e-mail format instead of an IP. Something like 'testid@sense.lokalhorst'

Have you compared the version numbers on the sense and on OpenBSD? The packages on the sense may have been built with different options.
You might also get the problem solved faster if you ask in the OPNsense forum.
 