[PFSense] Connecting to IPsec over (W)LAN

Question

stefan14 (registered September 2007)
Hello everyone,

A while ago I bought a PC Engines APU2C4 to use as the firewall in my home network. I have already done a lot of fun things with it. The only thing I am still stuck on is connecting over IPsec IKEv2 with EAP-MSCHAPv2.

Using this how-to I got it working over the mobile network and over every Wi-Fi network, except my own local Wi-Fi/network.

Log from the strongSwan app on Android:
Jan  8 09:57:09 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.4.67-cyanogenmod-g845a9ab, armv7l)
Jan  8 09:57:09 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan  8 09:57:09 00[JOB] spawning 16 worker threads
Jan  8 09:57:09 05[IKE] initiating IKE_SA android[1] to 10.0.0.2
Jan  8 09:57:09 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  8 09:57:09 05[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (744 bytes)
Jan  8 09:57:09 04[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (38 bytes)
Jan  8 09:57:09 04[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan  8 09:57:09 04[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Jan  8 09:57:09 04[IKE] initiating IKE_SA android[1] to 10.0.0.2
Jan  8 09:57:09 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  8 09:57:09 04[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (1064 bytes)
Jan  8 09:57:10 08[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (609 bytes)
Jan  8 09:57:10 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jan  8 09:57:10 08[IKE] faking NAT situation to enforce UDP encapsulation
Jan  8 09:57:10 08[IKE] received cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
Jan  8 09:57:10 08[IKE] sending cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
Jan  8 09:57:10 08[IKE] establishing CHILD_SA android
Jan  8 09:57:10 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan  8 09:57:10 08[NET] sending packet: from 10.0.1.17[59790] to 10.0.0.2[4500] (544 bytes)
Jan  8 09:57:10 09[NET] received packet: from 10.0.0.2[4500] to 10.0.1.17[59790] (80 bytes)
Jan  8 09:57:10 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan  8 09:57:10 09[IKE] received AUTHENTICATION_FAILED notify error


Log from pfSense:
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
Jan 8 13:18:23	charon		14[NET] <bypasslan|24> sending packet: from 10.0.0.2[4500] to 10.0.1.17[40215] (80 bytes)
Jan 8 13:18:23	charon		14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> peer supports MOBIKE
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP6_DNS attribute
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP4_DNS attribute
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP6_ADDRESS attribute
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> processing INTERNAL_IP4_ADDRESS attribute
Jan 8 13:18:23	charon		14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23	charon		14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23	charon		14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23	charon		14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 8 13:18:23	charon		14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
Jan 8 13:18:23	charon		14[IKE] <24> received cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
Jan 8 13:18:23	charon		14[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 8 13:18:23	charon		14[NET] <24> received packet: from 10.0.1.17[40215] to 10.0.0.2[4500] (544 bytes)
Jan 8 13:18:23	charon		14[NET] <24> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (609 bytes)
Jan 8 13:18:23	charon		14[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jan 8 13:18:23	charon		14[IKE] <24> sending cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
Jan 8 13:18:23	charon		14[IKE] <24> remote host is behind NAT
Jan 8 13:18:22	charon		14[CFG] <24> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22	charon		14[CFG] <24> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jan 8 13:18:22	charon		14[CFG] <24> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Jan 8 13:18:22	charon		14[CFG] <24> proposal matches
Jan 8 13:18:22	charon		14[CFG] <24> selecting proposal:
Jan 8 13:18:22	charon		14[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
Jan 8 13:18:22	charon		14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22	charon		14[CFG] <24> found matching ike config: %any...%any with prio 24
Jan 8 13:18:22	charon		14[CFG] <24> candidate: %any...%any, prio 24
Jan 8 13:18:22	charon		14[CFG] <24> looking for an ike config for 10.0.0.2...10.0.1.17
Jan 8 13:18:22	charon		14[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 13:18:22	charon		14[NET] <24> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (1064 bytes)
Jan 8 13:18:22	charon		14[IKE] <23> IKE_SA (unnamed)[23] state change: CONNECTING => DESTROYING
Jan 8 13:18:22	charon		14[NET] <23> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (38 bytes)
Jan 8 13:18:22	charon		14[ENC] <23> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 13:18:22	charon		14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22	charon		14[IKE] <23> remote host is behind NAT
Jan 8 13:18:22	charon		14[CFG] <23> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22	charon		14[CFG] <23> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jan 8 13:18:22	charon		14[CFG] <23> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Jan 8 13:18:22	charon		14[CFG] <23> proposal matches
Jan 8 13:18:22	charon		14[CFG] <23> selecting proposal:
Jan 8 13:18:22	charon		14[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Jan 8 13:18:22	charon		14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22	charon		14[CFG] <23> found matching ike config: %any...%any with prio 24
Jan 8 13:18:22	charon		14[CFG] <23> candidate: %any...%any, prio 24
Jan 8 13:18:22	charon		14[CFG] <23> looking for an ike config for 10.0.0.2...10.0.1.17
Jan 8 13:18:22	charon		14[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 13:18:22	charon		14[NET] <23> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (744 bytes)


My certificate has 2 IPs: the local IP and my public IP. The FQDN is the common name and the alternative name.

My Phase 2:

Mode     Local Subnet   Remote Subnet   P2 Protocol   P2 Transforms   P2 Auth Methods
tunnel   0.0.0.0/0                      ESP           AES (auto)      SHA1, SHA256

My LAN is 10.0.0.0/16, where DHCP is 10.0.1.0/24 and all my servers are in 10.0.0.0/24. IPsec is 10.1.0.0/24.

pfSense is version 2.3.2-RELEASE-p1 (amd64).

I myself think the error is somewhere in Phase 2: either I still need to add a second tunnel, or I need to start using NAT/BINAT translation.

Who can help me further?

All replies

stefan14 (registered September 2007)
Nobody?

Kabouterplop01 (registered March 2002)
Hmm, could it be that your IPsec range is throwing a spanner in the works: 10.1.0.0/24 does not fall within 10.0.0.0/16.
I also see an auth failed. That does not look right to me either.

XiMMiX (registered May 2012)
I do not have much experience with IPsec, and none at all with road warrior setups, but for lack of other answers I am willing to take a guess.
stefan14 wrote on Sunday 8 January 2017 @ 14:19:
Jan 8 13:18:23	charon		14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23	charon		14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
The connection ultimately fails after the "bypasslan" configuration is selected. "bypasslan" is an internal configuration of pfSense that prevents your pfSense machine from becoming unreachable in some configurations. For example, if in a site-to-site config your LAN subnet falls within your remote subnet, e.g. 0.0.0.0/0, this config prevents traffic from your LAN to the pfSense machine itself, e.g. the web interface, from going through the tunnel.
You can turn this config on/off with the "Auto-exclude LAN address" option under advanced settings.

Since it specifically does not work when you connect from your own LAN, I think the error is in that "bypasslan" config. Be careful about disabling it, though: if I am wrong you may make your pfSense install unreachable.
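As an added example (not from the thread, pfSense or strongSwan), the following Python script applies the reading given above to a pfSense charon log: it groups lines per IKE_SA, reorders them oldest-first (the pfSense GUI lists newest first), and flags every SA that ended in AUTH_FAILED after the built-in "bypasslan" peer config was selected and the peer asked for EAP. The embedded log lines are constructed after the thread's format; the peer identity user@example.invalid is a placeholder.

```python
import re

# Constructed sample of charon lines in pfSense's format (newest first, as the
# GUI shows them); the peer identity user@example.invalid is a placeholder.
SAMPLE_LOG = """\
Jan 8 13:18:23\tcharon\t\t14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
Jan 8 13:18:23\tcharon\t\t14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23\tcharon\t\t14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23\tcharon\t\t14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23\tcharon\t\t14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23\tcharon\t\t14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[user@example.invalid]
Jan 8 13:18:22\tcharon\t\t14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22\tcharon\t\t14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22\tcharon\t\t14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
"""

# timestamp, "charon", thread[subsystem] <config|sa_id> message
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+charon\s+\d+\[(?P<sub>\w+)\]\s+"
    r"<(?:(?P<cfg>[^|>]+)\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$")

def parse(log_text):
    """Group charon messages per IKE_SA id, oldest event first."""
    sas = {}
    for line in reversed(log_text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            sas.setdefault(m["sa"], []).append(m["msg"])
    return sas

def diagnose(log_text):
    """Return {sa_id: finding} for every IKE_SA that ended in AUTH_FAILED."""
    findings = {}
    for sa, msgs in parse(log_text).items():
        if not any("N(AUTH_FAILED)" in m for m in msgs):
            continue
        peer = next((m.split()[0] for m in msgs if "is initiating an IKE_SA" in m), "?")
        sel = next((m.split("'")[1] for m in msgs if m.startswith("selected peer config")), None)
        eap = any("peer requested EAP" in m for m in msgs)
        if sel == "bypasslan" and eap:
            why = "pfSense's built-in 'bypasslan' config matched; it cannot do EAP"
        else:
            why = "authentication failed under peer config %r" % sel
        findings[sa] = {"peer": peer, "config": sel, "why": why}
    return findings

if __name__ == "__main__":
    for sa, f in diagnose(SAMPLE_LOG).items():
        print("IKE_SA %s from %s: %s" % (sa, f["peer"], f["why"]))
```

Point it at the full pfSense IPsec log to see whether the failing SAs are the ones that landed in "bypasslan" rather than the mobile-client config.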