Hello everyone,
A while ago I bought a PC Engines APU2C4 to use as the firewall in my home network. I have already done a lot of fun things with it. The only thing I am still stuck on is connecting over IPsec IKEv2 with EAP-MSCHAPv2.
Using this how-to I got it working over the mobile network and over all wifi networks, except my own local wifi/network.
Log from the strongSwan app on Android:
Jan 8 09:57:09 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.4.67-cyanogenmod-g845a9ab, armv7l)
Jan 8 09:57:09 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 8 09:57:09 00[JOB] spawning 16 worker threads
Jan 8 09:57:09 05[IKE] initiating IKE_SA android[1] to 10.0.0.2
Jan 8 09:57:09 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 09:57:09 05[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (744 bytes)
Jan 8 09:57:09 04[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (38 bytes)
Jan 8 09:57:09 04[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 09:57:09 04[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Jan 8 09:57:09 04[IKE] initiating IKE_SA android[1] to 10.0.0.2
Jan 8 09:57:09 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 09:57:09 04[NET] sending packet: from 10.0.1.17[49205] to 10.0.0.2[500] (1064 bytes)
Jan 8 09:57:10 08[NET] received packet: from 10.0.0.2[500] to 10.0.1.17[49205] (609 bytes)
Jan 8 09:57:10 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jan 8 09:57:10 08[IKE] faking NAT situation to enforce UDP encapsulation
Jan 8 09:57:10 08[IKE] received cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
Jan 8 09:57:10 08[IKE] sending cert request for "C=NL, ST=-, L=-, O=-, E=none@none.nl, CN=IPsec, OU=-"
Jan 8 09:57:10 08[IKE] establishing CHILD_SA android
Jan 8 09:57:10 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 8 09:57:10 08[NET] sending packet: from 10.0.1.17[59790] to 10.0.0.2[4500] (544 bytes)
Jan 8 09:57:10 09[NET] received packet: from 10.0.0.2[4500] to 10.0.1.17[59790] (80 bytes)
Jan 8 09:57:10 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 09:57:10 09[IKE] received AUTHENTICATION_FAILED notify error
Log from pfSense (newest entry first):
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
Jan 8 13:18:23 charon 14[NET] <bypasslan|24> sending packet: from 10.0.0.2[4500] to 10.0.1.17[40215] (80 bytes)
Jan 8 13:18:23 charon 14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer supports MOBIKE
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP6_DNS attribute
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP4_DNS attribute
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP6_ADDRESS attribute
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> processing INTERNAL_IP4_ADDRESS attribute
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23 charon 14[CFG] <24> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 8 13:18:23 charon 14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
Jan 8 13:18:23 charon 14[IKE] <24> received cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
Jan 8 13:18:23 charon 14[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 8 13:18:23 charon 14[NET] <24> received packet: from 10.0.1.17[40215] to 10.0.0.2[4500] (544 bytes)
Jan 8 13:18:23 charon 14[NET] <24> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (609 bytes)
Jan 8 13:18:23 charon 14[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jan 8 13:18:23 charon 14[IKE] <24> sending cert request for "C=NL, ST=none, L=none, O=none, E=none@none.nl, CN=firewall.hijnn.net, OU=none"
Jan 8 13:18:23 charon 14[IKE] <24> remote host is behind NAT
Jan 8 13:18:22 charon 14[CFG] <24> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22 charon 14[CFG] <24> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <24> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <24> proposal matches
Jan 8 13:18:22 charon 14[CFG] <24> selecting proposal:
Jan 8 13:18:22 charon 14[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
Jan 8 13:18:22 charon 14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[CFG] <24> found matching ike config: %any...%any with prio 24
Jan 8 13:18:22 charon 14[CFG] <24> candidate: %any...%any, prio 24
Jan 8 13:18:22 charon 14[CFG] <24> looking for an ike config for 10.0.0.2...10.0.1.17
Jan 8 13:18:22 charon 14[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 13:18:22 charon 14[NET] <24> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (1064 bytes)
Jan 8 13:18:22 charon 14[IKE] <23> IKE_SA (unnamed)[23] state change: CONNECTING => DESTROYING
Jan 8 13:18:22 charon 14[NET] <23> sending packet: from 10.0.0.2[500] to 10.0.1.17[44217] (38 bytes)
Jan 8 13:18:22 charon 14[ENC] <23> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 8 13:18:22 charon 14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22 charon 14[IKE] <23> remote host is behind NAT
Jan 8 13:18:22 charon 14[CFG] <23> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22 charon 14[CFG] <23> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <23> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Jan 8 13:18:22 charon 14[CFG] <23> proposal matches
Jan 8 13:18:22 charon 14[CFG] <23> selecting proposal:
Jan 8 13:18:22 charon 14[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Jan 8 13:18:22 charon 14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[CFG] <23> found matching ike config: %any...%any with prio 24
Jan 8 13:18:22 charon 14[CFG] <23> candidate: %any...%any, prio 24
Jan 8 13:18:22 charon 14[CFG] <23> looking for an ike config for 10.0.0.2...10.0.1.17
Jan 8 13:18:22 charon 14[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 8 13:18:22 charon 14[NET] <23> received packet: from 10.0.1.17[44217] to 10.0.0.2[500] (744 bytes)
My certificate has 2 IPs: the local IP and my public IP. The FQDN is the common name and a subject alternative name.
My Phase 2:
Mode | Local Subnet | Remote Subnet | P2 Protocol | P2 Transforms | P2 Auth Methods
tunnel | 0.0.0.0/0 | | ESP | AES (auto) | SHA1, SHA256
My LAN is 10.0.0/16, where DHCP is 10.0.1.0/24 and all my servers are in 10.0.0.0/24. IPsec is 10.1.0.0/24.
pfSense is version 2.3.2-RELEASE-p1 (amd64).
I myself think the error is somewhere in Phase 2; that I still need to add a 2nd tunnel, or that I have to start using NAT/BINAT translation.
Who can help me further?
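As an added example (not part of the original post and not pfSense or strongSwan code), here is a small Python triage helper for charon logs like the two quoted above. It parses the pfSense line format (with the `<conn|sa>` tag; the Android app's lines without the `charon` token parse too), restores chronological order when the log is shown newest first, and reports per IKE_SA which proposal and peer config charon selected and whether the IKE_AUTH exchange ended in AUTH_FAILED or only in an INVALID_KE_PAYLOAD retry. The sample log is constructed after the lines in the post; function names are my own.

```python
"""Triage helper for strongSwan (charon) IKEv2 responder logs, pfSense style."""
import re
from datetime import datetime

# Constructed sample modelled on the post's pfSense log (newest entry first).
SAMPLE_LOG = """
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> IKE_SA bypasslan[24] state change: CONNECTING => DESTROYING
Jan 8 13:18:23 charon 14[ENC] <bypasslan|24> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> no alternative config found
Jan 8 13:18:23 charon 14[IKE] <bypasslan|24> peer requested EAP, config inacceptable
Jan 8 13:18:23 charon 14[CFG] <bypasslan|24> selected peer config 'bypasslan'
Jan 8 13:18:23 charon 14[CFG] <24> looking for peer configs matching 10.0.0.2[%any]...10.0.1.17[stfn@XXX.XXX]
Jan 8 13:18:22 charon 14[CFG] <24> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Jan 8 13:18:22 charon 14[IKE] <24> 10.0.1.17 is initiating an IKE_SA
Jan 8 13:18:22 charon 14[IKE] <23> IKE_SA (unnamed)[23] state change: CONNECTING => DESTROYING
Jan 8 13:18:22 charon 14[IKE] <23> DH group ECP_256 inacceptable, requesting MODP_3072
Jan 8 13:18:22 charon 14[IKE] <23> 10.0.1.17 is initiating an IKE_SA
"""

# "<Mon> <day> <hh:mm:ss> [charon] <thread>[<subsystem>] [<conn|sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:charon )?\d+\[(?P<sub>[A-Z]+)\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> )?(?P<msg>.*)$"
)


def parse_charon(text):
    """Return parsed entries in chronological order (reverses a newest-first log)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or non-charon lines
        e = m.groupdict()
        e["when"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year is irrelevant here
        e["sa"] = int(e["sa"]) if e["sa"] else None
        entries.append(e)
    if len(entries) > 1 and entries[0]["when"] > entries[-1]["when"]:
        entries.reverse()
    return entries


def summarize_sa(entries, sa_id):
    """Collect the decisions charon logged for one IKE_SA number."""
    s = {"sa": sa_id, "initiator": None, "remote_id": None, "proposal": None,
         "peer_config": None, "dh_retry": None, "eap_rejected": False, "auth_failed": False}
    for e in entries:
        if e["sa"] != sa_id:
            continue
        msg = e["msg"]
        if (m := re.match(r"(\S+) is initiating an IKE_SA", msg)):
            s["initiator"] = m.group(1)
        elif (m := re.match(r"looking for peer configs matching .*\[([^\]]+)\]$", msg)):
            s["remote_id"] = m.group(1)  # IKE identity the client presented
        elif (m := re.match(r"selected proposal: (\S+)", msg)):
            s["proposal"] = m.group(1)
        elif (m := re.match(r"selected peer config '([^']+)'", msg)):
            s["peer_config"] = m.group(1)
        elif (m := re.match(r"DH group (\S+) inacceptable, requesting (\S+)", msg)):
            s["dh_retry"] = (m.group(1), m.group(2))
        elif msg == "peer requested EAP, config inacceptable":
            s["eap_rejected"] = True
        elif "N(AUTH_FAILED)" in msg:
            s["auth_failed"] = True
    return s


def verdict(s):
    """Turn one SA summary into a one-line diagnosis, using only what was logged."""
    if s["eap_rejected"] and s["auth_failed"]:
        return (f"SA {s['sa']}: client {s['initiator']} (id {s['remote_id']}) matched peer config "
                f"'{s['peer_config']}', which does not accept EAP, so the responder sent AUTH_FAILED; "
                f"check which connection the client's source address selects")
    if s["dh_retry"] and not s["auth_failed"]:
        return (f"SA {s['sa']}: INVALID_KE_PAYLOAD only; client offered {s['dh_retry'][0]}, "
                f"responder asked for {s['dh_retry'][1]} and the client retries (harmless)")
    if s["auth_failed"]:
        return f"SA {s['sa']}: AUTH_FAILED without an EAP config rejection; check credentials and certificates"
    return f"SA {s['sa']}: no failure recorded"


def triage(text):
    """Map every IKE_SA number seen in the log to its verdict."""
    entries = parse_charon(text)
    ids = sorted({e["sa"] for e in entries if e["sa"] is not None})
    return {sa: verdict(summarize_sa(entries, sa)) for sa in ids}


if __name__ == "__main__":
    for sa, line in triage(SAMPLE_LOG).items():
        print(line)
```

Run it against a copy of the pfSense IPsec log (Status > System Logs > IPsec) saved to a file; the per-SA verdict separates the harmless DH-group renegotiation (SA 23 above) from the real failure (SA 24), where the LAN client was matched to the `bypasslan` peer config rather than a connection that allows EAP.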