IPSec IKEv2, RSA-Cert, pfSense <-> pfSense, no NAT: failed to bring net tunnel up?
-
Hello Forum,
after trying several combinations with NAT from the home office (strongSwan on OpenSuSE, Sophos, ..) and spending several hours,
I decided to go back to what is in my opinion the easiest possible setup (no NAT, both ends pfSense 2.3.2p1 RELEASE, only one Network <-> Network tunnel): 172.30.21.0/24 PFS_A (official static IP) <---> PFS_B (official static IP) 172.30.11.0/24
meaning "only" ;) a 172.30.21.0/24 <-> 172.30.11.0/24 tunnel, where both A and B also have more such networks (that comes later ...)
Setup-Data:
1.) set up Cert-CA on A + generate Server Cert, generate Client (B) certificate
put Cert-CA.crt, Cert-B.crt, Cert-B.key on B via import certificate..
2.) IPSec - Parameter on both ends:
Key Exchange version: 2 (later for Home office I need NAT ..)
Internet Protocols: ipv4
Interface: WAN
Remote Gateway IP address of peer
Authentication Method Mutual RSA
My identifier My IP-Address
Peer identifier Peer IP-Address
My Certificate A (Server Cert), B (Client Cert)
Peer Certificate Authority Cert-CA of A
Phase 1:
Encryption Algorithm AES 256Bits
Hash Algorithm SHA256
DH Group 14(2048)
Lifetime 28800
Disable rekey false
Disable Reauth false
Responder Only A (true), B (false)
MOBIKE disable
Split connections false
Dead Peer Detection enabled
Delay 10
Max failures 5
Phase 2:
Mode Tunnel IPv4
Local Network Network A(172.30.21.0/24), B(172.30.11.0/24)
NAT/BINAT translation none
Remote Network Network A(172.30.11.0/24), B(172.30.21.0/24)
Protocol ESP
Encryption Algorithms AES 256 Bits
Hash Algorithms SHA256
PFS key group 14(2048)
Lifetime 3600
Advanced settings: Everything is disabled except:
Configure Unique IDs as Yes
Auto-exclude LAN addr true

So if I start the tunnel from B, Phase 1 succeeds and B also shows in the GUI that the tunnel (SPD) is set up ...
But A shows in its logs that there are problems, see log (reverse ordering of lines ....):

Oct 17 15:06:17 charon 04[ENC] <bypasslan|1>generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>failed to establish CHILD_SA, keeping IKE_SA
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>traffic selectors 172.30.21.0/24|/0 === 172.30.11.0/24|/0 inacceptable
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for other:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for us:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>looking for a child config for 172.30.21.0/24|/0 === 172.30.11.0/24|/0
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>maximum IKE_SA lifetime 10510s
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>scheduling reauthentication in 9970s
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>IKE_SA bypasslan[1] state change: CONNECTING => ESTABLISHED

And after this, the IKE_SA is not usable at all, but why does B show in the GUI that everything is fine ??
The shown network 172.30.20.0/24 is also available on A, but is nowhere set up for this tunnel ... So for me the "easy" case doesn't work either ... :-[
Please give me some input to get it working like it should .. Thank you