IPsec AUTH_FAILED



  • Hello everyone,

    I am having a few problems with a net-to-net connection.

    It looks as if something is wrong with the authentication.

    Oct 4 17:44:02 	ipsec_starter 	41610 	ipsec starter stopped
    Oct 4 17:44:02 	ipsec_starter 	41610 	charon stopped after 200 ms
    Oct 4 17:44:02 	charon 		00[DMN] signal of type SIGINT received. Shutting down
    Oct 4 17:43:27 	charon 		07[NET] sending packet: from 2a00:xxxx:xxxx:xxxx::[500] to 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500]
    Oct 4 17:43:27 	charon 		13[NET] <bypasslan|1> sending packet: from 2a00:xxxx:xxxx:xxxx::[500] to 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500] (65 bytes)
    Oct 4 17:43:27 	charon 		13[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 4 17:43:27 	charon 		13[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Oct 4 17:43:27 	charon 		13[IKE] <bypasslan|1> no shared key found for '2a00:xxxx:xxxx:xxxx::' - '2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774'
    Oct 4 17:43:27 	charon 		13[CFG] <bypasslan|1> selected peer config 'bypasslan'
    Oct 4 17:43:27 	charon 		13[CFG] <1> looking for peer configs matching 2a00:xxxx:xxxx:xxxx::[2a00:xxxx:xxxx:xxxx::]...2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774]
    Oct 4 17:43:27 	charon 		13[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Oct 4 17:43:27 	charon 		13[NET] <1> received packet: from 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500] to 2a00:xxxx:xxxx:xxxx::[500] (317 bytes)
    Oct 4 17:43:27 	charon 		02[NET] waiting for data on sockets
    Oct 4 17:43:27 	charon 		02[NET] received packet: from 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500] to 2a00:xxxx:xxxx:xxxx::[500]
    Oct 4 17:43:27 	charon 		07[NET] sending packet: from 2a00:xxxx:xxxx:xxxx::[500] to 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500]
    Oct 4 17:43:27 	charon 		14[NET] <1> sending packet: from 2a00:xxxx:xxxx:xxxx::[500] to 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500] (712 bytes)
    Oct 4 17:43:27 	charon 		14[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Oct 4 17:43:27 	charon 		14[LIB] <1> size of DH secret exponent: 4095 bits
    Oct 4 17:43:26 	charon 		14[CFG] <1> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_4096
    Oct 4 17:43:26 	charon 		14[IKE] <1> 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774 is initiating an IKE_SA
    Oct 4 17:43:26 	charon 		14[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Oct 4 17:43:26 	charon 		14[NET] <1> received packet: from 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500] to 2a00:xxxx:xxxx:xxxx::[500] (712 bytes)
    Oct 4 17:43:26 	charon 		02[NET] waiting for data on sockets
    Oct 4 17:43:26 	charon 		02[NET] received packet: from 2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774[500] to 2a00:xxxx:xxxx:xxxx::[500]
    Oct 4 17:43:09 	ipsec_starter 	41610 	'bypasslan' shunt PASS policy installed
    Oct 4 17:43:09 	charon 		16[CFG] received stroke: route 'bypasslan'
    Oct 4 17:43:09 	charon 		15[CFG] added configuration 'bypasslan'
    Oct 4 17:43:09 	charon 		15[CFG] received stroke: add connection 'bypasslan'
    Oct 4 17:43:09 	ipsec_starter 	41610 	charon (41810) started after 60 ms
    Oct 4 17:43:09 	charon 		16[LIB] created thread 16 [802018300]
    Oct 4 17:43:09 	charon 		15[LIB] created thread 15 [80201a600]
    Oct 4 17:43:09 	charon 		02[NET] waiting for data on sockets
    Oct 4 17:43:09 	charon 		05[LIB] created thread 05 [802017e00]
    Oct 4 17:43:09 	charon 		14[LIB] created thread 14 [802180000]
    Oct 4 17:43:09 	charon 		13[LIB] created thread 13 [802019200]
    Oct 4 17:43:09 	charon 		12[LIB] created thread 12 [80201ab00]
    Oct 4 17:43:09 	charon 		11[LIB] created thread 11 [802019700]
    Oct 4 17:43:09 	charon 		10[LIB] created thread 10 [802180500]
    Oct 4 17:43:09 	charon 		09[LIB] created thread 09 [80201a100]
    Oct 4 17:43:09 	charon 		08[LIB] created thread 08 [802018800]
    Oct 4 17:43:09 	charon 		04[LIB] created thread 04 [802017900]
    Oct 4 17:43:09 	charon 		06[LIB] created thread 06 [802019c00]
    Oct 4 17:43:09 	charon 		07[LIB] created thread 07 [802018d00]
    Oct 4 17:43:09 	charon 		02[LIB] created thread 02 [802016f00]
    Oct 4 17:43:09 	charon 		03[LIB] created thread 03 [802017400]
    Oct 4 17:43:09 	charon 		01[LIB] created thread 01 [802016a00]
    Oct 4 17:43:09 	charon 		00[JOB] spawning 16 worker threads
    Oct 4 17:43:09 	charon 		00[LIB] unable to load 8 plugin features (7 due to unmet dependencies)
    Oct 4 17:43:09 	charon 		00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
    Oct 4 17:43:09 	charon 		00[LIB] unloading plugin 'eap-sim-file' without loaded features
    Oct 4 17:43:09 	charon 		00[CFG] loaded 0 RADIUS server configurations
    Oct 4 17:43:09 	charon 		00[LIB] feature CUSTOM:sim-provider in plugin 'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
    Oct 4 17:43:09 	charon 		00[LIB] feature CUSTOM:sim-card in plugin 'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
    Oct 4 17:43:09 	charon 		00[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' failed to load
    Oct 4 17:43:09 	charon 		00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
    Oct 4 17:43:09 	charon 		00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Oct 4 17:43:09 	charon 		00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
    Oct 4 17:43:09 	charon 		00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Oct 4 17:43:09 	charon 		00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Oct 4 17:43:09 	charon 		00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Oct 4 17:43:09 	charon 		00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Oct 4 17:43:09 	charon 		00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
    Oct 4 17:43:09 	charon 		00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
    Oct 4 17:43:09 	charon 		00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
    Oct 4 17:43:09 	charon 		00[CFG] ipseckey plugin is disabled
    Oct 4 17:43:09 	charon 		00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
    Oct 4 17:43:09 	charon 		00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS
    Oct 4 17:43:09 	charon 		00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Oct 4 17:43:09 	charon 		00[KNL] unable to set UDP_ENCAP: Invalid argument
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'counters': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'addrblock': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'whitelist': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'xauth-eap': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'xauth-generic': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-peap': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-ttls': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-tls': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-radius': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-dynamic': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-mschapv2': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-md5': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-sim-file': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-sim': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'eap-identity': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'updown': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'vici': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'stroke': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'socket-default': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'resolve': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'kernel-pfroute': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'kernel-pfkey': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'attr': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'curl': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'hmac': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'cmac': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'xcbc': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'curve25519': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'fips-prf': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'openssl': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pem': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'ipseckey': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'sshkey': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'dnskey': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pgp': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pkcs12': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pkcs8': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pkcs7': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pkcs1': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'pubkey': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'constraints': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'revocation': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'x509': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'nonce': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'random': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'md5': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'md4': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'sha1': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'sha2': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'rc2': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'blowfish': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'des': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'aes': loaded successfully
    Oct 4 17:43:09 	charon 		00[LIB] plugin 'unbound': loaded successfully
    Oct 4 17:43:09 	charon 		00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, FreeBSD 11.2-RELEASE-p10, amd64)
    Oct 4 17:43:09 	ipsec_starter 	41033 	no known IPsec stack detected, ignoring!
    Oct 4 17:43:09 	ipsec_starter 	41033 	no KLIPS IPsec stack detected
    Oct 4 17:43:09 	ipsec_starter 	41033 	no netkey IPsec stack detected
    Oct 4 17:43:09 	ipsec_starter 	41033 	Starting strongSwan 5.7.1 IPsec [starter]... 
    

  • LAYER 8 Moderator

    @chris_6n said in IPsec AUTH_FAILED:

    Oct 4 17:43:27 charon 13[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    That reads like a wrong phase 1 configuration and a missing/wrong shared key. It could also be a wrong identifier, i.e. both sides communicating with the wrong IDs. Since you have blanked out the IPv6 here, and IPv6 addresses are often generated dynamically with PEs, the IDs should in that case be chosen yourself and hardcoded, otherwise it gets rather painful on a prefix change or a different IPv6 address.

    But compare your log against the IPsec Troubleshooting Guide:

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html
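    The moderator's reasoning above (AUTH_FAILED with "no shared key found" means the PSK lookup for that exact ID pair failed, and IDs that are bare IPv6 addresses break on a prefix change) can be turned into a small log triage. The following is an added example, not code from this thread, pfSense or strongSwan; it parses charon lines from a constructed sample modelled on the log posted above, extracts the ID pair and the selected peer config, and reports findings. The `expected_conn` parameter is a hypothetical name, since the thread does not show what pfSense called the tunnel's conn.

```python
"""Triage a charon (strongSwan) log for the IKEv2 AUTH_FAILED pattern seen in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the thread's log (newest line first, as the
# pfSense log viewer shows it); the masked 'xxxx' addresses are the thread's own.
SAMPLE_LOG = """\
Oct 4 17:43:27 charon 13[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 4 17:43:27 charon 13[IKE] <bypasslan|1> no shared key found for '2a00:xxxx:xxxx:xxxx::' - '2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774'
Oct 4 17:43:27 charon 13[CFG] <bypasslan|1> selected peer config 'bypasslan'
Oct 4 17:43:26 charon 14[CFG] <1> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_4096
Oct 4 17:43:09 ipsec_starter 41610 'bypasslan' shunt PASS policy installed
"""

# One charon line: timestamp, thread id, log group, optional <conn|sa> or <sa>, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d\d)\[(?P<group>[A-Z]{3})\]\s+"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+)?"
    r"(?P<msg>.*)$"
)
PSK_MISS_RE = re.compile(r"no shared key found for '(?P<local>[^']*)' - '(?P<remote>[^']*)'")
PEER_CFG_RE = re.compile(r"selected peer config '(?P<name>[^']*)'")
PROPOSAL_RE = re.compile(r"selected proposal: (?P<prop>\S+)")
AUTH_FAILED_RE = re.compile(r"generating IKE_AUTH response \d+ \[.*N\(AUTH_FAILED\)")
# Heuristic: an ID made only of hex digits, ':' and '.' is an IP address rather
# than a chosen identity. 'x' is allowed so the thread's masked addresses match.
ADDR_LIKE_RE = re.compile(r"^[0-9A-Fa-fx:.]+$")


@dataclass
class Triage:
    auth_failed: bool = False
    psk_missing: bool = False
    local_id: Optional[str] = None
    remote_id: Optional[str] = None
    peer_config: Optional[str] = None
    proposal: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one charon line into its fields; None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_address(ident: str) -> bool:
    return bool(ADDR_LIKE_RE.match(ident)) and (":" in ident or "." in ident)


def triage(log_text: str, expected_conn: Optional[str] = None) -> Triage:
    """Collect the facts behind an AUTH_FAILED and derive defender-side findings.
    expected_conn (hypothetical) is the conn name the tunnel should have selected."""
    t = Triage()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        msg = parsed["msg"] or ""
        if AUTH_FAILED_RE.search(msg):
            t.auth_failed = True
        m = PSK_MISS_RE.search(msg)
        if m:
            t.psk_missing = True
            t.local_id, t.remote_id = m["local"], m["remote"]
        m = PEER_CFG_RE.search(msg)
        if m:
            t.peer_config = m["name"]
        m = PROPOSAL_RE.search(msg)
        if m:
            t.proposal = m["prop"]

    if t.auth_failed and t.psk_missing:
        t.findings.append(
            f"IKE_AUTH rejected: no PSK in ipsec.secrets matches the ID pair "
            f"{t.local_id!r} - {t.remote_id!r}; the secret's selectors must match both IDs"
        )
    elif t.auth_failed:
        t.findings.append("IKE_AUTH rejected for a reason other than a missing PSK; check IDs and auth method")
    if expected_conn and t.peer_config and t.peer_config != expected_conn:
        t.findings.append(
            f"peer config {t.peer_config!r} was selected instead of {expected_conn!r}; "
            f"the tunnel's conn block is probably missing from the generated ipsec.conf"
        )
    for label, ident in (("local", t.local_id), ("remote", t.remote_id)):
        if ident and looks_like_address(ident):
            t.findings.append(
                f"{label} ID {ident!r} is a bare IP address; with a dynamic IPv6 prefix, "
                f"set an explicit leftid/rightid on both peers instead"
            )
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, expected_conn="con1")
    print(f"proposal: {result.proposal}")
    for finding in result.findings:
        print("-", finding)
```

    Run it against a saved copy of the IPsec log; the three findings it prints for the sample are exactly the three things to check first: the PSK selectors in ipsec.secrets, whether the tunnel's conn was generated at all (here only the bypasslan shunt was selected), and whether both peers use fixed identifiers rather than their current IPv6 addresses.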



  • I found another error in the log.

    Oct 17 15:19:08 	php-fpm 	343 	/vpn_ipsec.php: IPSec FEHLER: Konnte keine Phase-1-Quelle für Verbindung Test VPN finden. Wird aus der Konfigurationsdatei ausgelassen. 
    

    After that I saw under Status --> IPsec that the Local ID and Local IP are unknown.

    IPsec status

    Description    Local ID    Local IP    Remote ID                              Remote IP
    Test VPN       Unknown     Unknown     2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774     2a02:xxxx:xxxx:xxxx:xxxx:fe6e:9774

    In the config, under My identifier type, the field contains "My IP address".



  • After a few tests it seems to me that pfSense has a problem with the IPv6 address.

    I think pfSense chokes on the colons at the end:

    2a00:xxxx:xxxx:xxxx::



  • The config file is not completely filled in either.

    [2.4.4-RELEASE][root@Coro.local]/var/etc/ipsec: cat ipsec.conf
    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
    
    conn bypasslan
            leftsubnet = 192.168.23.0/24
            rightsubnet = 192.168.23.0/24
            authby = never
            type = passthrough
            auto = route
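    The generated ipsec.conf above contains only the bypasslan passthrough shunt and no conn for the tunnel, which matches the earlier php-fpm error about a missing phase 1 source. The following added example (not code from this thread or from pfSense) parses such a generated ipsec.conf and reports, for a list of expected tunnel names, whether each conn exists, whether it is merely a passthrough shunt, and whether left/right and leftid/rightid are set explicitly. The expected name `con1` is a hypothetical placeholder; the thread does not show what pfSense named the tunnel's conn.

```python
"""Check a generated strongSwan ipsec.conf for the tunnel conns one expects."""
import re
from typing import Dict, List

# The ipsec.conf shown in the thread, embedded here as sample input.
SAMPLE_CONF = """\
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn bypasslan
        leftsubnet = 192.168.23.0/24
        rightsubnet = 192.168.23.0/24
        authby = never
        type = passthrough
        auto = route
"""

SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'conn name': {key: value}, 'config setup': {...}}; comments are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_tunnels(text: str, expected: List[str]) -> List[str]:
    """Problems that would stop each expected tunnel from negotiating as intended."""
    sections = parse_ipsec_conf(text)
    conns = {name[len("conn "):]: kv for name, kv in sections.items() if name.startswith("conn ")}
    problems: List[str] = []
    for name in expected:
        kv = conns.get(name)
        if kv is None:
            problems.append(f"conn '{name}' is missing from ipsec.conf (phase 1 was not generated)")
            continue
        if kv.get("type") == "passthrough":
            problems.append(f"conn '{name}' is a passthrough shunt, not a tunnel")
            continue
        # Without explicit leftid/rightid strongSwan falls back to the peer addresses as IDs,
        # which is what breaks when a dynamic IPv6 prefix changes.
        for key in ("left", "right", "leftid", "rightid"):
            if key not in kv:
                problems.append(f"conn '{name}' has no '{key}'; set it explicitly")
    return problems


if __name__ == "__main__":
    for problem in check_tunnels(SAMPLE_CONF, ["con1"]):
        print("-", problem)
```

    On the thread's file this reports only that the tunnel conn is missing, so the next place to look is the pfSense phase 1 settings (interface and identifier) rather than ipsec.secrets.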
    
    
