Topics - breakaway

#1
Hi all

I have tried following this guide https://www.youtube.com/watch?v=RoXHe5dqCM0 and have also read this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html, however I cannot get my site-to-site WireGuard to even start.

Side A is running
OPNsense 22.1.10_4-amd64
os-wireguard   1.11
wireguard-go   0.0.20220316_2,1
wireguard-tools   1.0.20210914_1

Side B is running
OPNsense 22.7.6-amd64
os-wireguard   1.12
wireguard-go   0.0.20220316_6,1
wireguard-tools   1.0.20210914_1

LAN Network of Subnet behind Side A: 10.13.254.0/24
LAN Network of Subnet behind Side B: 10.12.254.0/24

Side A Settings - Local

Name: S2StoSideBLOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.1/24
Peers: SideB


Side A Settings - Endpoint
Name: S2StoSideBEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.12.254.0/24 192.168.0.1/32
Endpoint Address: <IP address of side B>
Endpoint Port:
Keepalive: 60


Side B Settings - Local

Name: S2StoSideALOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.2/24
Peers: SideB


Side B Settings - Endpoint
Name: S2StoSideAEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.13.254.0/24 192.168.0.2/32
Endpoint Address: <IP address of side B>
Endpoint Port:
Keepalive: 60


If I do that, I can't get the WireGuard tunnel to establish. When I check "List Configuration" on Side B, I see no mention of this new local/endpoint. On Side B (where this WG config is the only one), I can see the service is not even starting. If I try to manually start WireGuard:

root@router:~ # service wireguard start
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2 (wg): Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet 192.168.0.1/24 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] route -q -n add -inet 192.168.0.1/32 -interface wg1
[#] rm -f /var/run/wireguard/wg1.sock


Any ideas?
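As an added example (not code from the post or from OPNsense), here is a small consistency checker for a two-site WireGuard tunnel. It models each side's Local (interface) and Endpoint (peer) settings, reports the cross-side mismatches that stop a tunnel from carrying traffic, derives a matching pair of peer entries from the two Local sections, and renders them in wg-quick syntax. The WAN addresses, ports, key strings and the sample pair laid out like the post's settings are constructed placeholders; the checker assumes the usual WireGuard semantics that a peer's AllowedIPs names the other side's tunnel address and LAN and that the endpoint is the other side's WAN address and listen port.

```python
"""Consistency check for a two-site WireGuard site-to-site tunnel.

Added example, not code from the forum post or from OPNsense.  It models the
Local (interface) and Endpoint (peer) settings each side holds and reports the
cross-side mismatches that stop a tunnel from carrying traffic.  WAN addresses,
ports and key strings below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Site:
    name: str
    tunnel_addr: str             # address on this site's wg interface, e.g. "192.168.0.1/24"
    lan: str                     # LAN prefix behind this site
    wan_ip: str                  # public address the other site dials
    listen_port: int
    pubkey: str                  # this site's public key (placeholder string)
    # the one peer entry configured on THIS site, describing the OTHER site
    peer_pubkey: str = ""
    peer_allowed_ips: list = field(default_factory=list)
    peer_endpoint: str = ""
    peer_endpoint_port: int = 0
    keepalive: int = 0


def tunnel_host(site):
    """Host address of the site's tunnel interface, without the prefix length."""
    return ipaddress.ip_interface(site.tunnel_addr).ip


def check_pair(a, b):
    """Return human-readable problems in the A<->B peer entries; empty means consistent."""
    problems = []
    for me, other in ((a, b), (b, a)):
        allowed = [ipaddress.ip_network(x, strict=False) for x in me.peer_allowed_ips]
        own_host = ipaddress.ip_network(str(tunnel_host(me)))   # /32 (or /128) for our own address
        other_lan = ipaddress.ip_network(other.lan)
        # AllowedIPs is WireGuard's cryptokey routing table: destinations inside these
        # prefixes are sent to the peer, and packets from the peer are dropped unless
        # their source lies inside them.  Each side therefore lists the OTHER site's
        # tunnel address and LAN, never its own.
        if not any(tunnel_host(other) in n for n in allowed):
            problems.append(f"{me.name}: AllowedIPs lacks {other.name}'s tunnel address {tunnel_host(other)}")
        if own_host in allowed:
            problems.append(f"{me.name}: AllowedIPs contains its own tunnel address {own_host}")
        if not any(n.version == other_lan.version and other_lan.subnet_of(n) for n in allowed):
            problems.append(f"{me.name}: AllowedIPs lacks {other.name}'s LAN {other.lan}")
        # Endpoint is where handshakes are sent: the other site's WAN address and ListenPort.
        if me.peer_endpoint and me.peer_endpoint != other.wan_ip:
            problems.append(f"{me.name}: endpoint {me.peer_endpoint} is not {other.name}'s WAN address {other.wan_ip}")
        if me.peer_endpoint and me.peer_endpoint_port != other.listen_port:
            problems.append(f"{me.name}: endpoint port {me.peer_endpoint_port} is not {other.name}'s listen port {other.listen_port}")
        if me.peer_pubkey != other.pubkey:
            problems.append(f"{me.name}: peer public key is not {other.name}'s public key")
    if not (a.peer_endpoint or b.peer_endpoint):
        problems.append("neither side has an endpoint, so neither can start the handshake")
    return problems


def fix_pair(a, b):
    """Copies of a and b whose peer entries are derived from the other side's Local settings."""
    def derive(me, other):
        return replace(me, peer_pubkey=other.pubkey,
                       peer_allowed_ips=[str(ipaddress.ip_network(str(tunnel_host(other)))), other.lan],
                       peer_endpoint=other.wan_ip, peer_endpoint_port=other.listen_port)
    return derive(a, b), derive(b, a)


def render_wg_conf(site):
    """wg-quick style text equivalent to the site's Local + Endpoint entries."""
    lines = ["[Interface]", f"# {site.name}", f"Address = {site.tunnel_addr}",
             f"ListenPort = {site.listen_port}", "PrivateKey = <redacted>", "",
             "[Peer]", f"PublicKey = {site.peer_pubkey}",
             f"AllowedIPs = {', '.join(site.peer_allowed_ips)}"]
    if site.peer_endpoint:
        lines.append(f"Endpoint = {site.peer_endpoint}:{site.peer_endpoint_port}")
    if site.keepalive:
        lines.append(f"PersistentKeepalive = {site.keepalive}")
    return "\n".join(lines) + "\n"


# Constructed sample laid out like the post's settings; WAN addresses and keys are placeholders.
SIDE_A = Site("SideA", "192.168.0.1/24", "10.13.254.0/24", "198.51.100.10", 51825, "PUBKEY_A",
              peer_pubkey="PUBKEY_B", peer_allowed_ips=["10.12.254.0/24", "192.168.0.1/32"],
              peer_endpoint="203.0.113.20", keepalive=60)
SIDE_B = Site("SideB", "192.168.0.2/24", "10.12.254.0/24", "203.0.113.20", 51825, "PUBKEY_B",
              peer_pubkey="PUBKEY_A", peer_allowed_ips=["10.13.254.0/24", "192.168.0.2/32"],
              peer_endpoint="203.0.113.20", keepalive=60)

if __name__ == "__main__":
    for p in check_pair(SIDE_A, SIDE_B):
        print("problem:", p)
    fixed_a, fixed_b = fix_pair(SIDE_A, SIDE_B)
    print(render_wg_conf(fixed_a), render_wg_conf(fixed_b), sep="\n")
```

Running it prints one line per mismatch found in the sample pair, then the two derived configurations; a pair that passes `check_pair` with an empty list is cross-consistent, which is the precondition for the handshake to complete regardless of whether the kernel or the wireguard-go userspace implementation carries the interface.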
#2
Long-time pfSense user here; I have many pfSense systems I look after, but I am looking to make a switch.

I now have OPNsense 22.1.8_1-amd64 running in my lab. I am trying to connect IPsec to a pfSense running 2.6.0 (latest) using AES-NI acceleration.

I tried setting the same settings on both sides:
OPNsense:
Phase 1
->  Encryption algorithm 128 bit AES-GCM with 128 bit icv
->  Hash algorithm AES-XCBC
->  DH Group: 14

pfSense:
Phase 1
-> Algorithm: AES128-GCM
-> Key Length: 128 bit
-> Hash: AES-XCBC
-> DH Group: 14

But if I apply this, the IPsec phase 1 won't connect. The pfSense side shows a timeout, and the OPNsense side shows "key derivation failed".

If I set the "Hash" to SHA, i.e. SHA512, on both sides (P1 & P2), it will connect. Why won't it connect with AES-XCBC on both sides?


Some log output below. Any ideas?


2022-06-04T16:08:22 Informational charon 09[NET] <108> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:22 Informational charon 09[ENC] <108> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:22 Informational charon 09[IKE] <108> key derivation failed
2022-06-04T16:08:22 Informational charon 09[IKE] <108> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:22 Informational charon 09[CFG] <108> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:22 Informational charon 09[IKE] <108> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:22 Informational charon 09[ENC] <108> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:22 Informational charon 09[NET] <108> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:18 Informational charon 09[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:18 Informational charon 09[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:18 Informational charon 09[NET] <107> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:18 Informational charon 09[ENC] <107> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:18 Informational charon 09[IKE] <107> key derivation failed
2022-06-04T16:08:18 Informational charon 09[IKE] <107> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:18 Informational charon 09[CFG] <107> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:18 Informational charon 09[IKE] <107> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:18 Informational charon 09[ENC] <107> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:18 Informational charon 09[NET] <107> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:16 Informational charon 09[NET] <106> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:16 Informational charon 09[ENC] <106> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:16 Informational charon 09[IKE] <106> key derivation failed
2022-06-04T16:08:16 Informational charon 09[IKE] <106> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:16 Informational charon 09[CFG] <106> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:16 Informational charon 09[IKE] <106> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:16 Informational charon 09[ENC] <106> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:16 Informational charon 09[NET] <106> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:15 Informational charon 13[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:15 Informational charon 13[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:14 Informational charon 13[NET] <105> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:14 Informational charon 13[ENC] <105> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:14 Informational charon 13[IKE] <105> key derivation failed
2022-06-04T16:08:14 Informational charon 13[IKE] <105> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:14 Informational charon 13[CFG] <105> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:14 Informational charon 13[IKE] <105> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:14 Informational charon 13[ENC] <105> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:14 Informational charon 13[NET] <105> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:12 Informational charon 13[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:12 Informational charon 13[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:12 Informational charon 13[NET] <104> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:12 Informational charon 13[ENC] <104> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:12 Informational charon 13[IKE] <104> key derivation failed
2022-06-04T16:08:12 Informational charon 13[IKE] <104> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:12 Informational charon 13[CFG] <104> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:12 Informational charon 13[IKE] <104> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:12 Informational charon 13[ENC] <104> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:12 Informational charon 13[NET] <104> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:11 Informational charon 09[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:11 Informational charon 09[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:10 Informational charon 09[NET] <103> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:10 Informational charon 09[ENC] <103> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
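As an added example (not code from the post, OPNsense or strongSwan), the following script triages a charon log like the one above: it groups lines by IKE_SA number, pulls out the initiating peer, the selected proposal, the error messages and the notify the responder sent back, and flags when the selected cipher is an AEAD mode, since an IKEv2 proposal with an AEAD cipher negotiates no separate integrity algorithm and the IKE PRF is then chosen on its own and must be one the responder's build supports. The IKE_SA 107 and 108 lines are copied from the post; IKE_SA 109, which selects an HMAC-SHA2-512 PRF and logs no error, is constructed for contrast.

```python
"""Triage of strongSwan (charon) IKE_SA_INIT failures from an OPNsense IPsec log.

Added example, not code from the post or from OPNsense/strongSwan.  It groups log
lines by IKE_SA number, extracts the peer, the selected proposal and the failure
messages, and, when the cipher is an AEAD mode, notes that the IKE PRF is then
negotiated on its own (AEAD proposals carry no integrity transform), so the PRF
the responder ends up with must be one its build can use.  IKE_SAs 107 and 108
below are copied from the post's log; IKE_SA 109 is constructed to show a
proposal that raised no error.
"""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) \S+ charon \d+\[(?P<sub>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$")
PROPOSAL = re.compile(r"selected proposal: IKE:(?P<encr>[^/]+)/(?P<prf>[^/]+)/(?P<dh>\S+)")
AEAD_PREFIXES = ("AES_GCM", "AES_CCM", "CHACHA20_POLY1305")


def parse_sa_events(text):
    """Map IKE_SA number -> {peer, proposal, errors, response} from raw charon log lines."""
    sas = defaultdict(lambda: {"peer": None, "proposal": None, "errors": [], "response": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # lines without an <N> tag (acquire jobs etc.) are not per-SA
            continue
        sa, msg = sas[int(m["sa"])], m["msg"]
        p = PROPOSAL.search(msg)
        if p:
            sa["proposal"] = {"encr": p["encr"], "prf": p["prf"], "dh": p["dh"]}
        elif msg.endswith("is initiating an IKE_SA"):
            sa["peer"] = msg.split()[0]
        elif msg.startswith("generating IKE_SA_INIT response"):
            payloads = re.search(r"\[ (.*) \]", msg)
            sa["response"] = payloads.group(1).split() if payloads else []
        elif msg == "key derivation failed" or "not supported" in msg:
            sa["errors"].append(msg)
    return dict(sas)


def diagnose(sa):
    """One-line explanation of a failed IKE_SA, or None if no error was logged for it."""
    if not sa["errors"]:
        return None
    prop = sa["proposal"] or {}
    encr, prf, dh = prop.get("encr", "?"), prop.get("prf", "?"), prop.get("dh", "?")
    note = ""
    if encr.startswith(AEAD_PREFIXES):
        note = (f"; {encr} is an AEAD cipher, so no integrity transform is negotiated and "
                f"the IKE PRF {prf} stands alone and must be supported by this build")
    notifies = ", ".join(p for p in sa["response"] if p.startswith("N("))
    return (f"peer {sa['peer']}: IKE proposal {encr}/{prf}/{dh} failed: "
            f"{'; '.join(sa['errors'])}{note}; responder sent {notifies or 'no notify'}")


def summarize(text):
    """Diagnoses for every IKE_SA that logged an error, in IKE_SA order."""
    events = parse_sa_events(text)
    return [d for _, sa in sorted(events.items()) if (d := diagnose(sa))]


# Sample input: IKE_SAs 107 and 108 copied from the post (newest line first, as OPNsense
# shows them) plus a constructed IKE_SA 109 that selected PRF_HMAC_SHA2_512 and logged no error.
SAMPLE_LOG = """\
2022-06-04T16:08:22 Informational charon 09[NET] <108> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:22 Informational charon 09[ENC] <108> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:22 Informational charon 09[IKE] <108> key derivation failed
2022-06-04T16:08:22 Informational charon 09[IKE] <108> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:22 Informational charon 09[CFG] <108> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:22 Informational charon 09[IKE] <108> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:22 Informational charon 09[ENC] <108> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:22 Informational charon 09[NET] <108> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:18 Informational charon 09[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:18 Informational charon 09[ENC] <107> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:18 Informational charon 09[IKE] <107> key derivation failed
2022-06-04T16:08:18 Informational charon 09[IKE] <107> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:18 Informational charon 09[CFG] <107> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:18 Informational charon 09[IKE] <107> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:09:01 Informational charon 10[CFG] <109> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_512/MODP_2048
2022-06-04T16:09:01 Informational charon 10[IKE] <109> 126.33.25.61 is initiating an IKE_SA
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Feed it the log export from the OPNsense IPsec log view and it prints one line per IKE_SA that failed, with the exact proposal both ends agreed on and the notify (here NO_PROPOSAL_CHOSEN) that the initiator saw as a timeout-like failure; comparing that PRF against what the responder's strongSwan build actually loads is the next step in narrowing down a "key derivation failed" message.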