OPNsense Forum

English Forums => Virtual private networks => Topic started by: pcampbell on November 11, 2020, 10:55:00 pm

Title: L2TP Plugin
Post by: pcampbell on November 11, 2020, 10:55:00 pm
Hello everyone, I'm new to OPNsense.  Just moved to it from my SonicWall where I had a L2TP/IPsec VPN setup for  remote client access at our Church.  I see in all the documentation that there is a L2TP plugin available for OPNsense, but cannot find it anywhere.  Has it been removed?  I've tried setting up IPsec with IKEv2 EAP-MSCHAPv2 but cannot get it to work properly.  I would prefer using the built in Windows VPN client over OpenVPN if possible.

OPNsense V 20.7.4

Thanks
Philip
Title: Re: L2TP Plugin
Post by: mimugmail on November 12, 2020, 05:51:50 am
It was removed, yes, way too old technology. What's your error with IKEv2?
Title: Re: L2TP Plugin
Post by: pcampbell on November 12, 2020, 03:17:22 pm
If I follow the directions to the letter, I get an error on trying to connect stating "Invalid Payload Received".  On inspecting the IPsec logs I see where the client is requesting a Virtual IP and since one is not set it returns the error.  If I set a VIP in the system it will connect with no errors but Internet and DNS are not working (even if I assign my internal DNS server).  I am using the default IPsec rules that are auto generated, but did try adding the rules from the documentation to no avail.  On my SonicWall when I was using L2TP I did not assign a virtual IP, my DHCP server assigned IPs to my VPN clients via a pass through and it worked every time.  As I said, I'm new to this type of firewall and working my way through it so any assistance would be appreciated.

Basic Network setup:
LAN - 192.168.0.0/24
DNS Server - 192.168.0.22
VIP Range - 192.168.0.235/24

Let me know if any more info would help.  Only NAT is for my Web Server and Streaming media server (AntMedia) with accompanying outbound NAT for the media server.  Firewall Rules are all default except for ones created by the NAT.

Thanks
Philip
Title: Re: L2TP Plugin
Post by: mimugmail on November 12, 2020, 03:35:54 pm
Which guide did you follow?
Title: Re: L2TP Plugin
Post by: pcampbell on November 12, 2020, 07:16:27 pm
Firewall Setup:

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html

Client Setup:

https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
Title: Re: L2TP Plugin
Post by: mimugmail on November 12, 2020, 08:57:16 pm
Screenshots please :)
Title: Re: L2TP Plugin
Post by: pcampbell on November 12, 2020, 09:17:19 pm
Here they are. Hope they help.
Title: Re: L2TP Plugin
Post by: mimugmail on November 12, 2020, 09:28:07 pm
Your WAN rule doesn't allow IPsec and the Virtual IP Pool should be different than LAN, like 192.168.255.0/24.

Also screenshots of the tunnel config.
Title: Re: L2TP Plugin
Post by: pcampbell on November 12, 2020, 10:02:14 pm
And here are the Tunnel settings.  I've changed my VIP to a different subnet and still no DNS or routing that I can see.  No internet access either.
Title: Re: L2TP Plugin
Post by: mimugmail on November 12, 2020, 10:27:26 pm
On the client you have the root certificate installed?
Can you post the logs when connecting?
Title: Re: L2TP Plugin
Post by: pcampbell on November 12, 2020, 10:49:06 pm
Yes I do.  I am not getting any errors connecting (since adding the VIP), only no routing or DNS.  If you need the logs is there an easier way to get them than a screenshot?
Title: Re: L2TP Plugin
Post by: pcampbell on November 13, 2020, 04:39:27 am
Ok, after some playing around I'm part way there. I can now route traffic to my internal network, but I still cannot get to the Internet via my VPN tunnel.  Had to add a rule to IPsec to allow my IPsec addresses (VIP now starts at 10.10.0.100/24) to my LAN (or "any" in this case).  DNS and everything there seems to be working fine, but like I said, no internet.  I've tried adding a rule to the WAN, and another rule to the IPsec, but must not have them right.  I also tried adding another outbound NAT to see if that would be the issue.
Title: Re: L2TP Plugin
Post by: mimugmail on November 13, 2020, 06:34:07 am
Screenshot of the updated phase 2 in IPsec please.
Title: Re: L2TP Plugin
Post by: pcampbell on November 13, 2020, 05:36:47 pm
I did not change my p2 tunnel, only updated p1 with a different subnet.
Title: Re: L2TP Plugin
Post by: mimugmail on November 13, 2020, 06:09:49 pm
Remote subnet 0.0.0.0 and add a route to the client?
Title: Re: L2TP Plugin
Post by: pcampbell on November 14, 2020, 04:39:17 am
Ok.  I have to say thank you for all of your help.  The last thing I have done is change the Local Network address in the Tunnel Phase 2 to 0.0.0.0/0 and it is all finally routing properly.  LAN items go to LAN and I have internet access through the tunnel.
Again, thanks for all of your help.
Title: Re: L2TP Plugin
Post by: pcampbell on November 14, 2020, 01:31:54 pm
Ok, may have spoken too soon :-\  While I can see my network and do some things (ping several devices and access some machines) I cannot use Remote Desktop (RDP) to connect to my server.  I can ping the server by DNS name and by IP, but not RDP into it.  Thoughts?
Title: Re: L2TP Plugin
Post by: mimugmail on November 14, 2020, 01:58:05 pm
Windows Firewall disabled?
Title: Re: L2TP Plugin
Post by: pcampbell on November 14, 2020, 05:57:50 pm
Have never had to turn it off before, but did and still no luck.
Title: Re: L2TP Plugin
Post by: mimugmail on November 14, 2020, 06:38:15 pm
Then do a packet capture on the LAN interface for port 3389 and check if you see something.
Title: Re: L2TP Plugin
Post by: pcampbell on November 16, 2020, 03:17:40 am
Here you go.  It appears to be passing traffic (from what I can see).  But it never finishes loading the Remote Desktop into the server or a desktop I tried as well.

Thanks
Philip
Title: Re: L2TP Plugin
Post by: Jhjacobs81 on November 23, 2020, 08:55:54 am
never mind, wrong post here!
Title: [SOLVED] L2TP Plugin
Post by: pcampbell on November 25, 2020, 03:20:46 am
After much trial and testing, I've come to the determination that the cause of my issue stems from something in the Interface Scrub.  If I disable that, RDP works fine.  If it's on I cannot get it to work properly.  I've tried setting an individual setting for the IPsec interface and if I change the Max MSS to 2400 it will allow me to connect to one of my servers.  If I try a desktop it will not work.  If I change it to 2500 I can connect to the desktop but then I cannot connect to the server.  I have tried different combinations of settings and not made any progress.  As I say though, just turning off the Interface Scrub works, so I guess I'll leave it at that.

Thanks to all who helped
Philip Campbell
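The three pitfalls this thread walked through (a VIP pool placed inside the LAN subnet, a Phase 2 local network narrower than 0.0.0.0/0 when the client should route the Internet through the tunnel, and an MSS clamp value that cannot take effect) can be linted before the first connection attempt. This is an added example, not OPNsense code or anything posted in the thread; the function and finding texts are my own, the sample values mirror the thread's setup, and the MSS check relies only on the fact that IPv4 TCP never advertises an MSS above MTU minus 40 bytes of IP and TCP headers, so a clamp above that limit changes nothing.

```python
import ipaddress
from typing import List, Optional

# 20-byte IPv4 header + 20-byte TCP header (no options).
IPV4_TCP_HEADERS = 40


def natural_mss(mtu: int) -> int:
    """Largest MSS a host will advertise over a path with the given MTU."""
    return mtu - IPV4_TCP_HEADERS


def check_roadwarrior(lan: str, vip_pool: str, phase2_local: str,
                      full_tunnel: bool, mtu: int = 1500,
                      max_mss: Optional[int] = None) -> List[str]:
    """Return human-readable findings for a road-warrior IPsec layout.

    strict=False accepts host-style notation such as 192.168.0.235/24,
    which is how the VIP pool was written in the thread.
    """
    findings: List[str] = []
    lan_net = ipaddress.ip_network(lan, strict=False)
    pool_net = ipaddress.ip_network(vip_pool, strict=False)
    p2_net = ipaddress.ip_network(phase2_local, strict=False)

    # LAN hosts treat addresses inside their own subnet as on-link and ARP for
    # them locally, so replies to VPN clients in an overlapping pool never
    # reach the firewall.
    if lan_net.overlaps(pool_net):
        findings.append(f"VIP pool {pool_net} overlaps LAN {lan_net}; "
                        f"use a separate subnet for VPN clients")

    # A full-tunnel client only sends Internet traffic into the SA if the
    # Phase 2 local (traffic selector) side covers 0.0.0.0/0.
    if full_tunnel and p2_net != ipaddress.ip_network("0.0.0.0/0"):
        findings.append(f"Phase 2 local network is {p2_net}; full tunnel "
                        f"needs 0.0.0.0/0")

    # An MSS clamp only ever lowers the advertised MSS, so a value above the
    # natural MSS for this MTU is a no-op rather than a fix.
    if max_mss is not None and max_mss > natural_mss(mtu):
        findings.append(f"Max MSS {max_mss} exceeds {natural_mss(mtu)} "
                        f"(MTU {mtu} - {IPV4_TCP_HEADERS}); clamp has no effect")
    return findings


if __name__ == "__main__":
    # Constructed sample: the thread's first layout, then the reworked one.
    for f in check_roadwarrior("192.168.0.0/24", "192.168.0.235/24",
                               "192.168.0.0/24", full_tunnel=True):
        print("-", f)
    for f in check_roadwarrior("192.168.0.0/24", "10.10.0.100/24",
                               "0.0.0.0/0", full_tunnel=True, max_mss=2400):
        print("-", f)
```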
Title: Re: L2TP Plugin
Post by: Jhjacobs81 on December 02, 2020, 12:20:02 pm
I managed to get it working with help from Deciso support, I believe there are some steps missing in the manual.. but of course I can't remember what they did.. let me get back to you later on!

One thing had to do with the NAT settings, I remember that clearly :)