OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: loganx1121 on October 15, 2019, 02:24:10 AM

Title: Need help with IPSec and Windows machines
Post by: loganx1121 on October 15, 2019, 02:24:10 AM
I posted in the 19.7 production forum but looks like people are posting questions here as well so I figured it couldn't hurt since I am completely stuck.

I've also posted on the reddit which includes screen shots here: https://www.reddit.com/r/OPNsenseFirewall/comments/dhjwwz/need_some_ipsec_help_pretty_please/

Basically I'm trying to set up IPSec and have it work with Windows 10 clients, and I am failing miserably.  I followed the guide on the wiki, but when I try to connect from my friend's laptop (using teamviewer for the remote session) I can't even see the traffic from her public IP hit my firewall.

Key points:
- I followed this guide: https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html
- I downloaded the CA from the firewall and installed it on the client laptop
- I'm using DDNS so people can use a name to reach my public IP.  This has worked flawlessly before with other setups
- I can't see the traffic in the live firewall logs when I try to make the connection from my friend's laptop

I am assuming I'm doing something stupid, or missing something, but I've been at it for 2 days straight and I'm just lost.  Please let me know if I can provide further screen shots or information beyond what is posted in the reddit thread if it will help.

Thank you in advance.
Title: Re: Need help with IPSec and Windows machines
Post by: loganx1121 on October 15, 2019, 04:41:37 PM
So as far as I can tell, the traffic isn't even getting to the firewall.  I have no idea why.  The DDNS I'm using for the IPSec connection is the same one I am using for the port forward and configuration for my XMPP server, which is up and working.  If I "inspect" the firewall rules I was told to add via the guide, and the firewall rule for the IPsec, I see several "evaluations" but no packets, bytes, or states.  But here is something interesting...

- If I leave the client configuration on the Windows 10 machine the way the guide tells me, and I initiate the connection, it just says "Connecting" and never does anything.

- If I switch it to "Use machine certificates" then it says Connecting, it displays the DDNS name, and then fails with the error "IKE failed to find valid machine certificate"

- If I modify it to say "Use my windows logon credentials", it says Connecting, it displays the DDNS name, but it just hangs after that.

Regardless of which option I choose above, the states, packets, bytes on the rules remain at 0
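The symptom described in the thread (rules show evaluations but zero packets, bytes or states) means no matching packet ever reached the WAN rule, so the first thing to establish is whether IKE traffic arrives at the WAN interface at all, and whether the firewall answers it. The script below is an added triage helper, not part of the original posts or of OPNsense; it assumes a packet capture in tcpdump text format (e.g. `tcpdump -ni <wan_if> udp port 500 or udp port 4500 or proto 50`, run from the OPNsense shell) and uses constructed addresses from the documentation ranges.

```python
"""Triage an IPsec road-warrior client that never connects.

Classifies captured IKE (UDP/500), NAT-T (UDP/4500) and ESP packets by
direction relative to the firewall's WAN address, then reports which of
the usual failure points the capture is consistent with.  Added example;
the tcpdump line layout is assumed, and all addresses are constructed.
"""
import re
from collections import Counter

WAN_IP = "198.51.100.7"     # constructed: the firewall's public address
CLIENT_IP = "203.0.113.5"   # constructed: the remote Windows 10 client

# Constructed sample captures in tcpdump text format.
CAPTURE_NO_TRAFFIC = []     # the situation in the thread: nothing arrives

CAPTURE_IKE_UNANSWERED = [  # client retries IKE_SA_INIT, firewall never replies
    "10:01:02.000001 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: parent_sa ikev2_init[I]",
    "10:01:04.000002 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: parent_sa ikev2_init[I]",
]

CAPTURE_IKE_EXCHANGE = [    # healthy exchange: init, auth over NAT-T, then ESP
    "10:01:02.000001 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: parent_sa ikev2_init[I]",
    "10:01:02.010000 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[R]",
    "10:01:02.050000 IP 203.0.113.5.4500 > 198.51.100.7.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
    "10:01:02.090000 IP 198.51.100.7.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]",
    "10:01:03.000000 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0xc0ffee01,seq=0x1), length 132",
]

# "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"  (UDP lines)
UDP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "<ts> IP <src> > <dst>: ESP(spi=...,seq=...)"  (ESP lines carry no ports)
ESP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(")

NEXT_STEP = {
    "ddns-mismatch":   "DDNS name resolves to a different address than the WAN; fix the DDNS record first.",
    "no-ike-arrives":  "No UDP/500 or UDP/4500 reaches the WAN: check the client's server name, any upstream router/NAT, and ISP filtering.",
    "ike-unanswered":  "IKE arrives but nothing goes back: check the WAN rules for UDP 500/4500 and ESP, and that the IPsec service is enabled and listening.",
    "ike-exchange-ok": "IKE is exchanged; the problem is in authentication or policy, so read the IPsec log for the failing step.",
}


def classify(line):
    """Return (kind, src, dst); kind is 'ike', 'natt', 'esp' or None."""
    m = ESP_RE.match(line)
    if m:
        return "esp", m["src"], m["dst"]
    m = UDP_RE.match(line)
    if not m:
        return None, None, None
    dport = int(m["dport"])
    if dport == 500:
        return "ike", m["src"], m["dst"]
    if dport == 4500:
        return "natt", m["src"], m["dst"]
    return None, None, None


def summarize(lines, wan_ip):
    """Count packets per (direction, kind) relative to the WAN address."""
    counts = Counter()
    for line in lines:
        kind, src, dst = classify(line)
        if kind is None:
            continue
        direction = "in" if dst == wan_ip else "out" if src == wan_ip else "other"
        counts[(direction, kind)] += 1
    return counts


def triage(ddns_ip, wan_ip, lines):
    """Map the resolved DDNS address plus a capture to a verdict key."""
    if ddns_ip != wan_ip:
        return "ddns-mismatch"
    c = summarize(lines, wan_ip)
    inbound = c[("in", "ike")] + c[("in", "natt")]
    outbound = c[("out", "ike")] + c[("out", "natt")]
    if inbound == 0:
        return "no-ike-arrives"
    if outbound == 0:
        return "ike-unanswered"
    return "ike-exchange-ok"


if __name__ == "__main__":
    for name, cap in [("nothing", CAPTURE_NO_TRAFFIC),
                      ("unanswered", CAPTURE_IKE_UNANSWERED),
                      ("exchange", CAPTURE_IKE_EXCHANGE)]:
        verdict = triage(WAN_IP, WAN_IP, cap)
        print(f"{name:10s} -> {verdict}: {NEXT_STEP[verdict]}")
```

Replace the constructed capture lists with real capture output and `WAN_IP` with the address shown on the WAN interface; if the DDNS name resolves (`host <name>`) to anything else, the client is simply talking to the wrong host and no amount of rule or certificate changes will show packets on the firewall.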