Hello fellow admins...
We've deployed the commercial version of OPNsense and we can't get IPsec working at all.
We can establish our phase 1 tunnel, and our client can see the connection.
When we add a tunnel with a subnet it never shows connected and doesn't pass traffic.
I'm in a bind here: either I have to find the answer by noon ET or I have to rip out OPNsense from the network. We've been working on this problem for two weeks.
The endpoint we connect to is not under our control, but rather is a customer. It's apparently a Cisco ASA.
The basic config we were given looks like this:
IKE POLICY (PHASE 1)
IKE Encryption Policy: AES 256
IKE Authentication: SHA1
IKE Lifetime (Seconds): 28800 / 480 minutes / 8 hours
Diffie Hellman Group: Group 5
Identity: IP Address
Authentication: Pre-shared Key
Main Mode or Aggressive Mode: Main Mode
Pre-shared Key: thisisnotourkeybutmaybeitisornotbackwardshuh?
IPSEC POLICY (PHASE 2)
IPSEC Encryption Policy: ESP - AES 256
IPSEC Authentication Policy: SHA1
Perfect Forward Secrecy & DH Group: Disabled
IPSEC SA Lifetime Seconds: 28800
IPSEC SA Lifetime Kilobytes: Disabled
Vendor ID: Disabled
Compression: Disabled
There are roughly 12 /24 subnets on the remote endpoint. We configure the tunnels, they never show up in status and will not pass traffic.
Is there an apparent quick fix known issue scenario here? It is possible the problem is on the remote ASA. But I'm going to have to prove that.
Thoughts?
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.
HTH,
Patrick
Quote from: pmhausen on August 09, 2022, 04:05:16 PM
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.
HTH,
Patrick
It took us two weeks just to get a network engineer from the client to talk to us. In our meeting yesterday they say they cannot see any phase 2 activity at all. And we don't see it on the status page either.
I'm also not seeing any traffic in the firewall log monitor.
I have re-installed strongSwan, reset to defaults, etc.
Quote from: cozzicon on August 09, 2022, 04:09:50 PM
Quote from: pmhausen on August 09, 2022, 04:05:16 PM
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.
HTH,
Patrick
It took us two weeks just to get a network engineer from the client to talk to us. In our meeting yesterday they say they cannot see any phase 2 activity at all. And we don't see it on the status page either.
I'm also not seeing any traffic in the firewall log monitor.
I have re-installed strongSwan, reset to defaults, etc.
We're configuring based on what we were given. I can challenge them to recheck the subnets.
Quote from: pmhausen on August 09, 2022, 04:05:16 PM
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.
HTH,
Patrick
Currently testing with only one tunnel and one subnet. Any isolation issue could be dealt with later.
tcpdump ...? Do you see IPsec packets after phase 1 is established? NAT-T?
Well- I was hoping there was a known issue or something along those lines.
Looks like I'm going to order a Checkpoint and be done with this. It's time sensitive. 12pm is the cutoff point for me.
Thanks for the assist.
I have set up dozens of multi-vendor IPsec VPNs in my life and it always boiled down to: read the logs until you spot what they don't agree about. Then fix that.
E.g. having the same lifetime in seconds for phase 1 and phase 2 looks weird. Phase 2 should be shorter than phase 1. I don't know if this is an issue for OPNsense, but I would not run a setup like this.
HTH,
Patrick
EDIT: Are you using NAT-T? If not, did you open ESP and AH from your peer to your external address on WAN? If yes, did you open UDP:4500 in addition to UDP:500 on WAN?
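As an added example (not from the thread or from OPNsense/strongSwan itself), here is a small checker that puts Patrick's advice into code: it compares the locally configured phase 1/phase 2 settings against the peer's policy sheet, in strongSwan proposal notation, and reports algorithm and PFS mismatches, the phase 2 lifetime not being shorter than phase 1, and subnet/netmask differences on the traffic selectors. The peer subnets and the local configuration dict are constructed sample values; the algorithm mapping (AES 256 -> aes256, SHA1 -> sha1, DH group 5 -> modp1536) is an assumption about how the sheet translates.

```python
from ipaddress import ip_network

# The peer's policy sheet from the thread, written as strongSwan proposals.
# Subnets are constructed sample values; the real ones are not on the page.
PEER = {
    "ike": "aes256-sha1-modp1536",   # AES 256 / SHA1 / DH group 5
    "esp": "aes256-sha1",            # ESP AES 256 / SHA1
    "pfs": None,                     # "Perfect Forward Secrecy & DH Group: Disabled"
    "ike_lifetime": 28800,
    "esp_lifetime": 28800,
    "subnets": ["10.10.1.0/24", "10.10.2.0/24"],
}


def diagnose(local, peer=PEER):
    """Return a list of findings; an empty list means both sides agree on paper."""
    findings = []
    if local["ike"] != peer["ike"]:
        findings.append(f"phase 1 proposal: local {local['ike']} vs peer {peer['ike']}")
    if local["esp"] != peer["esp"]:
        findings.append(f"phase 2 proposal: local {local['esp']} vs peer {peer['esp']}")
    if local.get("pfs") != peer.get("pfs"):
        findings.append(f"PFS group: local {local.get('pfs')} vs peer {peer.get('pfs')}")
    # Patrick's point: the phase 2 (CHILD_SA) lifetime should be shorter than phase 1.
    if local["esp_lifetime"] >= local["ike_lifetime"]:
        findings.append(f"phase 2 lifetime {local['esp_lifetime']}s is not shorter "
                        f"than phase 1 lifetime {local['ike_lifetime']}s")
    # Traffic selectors: an overlapping-but-different network means a wrong netmask.
    peer_nets = [ip_network(n) for n in peer["subnets"]]
    for s in local["subnets"]:
        net = ip_network(s, strict=False)
        if net in peer_nets:
            continue
        overlap = [p for p in peer_nets if p.overlaps(net)]
        if overlap:
            findings.append(f"netmask mismatch: local {net} vs peer {overlap[0]}")
        else:
            findings.append(f"subnet {net} is not in the peer's list")
    return findings


if __name__ == "__main__":
    # Constructed local config: PFS left on, equal lifetimes, one subnet typed as /23.
    local = {"ike": "aes256-sha1-modp1536", "esp": "aes256-sha1", "pfs": "modp1536",
             "ike_lifetime": 28800, "esp_lifetime": 28800,
             "subnets": ["10.10.1.0/24", "10.10.2.0/23"]}
    for finding in diagnose(local):
        print("-", finding)
```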