OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Hannes on August 10, 2022, 04:20:58 PM

Title: IPsec Routing Problem after Update to 22.7.x
Post by: Hannes on August 10, 2022, 04:20:58 PM
I have a problem with IPsec since updating to OPNsense 22.7.x

IPsec Setup (Road Warrior)

Client: macOS 12

OPNsense 22.1.x
Connect with Client to OPNsense Network from "the road". All IPs on the VPN Network are accessible, Internet Routing goes through Client Internet Connection.

After Update to 22.7.x
Connect with Client to OPNsense Network from "the road". All IPs on the VPN Network are accessible, Internet Routing goes through VPN Connection and Internet/DNS is not working or too slow.

This behavior I had before I found the setting "Provide a list of accessible networks to clients" (VPN/IPSec/Mobile Clients).

1. Did I describe the problem so it can be understood?
2. Is there a quick fix - maybe in a configuration file on the OPNsense server?
3. Please do not offer solutions like "this is better, or use WireGuard" - I'm interested in this solution, and it worked already, so I would like to fix it, thank you.

Greetings
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: Hannes on August 14, 2022, 06:55:04 PM
Further investigations:

strongswan.conf (OPNsense 22.7) (not working)

cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }

strongswan.conf (OPNsense 22.1) (working)

cisco_unity = yes
    plugins {
        attr {
            subnet = 192.168.100.0/24
            split-include = 192.168.100.0/24
            dns = 192.168.100.1
            # Search domain and default domain
            28674 = network.local
            28675 = network.local
            25 = network.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }
The file carries a warning: "# Automatically generated, please do not modify"

So the change needs to be made in OPNsense?

Thank you
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: Hannes on August 14, 2022, 06:57:01 PM
Client macOS 12.5

netstat:

Connected with OPNsense 22.7 (not working) -> gateway is the vpn interface
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  10.1.99.100.51771      17.248.173.48.https    SYN_SENT


Connected with OPNsense 22.1 (working) -> local gateway is used
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  mbp-16-han.fritz.51894 10.5.1.113.net-assista SYN_SENT
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: Hannes on August 15, 2022, 01:14:28 PM
I tried to edit /usr/local/etc/strongswan.conf -> the file gets recovered by the system on restart of strongswan

I tried to create /usr/local/etc/strongswan.opnsense.d/include.conf -> works!

-----
starter {
}
charon {
    plugins {
        attr {
            subnet = 10.1.1.0/24
            split-include = 10.1.1.0/24
        }
    }
}
-----
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: eell on August 16, 2022, 09:53:35 AM
Thanks, this is helpful. I have >30 entries in "subnet" and "split-include".

Did you copy the whole content of strongswan.conf into include.conf, or just the missing part?

What would also interest me is whether this behaviour is a "feature" or a bug. I will probably try vs. 22.1.10 in the evening.
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: Hannes on August 16, 2022, 02:08:59 PM
Hi eell!

Thank you for reply!

I copied just the missing part to the include.conf with the necessary brackets and header.

Really missing are just these 2 lines:
subnet = 10.1.1.0/24
split-include = 10.1.1.0/24

IMO this is a bug - it worked with 22.1.x (when you activated "Provide a list of accessible networks to clients"), but the 2 lines disappeared with 22.7 and don't come back, even if you activate the button.

Greetings

Hannes
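As an added example (not from the thread and not OPNsense or strongSwan code), here is a small Python script that parses the strongswan.conf brace syntax shown in the posts above, reports whether the charon.plugins.attr section carries the subnet / split-include keys, and renders an include.conf for a list of networks, which is what someone with eell's ">30 entries" would want instead of typing them by hand. The sample configs are constructed from the excerpts in the thread, the function names are my own, and the comma-separated form for multiple networks follows the strongSwan attr plugin documentation as I understand it (an assumption to check against the installed version).

```python
"""Check a generated strongswan.conf for the attr-plugin split-tunnel keys
and render an override file for /usr/local/etc/strongswan.opnsense.d/.
Added example, not OPNsense or strongSwan code; function names are my own."""
import ipaddress

SPLIT_KEYS = ("subnet", "split-include")

# Constructed sample modelled on the 22.7 excerpt in the thread (keys missing).
CONF_22_7 = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
    }
}
"""

# Constructed sample modelled on the 22.1 excerpt (keys present).
CONF_22_1 = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            subnet = 192.168.100.0/24
            split-include = 192.168.100.0/24
            dns = 192.168.100.1
        }
    }
}
"""


def parse_strongswan_conf(text):
    """Parse strongswan.conf's 'key = value' / 'section { }' syntax into
    nested dicts. Comments start with '#'; one statement per line."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without open section")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def missing_split_keys(conf):
    """Return the split-tunnel keys absent from charon.plugins.attr."""
    attr = conf.get("charon", {}).get("plugins", {}).get("attr", {})
    return [k for k in SPLIT_KEYS if k not in attr]


def render_include_conf(networks):
    """Render an include.conf adding subnet/split-include for the networks.
    Each network is validated as a proper CIDR prefix first, so a typo
    fails here rather than ending up in every client's routing table.
    Assumption: multiple values are comma-separated, as for other attr keys."""
    checked = [str(ipaddress.ip_network(n, strict=True)) for n in networks]
    joined = ", ".join(checked)
    return (
        "starter {\n}\n"
        "charon {\n"
        "    plugins {\n"
        "        attr {\n"
        f"            subnet = {joined}\n"
        f"            split-include = {joined}\n"
        "        }\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    for label, text in (("22.7", CONF_22_7), ("22.1", CONF_22_1)):
        missing = missing_split_keys(parse_strongswan_conf(text))
        print(label, "missing:", missing or "none")
    print(render_include_conf(["10.1.1.0/24", "10.1.2.0/24"]))
```

Run it against a copy of the generated /usr/local/etc/strongswan.conf to confirm the keys really are absent before adding the override; the rendered text can be written to the include.conf path Hannes used. Because ip_network is called with strict=True, an entry such as 10.1.1.1/24 (host bits set) is rejected instead of being pushed to clients.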
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: eell on August 16, 2022, 10:37:32 PM
Thank you Hannes,

worked like a charm. I did not try 22.1 as you did this already. But I filed a bug report: #5960

Best regards
Title: Re: IPsec Routing Problem after Update to 22.7.x
Post by: franco on August 17, 2022, 08:42:21 AM
Thanks for the ticket. Commit causing this has likely been found and ticket assigned over to author for inspection.


Cheers,
Franco