Hi,
I'm trying to set up an IPSec RoadWarrior setup; clients will be using the built-in VPN client in Win 10.
I tried to follow
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html and
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
but I get these errors:
2023-03-20T15:01:03 Informational charon 14[IKE] <con1|1> unable to resolve %any, initiate aborted
2023-03-20T15:01:03 Informational charon 14[CFG] initiating 'con1'
2023-03-20T15:01:03 Informational charon 14[CFG] added vici connection: con1
2023-03-20T15:01:03 Informational charon 12[CFG] added vici pool defaultv4: 10.10.10.0, 254 entries
2023-03-20T15:01:03 Informational charon 14[CFG] loaded EAP shared key with id 'eap-d955cab7-40cb-4679-91fc-1aca866de861' for: 'christianwin'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded ANY private key
2023-03-20T15:01:03 Informational charon 13[CFG] loaded certificate 'CN=xxxxx'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded certificate 'C=US, O=Let's Encrypt, CN=R3'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded certificate 'C=xx, ST=xxx, L=xx, O=xx, E=xx, CN=Server-CA'
2023-03-20T15:01:03 Informational charon 15[CFG] loaded certificate 'CN=ChangeMe'
2023-03-20T15:01:03 Informational charon 14[CFG] loaded certificate 'CN=xx'
2023-03-20T15:01:02 Informational charon 00[JOB] spawning 16 worker threads
2023-03-20T15:01:02 Informational charon 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2023-03-20T15:01:02 Informational charon 00[CFG] loaded 0 RADIUS server configurations
2023-03-20T15:01:02 Informational charon 00[CFG] opening secrets file '/usr/local/etc/ipsec.secrets' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/crls' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/acerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/ocspcerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/aacerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2023-03-20T15:01:02 Informational charon 00[CFG] reading directory failed
2023-03-20T15:01:02 Informational charon 00[LIB] opening directory '/usr/local/etc/ipsec.d/cacerts' failed: No such file or directory
2023-03-20T15:01:02 Informational charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2023-03-20T15:01:02 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2023-03-20T15:01:02 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2023-03-20T15:01:02 Informational charon 00[CFG] using '/sbin/resolvconf' to install DNS servers
2023-03-20T15:01:02 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64)
Searching for "unable to resolve %any, initiate aborted" did not yield any useful results ... :-(
Any idea?
Could there be an incorrect comment in one of the configuration files? Using % instead of a semicolon or # for example, or a missing quote for "any' rule in a literal option?
Is "ANY" private key a key you named yourself?
I encountered the same problem some time ago. No chance, NAT-T is not implemented in FreeBSD for IPsec over IPv6. NAT-T needs to be disabled in this case. Unfortunately, some implementations do not allow to configure this parameter.
Another solution may be to use Wireguard instead.
Quote from: wbk on March 20, 2023, 05:28:01 PM
Could there be an incorrect comment in one of the configuration files? Using % instead of a semicolon or # for example, or a missing quote for "any' rule in a literal option?
Is "ANY" private key a key you named yourself?
I did not write the config files manually. Everything has been created by the OPNsense GUI.
I don't even know where I could find those files.
The ANY or %any has been produced by the OPNsense GUI. I did not select it anywhere, nor did I type it in - there is not even a field in the GUI where I could type it in.
Quote from: schnipp on March 20, 2023, 05:50:30 PM
I encountered the same problem some time ago. No chance, NAT-T is not implemented in FreeBSD for IPsec over IPv6. NAT-T needs to be disabled in this case. Unfortunately, some implementations do not allow to configure this parameter.
Another solution may be to use Wireguard instead.
no IPv6 - pure IPv4
Wireguard is not possible in this case; the Windows client machines can only use the built-in VPN client, it is not possible to install any additional VPN client on them.
(These are centrally managed Windows notebooks (via SCCM), and this is a special use case for 6 out of 800 machines; the central management will not install any software for such a small number of machines.)
Quote from: schnipp on March 20, 2023, 05:50:30 PM
I encountered the same problem some time ago. No chance, NAT-T is not implemented in FreeBSD for IPsec over IPv6. NAT-T needs to be disabled in this case. Unfortunately, some implementations do not allow to configure this parameter.
Another solution may be to use Wireguard instead.
I switched off NAT-T in the OPNsense GUI and restarted strongSwan.
Still no luck:
2023-03-20T18:34:40 Informational charon 05[IKE] <con1|2> unable to resolve %any, initiate aborted
2023-03-20T18:34:40 Informational charon 15[CFG] received stroke: initiate 'con1'
2023-03-20T18:34:30 Informational charon 13[IKE] <con1|1> unable to resolve %any, initiate aborted
2023-03-20T18:34:30 Informational charon 13[CFG] initiating 'con1'
2023-03-20T18:34:30 Informational charon 13[CFG] added vici connection: con1
2023-03-20T18:34:30 Informational charon 11[CFG] added vici pool defaultv4: 10.10.10.0, 254 entries
2023-03-20T18:34:30 Informational charon 13[CFG] loaded EAP shared key with id 'eap-d955cab7-40cb-4679-91fc-1aca866de861' for: 'xxxxxx'
2023-03-20T18:34:30 Informational charon 13[CFG] loaded ANY private key
Quote from: BSAfH42 on March 20, 2023, 06:31:17 PM
no IPv6 - pure IPv4
What exactly do you mean by the above statement? If I read the log correctly, you are trying to establish an IPsec tunnel over IPv6 with NAT-T.
Quote from: BSAfH42 on March 20, 2023, 06:37:10 PM
I switched off NAT-T in the OPNsense GUI and restarted strongSwan.
AFAIK charon does not support disabling NAT-T even if the parameter is set/unset. You can try disabling MOBIKE or forcing the client to disable NAT-T.
Well, it should be IPv4 only, so where do I disable IPv6 for this tunnel negotiation?
I'll try to disable MOBIKE.
Did not help, same error.
The easiest way is to post your tunnel configuration without any secrets.
see file '/usr/local/etc/swanctl/swanctl.conf'
Can you post a screenshot of P1 please? It tries to initiate a tunnel when accepting 0.0.0.0, doesn't make sense.
Quote from: schnipp on March 26, 2023, 07:58:55 PM
The easiest way is to post your tunnel configuration without any secrets.
see file '/usr/local/etc/swanctl/swanctl.conf'
sure
root@OPNsense:~ # cat /usr/local/etc/swanctl/swanctl.conf
# This file is automatically generated. Do not edit
connections {
    con1 {
        unique = replace
        aggressive = no
        version = 2
        mobike = no
        local_addrs = 192.168.178.3
        local-0 {
            id = fqdn:my-fqdn-name.dedyn.io
            auth = pubkey
            certs = cert-1.crt
        }
        remote-0 {
            id = %any
            auth = eap-mschapv2
            eap_id = %any
        }
        encap = no
        remote_addrs = %any
        dpd_delay = 35 s
        dpd_timeout = 210 s
        pools = defaultv4
        send_cert = always
        proposals = aes256gcm16-sha512-curve25519,aes256gcm16-sha512-ecp521,aes256gcm16-sha512-ecp384,aes256gcm16-sha512-ecp256,aes256gcm16-sha512-modp8192,aes256gcm16-sha512-modp4096,aes256gcm16-sha512-modp2048,aes256gcm16-sha512-modp1024,aes256gcm16-sha384-curve25519,aes256gcm16-sha384-ecp521,aes256gcm16-sha384-ecp384,aes256gcm16-sha384-ecp256,aes256gcm16-sha384-modp8192,aes256gcm16-sha384-modp4096,aes256gcm16-sha384-modp2048,aes256gcm16-sha384-modp1024,aes256gcm16-sha256-curve25519,aes256gcm16-sha256-ecp521,aes256gcm16-sha256-ecp384,aes256gcm16-sha256-ecp256,aes256gcm16-sha256-modp8192,aes256gcm16-sha256-modp4096,aes256gcm16-sha256-modp2048,aes256gcm16-sha256-modp1024,aes256gcm16-sha1-curve25519,aes256gcm16-sha1-ecp521,aes256gcm16-sha1-ecp384,aes256gcm16-sha1-ecp256,aes256gcm16-sha1-modp8192,aes256gcm16-sha1-modp4096,aes256gcm16-sha1-modp2048,aes256gcm16-sha1-modp1024
        children {
            con1 {
                start_action = start
                policies = yes
                mode = tunnel
                sha256_96 = no
                dpd_action = start
                local_ts = 192.168.80.0/24
                remote_ts =
                esp_proposals = aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512,aes256gcm16-sha1,aes256gcm16-sha256,aes256gcm16-sha384,aes256gcm16-sha512
                life_time = 3600 s
            }
        }
    }
}
pools {
    defaultv4 {
        addrs = 10.10.10.0/24
    }
}
secrets {
    eap-d955cab7-40cb-4679-91fc-1aca866de861 {
        id-0 = MYID
        secret = MYPASSWD
    }
}
# Include config snippets
include conf.d/*.conf
root@OPNsense:~ #
There are no files in
include conf.d/*.conf
Quote from: mimugmail on March 27, 2023, 08:49:12 AM
Can you post a screenshot of P1 please? It tries to initiate a tunnel when accepting 0.0.0.0, doesn't make sense.
sure (see attachments)
(https://forum.opnsense.org/index.php?action=dlattach;topic=33126.0;attach=26756)
(https://forum.opnsense.org/index.php?action=dlattach;topic=33126.0;attach=26758)
Connection method is respond only.
Are you sure this is a mobile policy? Maybe you already have one and added a second P1?
Quote from: mimugmail on March 28, 2023, 10:23:05 AM
Connection method is respond only.
Are you sure this is a mobile policy?
Well, I followed
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html and
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
so it should be a mobile policy?
Quote from: mimugmail on March 28, 2023, 10:23:05 AM
Maybe you already have one and added a second P1?
No, there is only one P1 defined
Quote from: mimugmail on March 28, 2023, 10:23:05 AM
Connection method is respond only.
Are you sure this is a mobile policy? Maybe you already have one and added a second P1?
see attachment
Quote from: BSAfH42 on March 28, 2023, 10:52:11 AM
Quote from: mimugmail on March 28, 2023, 10:23:05 AM
Connection method is respond only.
Are you sure this is a mobile policy?
Well, I followed
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html and
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
so it should be a mobile policy?
Quote from: mimugmail on March 28, 2023, 10:23:05 AM
Maybe you already have one and added a second P1?
No, there is only one P1 defined
So in the overview of IPsec: Tunnel Settings it's labeled as "Mobile Client"? Then setting the connection method to default and not "start immediate" should be sufficient.
As mimugmail already mentioned for roadwarrior you need to set the start_action to "default" (or "none"). Additionally, if authentication fails, please remove "my identifier" in phase 1.
Quote from: schnipp on March 28, 2023, 07:13:10 PM
As mimugmail already mentioned for roadwarrior you need to set the start_action to "default" (or "none"). Additionally, if authentication fails, please remove "my identifier" in phase 1.
thanks!
Yes, it is marked as Mobile Client.
I set the start action to "default" and changed "my identifier" to "automatic" (there is no "none").
Still does not work, but it's a different error:
2023-03-29T08:08:22 Informational charon 08[NET] <2> sending packet: from 192.168.80.2[500] to 192.168.80.105[500] (36 bytes)
2023-03-29T08:08:22 Informational charon 08[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2023-03-29T08:08:22 Informational charon 08[IKE] <2> no IKE config found for 192.168.80.2...192.168.80.105, sending NO_PROPOSAL_CHOSEN
2023-03-29T08:08:22 Informational charon 08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
2023-03-29T08:08:22 Informational charon 08[NET] <2> received packet: from 192.168.80.105[500] to 192.168.80.2[500] (1104 bytes)
2023-03-29T08:07:44 Informational charon 13[IKE] <con1|1> unable to resolve %any, initiate aborted
2023-03-29T08:07:44 Informational charon 14[CFG] received stroke: initiate 'con1'
and the Windows client says "Fehler in der Richtlinienübereinstimmung"
So, your WAN interface is 192.168.80., you have a gateway like .1 and your test client is on the same net with something like .5?
Quote from: mimugmail on March 29, 2023, 12:37:07 PM
So, your WAN interface is 192.168.80., you have a gateway like .1 and your test client is on the same net with something like .5?
the WAN interface is 192.168.178.3, the gateway to the outside world is 192.168.178.1 (Fritz!Box)
the LAN interface is 192.168.80.2 on the OPNsense firewall
the test client is either 192.168.80.x (LAN) or in 10.0.8.x (OpenVPN VPN, OPNsense is the OpenVPN server); this is just a test for mobile clients outside the LAN.
The real application would be a road warrior with any external address. The Fritz!Box forwards everything from external addresses to the OPNsense box (in Fritz!Box terms: "exposed host").
I don't really understand what you are trying to do. IPsec has nothing to do with OpenVPN, these are completely different technologies. Regarding IPsec, the client has to connect to the OPNsense endpoint 192.168.178.3.
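An added example, not code from this thread or from OPNsense: a small Python lint over the swanctl.conf subset posted above that flags both symptoms seen in this thread, the "unable to resolve %any, initiate aborted" abort (a child with start_action = start on a connection whose remote_addrs is %any, which schnipp and mimugmail say to change to default/none) and the later "no IKE config found ... NO_PROPOSAL_CHOSEN" reply when the request arrives on 192.168.80.2 while local_addrs is only 192.168.178.3, as schnipp points out. The parser and the trimmed sample config are my own constructions and handle only the format shown in the post.

```python
# Added example, not from the thread or OPNsense: a lint for the two road-warrior
# symptoms in this thread, over the swanctl.conf subset shown above.
def parse_swanctl(text):
    # 'key = value' lines and 'name { ... }' sections -> nested dicts.
    # Strips '#' comments, so values containing '#' are not supported.
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include"):
            continue
        if line.endswith("{"):                 # open a section
            section = {}
            cur[line[:-1].strip()] = section
            stack.append(cur)
            cur = section
        elif line == "}":                      # close it
            cur = stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return root

def lint_roadwarrior(cfg, ike_dst=None):
    # ike_dst: the local address an IKE_SA_INIT arrived on (from the charon log), if known.
    findings = []
    for name, conn in cfg.get("connections", {}).items():
        local = [a.strip() for a in conn.get("local_addrs", "").split(",") if a.strip()]
        for cname, child in conn.get("children", {}).items():
            # Symptom 1: "unable to resolve %any, initiate aborted"
            if conn.get("remote_addrs") == "%any" and child.get("start_action") == "start":
                findings.append(f"{name}/{cname}: start_action=start with remote_addrs=%any; a responder-only connection cannot initiate")
        # Symptom 2: "no IKE config found for A...B, sending NO_PROPOSAL_CHOSEN"
        if ike_dst and local and ike_dst not in local:
            findings.append(f"{name}: request arrived on {ike_dst} but local_addrs={','.join(local)}; charon will answer NO_PROPOSAL_CHOSEN")
    return findings

# Constructed sample, trimmed from the swanctl.conf posted in this thread.
SAMPLE = """connections {
    con1 {
        local_addrs = 192.168.178.3
        remote_addrs = %any
        children {
            con1 {
                start_action = start
            }
        }
    }
}
"""
```

Running `lint_roadwarrior(parse_swanctl(SAMPLE), ike_dst="192.168.80.2")` reports both findings; with start_action = none and a request on 192.168.178.3 it reports nothing.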
Quote from: schnipp on March 29, 2023, 04:53:55 PM
I don't really understand what you are trying to do. IPsec has nothing to do with OpenVPN, these are completely different technologies. Regarding IPsec, the client has to connect to the OPNsense endpoint 192.168.178.3.
Well, I do know that OpenVPN is a completely different technology. For this purpose, the OVPN network is just another network from where connections can come in.
And yes, the IPSec clients do connect to 192.168.178.3, because everything coming from the outside world is forwarded by the FritzBox to the WAN interface on OPNsense, which has 192.168.178.3.
So, I do not understand what you are trying to tell me.