OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: bobbythomas on June 27, 2016, 11:44:53 pm

Title: Traffic not passing through IPSec Roadwarrior tunnel.
Post by: bobbythomas on June 27, 2016, 11:44:53 pm
Hi All,

I am new here. I was an IPFire user previously and I was so attracted by OPNsense that I thought of giving it a try. Although I don't see as many add-ons as in IPFire, I was much impressed by the default feature set. I am running this on my new Intel NUC and it took me a while to get the interfaces installed (the onboard Realtek interface was not working and I had to recompile the if_re kernel module). It would have been better if there was an ARM version of OPNsense available. But this one is really cool (I am still playing around).

OK, let me come straight to the point. I am currently trying to set up an IPsec road warrior VPN and I almost got it working. I was able to use 2FA and was able to bring up the tunnel, but the main issue is that traffic is not passing through this tunnel. I configured the access rules as mentioned in this document (https://docs.opnsense.org/manual/how-tos/ipsec-road.html) but still no luck. I am getting an IP from the virtual pool. I checked the logs but couldn't find much info. I tried capturing the IPsec packets but cannot see any packets. Am I doing anything wrong? Can someone guide me in the right direction? Your help is highly appreciated. :)

Thank you,
Regards,
Bobby Thomas.
Title: Re: Traffic not passing through IPSec Roadwarrior tunnel.
Post by: bobbythomas on June 29, 2016, 01:16:29 pm
Any suggestions?

Regards,
Bobby Thomas
Title: Re: Traffic not passing through IPSec Roadwarrior tunnel.
Post by: chemlud on June 29, 2016, 02:21:42 pm
Some suggestions:

- double check phase 2 for the correct subnet etc.
- check the firewall log to see if anything is blocked
- where did you try to Wireshark? Try somewhere else
- get more verbose logs, although the logs/debugging of IPsec in general are a REAL PITA...

Finally:
- try OpenVPN. It will normally work out of the box if the config is error-free :-)
Title: Re: Traffic not passing through IPSec Roadwarrior tunnel.
Post by: bobbythomas on June 29, 2016, 03:33:32 pm
Thanks chemlud for taking the time to reply. Here is the IPsec connection log for a recent session (I have masked the IP addresses).

Quote
Jun 29 18:22:16    charon: 16[IKE] CHILD_SA con1{11} established with SPIs c9ace458_i 0cc0e0bf_o and TS INSIDE_SUBNET === VPN_CLIENT_VIRTUAL_IP
Jun 29 18:22:16    charon: 16[IKE] <con1|11> CHILD_SA con1{11} established with SPIs c9ace458_i 0cc0e0bf_o and TS INSIDE_SUBNET === VPN_CLIENT_VIRTUAL_IP
Jun 29 18:22:16    charon: 16[ENC] parsed QUICK_MODE request 3201133312 [ HASH ]
Jun 29 18:22:16    charon: 16[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (92 bytes)
Jun 29 18:22:14    charon: 16[NET] sending packet: from FW_WAN_IP[500] to VPN_CLIENT_PUB_IP[500] (188 bytes)
Jun 29 18:22:14    charon: 16[ENC] generating QUICK_MODE response 3201133312 [ HASH SA No ID ID ]
Jun 29 18:22:14    charon: 16[IKE] received 28800s lifetime, configured 3600s
Jun 29 18:22:14    charon: 16[IKE] <con1|11> received 28800s lifetime, configured 3600s
Jun 29 18:22:14    charon: 16[ENC] parsed QUICK_MODE request 3201133312 [ HASH SA No ID ID ]
Jun 29 18:22:14    charon: 16[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (476 bytes)
Jun 29 18:22:13    charon: 07[NET] sending packet: from FW_WAN_IP[500] to VPN_CLIENT_PUB_IP[500] (124 bytes)
Jun 29 18:22:13    charon: 07[ENC] generating TRANSACTION response 3950866675 [ HASH CPRP(ADDR SUBNET U_SPLITINC U_SAVEPWD) ]
Jun 29 18:22:13    charon: 07[IKE] assigning virtual IP VPN_CLIENT_VIRTUAL_IP to peer 'VPN_CLIENT_HOSTNAME'
Jun 29 18:22:13    charon: 07[IKE] <con1|11> assigning virtual IP VPN_CLIENT_VIRTUAL_IP to peer 'VPN_CLIENT_HOSTNAME'
Jun 29 18:22:13    charon: 07[CFG] reassigning offline lease to 'VPN_CLIENT_HOSTNAME'
Jun 29 18:22:13    charon: 07[IKE] peer requested virtual IP %any
Jun 29 18:22:13    charon: 07[IKE] <con1|11> peer requested virtual IP %any
Jun 29 18:22:13    charon: 07[ENC] parsed TRANSACTION request 3950866675 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Jun 29 18:22:13    charon: 07[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (140 bytes)
Jun 29 18:22:13    charon: 16[IKE] maximum IKE_SA lifetime 28464s
Jun 29 18:22:13    charon: 16[IKE] <con1|11> maximum IKE_SA lifetime 28464s
Jun 29 18:22:13    charon: 16[IKE] scheduling reauthentication in 27924s
Jun 29 18:22:13    charon: 16[IKE] <con1|11> scheduling reauthentication in 27924s
Jun 29 18:22:13    charon: 16[IKE] IKE_SA con1[11] established between FW_WAN_IP[WAN_IP]...VPN_CLIENT_PUB_IP[VPN_PEER_ID]
Jun 29 18:22:13    charon: 16[IKE] <con1|11> IKE_SA con1[11] established between FW_WAN_IP[WAN_IP]...VPN_CLIENT_PUB_IP[VPN_PEER_ID]
Jun 29 18:22:13    charon: 16[ENC] parsed TRANSACTION response 3153971281 [ HASH CPA(X_STATUS) ]
Jun 29 18:22:13    charon: 16[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (108 bytes)
Jun 29 18:22:13    charon: 16[NET] sending packet: from FW_WAN_IP[500] to VPN_CLIENT_PUB_IP[500] (92 bytes)
Jun 29 18:22:13    charon: 16[ENC] generating TRANSACTION request 3153971281 [ HASH CPS(X_STATUS) ]
Jun 29 18:22:13    charon: 16[IKE] XAuth authentication of 'VPN_CLIENT_HOSTNAME' successful
Jun 29 18:22:13    charon: 16[IKE] <con1|11> XAuth authentication of 'VPN_CLIENT_HOSTNAME' successful
Jun 29 18:22:13    charon: 16[IKE] XAuth-SCRIPT succeeded for user 'VPN_CLIENT_HOSTNAME'.
Jun 29 18:22:13    charon: 16[IKE] <con1|11> XAuth-SCRIPT succeeded for user 'VPN_CLIENT_HOSTNAME'.
Jun 29 18:22:13    charon: user 'VPN_CLIENT_HOSTNAME' authenticated
Jun 29 18:22:12    charon: 16[ENC] parsed TRANSACTION response 4167000247 [ HASH CPRP(X_USER X_PWD) ]
Jun 29 18:22:12    charon: 16[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (124 bytes)
Jun 29 18:22:12    charon: 16[ENC] parsed INFORMATIONAL_V1 request 2958006015 [ HASH N(INITIAL_CONTACT) ]
Jun 29 18:22:12    charon: 16[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (124 bytes)
Jun 29 18:22:12    charon: 06[NET] sending packet: from FW_WAN_IP[500] to VPN_CLIENT_PUB_IP[500] (92 bytes)
Jun 29 18:22:12    charon: 06[ENC] generating TRANSACTION request 4167000247 [ HASH CPRQ(X_USER X_PWD) ]
Jun 29 18:22:12    charon: 06[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Jun 29 18:22:12    charon: 06[NET] received packet: from VPN_CLIENT_PUB_IP[500] to FW_WAN_IP[500] (136 bytes)
Jun 29 18:22:11    charon: 06[NET] sending packet: from FW_WAN_IP[500] to VPN_CLIENT_PUB_IP[500] (468 bytes)
Jun 29 18:22:11    charon: 06[ENC] generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]
Jun 29 18:22:11    charon: 06[CFG] selected peer config "con1"
Jun 29 18:22:11    charon: 06[CFG] looking for XAuthInitPSK peer configs matching FW_WAN_IP...VPN_CLIENT_PUB_IP[VPN_PEER_ID]
Jun 29 18:22:11    charon: 06[IKE] VPN_CLIENT_PUB_IP is initiating a Aggressive Mode IKE_SA
Jun 29 18:22:11    charon: 06[IKE] <11> VPN_CLIENT_PUB_IP is initiating a Aggressive Mode IKE_SA
Jun 29 18:22:11    charon: 06[IKE] received DPD vendor ID
Jun 29 18:22:11    charon: 06[IKE] <11> received DPD vendor ID

Also see the attached images, which show the SA DB info and the SP DB.

You can see that when I try to ping from my local subnet the traffic is hitting the firewall but no response is coming back from the client.
When I try to ping the local subnet from the client it's not even hitting the firewall. I tried capturing the packets but am not seeing any packets originating from the client.
By the way, the client is an unrooted Android phone, and when I checked the routes I don't see any routes being injected for the local subnet (I believe this could be the reason). I can see that a tun0 interface got created on the Android phone and an IP address from the virtual IP pool was assigned to it, but the default route is pointing to its public gateway and no other routes can be seen there. How can we inject the route into the client? Do we need a rooted Android phone?

I haven't tried this with any other client.

The reason I wanted to use IPsec instead of OpenVPN is that IPsec has native support on Android and Windows. I am not supposed to install any other apps on my office laptop or phone.

Thanks in advance,
Regards,
Bobby Thomas
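The charon log above already answers most of the questions a troubleshooter would ask (did XAuth pass, was a virtual IP handed out, did the responder push a split-include, what traffic selectors did phase 2 end up with). The following is an added example, not code from this thread or from OPNsense, that parses a constructed subset of those lines and says what to check next; it assumes the poster's placeholders (INSIDE_SUBNET, VPN_CLIENT_VIRTUAL_IP, ...) stand in for real addresses.

```python
import re
# Constructed sample: the charon (strongSwan) lines quoted in the post above, with the poster's placeholders.
SAMPLE_LOG = """\
Jun 29 18:22:11    charon: 06[IKE] VPN_CLIENT_PUB_IP is initiating a Aggressive Mode IKE_SA
Jun 29 18:22:13    charon: 16[IKE] XAuth authentication of 'VPN_CLIENT_HOSTNAME' successful
Jun 29 18:22:13    charon: 16[IKE] IKE_SA con1[11] established between FW_WAN_IP[WAN_IP]...VPN_CLIENT_PUB_IP[VPN_PEER_ID]
Jun 29 18:22:13    charon: 07[ENC] parsed TRANSACTION request 3950866675 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Jun 29 18:22:13    charon: 07[IKE] assigning virtual IP VPN_CLIENT_VIRTUAL_IP to peer 'VPN_CLIENT_HOSTNAME'
Jun 29 18:22:13    charon: 07[ENC] generating TRANSACTION response 3950866675 [ HASH CPRP(ADDR SUBNET U_SPLITINC U_SAVEPWD) ]
Jun 29 18:22:16    charon: 16[IKE] CHILD_SA con1{11} established with SPIs c9ace458_i 0cc0e0bf_o and TS INSIDE_SUBNET === VPN_CLIENT_VIRTUAL_IP
"""
MODE = re.compile(r"initiating a (\w+) Mode IKE_SA")
CPRQ = re.compile(r"CPRQ\(([^)]*)\)")  # mode-config attributes the client requested
CPRP = re.compile(r"CPRP\(([^)]*)\)")  # mode-config attributes the responder pushed
VIP = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
CHILD = re.compile(r"CHILD_SA (\S+) established with SPIs \S+ \S+ and TS (.+?) === (.+)$")

def summarize(log):
    """Reduce a charon IKEv1 road-warrior negotiation to the facts that matter."""
    s = {"mode": None, "xauth_ok": False, "ike_sa": False, "requested": [],
         "pushed": [], "virtual_ip": None, "peer": None, "child_sa": None}
    for line in log.splitlines():
        if m := MODE.search(line):
            s["mode"] = m.group(1).lower()
        if "XAuth authentication of" in line and "successful" in line:
            s["xauth_ok"] = True
        if "IKE_SA" in line and "established between" in line:
            s["ike_sa"] = True
        if m := CPRQ.search(line):
            s["requested"] = m.group(1).split()
        if m := CPRP.search(line):
            s["pushed"] = m.group(1).split()
        if m := VIP.search(line):
            s["virtual_ip"], s["peer"] = m.group(1), m.group(2)
        if m := CHILD.search(line):
            s["child_sa"] = {"name": m.group(1), "local_ts": m.group(2), "remote_ts": m.group(3)}
    return s

def findings(s, expected_local_ts):
    """Point the troubleshooter at the next thing to check, given the negotiation state."""
    if not (s["xauth_ok"] and s["ike_sa"]):
        return ["phase 1 or XAuth did not complete: check PSK, identifiers and user credentials"]
    if s["child_sa"] is None:
        return ["no CHILD_SA: phase 2 failed, check the phase 2 proposal and local network"]
    out = []
    if s["child_sa"]["local_ts"] != expected_local_ts:
        out.append("phase 2 TS %s != %s: fix the phase 2 local network" % (s["child_sa"]["local_ts"], expected_local_ts))
    if "U_SPLITINC" in s["requested"] and "U_SPLITINC" not in s["pushed"]:
        out.append("client asked for split-include but none was pushed: check the mobile clients 'network list'")
    # Everything the responder controls looks right, so the remaining suspect is the client's routing/SPD.
    return out or ["responder side is complete; verify the client installed a route or policy for " + s["child_sa"]["local_ts"]]
```

Run against the sample, the result is the poster's own conclusion: phase 1, XAuth, the virtual IP, the split-include and the phase 2 selectors are all fine on the firewall, so the missing piece is on the phone.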
Title: Re: Traffic not passing through IPSec Roadwarrior tunnel.
Post by: chemlud on June 29, 2016, 04:09:00 pm
"but the default route is pointing to its public gateway and no other routes can be seen there"

I think you are pretty much at the point ;-)

I see at "VPN" -> "IPsec" -> "mobile clients" on the first page an option "network list", did you check this?
Title: Re: Traffic not passing through IPSec Roadwarrior tunnel.
Post by: bobbythomas on June 29, 2016, 04:35:47 pm
Thanks chemlud,

Quote
I see at "VPN" -> "IPsec" -> "mobile clients" on the first page an option "network list", did you check this?
This is already checked; I don't know how to fix that issue. I will check with another client and update the status here.

Regards,
Bobby Thomas