OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: PotatoCarl on December 01, 2016, 04:40:05 pm

Title: [SOLVED] Connect VPN with Fritzbox 7490 - IPSec
Post by: PotatoCarl on December 01, 2016, 04:40:05 pm
Hi All,

With pfSense I had an AVM Fritzbox 7390 working well via VPN (IPsec). However, I cannot get my new 7490 to cooperate and connect to OPNsense.

In the OPNsense log files it prints "Aggressive mode disabled for security reasons". That is nice, but maybe a problem, as I remember that AVM needs to use aggressive mode to connect.

Also, it seems I cannot import my config files for the Fritzbox. As they are practically not documented, I have no idea why.

So, does anybody have a working configuration they can post?
Is there a way to turn on aggressive mode (which seems to be in the documentation as working)?
Any other hints?

Thank you.

Cheers
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: PotatoCarl on December 01, 2016, 04:42:03 pm
Oh, forgot to say: The log file says "N(AUTH_FAILED)"

I verified that both use the same PSK and identifiers.
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: franco on December 01, 2016, 05:05:03 pm
Hmm, the GUI phase 1 entry for IKEv1 will let you flip from main to aggressive mode?
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: PotatoCarl on December 01, 2016, 05:11:11 pm
Yes. I can set it to "aggressive" but the log says
"charon: 12[IKE] <4309> Aggressive Mode PSK disabled for security reasons".
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: franco on December 01, 2016, 05:16:46 pm
Strange. Which one is the OPNsense log, which one the Fritzbox log?
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: PotatoCarl on December 01, 2016, 05:24:33 pm
I just copied the OPNsense log in my previous posts. Fritzbox just says "Authentification failed".

Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: franco on December 01, 2016, 05:29:23 pm
That's not a lot of help from the Fritzbox for a "Qualitätsrouter mit besserer Sicherheitstechnik". :D

But anyway, is this a site-to-site or road warrior setup? If the latter, who is the road warrior?

In general IKEv1 main mode should work if set on both sides for site-to-site.

Unfortunately, the 7490 doesn't do IKEv2.


Cheers,
Franco
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: Andreas on December 02, 2016, 07:48:09 am
Hi,
I do have a valid setup running... it works, but in your case I don't know how to help.
How did you make the Fritzbox config?
For me it didn't work with the application from AVM - I always used a text editor.
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: PotatoCarl on December 02, 2016, 09:11:24 am
Hi,
first, thank you for your input so far. I got it to work. The solution was... (tensions are rising)... restart the IPsec daemon. "Accept the changes" is just not sufficient, I had to restart the service and then suddenly "aggressive" mode was performed and badaboum (BigBadaboum!) I had my connection.
Well, at least according to the log files. I simply used the IP addresses of the hosts (I have fixed addresses on either side) as identifiers and, at the FritzBox, the "Fritzbox to other LAN" wizard.

I am currently a little amiss about the firewall rules. I cannot connect to any host from either side. I tried to follow the howto at https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=ipsec#firewall-rules-site-a-site-b and was stopped at the first rule on the WAN-side: I don't have a protocol option "IPv4 ESP".

I have rules on both the LAN and the IPsec side passing everything from the respective subnet into the other subnet. But still, I cannot get any ping or anything else through.

Am I missing something here?
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: PotatoCarl on December 02, 2016, 11:32:06 am
Okay, sometimes waiting helps. Was too impatient, now everything works fine.
I used the rules for UDP 500 and 4500 but not the ESP (no idea how to do it) and everything works.

So, case solved.
Title: Re: Connect VPN with Fritzbox 7490 - IPSec
Post by: franco on December 02, 2016, 06:14:29 pm
Yay, cool, thanks for checking back :)