OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: BertM on October 18, 2017, 10:28:57 am

Title: Unable to configure Peer ID for mobile IPsec
Post by: BertM on October 18, 2017, 10:28:57 am
I just replaced one of our pfSense firewalls for an OPNsense 17.7.5, and while attempting to configure the Phase 1 authentication for Mobile IPsec, I am unable to enter the Peer ID. There are no fields in the form to enter it.
As a result, none of my mobile IPsec clients can connect.
I am unable to configure the Shrewsoft VPN Client without a local identity.

I know that it used to be there, because I have an older OPNsense 17.7.5 box that started with version 16.1, and although the field for Peer Identifier is currently also missing in the config form, the entry still exists in the configuration file because I configured it in the past.

I know that a temporary solution would be to enter it manually in the configuration file like below where the Peer ID TAG is "PeerID":

<peerid_type>keyid tag</peerid_type>
<peerid_data>PeerID</peerid_data>

and then upload the config again.
The problem for me is that uploading the config will reboot the firewall, and I am only allowed to do that once a month during a 15 minute time window.

Anyone having some clever ideas?

Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: franco on October 20, 2017, 11:30:12 am
Hi Bert,

It was unused in the mobile phase 1 case, and to our knowledge that was the case in pfSense as well:

https://github.com/opnsense/core/commit/0dd120

Or at least mobile reverts to allow any to connect as well...

https://github.com/pfsense/pfsense/blob/RELENG_2_4_0/src/etc/inc/vpn.inc#L713

You can try to revert that commit:

# opnsense-patch 0dd120

Does that work then? If not, the issue may be somewhere else. (Rerun the patch command to remove the patch.)


Cheers,
Franco
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: BertM on October 20, 2017, 03:53:36 pm
Franco,

I am not a programmer, and I have absolutely no idea what you ask me to do.

Because over 40 Mobile VPN users could not work anymore, I downloaded the config, edited the lines for the phase1 for the mobile IPsec, uploaded the config again and restarted strongswan. After that it all worked again.
That at least saved me from being skinned alive ;-)

The change in the config file is as follows:

I went to the part for the phase1 entry for the mobile IPsec, to the lines that looked like:

<myid_type>myaddress</myid_type>
<encryption-algorithm>

and added some lines in between like:

<myid_type>myaddress</myid_type>
<myid_data/>
<peerid_type>keyid tag</peerid_type>
<peerid_data>*********</peerid_data>
<encryption-algorithm>

(obviously my file contained my keyID tag instead of the stars)

I would definitely want to see these fields back in the web gui, because I am not sure what happens with the config file after making changes to the config.

Regards,
Bert


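The manual edit described in the post above, done with an XML parser instead of by hand so the elements land in the right phase1 entry and only once (added example; not code from the thread or from OPNsense). It assumes the export uses <opnsense><ipsec><phase1> entries with a <mobile/> marker, as in the quoted fragment; the sample config is constructed.

```python
# Added example (not from the thread or OPNsense); the config layout is an assumption.
import xml.etree.ElementTree as ET

# Constructed sample export: one site-to-site entry (ikeid 1) and one mobile entry (ikeid 2).
SAMPLE_CONFIG = """<opnsense><ipsec>
  <phase1>
    <ikeid>1</ikeid>
    <myid_type>myaddress</myid_type>
    <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  </phase1>
  <phase1>
    <ikeid>2</ikeid>
    <mobile/>
    <myid_type>myaddress</myid_type>
    <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  </phase1>
</ipsec></opnsense>"""


def add_mobile_peerid(xml_text, keyid_tag):
    """Return (new_xml, entries_changed). Only <phase1> entries carrying <mobile/>
    and lacking <peerid_type> are touched; site-to-site tunnels are left alone."""
    root = ET.fromstring(xml_text)
    changed = 0
    for p1 in list(root.iter("phase1")):  # list(): we mutate while walking
        if p1.find("mobile") is None or p1.find("peerid_type") is not None:
            continue
        children = list(p1)
        anchor = p1.find("myid_type")
        # Insert right after <myid_type>, mirroring the hand edit in the post.
        idx = children.index(anchor) + 1 if anchor is not None else len(children)
        new = []
        if p1.find("myid_data") is None:
            new.append(ET.Element("myid_data"))
        ptype, pdata = ET.Element("peerid_type"), ET.Element("peerid_data")
        ptype.text, pdata.text = "keyid tag", keyid_tag
        new += [ptype, pdata]
        for offset, el in enumerate(new):
            p1.insert(idx + offset, el)
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def phase1_child_tags(xml_text, ikeid):
    """Child element names of the <phase1> with the given <ikeid>, for verification."""
    for p1 in ET.fromstring(xml_text).iter("phase1"):
        if p1.findtext("ikeid") == ikeid:
            return [el.tag for el in p1]
    return None
```

Running the function a second time on its own output changes nothing, so it is safe to apply before every re-upload.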
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: franco on October 20, 2017, 03:57:07 pm
Hi Bert,

It's really simple. This commit removed the peer ID from mobile:

https://github.com/opnsense/core/commit/0dd120

From the commit hash you can see there (0dd120) our "opnsense-patch" tool can undo this change when run from the console:

# opnsense-patch 0dd120

Running that command is harmless (I double-checked prior to suggesting it).

It enables you to edit the peer ID from the GUI. If that works fine, the config renders ok and your users are connected we should probably bring that change back to where it was.

If not, we need to find a different cause.

Running the patch command again will restore your code to the release version for triple-checking. ;)


Cheers,
Franco
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: BertM on October 23, 2017, 04:00:05 pm
Hi franco,

I just did run the command you suggested:

# opnsense-patch 0dd120

And after that, it all worked OK.
I am able to configure the peer ID for the mobile clients; it is saved correctly in the config file and StrongSWAN properly honors this config setting.

It now works again.

But still one question.
Will this stick after an OPNsense update, or do I have to run this command again then?

Kind regards,
Bert
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: franco on October 23, 2017, 04:58:51 pm
Hi Bert,

So far so good. 17.7.7 will remove this patch again, so you need to reapply for now.

We want to find a confirmation for the solution so would ask you to find out what changes in /usr/local/etc/ipsec.conf with this patch (vs. without the patch using "diff -u") to be sure that we're going for the right fix.

Rerunning the patch command can remove the patch easily.


Thank you,
Franco
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: BertM on October 27, 2017, 03:40:16 pm
Franco,

Because this mobile VPN environment is actually in use 24x7 I did not want to fiddle around with it, so I did set up a test environment to have a look at the /usr/local/etc/ipsec.conf file.

I first installed OPNsense, and configured the mobile IPsec VPN. Obviously, I was not able to configure the peer ID at that time, and I was unable to establish a mobile VPN connection using the ShrewSoft VPN Client.

Then I went into the shell and did a "cat /usr/local/etc/ipsec.conf".

After that I did an "opnsense-patch 0dd120", after which I was able to configure the KeyID tag.
I verified that I was able to establish a mobile VPN connection.

Then I went into the shell again and did a "cat /usr/local/etc/ipsec.conf", only to find that nothing had changed in that file.

So I guess the KeyID tag is not stored in the /usr/local/etc/ipsec.conf file, but somewhere else.

Any idea where it could be?

Kind regards,
Bert
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: BertM on January 08, 2018, 08:19:45 am
Franco,

For now after each update in the 17.7 series, to be able to configure the peer ID for mobile IPsec clients, I issued the command "opnsense-patch 0dd120".

The important questions for me are:
Kind regards,
Bert
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: franco on January 09, 2018, 08:49:58 am
Hi Bert,

I added a ticket... https://github.com/opnsense/core/issues/2070

Can you please do the following for me:

The changes may be taking place in /usr/local/etc/ipsec.secrets -- can you diff this for me and send it over via PM or email?

Applying the patch will still fix this in 18.1 unless there is a conflict, but the patch can also be refreshed. Ideally, however, it should be merged in a way that makes sense.


Cheers,
Franco
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: mimugmail on January 09, 2018, 09:33:56 am
Hi Bert,

can you post a screenshot of your Phase1 config?
Title: Re: Unable to configure Peer ID for mobile IPsec
Post by: anomaly0617 on March 30, 2018, 04:06:05 am
FYI, +1 on this end for rolling back to show/use Peer Identifier / Group address. Couldn't make it work without it, and then once I ran the rollback patch on 18.1.5, it worked.