OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Kofl on April 27, 2018, 08:20:48 pm

Title: IPSec OPNsense <-> Cisco ASA not working (solution inside)
Post by: Kofl on April 27, 2018, 08:20:48 pm
Hello,

We had massive issues getting the VPN between OPNsense and a Cisco ASA working. Hopefully this small article is helpful to someone else and saves them massive headaches :)

By default, OPNsense 18.1 sends not only the configured Traffic Selectors for IPsec Phase 2 to the Cisco ASA, but also the public IP addresses, which the ASA refuses.

So IPsec initialization only works from the ASA side, not from the OPNsense side, unless you bring the tunnel up by hand on OPNsense. If it is initiated by traffic from the OPNsense side, the Phase 2 negotiation fails. Strange, but true.

Workaround:
/usr/local/etc/strongswan.conf

Code:
charon {
..
ignore_acquire_ts=yes
..
}

Quote:
If this is disabled, the traffic selectors from the kernel's acquire events, which are derived from the triggering packet, are prepended to the traffic selectors from the configuration for IKEv2 connections. By enabling this, such specific traffic selectors will be ignored and only the ones in the config will be sent. This always happens for IKEv1 connections, as the protocol only supports one set of traffic selectors per CHILD_SA.

So far the issue seems to be caused by FreeBSD, as other *unix systems are not affected:
https://wiki.strongswan.org/issues/1313

Thanks for the attention,
Thomas
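The workaround above is a one-line change in the charon { } section of strongswan.conf. As an added example (not from the thread or the OPNsense project), the following POSIX sh functions check whether ignore_acquire_ts is already enabled in a given strongswan.conf and write a copy with the setting applied; the file paths are parameters, and the sample config is constructed here and only resembles a stock strongswan.conf.

```sh
#!/bin/sh
# Added example (not from the thread or the OPNsense project): check and apply the
# charon.ignore_acquire_ts workaround in a strongSwan "charon { key = value }" config.
# Pass the real path (e.g. /usr/local/etc/strongswan.conf on OPNsense) as $1.

# Exit 0 when ignore_acquire_ts is "yes" directly inside charon { }, else 1.
# Comment lines are skipped, nested sections such as plugins { } are not mistaken
# for the charon scope, and both "key=value" and "key = value" are accepted.
ignore_acquire_ts_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*charon[[:space:]]*\{/ { in_charon = 1; depth = 0; next }
        in_charon && /\{/ { depth++ }
        in_charon && /\}/ { if (depth == 0) in_charon = 0; else depth--; next }
        in_charon && depth == 0 && /^[[:space:]]*ignore_acquire_ts[[:space:]]*=[[:space:]]*yes[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write $1 to $2 with "ignore_acquire_ts = yes" inside charon { }: an existing
# ignore_acquire_ts line (e.g. "= no") is rewritten in place, otherwise the setting
# is inserted just before the closing brace of the charon block. Idempotent.
enable_ignore_acquire_ts() {
    awk '
        /^[[:space:]]*#/ { print; next }
        /^[[:space:]]*charon[[:space:]]*\{/ { in_charon = 1; depth = 0; print; next }
        in_charon && depth == 0 && /^[[:space:]]*ignore_acquire_ts[[:space:]]*=/ {
            print "    ignore_acquire_ts = yes"; done = 1; next
        }
        in_charon && /\{/ { depth++ }
        in_charon && /\}/ {
            if (depth == 0) {
                if (!done) { print "    ignore_acquire_ts = yes"; done = 1 }
                in_charon = 0
            } else depth--
        }
        { print }
    ' "$1" > "$2"
}

# Dry run on a constructed sample (not a real OPNsense file): returns 0 when the
# setting is absent before and present after applying the workaround.
demo_workaround() {
    dir=$(mktemp -d) || return 1
    printf 'charon {\n    load_modular = yes\n    plugins {\n        include strongswan.d/charon/*.conf\n    }\n}\n' > "$dir/before.conf"
    enable_ignore_acquire_ts "$dir/before.conf" "$dir/after.conf"
    ignore_acquire_ts_enabled "$dir/before.conf" && return 1
    ignore_acquire_ts_enabled "$dir/after.conf"
}
```

Restart the IPsec service after changing the file so charon re-reads strongswan.conf.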



Title: Re: IPSec OPNsense <-> Cisco ASA not working (solution inside)
Post by: franco on May 02, 2018, 04:06:28 pm
Hi Thomas,

Thank you for this, I've committed the following to test on the development version:

https://github.com/opnsense/core/commit/9a604aa5bb

The patch can be installed in the release with:

# opnsense-patch 9a604aa5bb


Cheers,
Franco

Title: Re: IPSec OPNsense <-> Cisco ASA not working (solution inside)
Post by: Kofl on May 07, 2018, 09:59:22 am
Awesome, thanks