Messages

Hi all,
Been using OPNsense since v18 and got stumped when clients asked me to install ActiveSync (EAS) on the mail server.
It seems to only send from the local computer or phone. The remote computer cannot send  events out but it receives events.
I know there must be a rule issue. The only rule on the local and remote side is in the pic. (EmailPorts are 25,80,443,465,993,8080,8443).
The remote network also has an opnsense firewall.
Anybody have any rules suggestions on receiving these calendar events from remote computers?

I suspect the issue is the firewall on the remote side, because I can send and receive calendar events on the local computer and my phone (using local or cell service).  I receive events on the remote computer, just can't send any. Nothing in the logs.

Thanks in advance

The OPNsense scrollbar is just a sliver for me on a high res screen. I changed the default in chrome, but when CSS is applied it overrides.
Any way to increase the scrollbar width in OPNsense? I know it is done in CSS, so how do I permanently modify it for OPNsense?

Reinstalled the older VPN, and now it is working again.
There is definetely some confusing/conflicting rules in the new IPsec VPN guides or they are missing something.
As I mentioned in previous post, I am just going to leave it alone now with OPNsense version 24.7.1 on a VPN dedicate box

Since this is a VPN only box, I think I will go back to OPNsense 24.7 and use the legacy IPsec VPN
Since this box doesn't do anything else, should never have to update it.
Any way to permanetly prevent updates?
Legacy worked fine before version 25.

Help, day 6 and I still can't get this to work.
Stuck at 'IKE authentication credentials are unacceptable' from the Windows 11 built-in client
Redid the certs multiple times. Where is there a guide that I can follow? The Deciso guide isn't right.
I think the main issue with the guides is the mix of New and Legacy info in them.
Keep in mind, this OPNsense box's only purpose is for this VPN. No other tasks are in this firewall.
Questions
What certs and types do the server and client actually need?
Which cert stores are these certs put in? Some guides say Trusted Root, some Personal store
Do I import all the certs via mmc?

I can't believe I am the only one with this issue. What am I missing?
When I finally get it working I will post a complete step-by-step guide in this forum that others can use.

Right now, I am using an internet-based VPN service and because of my connection speeds it is very slow.
When I used the OPNsense legacy IPsec it was fast and solid. But started disconnecting with OPNsense 25+
Please help!

Thanks for response.
That commit was back in Jan. I am using OPNsense 25.1.5 so it should be there.
The error I get on the Windows 11 Client is 'IKE authentication credentials are unacceptable'
So ,from my first post, does it appear that the certs were added correctly?
Dan

What would also be useful is less conflicting and confusing instructions on the Deciso site.
Problem is as OPNsense makes changes, these changes are not reflected in the guide.

No one....
At least just a 'that will work', or a simple correction.
Please....

I have been trying to setup the New IPsec VPN and having issues. I think it is all certificate related.
I have been using the Legacy version for a couple years now and it is time to change because it is being retired, I read, and since OPNsense version 25.1 has been disconnecting clients randomly. I'm on my 4th day and I just cannot get the new IPsec VPN to work. The guides have a lot of mis-leading and incomplete info. Most I can figure out, but the sert section is troubling me.
This OPNsense box is ONLY being used for IPsec VPN access to one server and many clients using one dedicated WAN IP (ie 98.99.100.101).
I chose 'IPsec - Roadwarriors IKEv2'
Lets start with the basics - Certificates. I think this is my main source of trouble.
From the guide, I need just one Root Authority and one leaf certificate. I named the root authority 'IPsec CA' and the Certificate 'leaf-vpn'
Both certs are created in OPNsense using the Deciso guide and the 'IPsec CA' Trust Authority is downloaded then uploaded to the Windows 2022 server and installed via mmc.
The 'leaf-vpn' cert is created as a client/server certificate and also uploaded and installed on the server via mmc.
The downloaded 'leaf-vpn.crt' cert is also uploaded to the Windows 11 client. That certificate is installed with the following PowerShell command on Win11
'Import-Certificate -FilePath "leaf-vpn.crt"" -CertStoreLocation Cert:\LocalMachine\Root\'

I am not sure if I also need to use mmc to install the 'leaf-vpn.crt' cert to the Windows 11 client.

Am I missing any steps with these certificates?
Any help is greatly appreciated. Thanks, OPNsense is a fantastic product.

Thanks for that info. I will look into it.
I really do hope that Desico can fix the VPN guides to reflect the current OPNsense version.

Thanks for the reply, but I am not using site to site. I am trying to connect multiple clients to one server.
I just tried Wireguard following the instructions and when activated, it killed my client side internet. Also, didn't see any way to get to the shared folders on the server.

FYI, IPsec legacy worked fine, except it now randomly disconnects since OPNsense 25.1.4. Besides I need to change it because the legacy version is going away in 26.1.

For now my clients are using RadminVPN. Slow, but works.
I would prefer to not use VPN at all, but what other options are available to get remote access to a shared folder on a server?

I decided to start over with using a dedicated OPNsense firewall and WAN IP just for VPN. I only need to VPN to one server (one IP) from a list of clients (Pre-Shared Keys).
The issue seems to be all the variances from websites showing instructions. Following the Decisio site definetly doesn't work. Some of that guide doesn't even match the detail information on the OPNsense GUI. As an example, the guide shows the IPsec local address connection to be the WAN IP and the Remote addresses to be empty (not shown) when the GUI info shows for Remote addresses 'To initiate a connection, at least one specific address or DNS name must be specified'. And the Local addresses can be left empty.
I think this is where my problems are. Not really sure what goes in these fields. I assume the Local would be the local server 192.168.40.26 and the remote to be my WAN IP.

Another issue is the change from Legacy. Many guides have mixed directions from Legacy and new.

Can anyone direct me to a correct guide to the new IPsec VPN setup?

Whenever I try to connect I get 'ike authentication credentials are unacceptable'
I have gone over all the settings multiple times and cannot figure out how to solve this issue.
When it comes to the Trust settings, they aren't very clear to me so I used settings as close as possible from Deciso examples.
I use to have the legacy IPsec VPN and that worked until recently when it kept disconnecting every few hours.

What can I check?
Please help!

Since I updated to 25.1.5, IPsec keeps disconnecting. I am using the legacy version. Tried updating to new version last week with no success Any suggestions?

Same Policy match error here, but everything looks correct in the swanctl.conf
Works using the old IPsec method. Can't get the new method to work. Followed the OPNsense docs to the letter.
Want to convert because the legecy IPsec is going away in 26.1, just around the corner.