Messages - smoore

#1
I'm looking to make an inline Suricata box to intercept certain applications. I need DPI to detect certain applications (i.e. unauthorized VPN traffic) and block it. The box needs to be inline and receive its LAN IP address from the DHCP server.

I have been looking at OPNsense (as opposed to Security Onion) to do this project quickly but got lost in the configurations. Is there a knowledgebase article to set up OPNsense in bridge mode to transparently pass through traffic with Suricata IPS active?
#2
I gave up on OPNsense. Everything seems an uphill battle. Should be named "Sisyphus". Perhaps I'll try a future version. I miss the m0n0wall days, I ran it for a decade, rebooting only for updates, sometimes for years between. It's nice to see uptime counters of 600 days. Screenshot attached of final power-down.
#3
Quote: Any reason not to use OpenVPN? It's more secure than pptp and by far the easiest to configure

OP:   "Re: Getting a VPN to work (PP2P, L2TP, IPsec)"
#4
I can't seem to get a VPN working. My test setup is OPNsense connected to WAN configured with DynDNS dynamic address. I am attempting to connect to the OPNsense VPN using an iPad (iOS 10) over 3G network. This setup works well to test VPN (PPTP, L2TP, IPsec) on firewalls e.g. monowall or Sophos. This pathway has no demonstrated VPN connectivity problems and the WAN IP address is correct.

I have tried three VPN setups (PPTP, L2TP, IPsec) on OPNsense without success:

PPTP:  installed plugin, configured PPTP settings listening on WAN, created PPTP user, and set up PPTP firewall rules (screenshot attached). When I try to connect with the iPad: "The PPTP-VPN server did not respond". The most recent entries in the PPTP log file:

Apr 6 09:07:32   pptps: PPTP: waiting for connection on 192.168.1.1 1723
Apr 6 09:07:32   pptps: process 11772 started, version 5.8 (root@sensey64 21:52 27-Mar-2017)


L2TP: installed plugin, configured L2TP settings listening on WAN, created L2TP user, and set up L2TP firewall rules (screenshot attached). The iPad does not connect. The L2TP log file:

Apr 5 21:12:18   l2tps: L2TP: waiting for connection on 192.168.1.1 1701
Apr 5 21:12:18   l2tps: process 86558 started, version 5.8 (root@sensey64 21:52 27-Mar-2017)


IPsec: Set up tunnel and mobile client. Screenshot attached. I did notice on the Phase 1 proposal, there is not a place for Peer Identifier, which is called Group Name on the iPad VPN client. I left this empty when setting up the iPad settings. I created a system level group named "VPN Users" and a user with VPN: IPsec XAUTH dialin privileges. Firewall rules were created. The IPsec log is as follows:

Apr 6 09:17:06   charon: 16[NET] sending packet: from 73.xxx.xxx.247[4500] to 166.xxx.xxx.144[35000] (92 bytes)
Apr 6 09:17:06   charon: 16[ENC] generating INFORMATIONAL_V1 request 220118731 [ HASH N(AUTH_FAILED) ]
Apr 6 09:17:06   charon: 16[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
Apr 6 09:17:06   charon: 16[CFG] looking for XAuthInitPSK peer configs matching 73.xxx.xxx.247...166.xxx.xxx.144[10.xxx.xxx.16]
Apr 6 09:17:06   charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Apr 6 09:17:06   charon: 16[NET] received packet: from 166.xxx.xxx.144[35000] to 73.xxx.xxx.247[4500] (108 bytes)
Apr 6 09:17:06   charon: 16[NET] sending packet: from 73.xxx.xxx.247[500] to 166.xxx.xxx.144[54300] (244 bytes)
Apr 6 09:17:06   charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 6 09:17:06   charon: 16[IKE] remote host is behind NAT
Apr 6 09:17:06   charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 6 09:17:06   charon: 16[NET] received packet: from 166.xxx.xxx.144[54300] to 73.xxx.xxx.247[500] (228 bytes)
Apr 6 09:17:06   charon: 16[NET] sending packet: from 73.xx.xx.247[500] to 166.xx.xx.144[54300] (160 bytes)
Apr 6 09:17:06   charon: 16[ENC] generating ID_PROT response 0 [ SA V V V V ]
Apr 6 09:17:06   charon: 16[IKE] 166.xxx.xxx.144 is initiating a Main Mode IKE_SA
Apr 6 09:17:06   charon: 16[IKE] 166.xxx.xxx.144 is initiating a Main Mode IKE_SA
Apr 6 09:17:06   charon: 16[IKE] received DPD vendor ID
Apr 6 09:17:06   charon: 16[IKE] received FRAGMENTATION vendor ID
Apr 6 09:17:06   charon: 16[IKE] received Cisco Unity vendor ID
Apr 6 09:17:06   charon: 16[IKE] received XAuth vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 6 09:17:06   charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Apr 6 09:17:06   charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 6 09:17:06   charon: 16[NET] received packet: from 166.xxx.xxx.144[54300] to 73.xxx.xxx.247[500] (848 bytes)


Any suggestions on getting any of these interfaces to work?
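The decisive line in the IPsec log above is "found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode": strongSwan found a phase 1 entry for the peer address, but its authentication settings do not permit the PSK-plus-XAuth method the iOS client proposed, so it answers with AUTH_FAILED. The parser below is an added example (not from the post, OPNsense or strongSwan) that restores the viewer's newest-first order and extracts that verdict from a subset of the quoted lines.

```python
import re
from collections import defaultdict

# Subset of the charon lines quoted in the post (newest entry first, as the
# OPNsense log viewer lists them); the masked addresses are the post's own.
SAMPLE_LOG = """\
Apr 6 09:17:06   charon: 16[ENC] generating INFORMATIONAL_V1 request 220118731 [ HASH N(AUTH_FAILED) ]
Apr 6 09:17:06   charon: 16[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
Apr 6 09:17:06   charon: 16[CFG] looking for XAuthInitPSK peer configs matching 73.xxx.xxx.247...166.xxx.xxx.144[10.xxx.xxx.16]
Apr 6 09:17:06   charon: 16[IKE] remote host is behind NAT
Apr 6 09:17:06   charon: 16[IKE] 166.xxx.xxx.144 is initiating a Main Mode IKE_SA
Apr 6 09:17:06   charon: 16[IKE] received XAuth vendor ID
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$")
NOAUTH_RE = re.compile(r"found (\d+) matching config, but none allows (\S+) authentication using (.+)")
INIT_RE = re.compile(r"(\S+) is initiating a (.+?) IKE_SA")
NOTIFY_RE = re.compile(r"N\((\w+)\)")


def parse_charon(text):
    """Group log lines by charon worker thread, restored to chronological order."""
    matches = [m for m in (LINE_RE.match(line) for line in text.splitlines()) if m]
    matches.reverse()  # the viewer shows newest first; the handshake reads oldest first
    threads = defaultdict(list)
    for m in matches:
        threads[m["thread"]].append((m["sub"], m["msg"]))
    return threads


def diagnose(text):
    """Per thread: who initiated, IKE mode, NAT-T, config mismatch, notify payloads sent."""
    results = {}
    for tid, msgs in parse_charon(text).items():
        r = {"initiator": None, "mode": None, "behind_nat": False,
             "matching_configs": None, "rejected_auth": None, "notifies": []}
        for _sub, msg in msgs:
            if m := INIT_RE.search(msg):
                r["initiator"], r["mode"] = m.group(1), m.group(2)
            elif "remote host is behind NAT" in msg:
                r["behind_nat"] = True
            elif m := NOAUTH_RE.search(msg):
                # strongSwan matched a connection by address, but its auth methods
                # do not include what the client proposed (here PSK + XAuth)
                r["matching_configs"] = int(m.group(1))
                r["rejected_auth"] = (m.group(2), m.group(3))
            r["notifies"] += NOTIFY_RE.findall(msg)
        results[tid] = r
    return results
```

Running `diagnose` over the full log from the post gives the same verdict for thread 16; the fix is on the phase 1 entry's authentication method, not on the firewall rules.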
#5
As a datapoint, the nano-amd64 build OPNsense-17.1.4-OpenSSL-nano-amd64.img writes smoothly to a USB key and runs without a problem.

I attempted another run with the vga-amd64 build using linux and dd. GParted reports "Invalid partition table- recursive partition on /dev/sdd" and has trouble viewing the partitions. I did not make any changes using GParted, restarted the computer, and it successfully booted from the USB. It took 53 minutes to load the kernel and I had a console login prompt.

Not sure what happened. The nano-amd64 booted to console prompt in a minute, whereas the vga-amd64 took an hour. Regardless, I used the "install" username at the console login, and it worked.
#6
17.1 Legacy Series / Re: PPTP Plugin
April 06, 2017, 03:03:08 AM
Any results to this?

I have under WAN:

IPv4 TCP * * * 1723 (PPTP) *
IPv4 GRE * * * *                  *

Under PPTP:

IPv4* * * * * *

Are these the correct settings?
#7
I'd like to start down the "root cause" path, starting with downloading and unzipping the *.img file.

For someone who has successfully created USB installation media from the OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2 file (MD5 checksum 6e1563a155a8715aa73e62be4cf0d542) please post:

- confirm the MD5 of your downloaded *.bz2 file before continuing
- unzip the *.bz2 file
- report the file size and MD5 of the unzipped *.img file
- the partition table of the USB installation media (i.e. a screenshot of GParted)
- Any GPT error reports from GParted

Same goes for the CDROM image file OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2. I'm confused as to why the unzipped file is >720MB and won't fit onto standard CDROM media. I tried mounting the unzipped *.iso file and found errors, so something is going wrong.

For reference, here are my results:

OPNsense-17.1.4-OpenSSL-vga-amd64.img     928,658KB   MD5: b4d7579895eab34ff6193fc2422f58be
OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso   879,030KB   MD5: 66a2ecc498689ea16510ee47243448db

#8
I have tried downloading several of the r.17 releases (including today r17.1.2 64-bit amd) both *.ISO and *.IMG files and have not succeeded in creating installation media. I have used different computers and different approaches (i.e. Rufus, physdiskwrite, dd, etc.). I checked the downloaded files against the MD5 checksums posted in the source directories (i.e. using WinMD5Free in Windows).

The CDROM *.ISO when unzipped is 879,030KB and there is not an MD5 checksum for the unzipped ISO image. The ISO image is too large to be writable on a standard CDROM. I have performed the download and unzipping on both Windows 7 and Linux computers. Specifically, I performed the unzipping on two separate computers using 7-Zip (Windows 7) and bzip2 (Linux). Both computers resulted in the same 858MB ISO file, which could not be written to an ordinary CDROM.

The USB *.IMG is 928,658KB when unzipped and there is not an MD5 checksum for the unzipped image. I downloaded and unzipped the files using two different computers using the same process as before (7-Zip in Windows and bzip2 in Linux). Both operating systems resulted in the same >900MB *.img file.

I attempted several different utilities to write both the *.iso and *.img file to several different brands of USB keys (Mushkin, Lexar, SanDisk). I did not attempt writing a CDROM because the *.iso file was too big to fit on standard CD media. The *.iso file is not formatted to create a bootable USB, so all *.iso attempts resulted in unsuccessful installation media.

When using Windows utilities (Rufus, physdiskwrite, yumi) to create USB installation media with the *.img file, the resulting USB partition table is corrupt and immediately blue-screens any Windows 7 computer it is inserted into. I tried plugging a written USB drive into another Windows laptop, and it blue-screened immediately. I could recover these badly-written USB drives by cleaning up the mess with a few minutes of DBAN followed by a fresh partition table with parted.

I attempted dd if=OPNsense.img of=/dev/sdd (Linux). When viewed in GParted after writing, the drive (/dev/sdd) had GPT (partition table) errors. GParted attempted to fix the GPT errors, but the boot record and partition contents remained corrupt (in some cases, unreadable).

My conclusion is the img/ISO files are bad. They unzip way too large (>800MB) and the partition tables are corrupt (seen in parted/GParted). It doesn't matter what write utilities are used if the img/ISO files are bad from the start.

There are several posts on this forum of people not being able to write the *.img to USB. Most of these forum posts are answered with the typical and unhelpful "you're doing it wrong" responses. For those users experiencing media installation creation problems, you should wait until either the developers or knowledgeable users are able to re-create the problem for themselves and present a solution.
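A script for the checklist in the two posts above (added example, not from the forum or the OPNsense project): it hashes the downloaded *.bz2 exactly as received, streams the decompression to obtain the unzipped size and MD5, and checks the MBR boot signature and GPT header of the image itself, so a corrupt partition table can be attributed to the image rather than to the USB writer. The sample image, its archive and the expected hash are constructed in memory; 512-byte sectors are assumed for the GPT check.

```python
import bz2
import hashlib
import io


def build_sample_image():
    """Constructed stand-in for an unzipped *.img (not OPNsense data): an MBR
    with a valid boot signature, a GPT header sector, then padding."""
    mbr = bytearray(512)
    mbr[510:512] = b"\x55\xaa"          # MBR boot signature
    gpt = bytearray(512)
    gpt[0:8] = b"EFI PART"              # GPT header signature at LBA 1 (512-byte sectors assumed)
    return bytes(mbr) + bytes(gpt) + b"\x00" * 2048


def image_md5(data):
    return hashlib.md5(data).hexdigest()


def verify_image_archive(fileobj, expected_bz2_md5):
    """Hash the *.bz2 as downloaded, decompress it as a stream, and report the
    unzipped size, its MD5 and the partition-table signatures of the image.
    MD5 is used only because that is what the download directory publishes."""
    bz2_md5, img_md5 = hashlib.md5(), hashlib.md5()
    dec = bz2.BZ2Decompressor()
    head, size, trailing = b"", 0, 0    # head: first two sectors, for the signature checks
    while chunk := fileobj.read(1 << 16):
        bz2_md5.update(chunk)
        if dec.eof:                     # bytes after end-of-stream: report instead of raising
            trailing += len(chunk)
            continue
        out = dec.decompress(chunk)
        img_md5.update(out)
        size += len(out)
        if len(head) < 1024:
            head += out[:1024 - len(head)]
    return {
        "bz2_md5_ok": bz2_md5.hexdigest() == expected_bz2_md5.lower(),
        "img_size": size,
        "img_md5": img_md5.hexdigest(),
        "mbr_signature_ok": head[510:512] == b"\x55\xaa",
        "gpt_header_present": head[512:520] == b"EFI PART",
        "clean_eof": dec.eof,
        "trailing_bytes": trailing + len(dec.unused_data),
    }


def demo():
    """Run the check on the constructed image compressed in memory."""
    archive = bz2.compress(build_sample_image())
    return verify_image_archive(io.BytesIO(archive), image_md5(archive))
```

On a real download, pass `open("OPNsense-....img.bz2", "rb")` and the MD5 from the mirror's checksum file; a mismatch on "bz2_md5_ok" means the download is bad, while a good archive whose image fails the signature checks points at the image itself.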