Messages - Jürgen Garbe

#1
23.1 Legacy Series / IPSEC Spi and ReqId Questions
February 16, 2023, 02:39:53 PM
Hi,

I am preparing some site-to-site tunnels using IPsec.
In this context, I have two questions:

1. Shall Phase 2 "Reqid" be unique?
In screenshots "tunnel 1" and "tunnel 2" you can see that both tunnels are using Reqid 7.

2. Why are there 2 different Phase 2 spi-in, spi-out pairs (screenshot "Status overview") addressing single hosts, although, as you can see in screenshot "Tunnel 2 setting", the Remote network is a network and not a single host?
Traffic is sent over the second "pair", even traffic for 10.65.3.1 (but I am not able to test this connection, because this node does not exist yet)!

I would be grateful for comments on these observations.

Best regards

Jürgen
#2
1. What I learned about Squid as HTTP proxy in conjunction with HTTPS (which explains my former statement that there is a problem with HTTPS, which is not true [solved]):

1.1. Squid configured as transparent:

1.1.1. Browser direct:
works for both HTTP and HTTPS

1.1.2. Browser direct, NAT 443->3128 instead of NAT 443->3129:
Fehlercode: SSL_ERROR_RX_RECORD_TOO_LONG
-> so in transparent mode, HTTPS over port 3128 doesn't work per NAT if using the browser in direct mode

1.1.3. Browser proxy on HTTP 3128, HTTPS 3129 (not expected, which led to my wrong statement before):
HTTP works, HTTPS fails with timeout

1.1.4. Browser proxy on HTTP 3128, HTTPS 3128 too:
HTTP works, HTTPS works

1.2. Squid not in transparent mode:

1.2.1. Browser proxy on HTTP 3128, HTTPS 3129 (not expected, which led to my wrong statement before):
HTTP works, HTTPS fails with timeout

1.2.2. Browser proxy on HTTP 3128, HTTPS 3128 too:
HTTP works, HTTPS works

1.3. Conclusion for HTTPS (whether transparent mode is used or not): if a proxy is configured, the HTTPS port is 3128, not 3129. -> [Understood and solved].  :)
Side note: I do not use a CA, because I do not want to break the SSL connection.


2. Trying hard to be able to use SSH through Squid.
For instance, I used hints found on https://www.seniorlinuxadmin.co.uk/ssh-over-proxy.html to configure Squid and also PuTTY for my tests.
Firewall rules should be fine, because all ports were tested during my HTTP/HTTPS tests above.
Both lines:
acl SSL_ports port 22
acl Safe_ports port 22
should do the job...

2.1. In non-transparent mode I attempted, without success, to
* include both lines in a new file in /usr/local/etc/suid/pre-auth (and restarted Squid)
* include both lines directly in /usr/local/etc/suid/squid.conf (and restarted Squid)
using the proxy settings HTTP, <address of my OPNsense>, port 3128.
The message I got was "Server unexpectedly closed network connection".

2.2. In transparent mode I repeated the attempts, without success, to
* include both lines in a new file in /usr/local/etc/suid/pre-auth (and restarted Squid)
* include both lines directly in /usr/local/etc/suid/squid.conf (and restarted Squid)
Using the proxy settings HTTP, <address of my OPNsense>, port 3128, the fault message I got was "Server unexpectedly closed network connection".
Using the proxy settings HTTP, <address of my OPNsense>, port 80, the fault message I got was "Proxy error 405. Method not allowed".

2.3. So unfortunately this topic is still unsolved :'(
I very much appreciate your efforts to help me, but still couldn't find my mistake...  :o
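The two symptoms in 2.1 and 2.2 (connection closed without a reply on 3128, HTTP 405 on port 80) are the proxy answering, or not answering, the CONNECT request that PuTTY's "HTTP proxy" mode sends. Here is a small probe, added here and not part of the thread, OPNsense or Squid, that sends that same CONNECT and classifies the reply; the helper names and the sample addresses are my own.

```python
"""Probe whether an HTTP proxy will tunnel a TCP port via CONNECT.

Added example, not from the forum thread. build_connect_request(),
classify_connect_reply() and probe_connect() are hypothetical helper names.
"""
import socket


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request an SSH/SFTP client sends to an HTTP proxy."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def classify_connect_reply(reply: bytes) -> str:
    """Map the proxy's raw reply bytes to a short diagnosis string."""
    if not reply:
        # Socket closed with no HTTP reply at all: the proxy refused the
        # tunnel before answering (for example an http_access denial).
        return "closed-without-reply"
    line = reply.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        # Something other than an HTTP proxy answered (e.g. an SSH banner).
        return "not-http"
    status = parts[1]
    if status == "200":
        return "tunnel-open"
    # 405, 403, 407 ... the proxy spoke HTTP but refused the CONNECT.
    return f"http-{status}"


def probe_connect(proxy_host: str, proxy_port: int, host: str, port: int,
                  timeout: float = 5.0) -> str:
    """Send CONNECT host:port through proxy_host:proxy_port and classify it."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout) as s:
            s.sendall(build_connect_request(host, port))
            return classify_connect_reply(s.recv(4096))
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"socket-error:{exc.errno}"


if __name__ == "__main__":
    # Constructed sample addresses; replace with your OPNsense and SSH host.
    print(probe_connect("192.0.2.1", 3128, "203.0.113.10", 22))
```

Run it once per proxy port you are testing: "closed-without-reply" and "http-405" are the two answers the posts describe, while "tunnel-open" means the proxy accepted the CONNECT and the remaining problem is elsewhere.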
#3
Final Attachment (was not allowed to post more than 4 at once)...
#4
Dear Fabian,

that's what I originally tried (please have a look at my first post in this thread). I tried FileZilla and PuTTY too, setting the proxy to HTTP on port 3128 in connect mode (which works perfectly using AVM KEN!), but it didn't work at all :'(
So I don't have any further idea.

Another strange aspect of this Squid implementation that I don't understand, which I saw while testing:
If I disable the checkbox "Enable transparent HTTP proxy" and set the correct proxy address (OPNsense) and ports (HTTP: 3128, HTTPS: 3129), then only HTTP access works, HTTPS no longer does.
Enabling the transparent mode again and using "direct, no proxy" in the browser, both are working again :o
What's my mistake/misunderstanding?

Please find all needed screenshots appended.
#5
Dear fabian, thanks for replying.
Please excuse my rookie question, but I was not able to identify the http proxy plugin in the list of plugins. :-[
Maybe you could tell me the exact name of it so that I can find it in the list?
#6
Ok, after some reading I added both lines:
acl SSL_ports port 22
acl Safe_ports port 22
in a new file ssl.conf in /usr/local/etc/squid/pre-auth but still have no success.
Squid is configured as transparent proxy.
Therefore I added a port forward rule to NAT and firewall LAN rules (please see appended screenshots).
I tried using PuTTY to connect using "none" proxy and got "Server unexpectedly closed network connection".
I tried to connect using an HTTP proxy on port 22 and got "Proxy error: HTTP response was absent".
Using HTTP proxy port 3128: got "Server unexpectedly closed network connection".
Using HTTP proxy port 1212: got "Network error: Connection timed out".
Any further hints?
#7
Hi,
I successfully enabled the Squid-based proxy (as a transparent one), so HTTP(S) access from a browser works fine.
Now I want to use this proxy (or another?) for SSH, SFTP and maybe other protocols, to be able to log these connections and maybe block some of them in future.
I am using PuTTY on my Windows client and configured the proxy settings in PuTTY like I did before using the (good) old AVM Ken! proxy (use HTTP proxy), without success. I tried to use ports 80, 443, 3128 and 3129.
Anyone any ideas?
Thank you in advance!
#8
@franco:
I created a feature request https://github.com/opnsense/core/issues/3990
Because it is my first one: if something is missing or unclear, just give me a hint so that I can rewrite it.
#9
Important additional information:
Using this option, there is no need anymore to use 2 different Phase 1 definitions.
Now it works like it should:
Only 1 Phase 1 definition with 2 individual Phase 2 definitions (each for one separate network to reach at the other side).
Thank you again for helping me! :)
#10
@mfedv:
You are my hero of the day!
That solved the issue.
It would be worth being an option in the OPNsense GUI.
Thank you very, very much :)
#11
@mfedv:
This could be the same problem I am observing! Do you have any hint for me, where exactly I should add this mentioned manual configuration line in the file ipsec.inc?

@banym:
It is a big and mighty customer and we are so small...
No chance to change the other side (and they never ever had any problems like this before)...
#12
Yes, please find attached the log which is showing this.
#13
@mfedv: I tried to split into 2 Phase1 connections with only one Phase2 definition each, but ended up with the same behaviour (only one of both is working).
@franco: Yes, I am using tunnel isolation and it's not working. That's what I meant with "Split tunnel option is enabled". Sorry for this unclear wording...
#14
Hm,
how would you explain that each Phase2 definition (and its traffic) alone is working, but not if both Phase2 definitions are enabled?
Jürgen Garbe
#15
Hi,
I am not able to establish an IPsec connection with more than one Phase2 definition to a Cisco ASA 5540.
Having enabled only one of both Phase2 definitions at once, everything is working fine.
Please find attached log files:
ipsecOpnSenseCiscoTestFail.log shows the error N(INVAL_SYN),
ipsecOpnSenseCiscoTest1Phase2_1ok.log shows the successful connection with only Phase2 number 1,
ipsecOpnSenseCiscoTest1Phase2_2ok.log shows the successful connection with only Phase2 number 2.
Source and target addresses have been replaced by A.B.C.D and E.F.G.H.
Split tunnel option is enabled.
Any hint is welcome!