Messages - DavidRa

#1
pkg check didn't do anything interesting, but force installing the opnsense pkg again seems to have done the trick. Thanks.
#2
This one has me a little confused. I have the VM configured to use the default pkg mirror, type Community:

Type opnsense
Version 24.1
Architecture amd64
Commit 2a5b9278e
Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/24.1
Repositories OPNsense
Updated on Fri Jan 26 21:50:57 AEDT 2024
Checked on Fri May 17 14:38:02 AEST 2024

When I run a check for updates, it appears successful:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.1 at Fri May 17 14:38:02 AEST 2024
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


And I get the green popup telling me there are no updates available on the selected mirror. However, if I attempt to install a plugin, I'm informed that I need to update first:

***GOT REQUEST TO INSTALL***
Currently running OPNsense 24.1 at Fri May 17 14:44:09 AEST 2024
Installation out of date. The update to opnsense-24.1.7 is required.
***DONE***

The System > Firmware > Changelog quite reasonably shows me that I'm behind:

Version           Date
24.1.7            2024-05-16
24.1.6            2024-04-18
24.1.5            2024-04-04
24.1.4            2024-03-20
24.1.3            2024-03-06
24.1.2            2024-02-20
24.1.1            2024-02-06
24.1 (installed)  2024-01-30

The restored config is from a host with 24.1.6 installed, in case that matters. I'm guessing there's something I need to reset, but I'm lost as to what. I did try swapping to a different mirror, and a power cycle, but no change - there are still no updates available, but I'm not updated either.
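The situation in this post (the update check reports "up to date" while the changelog lists newer point releases) can be spotted mechanically. The following is an added example, not code from the post or from the OPNsense project: it parses the pasted status block and changelog table (reproduced here as constructed sample strings), compares versions as integer tuples, and flags the case where the checker output and the changelog disagree.

```python
"""Added example (not from the forum post or OPNsense): detect a firmware
status page whose update check says "up to date" while the changelog lists
releases newer than the installed one.
"""
import re

# Constructed sample of the status block shown in the post.
STATUS_TEXT = """Type opnsense
Version 24.1
Architecture amd64
Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/24.1
"""

# Constructed sample of the changelog table shown in the post.
CHANGELOG_TEXT = """Version   Date
24.1.7   2024-05-16
24.1.6   2024-04-18
24.1.5   2024-04-04
24.1 (installed)   2024-01-30
"""

# Constructed sample of the update-check output from the post.
UPDATE_CHECK_OUTPUT = """All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
"""


def parse_version(text):
    """Turn '24.1.7' into (24, 1, 7); '24.1' becomes (24, 1), which sorts lower."""
    return tuple(int(part) for part in text.split("."))


def installed_version(status_text):
    """Read the 'Version' line of the firmware status block."""
    for line in status_text.splitlines():
        key, _, value = line.partition(" ")
        if key == "Version":
            return value.strip()
    raise ValueError("no Version line in status output")


def changelog_versions(changelog_text):
    """Extract the version column, ignoring the header and the '(installed)' tag."""
    versions = []
    for line in changelog_text.splitlines()[1:]:
        match = re.match(r"^(\d+(?:\.\d+)*)", line.strip())
        if match:
            versions.append(match.group(1))
    return versions


def latest_version(changelog_text):
    return max(changelog_versions(changelog_text), key=parse_version)


def pending_releases(status_text, changelog_text):
    """Releases newer than the installed version, newest first."""
    installed = parse_version(installed_version(status_text))
    newer = [v for v in changelog_versions(changelog_text)
             if parse_version(v) > installed]
    return sorted(newer, key=parse_version, reverse=True)


def checker_disagrees(update_check_output, status_text, changelog_text):
    """True when pkg reports everything current but the changelog says otherwise."""
    says_current = "Your packages are up to date." in update_check_output
    return says_current and bool(pending_releases(status_text, changelog_text))


if __name__ == "__main__":
    print("installed:", installed_version(STATUS_TEXT))
    print("latest:   ", latest_version(CHANGELOG_TEXT))
    print("pending:  ", pending_releases(STATUS_TEXT, CHANGELOG_TEXT))
    print("checker disagrees with changelog:",
          checker_disagrees(UPDATE_CHECK_OUTPUT, STATUS_TEXT, CHANGELOG_TEXT))
```

A host that stays in this state is running with known-patched issues unaddressed while its own update check reports green, so a check like this belongs in whatever patch-compliance reporting already polls the firmware status.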
#3
I've fallen at the final hurdle configuring my OPNsense to accept incoming IPSec "road warrior" Mobile Client connections. The intent is to use AD + TOTP - and under System > Access > Tester, I can successfully authenticate using username and passwordTOTP (I have it configured in "reverse" mode).

Reference versions:

  • OPNsense is 22.7.10_2
  • Windows is Win11 current
  • Android is StrongSwan app on Android 11

I've been following the combination of https://docs.opnsense.org/manual/how-tos/ipsec-rw.html for the OPNsense side and https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html#ikev2-eap-mschapv2-or-eap-radius for the client.

Current Config - OPNsense (VPN > IPSec > Mobile Clients)

  • Enable: Checked
  • Backend for Authentication: Active Directory + TOTP (but I have also tried all other options I have incl AD alone, Local, and Local with TOTP)
  • Enforce local group: None
  • IPv4 Pool: Unique /24 subnet
  • IPv6 Pool: Unique /64 subnet
  • Network List: Checked
  • Save Xauth: Disabled
  • DNS Default Domain: Internal DNS suffix
  • DNS Servers: Internal DNS Server IPs
  • WINS: Unchecked
  • Phase 2 PFS: Off
  • Login Banner: Unchecked

Current Config - OPNsense - Phase 1 Selector

  • Disabled: Unchecked
  • Connection method: Respond only
  • Key Exchange version: V2
  • Internet Protocol: IPv4
  • Interface: CARP VIP on Internet Interface
  • Phase 1 Authentication
    • Authentication Method: EAP-MSCHAPv2
    • My identifier: Dynamic DNS (host.example.com)
    • Certificate: host.example.com (issued by OPNsense CA)
  • Phase 1 Algorithms
    • Encryption: AES 256
    • Hash: SHA 256
    • DH Group: 14
    • Lifetime: 28800
  • Advanced
    • Install policy: Checked
    • Disable Rekey: Unchecked
    • Disable Reauth: Unchecked
    • Tunnel Isolation: Unchecked
    • SHA256 96 bit truncation: Unchecked
    • NAT Traversal: Enable
    • Disable MOBIKE: Unchecked
    • Close Action: None
    • Dead Peer Detection: Checked (60 seconds, 5 retries)
    • Inactivity Timeout: 600
    • Keyingtries: Empty
    • Margintime: Empty
    • Rekeyfuzz: Empty

Current Config - OPNsense - Phase 2 Selector

  • Disabled: Unchecked
  • Mode: Tunnel IPv4
  • Local Network
    • Type: LAN subnet
  • Phase 2 Proposal
    • Protocol: ESP
    • Encryption algorithms: AES 256
    • Hash algorithms: SHA 256
    • PFS Key group: Off
    • Lifetime: 3600 seconds
  • Automatically ping host: Empty

On the client side, I've created a new IKEv2 connection following along the document above. However, Windows doesn't choose very secure Phase 1 and Phase 2 configurations, so I've forced the appropriate encryption and hashes:

Set-VpnConnectionIpsecConfiguration -ConnectionName VPN -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -DHgroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None

Prior to running that command, I was getting policy match errors which are now resolved. On the client, I get "username or password incorrect" and Event Viewer claims error -2143157998 which I think translates to 0x80420112? Doesn't seem to match error codes I recognise (often starting with 0x8007...). Edit: Authentication failed. Thanks Windows, much useful. Very help.

Strongswan on the 'droid fares about the same, though obviously there's a more helpful log that tells me authentication failed.

I don't get any errors in the OPNsense ipsec log other than Auth Failed, which I would have expected - are there other logs I can look at here? Other suggestions for logs / log levels are appreciated.
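Two of the diagnostic steps in this post can be scripted: checking that the Windows Set-VpnConnectionIpsecConfiguration parameters line up with the OPNsense Phase 1 and Phase 2 proposals (the "policy match" stage the post says it got past), and turning the signed decimal code that Event Viewer prints into the hex HRESULT the post converts by hand. The block below is an added example, not code from the post, OPNsense, or Microsoft. It maps the cmdlet parameters onto IKE proposals the way the cmdlet documents them (EncryptionMethod, IntegrityCheckMethod and DHGroup describe the IKE SA; CipherTransformConstants, AuthenticationTransformConstants and PfsGroup describe the ESP child SA); the server-side dictionaries are transcribed from the post.

```python
"""Added example (not from the post): compare a Windows IKEv2 client's IPsec
parameters with the OPNsense Phase 1/Phase 2 proposals, and render Event
Viewer's signed-decimal error codes as hex HRESULTs.
"""

# OPNsense side, transcribed from the post's Phase 1 / Phase 2 selectors.
OPNSENSE_PHASE1 = {"encryption": "aes256", "integrity": "sha256", "dh_group": 14}
OPNSENSE_PHASE2 = {"encryption": "aes256", "integrity": "sha256", "pfs_group": None}

# Windows side: the parameters of the Set-VpnConnectionIpsecConfiguration
# command quoted in the post.
WINDOWS_PARAMS = {
    "EncryptionMethod": "AES256",
    "IntegrityCheckMethod": "SHA256",
    "DHGroup": "Group14",
    "CipherTransformConstants": "AES256",
    "AuthenticationTransformConstants": "SHA256",
    "PfsGroup": "None",
}


def _group_number(value):
    """'Group14' or 'PFS2048' style names -> MODP group number; 'None' -> None.

    Only the MODP groups used on the page are mapped; anything else is returned
    as its lowercase name so that a mismatch is still reported rather than hidden.
    """
    if value is None or value.lower() == "none":
        return None
    name = value.lower()
    if name.startswith("group"):
        return int(name[len("group"):])
    if name == "pfs2048":          # PfsGroup name for MODP 2048, i.e. DH group 14
        return 14
    return name


def windows_proposals(params):
    """Map the cmdlet parameters onto IKE SA (Phase 1) and child SA (Phase 2)."""
    phase1 = {
        "encryption": params["EncryptionMethod"].lower(),
        "integrity": params["IntegrityCheckMethod"].lower(),
        "dh_group": _group_number(params["DHGroup"]),
    }
    phase2 = {
        "encryption": params["CipherTransformConstants"].lower(),
        "integrity": params["AuthenticationTransformConstants"].lower(),
        "pfs_group": _group_number(params["PfsGroup"]),
    }
    return phase1, phase2


def proposal_mismatches(server_phase1, server_phase2, client_params):
    """Return a list of 'phase.field: server=.. client=..' strings; empty when aligned."""
    client_phase1, client_phase2 = windows_proposals(client_params)
    mismatches = []
    for phase, server, client in (("phase1", server_phase1, client_phase1),
                                  ("phase2", server_phase2, client_phase2)):
        for field, expected in server.items():
            if client.get(field) != expected:
                mismatches.append(
                    f"{phase}.{field}: server={expected} client={client.get(field)}")
    return mismatches


def hresult_hex(signed_code):
    """Event Viewer shows HRESULTs as signed 32-bit decimals; render as 0x........"""
    return f"0x{signed_code & 0xFFFFFFFF:08X}"


if __name__ == "__main__":
    print("mismatches:", proposal_mismatches(OPNSENSE_PHASE1, OPNSENSE_PHASE2, WINDOWS_PARAMS))
    print("error code:", hresult_hex(-2143157998))
```

An empty mismatch list means the proposal stage is not the problem and attention should move to the EAP exchange, which is where this post's "Auth Failed" originates; a non-empty list names the exact field to change on one side or the other.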
#4
High availability / Re: CARP not working?
February 27, 2021, 11:08:11 AM
It might be worth setting the group ID differently on each interface (as that will ensure the MAC addresses are unique). I had weird issues till I did that. Certainly the example configuration has different groups set per interface.

I also think the double-master you have is hurting you - are you certain you have different skews on the two hosts? Normally I think it's base 1 + skew 0 on the primary and base 1 + skew 100 on the secondary.

Having said that - I think I have other broken NAT issues on my 21.1 environment, which I'm still troubleshooting, so I could be way off.