Messages

My IPSEC VTI uses:

The OPNSense WAN address for the "Local Address"
The Fortigate WAN address for the "Remote Address"
172.16.100.6 for the "Local Tunnel Address"
172.16.100.5 for the "Remote Tunnel Address"

I have static routes added on both sides forwarding the remote side's LAN in. I.e. the OPNSense side has a route to 172.17.0.0/16 configured with a gateway of 172.16.100.5

I've been following along here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html in order to establish a link between my local networks (OPNSense) and a remote network (Fortigate).

I'm able to pull up the tunnel and see that the interface (Site1Site2) is created.

No traffic is able to pass over the tunnel however.

Code Select Expand

Site1
Local Network: 172.19.0.0/16
VPN Pool 172.16.100.4/30
VPN Address 172.16.100.6


Site2
Local Network: 172.17.0.0/16
VPN Pool 172.16.100.4/30
VPN Address 172.16.100.5
I've enabled logging on the IPV4 <- * * * * * * and IPV4 -> * * * * * * rules in both the Site1Site2 and IPsec firewall tables.

The symptom I'm seeing in the logs is all outbound traffic is going out the Site1Site2 interface, but all the traffic from Site2 is coming in and hitting the IPsec firewall table/interface.

Should these be connected somehow?

True to form, the issue was DNS.

The CNAME I was using for everything was pointing towards an A and AAAA record.

It seems I'm not the first that's had this issue either.

https://github.com/opnsense/core/issues/4819

I suspect as ipv6 gets rolled out more, this will become more prevalent.


Sent from my iPhone using Tapatalk

I've got what I feel is a properly configured IKEv2 EAP-MSCHAPv2 road warrior setup.

I can connect to it over WAN from any android device as well as a Linux laptop.

I can connect to it over LAN from an iOS device. However, if I try to connect to it via WAN, I get "The VPN server did not respond"

I'm not sure what the issues could be, because android and Linux connect just fine over WAN.

It feels like there is some firewall rule or setting not exposed that needs to be set.

Yep! That was the issue. The documents need to include checking the "Install Policy" on the Phase 1.

In addition, adding 0.0.0.0/0 to pass ALL traffic over the VPN causes the end client to fail to connect. Adding a different subnet (i.e.172.19.0.0/16) will allow all access to those hosts.

Further, for the "ipsec" rule table, bidirectional pass rules will be needed to each interface.

Here is my IPSEC authentication log. I think that querying policy might be part of my issue.

Code Select Expand

2021-10-27T09:14:50 charon[87122] 15[IKE] <con1|3> sending keep alive to $IPHONE_WAN[56385]
2021-10-27T09:14:50 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found  
2021-10-27T09:14:30 charon[87122] 15[IKE] <con1|3> sending keep alive to $IPHONE_WAN[56385]
2021-10-27T09:14:30 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found
2021-10-27T09:14:28 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found
2021-10-27T09:14:11 charon[87122] 14[IKE] <con1|3> CHILD_SA con1{1} established with SPIs ccde62c4_i 0cd97ad8_o and TS 172.19.204.0/24 === 10.10.0.1/32
2021-10-27T09:14:11 charon[87122] 14[ENC] <con1|3> parsed QUICK_MODE request 1242775051 [ HASH ]
2021-10-27T09:14:11 charon[87122] 14[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (60 bytes)
2021-10-27T09:14:11 charon[87122] 14[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (172 bytes)
2021-10-27T09:14:11 charon[87122] 14[ENC] <con1|3> generating QUICK_MODE response 1242775051 [ HASH SA No ID ID ]
2021-10-27T09:14:11 charon[87122] 14[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
2021-10-27T09:14:11 charon[87122] 14[ENC] <con1|3> parsed QUICK_MODE request 1242775051 [ HASH SA No ID ID ]
2021-10-27T09:14:11 charon[87122] 14[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (380 bytes)
2021-10-27T09:14:10 charon[87122] 14[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (188 bytes)
2021-10-27T09:14:10 charon[87122] 14[ENC] <con1|3> generating TRANSACTION response 3591551841 [ HASH CPRP(ADDR SUBNET U_SPLITINC DNS DNS U_DEFDOM U_SPLITDNS DOMAIN) ]
2021-10-27T09:14:10 charon[87122] 14[IKE] <con1|3> assigning virtual IP 10.10.0.1 to peer '$USER'
2021-10-27T09:14:10 charon[87122] 14[CFG] <con1|3> assigning new lease to '$USER'
2021-10-27T09:14:10 charon[87122] 14[IKE] <con1|3> peer requested virtual IP %any
2021-10-27T09:14:10 charon[87122] 14[ENC] <con1|3> parsed TRANSACTION request 3591551841 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
2021-10-27T09:14:10 charon[87122] 14[ENC] <con1|3> unknown attribute type (28683)
2021-10-27T09:14:10 charon[87122] 14[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (140 bytes)
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> maximum IKE_SA lifetime 28498s
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> scheduling reauthentication in 27958s
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> IKE_SA con1[3] established between $OPNSENSE_WAN[$OPNSENSE_FQDN]...$IPHONE_WAN[0.0.0.0]
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> parsed TRANSACTION response 1233271016 [ HASH CPA(X_STATUS) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (76 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (76 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> generating TRANSACTION request 1233271016 [ HASH CPS(X_STATUS) ]
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> XAuth authentication of '$USER' successful
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> PAM authentication of '$USER' successful
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> parsed TRANSACTION response 3033065133 [ HASH CPRP(X_USER X_PWD) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (92 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (76 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> generating TRANSACTION request 3033065133 [ HASH CPRQ(X_USER X_PWD) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (92 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> generating ID_PROT response 0 [ ID HASH ]
2021-10-27T09:14:09 charon[87122] 15[CFG] <3> selected peer config "con1"
2021-10-27T09:14:09 charon[87122] 15[CFG] <3> looking for XAuthInitPSK peer configs matching $OPNSENSE_WAN...$IPHONE_WAN[0.0.0.0]
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (108 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <3> sending packet: from $OPNSENSE_WAN[500] to $IPHONE_WAN[57425] (244 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> remote host is behind NAT
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> local host is behind NAT, sending keep alives
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-10-27T09:14:09 charon[87122] 15[NET] <3> received packet: from $IPHONE_WAN[57425] to $OPNSENSE_WAN[500] (228 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <3> sending packet: from $OPNSENSE_WAN[500] to $IPHONE_WAN[57425] (180 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> generating ID_PROT response 0 [ SA V V V V V ]
2021-10-27T09:14:09 charon[87122] 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> $IPHONE_WAN is initiating a Main Mode IKE_SA
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received DPD vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received FRAGMENTATION vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received Cisco Unity vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received XAuth vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received NAT-T (RFC 3947) vendor ID
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2021-10-27T09:14:09 charon[87122] 15[NET] <3> received packet: from $IPHONE_WAN[57425] to $OPNSENSE_WAN[500] (848 bytes)
2021-10-27T09:14:07 charon[87122] 02[CFG] added configuration 'con1'
2021-10-27T09:14:07 charon[87122] 02[CFG] adding virtual IP address pool 10.10.0.0/24
2021-10-27T09:14:07 charon[87122] 02[CFG] received stroke: add connection 'con1'

I guess that's the next question.

I just ripped out the whole configuration and tried it again with the same results.

I have multiple "LAN"s each attached to a specific VLAN.

I've also got my emergency LAN that I use a spare NIC on the OPNSense box to access.

I've tried mapping each of the "LAN Subnet"s to that option with no change.

In the IPSec rules section of the firewall, I've replicated the rule described in the guide to each individual interface.

Part of the problem is knowing exactly where to start looking. It seems most people just follow the guide and are off to the races.

I have followed the RoadWarrior setup here: https://docs.opnsense.org/manual/how-tos/ipsec-road.html

I am able to connect my iPhone (iOS15) to the opnsense VPN gateway, and am given a valid address.

I am not able to reach the internet, the local LAN(s), or the opnsense vpn gateway itself.

Opnsense is not my DNS nor DHCP server, those are handled by a pihole VM elsewhere on the network.

The log file has messages like "querying policy 0.0.0.0/0 === 10.0.0.1/32 out failed, not found" in it, since I replaced the "LAN subnet" described in the documentation with "0.0.0.0/0" as described in a few posts I've seen.

Is there anything else that could be preventing traffic from passing?