OPNsense Forum
Messages - Hannes

1
22.7 Legacy Series / Re: IPsec Routing Problem after Update to 22.7.x
« on: August 16, 2022, 02:08:59 pm »
Hi eell!

Thank you for the reply!

I copied just the missing part to the include.conf with the necessary brackets and header.

Really missing are just these 2 lines:
subnet = 10.1.1.0/24
split-include = 10.1.1.0/24

IMO this is a bug - it worked with 22.1.x (when you activated "Provide a list of accessible networks to clients"), but the 2 lines disappeared with 22.7 and don't come back, even if you activate the button.

Greetings

Hannes

2
22.7 Legacy Series / Re: IPsec Routing Problem after Update to 22.7.x
« on: August 15, 2022, 01:14:28 pm »
I tried to edit /usr/local/etc/strongswan.conf -> the file gets recovered by the system on restart of strongswan

I tried to create /usr/local/etc/strongswan.opnsense.d/include.conf -> works!

-----
starter {
}
charon {
    plugins {
        attr {
            subnet = 10.1.1.0/24
            split-include = 10.1.1.0/24
        }
    }
}
-----

3
22.7 Legacy Series / Re: IPsec Routing Problem after Update to 22.7.x
« on: August 14, 2022, 06:57:01 pm »
Client macOS 12.5

netstat:

Connected with OPNsense 22.7 (not working) -> gateway is the vpn interface
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  10.1.99.100.51771      17.248.173.48.https    SYN_SENT


Connected with OPNsense 22.1 (working) -> local gateway is used
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  mbp-16-han.fritz.51894 10.5.1.113.net-assista SYN_SENT

4
22.7 Legacy Series / Re: IPsec Routing Problem after Update to 22.7.x
« on: August 14, 2022, 06:55:04 pm »
Further investigations:

strongswan.conf (OPNsense 22.7) (not working)

cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }

strongswan.conf (OPNsense 22.1) (working)

cisco_unity = yes
    plugins {
        attr {
            subnet = 192.168.100.0/24
            split-include = 192.168.100.0/24
            dns = 192.168.100.1
            # Search domain and default domain
            28674 = network.local
            28675 = network.local
            25 = network.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }

The file has a warning: "# Automatically generated, please do not modify"

So the change needs to be made in OPNsense?

Thank you
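
The two strongswan.conf excerpts above differ only in whether the attr plugin pushes `subnet` / `split-include`; without those attributes a Cisco-Unity-capable client such as macOS routes all traffic, including Internet and DNS, through the tunnel. The following checker is an added example, not OPNsense or strongSwan code: it parses the strongswan.conf section syntax, reports whether split tunnelling is configured, and renders an include.conf fragment of the shape shown in the earlier post. It assumes the quoted excerpts sit inside the `charon { ... }` block of the generated file, and that `split-include` accepts a comma-separated list of networks (the attr plugin's list syntax).

```python
"""Check whether a strongSwan attr-plugin config pushes split-tunnel networks."""
import ipaddress


def parse_strongswan_conf(text):
    """Parse strongswan.conf's nested `section { key = value }` syntax into dicts.

    Handles `#` comments, blank lines and arbitrary nesting; raises ValueError
    on unbalanced braces so a truncated excerpt is not silently misread.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without an open section")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of input")
    return root


def attr_settings(conf):
    """Return the charon.plugins.attr section, or {} when it is absent."""
    return conf.get("charon", {}).get("plugins", {}).get("attr", {})


def split_include_networks(conf):
    """Networks pushed via split-include (assumed comma-separated list).

    An empty list means no split-include attribute is pushed, so a client
    honouring the Unity extensions sends *all* traffic through the tunnel.
    """
    raw = attr_settings(conf).get("split-include", "")
    return [ipaddress.ip_network(n.strip()) for n in raw.split(",") if n.strip()]


def check_split_tunnel(text):
    """Summarise whether a strongswan.conf (excerpt) configures split tunnelling."""
    conf = parse_strongswan_conf(text)
    nets = split_include_networks(conf)
    attr = attr_settings(conf)
    return {
        "split_tunnel": bool(nets),
        "networks": [str(n) for n in nets],
        "subnet": attr.get("subnet"),
        "dns": attr.get("dns"),
    }


def render_attr_include(networks):
    """Render an include.conf fragment pushing `networks` as subnet/split-include.

    Same shape as the override file in the post; each entry is validated as a
    network so a typo cannot end up in the generated configuration.
    """
    joined = ",".join(str(ipaddress.ip_network(n)) for n in networks)
    return (
        "charon {\n"
        "    plugins {\n"
        "        attr {\n"
        f"            subnet = {joined}\n"
        f"            split-include = {joined}\n"
        "        }\n"
        "    }\n"
        "}\n"
    )


# Excerpts from the post, wrapped in the `charon { ... }` block they come from (assumed).
CONF_22_7 = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
    }
}
"""

CONF_22_1 = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            subnet = 192.168.100.0/24
            split-include = 192.168.100.0/24
            dns = 192.168.100.1
        }
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("22.7", CONF_22_7), ("22.1", CONF_22_1)):
        print(label, check_split_tunnel(conf))
    print(render_attr_include(["10.1.1.0/24"]))
```

Run against the generated file after a strongSwan restart to confirm the override in strongswan.opnsense.d actually took effect; a `split_tunnel: False` result on a road-warrior profile is the condition that sends the client's Internet traffic through the gateway.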

5
22.7 Legacy Series / IPsec Routing Problem after Update to 22.7.x
« on: August 10, 2022, 04:20:58 pm »
I have a problem with IPsec since updating to OPNsense 22.7.x

IPsec Setup (Road Warrior)

Client: macOS 12

OPNsense 22.1.x
Connect with Client to OPNsense Network from "the road". All IPs on the VPN Network are accessible, Internet Routing goes through Client Internet Connection.

After Update to 22.7.x
Connect with Client to OPNsense Network from "the road". All IPs on the VPN Network are accessible, Internet Routing goes through VPN Connection and Internet/DNS is not working or too slow.

This behavior I had before I found the setting "Provide a list of accessible networks to clients" (VPN/IPSec/Mobile Clients).

1. Did I describe the problem to be understood?
2. Is there a quick-fix - maybe in a configuration file on the opnsense server?
3. Please do not offer solutions like "this is better, or use wireguard" - I'm interested in this solution, and it worked already, so I would like to fix it, thank you.

Greetings

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved