1
General Discussion / Re: Lessons Learned deploying OPNsense 2022-10-01
« on: December 25, 2022, 05:10:43 am »
Hi, did you enable the hardware acceleration? Is it working? Thanks.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Virtual private networks / Re: Bug: IPSEC VPN - PRF_AES128_XCBC isn't working any more
« on: June 07, 2022, 10:22:23 pm »
The command pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/misc/strongswan-kdf.pkg fixed the problem. Thanks!
3
Virtual private networks / Bug: IPSEC VPN - PRF_AES128_XCBC isn't working any more
« on: June 07, 2022, 08:22:57 am »
This looks like a regression.
I was using AES-XCBC as the hash algorithm in "VPN: IPsec: Tunnel Settings" to accommodate Android's default VPN client which only accepts SHA1 and AES-XCBC, and SHA1 isn't used due to security reasons.
It's also the preferred hash algorithm by strongSwan Android app and Windows default client.
After a recent update (can't remember which one) all VPN clients can't connect anymore because of error "KDF_PRF with PRF_UNDEFINED not supported" and "key derivation failed". Logs:
2022-06-06T22:16:27-07:00 Informational charon 12[NET] <2> sending packet: from 10.0.0.1[500] to 10.0.0.100[42573] (36 bytes)
2022-06-06T22:16:27-07:00 Informational charon 12[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> key derivation failed
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> KDF_PRF with PRF_UNDEFINED not supported
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> remote host is behind NAT
2022-06-06T22:16:27-07:00 Informational charon 12[CFG] <2> selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_256
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> 10.0.0.100 is initiating an IKE_SA
2022-06-06T22:16:27-07:00 Informational charon 12[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-06T22:16:27-07:00 Informational charon 12[NET] <2> received packet: from 10.0.0.100[42573] to 10.0.0.1[500] (716 bytes)
I have to remove AES-XCBC algorithm and use SHA256 only to accommodate strongSwan Android app and Windows client, while the Android default VPN client is still broken.
I found this thread https://bytemeta.vip/repo/strongswan/strongswan/issues/1026 but not sure if it's related. Is --disable-kdf added to the configure options? If so, removing it may fix the issue.
I was using AES-XCBC as the hash algorithm in "VPN: IPsec: Tunnel Settings" to accommodate Android's default VPN client which only accepts SHA1 and AES-XCBC, and SHA1 isn't used due to security reasons.
It's also the preferred hash algorithm by strongSwan Android app and Windows default client.
After a recent update (can't remember which one) all VPN clients can't connect anymore because of error "KDF_PRF with PRF_UNDEFINED not supported" and "key derivation failed". Logs:
2022-06-06T22:16:27-07:00 Informational charon 12[NET] <2> sending packet: from 10.0.0.1[500] to 10.0.0.100[42573] (36 bytes)
2022-06-06T22:16:27-07:00 Informational charon 12[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> key derivation failed
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> KDF_PRF with PRF_UNDEFINED not supported
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> remote host is behind NAT
2022-06-06T22:16:27-07:00 Informational charon 12[CFG] <2> selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_256
2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> 10.0.0.100 is initiating an IKE_SA
2022-06-06T22:16:27-07:00 Informational charon 12[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-06T22:16:27-07:00 Informational charon 12[NET] <2> received packet: from 10.0.0.100[42573] to 10.0.0.1[500] (716 bytes)
I have to remove AES-XCBC algorithm and use SHA256 only to accommodate strongSwan Android app and Windows client, while the Android default VPN client is still broken.
I found this thread https://bytemeta.vip/repo/strongswan/strongswan/issues/1026 but not sure if it's related. Is --disable-kdf added to the configure options? If so, removing it may fix the issue.
4
Intrusion Detection and Prevention / Re: IPS mode destroying IPv6
« on: March 23, 2022, 07:21:37 am »
After extensive research I realized I'm hitting the same issue here: https://forum.opnsense.org/index.php?topic=27299.0
Disabled MAC spoofing and now it's mostly working.
However, I still can't enable it on the LAN interface where an IPv6 address is assigned (causing same interface up/down issue). Still investigating...
Disabled MAC spoofing and now it's mostly working.
However, I still can't enable it on the LAN interface where an IPv6 address is assigned (causing same interface up/down issue). Still investigating...
5
Intrusion Detection and Prevention / Re: IPS mode destroying IPv6
« on: March 18, 2022, 09:12:44 pm »
Hi Franco, thanks for the quick fix, but the issue is still there 
Yesterday I upgraded it to 22.1.3 and enabled IPS mode again. The improvement is the IPv6 keeps running for a while (maybe 15 minutes) and then the WAN interface keeps up and down again.
I'm not sure if this is only happening to me. I'm passing through an I340 adapter into a Hyper-V VM via DDA. There isn't anything else special in my setup.
Do you want me to collect some logs for debugging? Thanks!
Yesterday I upgraded it to 22.1.3 and enabled IPS mode again. The improvement is the IPv6 keeps running for a while (maybe 15 minutes) and then the WAN interface keeps up and down again.
I'm not sure if this is only happening to me. I'm passing through an I340 adapter into a Hyper-V VM via DDA. There isn't anything else special in my setup.
Do you want me to collect some logs for debugging? Thanks!
Unfortunately FreeBSD 13 seems to react differently to IPS use in intrusion detection. We have adjusted the code a little on IPv6 to not listen to detach events caused by enabling IPS mode (even the one late at boot):
https://github.com/opnsense/core/commit/c6a8090de
This patch will be part of 22.1.3 and you can help test it now on 22.1.2 via:
# opnsense-patch c6a8090de
Cheers,
Franco
6
Hardware and Performance / Re: Minimal x86 box for 1Gbps WAN
« on: March 15, 2022, 11:58:20 pm »
The Wyse 3040 didn't pass stress test (after running iperf for a few hours the USB NIC is down till a reboot) 
7
Intrusion Detection and Prevention / Re: IPS mode destroying IPv6
« on: March 14, 2022, 09:49:53 pm »
This is 100% repro... Anyone using IPv6 here?
8
Hardware and Performance / Minimal x86 box for 1Gbps WAN
« on: March 12, 2022, 09:03:32 am »
I've been using DELL Inspiron 3472 (Pentium Silver J5005 CPU) + Intel I340T2 to run my home firewall + router for a while. It works great so far (VPN, IDS, etc.). I think it's an overkill for my home network though (Comcast 300Mbps plan).
Today I tired to run it on Wyse 3040 (Atom x5-Z8350 CPU) + Realtek USB 3.0 LAN adapter instead. Surprisingly it works great too. NATing speed is 100% LAN speed (1Gbps). I didn't test VPN performance but the CPU supports AES-NI so it should work well too. Only problem is some settings in /boot/device.hints need to be changed otherwise the OS won't boot (FreeBSD bug).
Today I tired to run it on Wyse 3040 (Atom x5-Z8350 CPU) + Realtek USB 3.0 LAN adapter instead. Surprisingly it works great too. NATing speed is 100% LAN speed (1Gbps). I didn't test VPN performance but the CPU supports AES-NI so it should work well too. Only problem is some settings in /boot/device.hints need to be changed otherwise the OS won't boot (FreeBSD bug).
9
Intrusion Detection and Prevention / IPS mode destroying IPv6
« on: March 03, 2022, 09:54:08 pm »
Does anyone have problems with IPS + IPv6?
When everything else is running fine including IDS, as soon as IPS mode is enabled, the ISP assigned IPv6 is gone from the WAN interface, and then the WAN interface keeps up and down forever. I need to disable IPS and issue a reboot to recover.
Attached the screenshot on the console. igb1 is the WAN interface. It seems some IPv6 forwarding isn't working properly when IPS is enabled.
I've only enabled OPNsense-* rule-sets in the Intrusion Detection service.
When everything else is running fine including IDS, as soon as IPS mode is enabled, the ISP assigned IPv6 is gone from the WAN interface, and then the WAN interface keeps up and down forever. I need to disable IPS and issue a reboot to recover.
Attached the screenshot on the console. igb1 is the WAN interface. It seems some IPv6 forwarding isn't working properly when IPS is enabled.
I've only enabled OPNsense-* rule-sets in the Intrusion Detection service.
10
General Discussion / Re: How to disable IPv6 DHCP server and only use SLAAC in LAN
« on: March 03, 2022, 07:07:16 am »
To answer this question by my self after extensive searches...
Interfaces -> LAN:
IPv6 Configuration Type = Track Interface
Manual configuration = Allow manual adjustment of DHCPv6 and Router Advertisements
Then there is a sub menu [LAN] under Services -> DHCPv6. In there I can turn off DHCPv6 server for the LAN interface.
There is also a sub menu [LAN] under Services -> Router Advertisements. I changed it to Unmanaged.
Interfaces -> LAN:
IPv6 Configuration Type = Track Interface
Manual configuration = Allow manual adjustment of DHCPv6 and Router Advertisements
Then there is a sub menu [LAN] under Services -> DHCPv6. In there I can turn off DHCPv6 server for the LAN interface.
There is also a sub menu [LAN] under Services -> Router Advertisements. I changed it to Unmanaged.
11
General Discussion / Re: How to enable IPv6 inbound routing?
« on: March 03, 2022, 03:04:20 am »Firewall > Rules > WAN > Permit IPv6 Destination Address in ...
It solved the problem. Thanks!
I thought it's a routing problem instead of firewall
12
General Discussion / [SOLVED] How to enable IPv6 inbound routing?
« on: March 02, 2022, 10:37:11 pm »
With IPv6 enabled, every client in the LAN is assigned with a IPv6 address as expected and is working. But how to allow IPv6 inbound routing? I.e., how to allow them to be accessible from internet (I'm running a few servers in the LAN)? Thanks.
13
General Discussion / [SOLVED] How to disable IPv6 DHCP server and only use SLAAC in LAN
« on: March 02, 2022, 10:32:25 pm »
Hi, is there a way to permanently disable the IPv6 DHCP server and only use SLAAC to assign IPv6 addresses in the LAN? Thanks.
Pages: [1]