Messages - joelmnz

#1
23.7 Legacy Series / VPN IPSEC UX Enhancement Request
November 02, 2023, 10:55:25 PM
The current layout of editing an IPSEC connection is awesome. I have come across an area where it gets messy and could be cleaner though: When a child tunnel requires NAT/BINAT.

When editing the child connection, we have the Local and Remote fields, but must go into the Firewall:NAT:One-to-One to configure the translation.

How this is handled in pfsense is much cleaner and easier to configure: as per the attached image, there is a section between Local and Remote where the NAT/BINAT can be configured, and it is always visible when editing the child in future.

Is it possible to consider adding this into the OPNsense UX?
#2
Looking at your log file it seems the Phase 1 is standing up fine. It is trying to initiate the Phase 2 (CHILD_SA) and is failing for some reason.

Personally, I'd start by looking at the settings for the Phase 2 tunnel and comparing the settings on both ends of the connection to make sure they match EXACTLY.... mismatched lifetimes can cause issues with one end of the connection terminating. IPSEC is very intolerant of mismatched settings.

Personally I make the lifetimes for Phase 2 half the duration of Phase 1. So if Phase 1 is 28800, then Phase 2 is 14400.

Changing the log settings to debug can show more detail about what might be going on with the CHILD_SA as well.
#3
OPNsense 22.1.7_1-amd64

Have the preset cron job for automatic firmware update enabled as per attached. It should run at 2am each day to check. I expected that it would have run and picked up 22.1.8_1, but it hasn't.

Exporting the config I can see the following job definition:
<job uuid="*****">
  <origin>cron</origin>
  <enabled>1</enabled>
  <minutes>0</minutes>
  <hours>2</hours>
  <days>*</days>
  <months>*</months>
  <weekdays>*</weekdays>
  <who>root</who>
  <command>firmware auto-update</command>
  <parameters/>
  <description>Update Firmware</description>
</job>

Manually running /usr/local/sbin/configctl firmware auto-update worked, but that kind of defeats the purpose of having a cron ;)

Anyone else experiencing this? If so, we might be able to get a bug raised for it.
#4
Hi all

I have a strange one I am trying to work my way through.  I have previously been able to create an IKEv2 S2S IPSEC using LetsEncrypt certs created using the acme module and it works great.

I now have an OPNsense 21.7.8 that I am trying to connect to a Cisco FirePower with Digicert CA that I don't have access to.

I have loaded the intermediate and root CAs for LE and Digicert and it appears the phase 1 authenticates fine. Then this happens:

[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
[IKE] received end entity cert "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   using certificate "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   using trusted intermediate ca certificate "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG] checking certificate status of "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG]   fetching crl from 'http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG]   using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
[CFG] checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG] certificate policy 2.23.140.1.2.2 for 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] signature validation failed, looking for another key
[CFG]   using certificate "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   using trusted intermediate ca certificate "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG] checking certificate status of "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG]   fetching crl from 'http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG]   using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
[CFG] checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG] certificate policy 2.23.140.1.2.2 for 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] signature validation failed, looking for another key
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
[NET] sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (65 bytes)
initiate failed: establishing CHILD_SA 'con5' failed

and it falls on its face :(

The Phase one is 256 bit AES-GCM with 128 bit ICV + SHA384,SHA512 + DH Group 21
Phase 2 is    aes192gcm16, aes256gcm16 + + off

My hunting led me to a couple of Strongswan posts:
https://wiki.strongswan.org/issues/3343
https://wiki.strongswan.org/issues/2473
Am I maybe hitting this?  Should I ask the other network team to enable SHA1? Although based on my reading of the second post, both systems should be using method 14?

So has anyone run across this before and got a gem they could share with me please? I've spent more than a dozen hours trying to sort it out and can't seem to get anywhere.

Also... Is there a way we can resolve the fetching errors for the OCSP and CRLs?

Any help or suggestions very much appreciated.
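A small log-triage helper, added here as an illustration and not part of the post, OPNsense or strongSwan: it walks charon lines in the format quoted in the post above (a constructed excerpt with a placeholder certificate subject), separates the unreachable OCSP responders from the CRL distribution points, records the reason strongSwan gave, picks up rejected policy OIDs, and turns the findings into the checks an operator would do next.

```python
import re
from collections import Counter

# Constructed sample in the format of the charon log quoted above; the peer subject is a placeholder.
SAMPLE_LOG = """\
[IKE] received end entity cert "PEER-CERT-PLACEHOLDER"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] certificate status is not available
[CFG] certificate policy 2.23.140.1.2.2 for 'PEER-CERT-PLACEHOLDER' not allowed by trustchain, ignored
[IKE] signature validation failed, looking for another key
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

FETCH_FAIL = re.compile(r"\[LIB\] unable to fetch from (\S+), (.+)$")
POLICY_REJECT = re.compile(r"certificate policy (\S+) for '[^']*' not allowed by trustchain")

def triage_charon_log(text):
    """Collect revocation-check and trust-chain problems from charon log lines."""
    f = {"ocsp": set(), "crl": set(), "reasons": Counter(),
         "rejected_policies": [], "status_unknown": 0, "auth_failed": False}
    for line in text.splitlines():
        if (m := FETCH_FAIL.search(line)):
            url, reason = m.groups()
            # Classify by the URL strongSwan tried: OCSP responder or CRL distribution point
            f["ocsp" if "ocsp" in url else "crl"].add(url)
            f["reasons"][reason] += 1
        elif (m := POLICY_REJECT.search(line)):
            f["rejected_policies"].append(m.group(1))
        elif "certificate status is not available" in line:
            f["status_unknown"] += 1
        elif "signature validation failed" in line or "N(AUTH_FAILED)" in line:
            f["auth_failed"] = True
    return f

def hints(f):
    """Map findings to the checks an operator would do next."""
    out = []
    if "no capable fetcher found" in f["reasons"]:
        # libstrongswan reports this when no fetcher plugin (e.g. curl) handles the URL scheme,
        # so the cause is local plugin availability, not the responder or the network.
        out.append("no http fetcher plugin loaded: OCSP/CRL checks cannot run")
    if f["status_unknown"]:
        out.append("revocation status unknown for %d certificate(s)" % f["status_unknown"])
    if f["rejected_policies"]:
        out.append("policy OIDs rejected by trust chain: " + ", ".join(sorted(set(f["rejected_policies"]))))
    if f["auth_failed"]:
        out.append("peer signature did not verify: compare signature schemes on both ends")
    return out
```

Run it against the full charon log from the VPN log viewer rather than the excerpt; the same four findings should come out, with both CRL hosts listed under "crl".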