Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - ntkevinshao

Pages: [1]

General Discussion / Is FQDN hostname supported in Walled Garden for Captive Portal?

« on: December 01, 2022, 12:05:50 pm »

Is FQDN hostname supported in Walled Garden for Captive Portal?
Seems currently only IP address/subnet is supported

General Discussion / Captive Portal Allowed Destinations in IP address, FQDN domain/hostname format

« on: November 17, 2022, 09:02:32 am »

Dear all :
Does OPNsense captive portal service support allowed destinations(before authentication) specified in FQDN domain name or hostname format?
It seems only IP address can be entered in the Allowed addresses setting.

Virtual private networks / Re: IPsec Site to Site VPN with One Site Behind NAT

« on: August 15, 2022, 12:23:34 pm »

I know where the problem is :
Site 2 Remote Site OpnSense #2
My Identifier should use IP address 100.1.1.2 which is the outbound public address after NAT
I should use 192.168.3.22

Chinese - 中文 / Re: IPsec site to site VPN 一邊在NAT 防火牆之後, My Identifier/Peer Identifier 該如何設定 ?

« on: August 15, 2022, 12:21:25 pm »

I know where the problem is
Site 2 OpnSense #2 :
My Identifier 要用 :
IP Address
100.1.1.2 (outbound Port Forward NAT 後的 public IP
不能用自己 WAN 原本的 private 192.168.3.22

Chinese - 中文 / IPsec site to site VPN 一邊在NAT 防火牆之後, My Identifier/Peer Identifier 該如何設定 ?

« on: August 15, 2022, 10:18:49 am »

Site 1 Opnsense #1:
- LAN : 192.168.1.1 /24
- WAN : 100.1.1.1 /24

Site 2 Firewall (NAT) :
- WAN : 100.1.1.2 /24, 設定 port forward 把 AH, ESP, TCP/UDP 500/4500 全部轉發給 192.168.3.22
- LAN IP(連接 OpnSense #2) : 192.168.3.21 /24
Site 2 OpnSense #2 :
- WAN : 192.168.3.22 /24 (連接 Firewall)
- LAN : 192.168.2.22 /24

請問我 IPsec tunnel phase 1 該如何設定 My Identifier ? Peer Identifier ?
謝謝

Virtual private networks / IPsec Site to Site VPN with One Site Behind NAT

« on: August 15, 2022, 10:07:58 am »

My Lab Config :
Site 1 Local OpnSense # 1 :
- LAN IP : 192.168.1.1 /24
- WAN IP : 100.1.1.1 /24

Site 2 Remote Site Firewall(NAT) :
- WAN IP 100.1.1.2 /24
- config port forward on WAN to forward AH, ESP and TCP/UDP 500/4500 to 192.168.3.22
- LAN IP(connected to OpnSense #2) : 192.168.3.21 /24
Site 2 Remote Site OpnSense #2 for IPsec Site to Site VPN :
- WAN IP(connected to Firewall) : 192.168.3.22 /24
- LAN IP : 192.168.2.22 /24

But I could not get IPsec site to site VPN to work for Site 1 192.168.1.0/24 to connect to Site 2 192.168.2.0 /24
what should I use in Site 1 OpnSense and Site 2 Opsense Phase 1 :
My identifier = My IP address ?
Peer identifier = Peer IP address ?
NAT Traversal is enabled

VPN: IPsec: Security Policy Database can see two sessions installed
VPN: IPsec: Security Association Database is empty

Virtual private networks / Transparent Mode Running Site to Site VPN on Bridge0 IP Interface

« on: August 09, 2022, 11:34:19 am »

I am trying to configure an OpnSense(in Transparent Bridge Mode) to run IPsec site to site VPN, but failed
Bridge0 member : LAN, WAN
LAN, WAN IP address : none
Bridge0 is assigned an IP address for management and hopefully for site to site VPN
Can we config IPsec Site to Site VPN using Bridge0 IP interface ?
My lab config is as below :
Remote OpnSense(Site to Site VPN Peer) --- External Firewall at local site with Port Forwarding enabled for IPsec --- Local OpnSense in Transparent Mode configured for IPsec Site to Site VPN
I hope the 192.168.66.0 /24 remote subnet can reach local 192.168.0.0 /22 subnet each other, but failed.
Is this due to Bridge0 limitation ?

Virtual private networks / Shrew VPN Client Connected but Security Associatetions Failed

« on: August 08, 2022, 09:34:45 am »

Sorry, I got stuck with IPsec VPN Mobile Clients testing and I could not find out why :
OpnSense : 22.1.2 running on VMware Workstation Pro v16
Shrew Soft VPN Client : 2.2.2 installed and running on Windows 10 PC
IPsec Phase 1 Authentication : Mutual PSK + XAUTH
After I launched the Shrew VPN client and entered correct username/password, it said Tunnel Status : "Connected", but Security Associations "Failed", and of course my remote access did not work.
I checked :
"VPN: IPsec: Security Association Database" ------> No IPsec security associations.
"VPN: IPsec: Security Policy Database" -----> No IPsec security policies.

Then I went to "VPN: IPsec: Status Overview" and manually clicked the green triangle icon under "Staus" column, then "VPN: IPsec: Security Policy Database" and "VPN: IPsec: Security Association Database" were filled with some session information and my VPN remote access worked.

Did I miss configuring anything so the Security Associations did not come up ?

Virtual private networks / Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)

« on: July 26, 2022, 08:48:11 am »

Thanks, it worked. Now my remote win 10 PC VPN connection is up and default gateway is its original default gateway not the IPsec tunnel.
But I got another problem, that is my win 10 PC did not learn route to OPNsense LAN subnet via this tunnel interface, did I miss still anything ?

Virtual private networks / Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)

« on: July 26, 2022, 06:36:07 am »

adapter setting ? where is it ?

Virtual private networks / Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)

« on: July 26, 2022, 05:21:13 am »

My bad, I found out why ? I forgot to check Install Policy in Tunnel Phase 1 Configuration
Now PC2 can ping 192.168.1.1 but cannot ping 8.8.8.8, how can I do split tunneling so only traffic to 192.168.1.0/24 is routed over IPsec tunnel, all other traffic is routed over PC2's existing default gateway ?
Now I check PC2's route table default route 0.0.0.0/0 next hop is set to 10.10.0.1 tunnel interface, this is not what I want. What I want is I should have 192.168.1.0/24 net hop 10.10.0.1 installed in PC2's route table.

Virtual private networks / IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)

« on: July 26, 2022, 05:00:06 am »

Dear all :
(1) OPNsense 22.1.10 VMware VM running on PC 1
NIC 1(LAN) : host only with IP address is static 192.168.1.1 /24
NIC 2(WAN) : bridged to PC1's Ethernet adapter with DHCP IP 10.0.1.127 /22
IPsec Mobile Client related setting :
CA and Certificates were correctly generated
Backend for Authentication is set to "Local Database"
Client IP address pool : 10.10.0.0 /24
IPsec Tunnel Phase 2 Local Network is set to "LAN subnet"
user correctly configured under Pre-Shared Keys menu with Type "EAP"
OPNsense Firewall Rules are set to allow all on WAN, LAN and IPsec interface
(2) PC 2(Windows 10) DHCP IP 10.0.1.241 used for IPsec Mobile Client test using Windows 10's built-in VPN client connection

My problems :
1. PC2 using Windows 10 VPN client can successfully login and connect to OPNsense and get IP address 10.10.0.1 /32, is this normal ? I assume PC2 should get 10.10.0.1 /24
2. PC2 cannot access OPnsense LAN Subnet, ping 192.168.1.1 failed. I checked PC2's route table, there was no route to 192.168.1.0/24 added

Pages: [1]