Messages

1

Virtual private networks / Re: IPSec assistance...

« on: August 09, 2022, 05:37:20 pm »

Well- I was hoping there was a known issue or something along those lines.

Looks like I'm going to order a Checkpoint and be done with this. It's time sensitive. 12pm is the cutoff point for me.

Thanks for the assist.

2

Virtual private networks / Re: IPSec assistance...

« on: August 09, 2022, 04:13:21 pm »

Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick

Currently testing with only one tunnel and one subnet. Any isolation issue could be dealt with later.

3

Virtual private networks / Re: IPSec assistance...

« on: August 09, 2022, 04:11:39 pm »

Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick

It took us two weeks just to get a network engineer from the client to talk to us. In our meeting yesterday they say they cannot see any phase 2 activity at all. And we don't see it on the status page either.

I'm also not seeing any traffic in the firewall log monitor.

I have re-installed strongswan, reset to defaults ETC.

We're configuring based on what we were given. I can challenge them to recheck the subnets.

4

Virtual private networks / Re: IPSec assistance...

« on: August 09, 2022, 04:09:50 pm »

Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick

It took us two weeks just to get a network engineer from the client to talk to us. In our meeting yesterday they say they cannot see any phase 2 activity at all. And we don't see it on the status page either.

I'm also not seeing any traffic in the firewall log monitor.

I have re-installed strongswan, reset to defaults ETC.

5

Virtual private networks / IPSec assistance...

« on: August 09, 2022, 04:02:45 pm »

Hello fellow admins...

We've deployed the commercial version of OPNsense and we can't get IPsec working at all.

We can establish our phase 1 tunnel, and our client can see the connection.

When we add a tunnel with a subnet it never shows connected and doesn't pass traffic.

I'm in a bind here, either I have to find the answer by noon ET or I have to rip out OPNsense fro the network. We've been working on this problem for two weeks.

The endpoint we connect to is not under our control, but rather is a customer. It's apparently a Cisco ASA.

The basic config we were given looks like this:

         IKE POLICY (PHASE 1)
IKE Encryption Policy      AES 256      
IKE Authentication         SHA1      
IKE Lifetime (Seconds)      28800 / 480 minutes / 8 hours
Diffie Hellman Group      Group 5       
Identity            IP Address   
Authentication         Pre-shared Key   
Main Mode or Aggressive Mode   Main Mode   
Pre-shared Key         thisisnotourkeybutmaybeitisornotbackwardshuh?

             IPSEC POLICY (PHASE 2)         
IPSEC Encryption Policy      ESP - AES 256            
IPSEC Authentication Policy      SHA1               
Perfect Forward Secrecy & DH Group   Disabled               
IPSEC SA Lifetime Seconds      28800               
IPSEC SA Lifetime Kilobytes      Disabled               
Vendor ID         Disabled               
Compression         Disabled               

There are roughly 12 /24 subnets on the remote endpoint. We configure the tunnels, they never show up in status and will not pass traffic.

Is there an apparent quick fix known issue scenario here? It is possible the problem is on the remote ASA. But I'm going to have to prove that.

Thoughts?