Messages

1

24.7 Production Series / Re: IPsec IKEv2 EAP-MSCHAPv2 stopped working with iOS 18.1 update

« on: Today at 06:48:10 am »

Maybe someone will be interested, I use this config for my phones. Authorization via freeradius and certificate from letsencrypt. It works for several years without problems.

Code: [Select]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<key>AuthName</key>
<string>username</string>
<key>AuthPassword</key>
<string>verystrongpassword</string>
<key>AuthenticationMethod</key>
<string>None</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>20</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-384</string>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Low</string>
<key>EnableFallback</key>
<false/>
<key>EnablePFS</key>
<true/>
<key>ExtendedAuthEnabled</key>
<integer>1</integer>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>20</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-384</string>
</dict>
<key>LocalIdentifier</key>
<string>username</string>
<key>NATKeepAliveOffloadEnable</key>
<integer>1</integer>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
<string>SSID</string>
<string>SSID_1</string>
</array>
</dict>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>RemoteAddress</key>
<string>vpn.example.net</string>
<key>RemoteIdentifier</key>
<string>vpn.example.net</string>
<key>ServerCertificateCommonName</key>
<string>vpn.example.net</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<false/>
</dict>
<key>PayloadDisplayName</key>
<string>ikev2.home</string>
<key>PayloadIdentifier</key>
<string>net.example.vpn.conf1</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>cf6e0c93-a7f4-485b-90ff-7904668e68cd</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>ikev2.home</string>
<key>VPNType</key>
<string>IKEv2</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>ikev2.home</string>
<key>PayloadIdentifier</key>
<string>ikev2.home</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>7aadc059-c7c4-4034-ac96-e1b6ccb69b81</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>



2

Russian - Русский / Re: FreeRadius, изменение конфигов

« on: October 26, 2024, 09:09:25 pm »

Всё же есть в GUI

3

24.7 Production Series / Re: PSA: Test kernel with Intel fixes is available for testing

« on: October 17, 2024, 09:15:36 am »

similarly, works for several days without problems on this machine - https://bsd-hardware.info/?probe=d408973732

4

24.1 Legacy Series / Re: IPv6 connectivity loss on 24.1.10

« on: July 12, 2024, 09:07:24 am »

Gut! All work. Thank you!
P.S.
After reboot too

5

24.1 Legacy Series / Re: IPv6 connectivity loss on 24.1.10

« on: July 12, 2024, 08:54:53 am »

Yes, it from bad attempt

6

24.1 Legacy Series / Re: IPv6 connectivity loss on 24.1.10

« on: July 12, 2024, 08:47:29 am »

after that  opnsense-patch e94baab85 all is ok

7

24.1 Legacy Series / Re: IPv6 connectivity loss on 24.1.10

« on: July 12, 2024, 08:44:45 am »

Code: [Select]

sudo tcpdump -ve -i pflog0 udp port 546 or udp port 547
Password:
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
01:31:21.137376 rule 72/0(match): pass in on igc0: (flowlabel 0xe03b8, hlim 1, next-header UDP (17) payload length: 76) fe80::9209:d0ff:fe2c:2bfa.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7027e2 (client-ID hwaddr type 1 9009d02c2bfa) (option-request DNS-server DNS-search-list) (elapsed-time 65535) (Client-FQDN) (IA_NA IAID:3492555770 T1:3600 T2:5400))
01:31:36.745789 rule 72/0(match): pass in on igc0: (flowlabel 0xd0000, hlim 1, next-header UDP (17) payload length: 58) fe80::1443:eb41:299:bf99.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=cab31f (client-ID hwaddr type 1 7ae0d678f796) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 15768) (IA_NA IAID:0 T1:0 T2:0))
01:32:45.734092 rule 94/0(match) [uid 0]: pass out on igc1: (hlim 1, next-header UDP (17) payload length: 105) fe80::e63a:6eff:fe60:f068.dhcpv6-client > ff02::1:2.dhcpv6-server: [bad udp cksum 0x4205 -> 0x12a1!] dhcp6 solicit (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 25083) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/60 pltime:4294967295 vltime:4294967295)))
01:32:45.812523 rule 17/0(match): block in on igc1: (flowlabel 0xa95d5, hlim 63, next-header UDP (17) payload length: 173) 2001:558:4081:cd::10.dhcpv6-server > fe80::e63a:6eff:fe60:f068.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (server-ID hwaddr/time type 1 time 391757488 14feb5d5b5d0) (IA_NA IAID:0 T1:77079 T2:123327 (IA_ADDR 2001:558:6022:cd:9c37:2b2c:358c:5a3a pltime:154159 vltime:154159)) (IA_PD IAID:0 T1:77079 T2:123327 (IA_PD-prefix 2601:2c1:8e80:7ba0::/60 pltime:154160 vltime:154160)) (DNS-server cdns01.comcast.net cdns02.comcast.net))
01:33:27.347975 rule 72/0(match): pass in on igc0: (flowlabel 0xe03b8, hlim 1, next-header UDP (17) payload length: 76) fe80::9209:d0ff:fe2c:2bfa.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7027e2 (client-ID hwaddr type 1 9009d02c2bfa) (option-request DNS-server DNS-search-list) (elapsed-time 65535) (Client-FQDN) (IA_NA IAID:3492555770 T1:3600 T2:5400))
01:33:47.010003 rule 72/0(match): pass in on igc0: (flowlabel 0xd0000, hlim 1, next-header UDP (17) payload length: 58) fe80::1443:eb41:299:bf99.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=cab31f (client-ID hwaddr type 1 7ae0d678f796) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 30814) (IA_NA IAID:0 T1:0 T2:0))
01:34:36.785343 rule 94/0(match) [uid 0]: pass out on igc1: (hlim 1, next-header UDP (17) payload length: 105) fe80::e63a:6eff:fe60:f068.dhcpv6-client > ff02::1:2.dhcpv6-server: [bad udp cksum 0x4205 -> 0xe73f!] dhcp6 solicit (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 36188) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/60 pltime:4294967295 vltime:4294967295)))
01:34:36.861682 rule 17/0(match): block in on igc1: (flowlabel 0xa95d5, hlim 63, next-header UDP (17) payload length: 173) 2001:558:4081:cd::10.dhcpv6-server > fe80::e63a:6eff:fe60:f068.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (server-ID hwaddr/time type 1 time 391757488 14feb5d5b5d0) (IA_NA IAID:0 T1:77024 T2:123238 (IA_ADDR 2001:558:6022:cd:9c37:2b2c:358c:5a3a pltime:154048 vltime:154048)) (IA_PD IAID:0 T1:77024 T2:123238 (IA_PD-prefix 2601:2c1:8e80:7ba0::/60 pltime:154049 vltime:154049)) (DNS-server cdns01.comcast.net cdns02.comcast.net))
01:35:34.316332 rule 72/0(match): pass in on igc0: (flowlabel 0xe03b8, hlim 1, next-header UDP (17) payload length: 76) fe80::9209:d0ff:fe2c:2bfa.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7027e2 (client-ID hwaddr type 1 9009d02c2bfa) (option-request DNS-server DNS-search-list) (elapsed-time 65535) (Client-FQDN) (IA_NA IAID:3492555770 T1:3600 T2:5400))
01:36:37.514103 rule 94/0(match) [uid 0]: pass out on igc1: (hlim 1, next-header UDP (17) payload length: 105) fe80::e63a:6eff:fe60:f068.dhcpv6-client > ff02::1:2.dhcpv6-server: [bad udp cksum 0x4205 -> 0xb816!] dhcp6 solicit (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 48261) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/60 pltime:4294967295 vltime:4294967295)))
01:36:37.588213 rule 17/0(match): block in on igc1: (flowlabel 0xa95d5, hlim 63, next-header UDP (17) payload length: 173) 2001:558:4081:cd::10.dhcpv6-server > fe80::e63a:6eff:fe60:f068.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (server-ID hwaddr/time type 1 time 391757488 14feb5d5b5d0) (IA_NA IAID:0 T1:76963 T2:123141 (IA_ADDR 2001:558:6022:cd:9c37:2b2c:358c:5a3a pltime:153927 vltime:153927)) (IA_PD IAID:0 T1:76963 T2:123141 (IA_PD-prefix 2601:2c1:8e80:7ba0::/60 pltime:153928 vltime:153928)) (DNS-server cdns01.comcast.net cdns02.comcast.net))
01:37:39.979613 rule 72/0(match): pass in on igc0: (flowlabel 0xe03b8, hlim 1, next-header UDP (17) payload length: 76) fe80::9209:d0ff:fe2c:2bfa.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7027e2 (client-ID hwaddr type 1 9009d02c2bfa) (option-request DNS-server DNS-search-list) (elapsed-time 65535) (Client-FQDN) (IA_NA IAID:3492555770 T1:3600 T2:5400))
01:38:26.031522 rule 94/0(match) [uid 0]: pass out on igc1: (hlim 1, next-header UDP (17) payload length: 105) fe80::e63a:6eff:fe60:f068.dhcpv6-client > ff02::1:2.dhcpv6-server: [bad udp cksum 0x4205 -> 0x8db2!] dhcp6 solicit (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 59113) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/60 pltime:4294967295 vltime:4294967295)))
01:38:26.108827 rule 17/0(match): block in on igc1: (flowlabel 0xa95d5, hlim 63, next-header UDP (17) payload length: 173) 2001:558:4081:cd::10.dhcpv6-server > fe80::e63a:6eff:fe60:f068.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (server-ID hwaddr/time type 1 time 391757488 14feb5d5b5d0) (IA_NA IAID:0 T1:76909 T2:123055 (IA_ADDR 2001:558:6022:cd:9c37:2b2c:358c:5a3a pltime:153819 vltime:153819)) (IA_PD IAID:0 T1:76909 T2:123055 (IA_PD-prefix 2601:2c1:8e80:7ba0::/60 pltime:153820 vltime:153820)) (DNS-server cdns01.comcast.net cdns02.comcast.net))
01:39:36.614890 rule 72/0(match): pass in on igc0: (flowlabel 0xe03b8, hlim 1, next-header UDP (17) payload length: 76) fe80::9209:d0ff:fe2c:2bfa.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7027e2 (client-ID hwaddr type 1 9009d02c2bfa) (option-request DNS-server DNS-search-list) (elapsed-time 65535) (Client-FQDN) (IA_NA IAID:3492555770 T1:3600 T2:5400))
01:40:17.044694 rule 94/0(match) [uid 0]: pass out on igc1: (hlim 1, next-header UDP (17) payload length: 105) fe80::e63a:6eff:fe60:f068.dhcpv6-client > ff02::1:2.dhcpv6-server: [bad udp cksum 0x4205 -> 0x749c!] dhcp6 solicit (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 65535) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/60 pltime:4294967295 vltime:4294967295)))
01:40:17.116563 rule 17/0(match): block in on igc1: (flowlabel 0xa95d5, hlim 63, next-header UDP (17) payload length: 173) 2001:558:4081:cd::10.dhcpv6-server > fe80::e63a:6eff:fe60:f068.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (server-ID hwaddr/time type 1 time 391757488 14feb5d5b5d0) (IA_NA IAID:0 T1:76854 T2:122966 (IA_ADDR 2001:558:6022:cd:9c37:2b2c:358c:5a3a pltime:153708 vltime:153708)) (IA_PD IAID:0 T1:76854 T2:122966 (IA_PD-prefix 2601:2c1:8e80:7ba0::/60 pltime:153709 vltime:153709)) (DNS-server cdns01.comcast.net cdns02.comcast.net))
01:41:04.726874 rule 72/0(match): pass in on igc0: (flowlabel 0xd0000, hlim 1, next-header UDP (17) payload length: 58) fe80::1443:eb41:299:bf99.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=cab31f (client-ID hwaddr type 1 7ae0d678f796) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 65535) (IA_NA IAID:0 T1:0 T2:0))
01:41:30.673066 rule 72/0(match): pass in on igc0: (flowlabel 0xe03b8, hlim 1, next-header UDP (17) payload length: 76) fe80::9209:d0ff:fe2c:2bfa.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7027e2 (client-ID hwaddr type 1 9009d02c2bfa) (option-request DNS-server DNS-search-list) (elapsed-time 65535) (Client-FQDN) (IA_NA IAID:3492555770 T1:3600 T2:5400))
01:42:15.044218 rule 94/0(match) [uid 0]: pass out on igc1: (hlim 1, next-header UDP (17) payload length: 105) fe80::e63a:6eff:fe60:f068.dhcpv6-client > ff02::1:2.dhcpv6-server: [bad udp cksum 0x4205 -> 0x749c!] dhcp6 solicit (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 65535) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/60 pltime:4294967295 vltime:4294967295)))
01:42:15.119840 rule 17/0(match): block in on igc1: (flowlabel 0xa95d5, hlim 63, next-header UDP (17) payload length: 173) 2001:558:4081:cd::10.dhcpv6-server > fe80::e63a:6eff:fe60:f068.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=9ed244 (client-ID hwaddr/time type 1 time 758694841 e43a6e60f067) (server-ID hwaddr/time type 1 time 391757488 14feb5d5b5d0) (IA_NA IAID:0 T1:76795 T2:122872 (IA_ADDR 2001:558:6022:cd:9c37:2b2c:358c:5a3a pltime:153590 vltime:153590)) (IA_PD IAID:0 T1:76795 T2:122872 (IA_PD-prefix 2601:2c1:8e80:7ba0::/60 pltime:153591 vltime:153591)) (DNS-server cdns01.comcast.net cdns02.comcast.net))

8

24.1 Legacy Series / Re: IPv6 connectivity loss on 24.1.10

« on: July 12, 2024, 08:39:05 am »

Hi there! After upgrade to 24.1.10 and reboot, no prefix. IPv6 address on wan interface is fe80::e63a:6eff:fe60:f068/64 and gateway fe80::21c:73ff:fe00:99
USA, Xfinity

9

24.1 Legacy Series / Re: [BUG] Kea DHCP UI generates an invalid JSON config file

« on: February 01, 2024, 10:33:32 am »

Code: [Select]

--- kea-dhcp4.conf      2024-02-01 03:28:33.767775000 -0600
+++ kea-dhcp4.conf.ok   2024-02-01 03:07:07.834667000 -0600
@@ -65,7 +65,7 @@
             {
                 "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so",
                 "parameters": { }
-            },
+            }
 {% if not helpers.empty('OPNsense.Kea.dhcp4.ha.enabled') %}
             {
                 "library": "/usr/local/lib/kea/hooks/libdhcp_ha.so",


10

23.7 Legacy Series / Re: How to configure IPsec for mobile clients new way (via connections)?

« on: September 06, 2023, 11:37:06 pm »

Thanks heaveaxy for sharing your config. I'm using RADIUS on the client side and cannot get it to work.
Here's my config:
- FreeRADIUS server on the "Mobile Clients" menu, as even if it's in the changelog, I cannot see any way to select a RADIUS server on the new "Connections" menu.
- Local Authorization to Public Key, with the public certificate of my server
- Remote Authorization to EAP-RADIUS, with no certificate selected.

When connecting, I get the following on the log:

Code: [Select]

loading EAP_RADIUS method failed
And I don't even see the auth request on the FreeRADIUS logs. I think the issue is that the RADIUS server is not correctly set up, as I cannot see the menu to select it.
With the legacy "Tunnel Settings" config everything works perfectly, with EAP-RADIUS on Phase1.

Hello. Take a look here https://github.com/opnsense/core/issues/6602#issuecomment-1622443985
I disabled "legacy" today and configured via connections.

11

Tutorials and FAQs / Re: Boot fails with HDMI unplugged

« on: April 10, 2023, 02:33:19 am »

maybe this is the problem ? https://www.thomas-krenn.com/en/wiki/OPNsense_does_not_boot_without_monitor