Messages - m256

#1
Hi,
I have WAN1 used for all internet access (used as GW for 0.0.0.0/1 and 128.0.0.0/1).
Now, I want to use WAN2 for all IPsec access. If I set up a static route to the remote IP, this works fine. However, there's a dynamic IP on the other end, so this is not a solution.
It seems that with pfSense this is not possible: routing always wins over policy routing and the traffic for a service (let's say udp/500) goes out using the static route even if IPsec is bound to the WAN2 interface and you have a gateway set up in the firewall rules. Is OPNsense capable of this?
#2
So, good news: I have tried with custom configs - created a custom config file in swanctl/conf.d.
I made a completely new connection with a unique id and full settings. It worked - even with deprecated ciphers.
I also tried adding just an update to the settings made in the GUI, like this:

connections {
    con1 {
        children {
            con1 {
                esp_proposals = aes128-sha1
            }
        }
    }
}

This worked fine as well.

What does not work is 3DES for ESP. This is not done by strongSwan, but by the kernel. Adding 3DES support to FreeBSD would likely mean recompiling the kernel.
#3
Virtual private networks / Re: ikev1 NO-PROPOSAL-CHOSEN
December 01, 2024, 08:31:59 PM
Thanks, good to know. Legacy settings are what I am more used to working with.
Now I have only one last issue with the tunnel - I can ping, use HTTP etc. from the LAN on the Zyxel side to any device on the remote side of the tunnel, but not in the opposite direction. I've checked firewall rules, IPsec P2 networks, routing... what else could be wrong?

EDIT: it was because of asymmetric routing. All OK now. Thanks again.
#4
Virtual private networks / Re: ikev1 NO-PROPOSAL-CHOSEN
December 01, 2024, 06:57:29 PM
Somehow, I managed to get the tunnel connected. Well, I can't ping the firewalls from either site, but that should be easier to handle. :)
I don't know what was wrong—I was experimenting so much with it—but I suspect something in the Zyxel. Also, I switched to configuring OPNsense using the legacy connection—my only regret is that I didn't find that sooner; it's so much more convenient than Connections. Hopefully, they don't remove it in a future version.
#5
Virtual private networks / Re: ikev1 NO-PROPOSAL-CHOSEN
December 01, 2024, 05:21:13 PM
Tried rebooting, creating new setups on both sides, switched from IKEv1 to IKEv2, used domains and email addresses for IDs; nothing helped.

There's small progress though: it seems like now they are able to agree on a P1 proposal, but get stuck in ikev2_init[I] and ikev2_init[R].

Geez, thinking that I was about to migrate 20 tunnels from another (commercial) strongSwan vendor to OPNsense and spent the whole weekend with the first one, lol.
#6
Virtual private networks / ikev1 NO-PROPOSAL-CHOSEN
December 01, 2024, 02:48:07 PM
Hi,
I can't get past IPsec phase 1, getting NO-PROPOSAL-CHOSEN although everything matches; checked a hundred times. Wiresharked tcpdumps etc.
What happens: in IKEv1, the ZyWALL proposes AES256-SHA512-DH14, NAT traversal, DPD etc.
OPNsense immediately replies with NO-PROPOSAL-CHOSEN.
I have played with multiple ciphers / a single different cipher etc.
Both are behind NAT, but OPNsense has udp/500 and udp/4500 ports from the public IP.
What am I doing wrong?

#7
I kept getting this error when no virtual IP alias was assigned
- that's a bit different topic, but it seems like OPNsense uses the "Local addresses" textbox in IPsec not only for P1 auth, but for outgoing IKE traffic as well. So you can't just use whatever IP you want, but you have to use your WAN IP. If that's true, you probably have to use a virtual IP for your WAN if the WAN is behind NAT and might keep changing.
#8
Managed to get over P1 using the custom conf. However, no luck with P2 - I was not able to define a 3des-sha1 proposal with any combination of config (tried adding a children node with esp_proposals etc.).

Isabella, did you manage to have the tunnel fully working? Also, in your custom conf file - did you use the same connection id as in swanctl.conf, or did you create full new settings (including the P2 children section etc.)? Thanks!

Cedrik, the tampered backup trick had no effect on the connection (leading to no proposal chosen).
BTW, if anyone struggles to see which proposals are received - you can either set the log level to "include sensitive information" to see proposals in the syslog or use tcpdump.
#9
Thanks for your reply.
I kept getting this error when no virtual IP alias was assigned:
04[NET] error writing to socket: Can't assign requested address
#10
I have already tried making 192.168.5.1 (the IP I want my local network to appear as to the remote side of the tunnel) an IP alias for loopback, WAN and LAN, but no luck. Didn't try making it a non-virtual IP yet.
Because of that and other posts here on the forum I thought manual SPD entries are the only way to go.
What's strange is that the P1 local ID seems to affect what IP is going to be used for the IKE connection - if I go with 192.168.5.1 the IKE packet is not being sent out; if I enter my WAN IP into the P1 ID, the tunnel gets connected.

#11
Yes, that was my point. You are not allowed to set custom (weak) ciphers from the UI, so you have to play with custom config files. I don't feel like doing all tunnel settings in a custom config, that's why I investigated the alternative of restoring tampered backups.
#12
I tried that, but it didn't work. tcpdump showed no NAT took place. Seems like IPsec precedes the NAT rules.
#13
Hello,
I read through all the docs but I'm still not sure how I am meant to do that.
My setup: WAN (192.168.4.2), LAN (10.0.0.5/24). I just need to access remote networks over the IPsec tunnel; nothing needs to be reachable from the other side. The remote side requires me to have the local network for P2 as 192.168.5.1/32, and I am doing NAT before IPsec. Unfortunately, it seems like NAT is not taking place before IPsec no matter what I do. The tunnel is established, traffic is allowed.
I tried outgoing NAT, one-to-one NAT, playing around with virtual IP aliases, routing etc.
Should I use reqid + manual SPD instead? Or maybe VTI?
Please help, already spent more nights than expected with that :(

BTW, found out I need to set 192.168.5.1 in P1, otherwise the tunnel is not established.

#14
Thank you. Seems like I was on the right track.
So to get insecure ciphers for IPsec my friend can:
1) add custom.conf with
charon {
   proposals = 3des-sha1-modp1536, aes128-sha1-modp1536
}

2) edit backup-config.xml and set this in the connection node of the tunnel
<proposals>default,3des-sha1-modp1536, aes128-sha1-modp1536</proposals>

3) restore modded backup file

Correct?
Thanks!
#15
Hello,
I need to temporarily make an IPsec connection to some old TP-Link router which supports just weak cipher sets, nothing more secure than AES128-SHA1-DH5.
I know it is not available in the GUI for good reasons and the support has been removed, but what if I manually edit some conf files (ipsec.conf, swanctl.conf) etc.?
Is adding charon { proposals = 3des-sha1-modp1536 } gonna do something?
What about editing the conf backup and adding 3des-sha1-modp1536 to the tunnel proposals?
Thanks!
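A small proposal checker for the two recurring problems in these posts, the NO-PROPOSAL-CHOSEN reply in #6 and the weak proposal strings in #14 and #15. This is an added example, not code from any post or from OPNsense/strongSwan; it assumes the DH14-style labels are how the Zyxel GUI names groups and treats the sample responder configurations as constructed.

```python
# Added example (not from any post in this thread): normalise IKE/ESP proposal
# strings from two peers into strongSwan keyword form, report the overlap
# (an empty overlap is what the responder answers with NO-PROPOSAL-CHOSEN)
# and list deprecated algorithms. Vendor labels such as "AES256-SHA512-DH14"
# are an assumption about how the Zyxel GUI names them; the strongSwan
# keywords (aes256, sha512, modp2048, ...) are the real ones.

# IANA DH group number -> strongSwan keyword.
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
             "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
             "21": "ecp521"}
# Algorithms the thread calls "weak"; OPNsense no longer offers them in the GUI.
WEAK = {"3des", "des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def normalise(proposal):
    """'AES256-SHA512-DH14' -> ('aes256', 'sha512', 'modp2048')."""
    tokens = []
    for tok in proposal.strip().lower().split("-"):
        if tok.startswith("dh") and tok[2:].isdigit():      # DH14 -> modp2048
            tok = DH_GROUPS.get(tok[2:], tok)
        tokens.append(tok)
    return tuple(tokens)


def parse_proposal_list(text):
    """Split a comma-separated proposal setting as found in swanctl.conf or the
    OPNsense backup XML. The 'default' keyword stands for strongSwan's built-in
    set, which is not expanded here, so it is dropped from the explicit list."""
    items = [p.strip() for p in text.split(",") if p.strip()]
    return [p for p in items if p.lower() != "default"]


def negotiate(initiator_proposals, responder_proposals):
    """Pick the first initiator proposal the responder also accepts, the way a
    responder does; None means the responder would reply NO-PROPOSAL-CHOSEN."""
    accepted = {normalise(p) for p in responder_proposals}
    for p in initiator_proposals:
        n = normalise(p)
        if n in accepted:
            return "-".join(n)
    return None


def weak_algorithms(proposal):
    """Deprecated algorithms used by a single proposal, sorted."""
    return sorted(set(normalise(proposal)) & WEAK)


if __name__ == "__main__":
    zyxel = ["AES256-SHA512-DH14"]                 # what the thread's ZyWALL proposes
    opnsense = ["aes256-sha256-modp2048"]           # constructed responder config
    print(negotiate(zyxel, opnsense))               # None -> NO-PROPOSAL-CHOSEN
    print(negotiate(zyxel, ["aes256-sha512-modp2048"]))  # aes256-sha512-modp2048
    print(weak_algorithms("3des-sha1-modp1536"))    # ['3des', 'modp1536', 'sha1']
```

Comparing both sides' proposals after normalisation is the quickest way to spot a mismatch that looks identical in two vendors' GUIs (for example an integrity or DH group label that maps to a different strongSwan keyword).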