Topics - marc.laederach

#1
German - Deutsch / VPN access for multiple sites
November 29, 2017, 12:38:48 PM
Good day

Our school has two sites, called A and B here. At each site we run an OPNsense firewall, and each of them also has two internet connections. The two sites are connected to each other over fibre.
I have set up VPN only on the firewall at site A, though. Now I would also like to be able to reach the devices at site B over the VPN connection. I assume I need to set up some rules for this. But I have already tried a number of things and nothing has helped. So I would be grateful for any tips. I have attached a rough diagram of the situation.

Kind regards
Marc Läderach
#2
Good day

I used the following road warrior manual to set up VPN with SSL:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

But whereas this manual uses single-user authentication, I would like to use LDAP authentication, which works fine without SSL. But as soon as I switch the authentication mode from "Remote Access (User Auth)" to "Remote Access (SSL/TLS + User Auth)", it stops working, probably because there is no user certificate available.

The log of OpenVPN GUI says the following:
Fri Dec 02 11:47:42 2016 OpenVPN 2.3.13 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Nov  3 2016
Fri Dec 02 11:47:42 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Dec 02 11:47:42 2016 library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09
Enter Management Password:
Fri Dec 02 11:47:53 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri Dec 02 11:47:53 2016 Attempting to establish TCP connection with [AF_INET]<public-IP>:1194 [nonblock]
Fri Dec 02 11:47:54 2016 TCP connection established with [AF_INET]<public-IP>:1194
Fri Dec 02 11:47:54 2016 TCPv4_CLIENT link local (bound): [undef]
Fri Dec 02 11:47:54 2016 TCPv4_CLIENT link remote: [AF_INET]<public-IP>:1194
Fri Dec 02 11:47:54 2016 Connection reset, restarting
Fri Dec 02 11:47:54 2016 SIGUSR1[soft,connection-reset] received, process restarting

Is it even possible to have VPN with SSL and LDAP authentication? Or is there a workaround (e.g. by using RADIUS via AD, as in this manual for pfSense: https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory)?

Thanks in advance for any help and suggestions.


Kind Regards
Marc
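The mode switch described in the post above changes what the server demands from the client: in "Remote Access (User Auth)" the OPNsense server does not verify a client certificate, so the profile only needs the CA and credentials, whereas in "Remote Access (SSL/TLS + User Auth)" the client must also present a certificate issued by the server's CA, and the chosen backend (local, LDAP or RADIUS) only covers the username/password half. As an added example that is not code from the original post, OPNsense or OpenVPN, the Python script below parses a client profile and reports what it lacks for each of the two modes named in the post. The mode-to-requirement mapping is this example's own assumption, stated in the comments, and the sample profile is constructed to resemble the one behind the log (TCP on 1194, inline tls-auth, username/password) but carries no client certificate.

```python
"""Check an OpenVPN client profile against what an OPNsense server mode expects.

Added example: not OPNsense or OpenVPN project code; the sample profile is
constructed and the mode-to-requirement mapping below is an assumption.
"""
import re
from typing import Dict, List, Optional

# Inline blocks such as <ca>...</ca>; the body is kept verbatim.
_INLINE = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)


def parse_profile(text: str) -> Dict[str, str]:
    """Map directive name -> argument string.

    Inline <tag> blocks map the tag name to their body; one-word directives
    such as 'client' map to ''.  Comment lines (# or ;) are skipped.
    """
    found: Dict[str, str] = {}
    for m in _INLINE.finditer(text):
        found[m.group("tag")] = m.group("body")
    for line in _INLINE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, arg = line.partition(" ")
        found[name] = arg.strip()
    return found


# Assumed mapping from OPNsense server mode (GUI label) to directives the
# client profile must carry.  User Auth: the server skips client-certificate
# verification, so CA + credentials suffice.  SSL/TLS + User Auth: the client
# must also present a certificate/key signed by the server's CA.
REQUIRED = {
    "Remote Access (User Auth)": ("ca", "auth-user-pass"),
    "Remote Access (SSL/TLS + User Auth)": ("ca", "cert", "key", "auth-user-pass"),
}


def check_profile(profile: Dict[str, str], mode: str) -> List[str]:
    """Return findings for the profile under the given server mode.

    An empty list means the profile carries everything that mode needs.
    """
    findings: List[str] = []
    has_p12 = "pkcs12" in profile  # a PKCS#12 bundle stands in for ca/cert/key
    for directive in REQUIRED[mode]:
        if directive in profile:
            continue
        if directive in ("ca", "cert", "key") and has_p12:
            continue
        findings.append(f"missing '{directive}' required by {mode}")
    # tls-auth is a control-channel HMAC.  OPNsense issues the server the
    # direction 0 half, so the client must run direction 1; an inline key
    # takes that from 'key-direction', a file reference from its second word.
    if "tls-auth" in profile:
        arg = profile["tls-auth"]
        direction: Optional[str]
        if "-----BEGIN" in arg:
            direction = profile.get("key-direction")
        else:
            parts = arg.split()
            direction = parts[1] if len(parts) > 1 else None
        if direction != "1":
            findings.append("tls-auth present without key direction 1 "
                            "(only correct if the server also omits the direction)")
    return findings


# Constructed profile: looks like the one behind the log above, but has no
# client certificate or key.  The PEM bodies are placeholders, not real keys.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 1194
auth-user-pass
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
constructedplaceholdernotarealcertificate
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    for server_mode in REQUIRED:
        print(server_mode, "->", check_profile(prof, server_mode) or "ok")
```

Run against the constructed profile, the User Auth mode reports nothing while the SSL/TLS + User Auth mode reports the missing cert and key, which is the same gap the switch in the post exposes: the profile has to be re-exported with a certificate issued for that user before the second mode can work.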
#3
16.7 Legacy Series / Can't get IPSec Tunnels to work
August 02, 2016, 06:09:06 PM
Hi guys

I'm not a genius at networking, but I still have some basic experience in this field. A few days ago we installed OPNsense on a few self-built firewalls that had been running a basic Linux with some manual firewall settings. But we are having some trouble getting the IPsec tunnels up and running.

The whole network consists of three sites that are connected in a WAN network of an ISP, which is then somehow routed to the internet (I don't know exactly how this part works, but it shouldn't play an important role here). All three sites should be connected to each other via an IPsec tunnel. A basic diagram of the network is attached (IPSec_Li-Au_Overview.png).

I think it's enough to just look at one IPsec tunnel: the one between Site A and Site C. All the settings I used at Site A can be checked in the picture "IPSec_Li-Au.png". The settings used at Site C are shown in the picture "IPSec_Au-Li.png".

Some additional information about what is working and what isn't: I can see that traffic is going out at Site C and traffic is coming in at Site A, but not the other way round (see the attachment IPSec_Traffic.png).