Topics - kapara

#1
I have spent 4 hours now trying to get this VPN solution to work and have rebuilt the firewall 5 times, reinstalled Wireguard just as many times, and gone through the tutorial, and every time the setup fails.  I am unable to pass any traffic to the internal networks.  One of the worst setups I have experienced so far with OpnSense.  I am hoping someone can provide a better tutorial that actually explains how to set this up as even after reading it a dozen times and walking through it and setting it up it fails to work.
#2
I am trying to set up an IPSEC VPN tunnel between an OpnSense and a Unifi UDM-PRO.

On the OpnSense side it has the option to select a checkbox for Dynamic gateway but I can find no documentation on how to properly set this up.  Remote firewall does not have DynDNS and per information, I have found is not needed.

Is there any documentation on the proper setting for the P1 in OpnSense if the remote firewall supporting ipsec is using a dynamic ip?

Remote Gateway will not be correct because IP is dynamic.
Peer identifier is also an unknown so not sure what to choose.
#3
Whenever I enable dual-WAN and have IPSEC configured over one of the WAN connections, traffic for the IPSEC stops working.

In the documentation, there is a reference to the DNS rule that needs to be created but nothing about how to handle the IPSEC traffic to ensure it continues to work.
#4
I would be really interested in finding someone that could develop a VPN failover control solution possibly as a plugin.

It does not make sense why this cannot be an easy solution.

What I envision is as follows:

The ability for 2 firewalls to communicate with each other over ssl/https to each other over a single or dual wan setup.

It will allow the sharing of information as to which WAN connections are up to allow each firewall to determine which IPSEC tunnel to disable or enable based on defined criteria.

For Example: 

Site A has a single Static WAN
Site B has 2 static WANs in failover

Both sites have 2 (P1 and P2) IPsec configurations so that VPN can work across all WAN interfaces.

Depending on which interface is up or down the 2 firewalls will communicate this info and based on the info will disable or enable the respective tunnel.  This can also be weighted so when a primary WAN comes back up it will fail the tunnel back over.

If I do not see any interest in this I will try my luck on upwork but it would be great to see if anyone else is interested and find someone to build this out as it is a feature that is available in pretty much every other firewall solution.
#5
I have configured 2 opnsense firewalls.

Is there some kind of rule I need to add or modify to allow location2 to pass traffic across IPSEC to location1?

Location1 can ping the LAN at location2 but location2 cannot ping the LAN at location1.

Location1: Single WAN with 2 vpn configurations for each remote IP. 
IPSECVPN to RemoteWAN1 to location2 is disabled.
IPSECVPN to RemoteWAN2 is up and connected.
I can ping remote lan subnet.


Location2: Dual WAN.  WAN1 is down and WAN2 is up.

Using Gateway Group with both WAN1 and WAN2.  LAN default rule is set to GW Group

DNS record is placed above default group to allow DNS as described in documentation.

I am unable to ping devices in Location1 LAN
#6
20.1 Legacy Series / Netflow not working
March 02, 2020, 10:19:43 PM
The Netflow system does not seem to be attaching templates to the data being sent.  See photo.  Updated photo.  See arrows.  They should have template info so the Data is not able to be properly ingested into a Netflow collector.
#7
Getting the "The error code returned on failure is 13801" error.

Followed these directions:

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html

And also these:

https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I also posted a job on Upwork if you would like to assist and get paid as I need this resolved ASAP.


#8
I imported a config and it failed to restore the following WAN rules.

RFC 1918 networks
Reserved/not assigned by IANA

Is this a bug or by design?  If I try to uncheck and re-check the boxes, it fails to return them to the WAN rules.
#9
I noticed that the VPN stops passing traffic if there is no activity for 5 minutes or so.  If I keep a constant ping it stays connected but if not I must disconnect and re-connect the VPN.  Any advice on what can be done or any info I should provide that might shed light as to why?

I am using Windows 10 Native client

Logs from connection (Can PING)

Sep 4 06:07:25 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (320 bytes)
Sep 4 06:07:25 charon: 10[ENC] <con1|3> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET U_DEFDOM U_SPLITDNS (25)) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Sep 4 06:07:25 charon: 10[IKE] <con1|3> CHILD_SA con1{22} established with SPIs cdbd2a89_i 0930f7e0_o and TS 192.168.127.128/27 === 10.10.80.1/32
Sep 4 06:07:25 charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:07:25 charon: 10[IKE] <con1|3> no virtual IP found for %any6 requested by 'user@domain.local'
Sep 4 06:07:25 charon: 10[IKE] <con1|3> peer requested virtual IP %any6
Sep 4 06:07:25 charon: 10[IKE] <con1|3> assigning virtual IP 10.10.80.1 to peer 'user@domain.local'
Sep 4 06:07:25 charon: 10[CFG] <con1|3> reassigning offline lease to 'user@domain.local'
Sep 4 06:07:25 charon: 10[IKE] <con1|3> peer requested virtual IP %any
Sep 4 06:07:25 charon: 10[IKE] <con1|3> maximum IKE_SA lifetime 28470s
Sep 4 06:07:25 charon: 10[IKE] <con1|3> scheduling reauthentication in 27930s
Sep 4 06:07:25 charon: 10[IKE] <con1|3> IKE_SA con1[3] established between 51.81.XXX.XXX[dc.domain.org]...50.76.XXX.XXX[10.20.30.10]
Sep 4 06:07:25 charon: 10[IKE] <con1|3> authentication of 'dc.domain.org' (myself) with EAP
Sep 4 06:07:25 charon: 10[IKE] <con1|3> authentication of '10.20.30.10' with EAP successful
Sep 4 06:07:25 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 5 [ AUTH ]
Sep 4 06:07:25 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (112 bytes)
Sep 4 06:07:25 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:07:25 charon: 10[ENC] <con1|3> generating IKE_AUTH response 4 [ EAP/SUCC ]
Sep 4 06:07:25 charon: 10[IKE] <con1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 4 06:07:25 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 4 06:07:25 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (80 bytes)
Sep 4 06:07:25 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (144 bytes)
Sep 4 06:07:25 charon: 10[ENC] <con1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 4 06:07:25 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 4 06:07:25 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (160 bytes)
Sep 4 06:07:24 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (112 bytes)
Sep 4 06:07:24 charon: 10[ENC] <con1|3> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 4 06:07:24 charon: 10[IKE] <con1|3> initiating EAP_MSCHAPV2 method (id 0xBD)
Sep 4 06:07:24 charon: 10[IKE] <con1|3> received EAP identity 'user@domain.local'
Sep 4 06:07:24 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 4 06:07:24 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (96 bytes)
Sep 4 06:07:24 charon: 16[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (1236 bytes)
Sep 4 06:07:24 charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 4 06:07:24 charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 4 06:07:24 charon: 16[ENC] <con1|3> splitting IKE message (1696 bytes) into 2 fragments
Sep 4 06:07:24 charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 4 06:07:24 charon: 16[IKE] <con1|3> sending end entity cert "C=US, ST=CA, L=San Rafael, O=IT Department, E=user@domain.local, CN=dc.domain.org, subjectAltName=DNS:dc.domain.org,IP:51.81.XXX.XXX"
Sep 4 06:07:24 charon: 16[IKE] <con1|3> authentication of 'dc.domain.org' (myself) with RSA signature successful
Sep 4 06:07:24 charon: 16[IKE] <con1|3> peer supports MOBIKE
Sep 4 06:07:24 charon: 16[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
Sep 4 06:07:24 charon: 16[CFG] <con1|3> selected peer config 'con1'
Sep 4 06:07:24 charon: 16[CFG] <3> looking for peer configs matching 51.81.XXX.XXX[%any]...50.76.XXX.XXX[10.20.30.10]
Sep 4 06:07:24 charon: 16[IKE] <3> received 56 cert requests for an unknown ca
Sep 4 06:07:24 charon: 16[IKE] <3> received cert request for "C=US, ST=CA, L=San Rafael, O=IT Department, E=user@domain.local, CN=internal-ca"
Sep 4 06:07:24 charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep 4 06:07:24 charon: 16[ENC] <3> received fragment #3 of 3, reassembled fragmented IKE message (1440 bytes)
Sep 4 06:07:24 charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ EF(3/3) ]
Sep 4 06:07:24 charon: 16[NET] <3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (452 bytes)
Sep 4 06:07:24 charon: 16[ENC] <3> received fragment #2 of 3, waiting for complete IKE message
Sep 4 06:07:24 charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/3) ]



Log from when traffic stops:

Sep 4 06:12:40 charon: 09[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:12:40 charon: 09[ENC] <con1|3> generating INFORMATIONAL response 6 [ D ]
Sep 4 06:12:40 charon: 09[IKE] <con1|3> CHILD_SA closed
Sep 4 06:12:40 charon: 09[IKE] <con1|3> sending DELETE for ESP CHILD_SA with SPI cdbd2a89
Sep 4 06:12:40 charon: 09[IKE] <con1|3> closing CHILD_SA con1{22} with SPIs cdbd2a89_i (240 bytes) 0930f7e0_o (496 bytes) and TS 192.168.127.128/27 === 10.10.80.1/32
Sep 4 06:12:40 charon: 09[IKE] <con1|3> received DELETE for ESP CHILD_SA with SPI 0930f7e0
Sep 4 06:12:40 charon: 09[ENC] <con1|3> parsed INFORMATIONAL request 6 [ D ]
Sep 4 06:12:40 charon: 09[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (80 bytes)


And these are the following logs, which oddly say "no acceptable proposal found"?

Sep 4 06:14:03 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:14:03 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 10 [ N(NO_PROP) ]
Sep 4 06:14:03 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:14:03 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:14:03 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:14:03 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:14:03 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 10 [ SA No TSi TSr KE ]
Sep 4 06:14:03 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:58 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:58 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 9 [ N(NO_PROP) ]
Sep 4 06:13:58 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:58 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:58 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:58 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:58 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 9 [ SA No TSi TSr KE ]
Sep 4 06:13:58 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:53 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:53 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 8 [ N(NO_PROP) ]
Sep 4 06:13:53 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:53 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:53 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:53 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:53 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 8 [ SA No TSi TSr KE ]
Sep 4 06:13:53 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:48 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:48 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
Sep 4 06:13:48 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:48 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:48 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:48 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:48 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 7 [ SA No TSi TSr KE ]
Sep 4 06:13:48 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
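The third excerpt above shows the peer's CREATE_CHILD_SA request (a rekey with a KE payload) carrying the DH group ECP_256, while the configured ESP proposal lists no DH group at all; that is the difference charon answers with N(NO_PROP). As an added example, not part of the original post or of OPNsense, here is a small Python helper that parses charon "configured proposals" / "received proposals" lines and reports, per IKE_SA, any DH group the peer proposed that no configured child proposal contains. The embedded log lines are a constructed subset of the post's own excerpt, and the group-name prefixes in DH_RE (MODP_, ECP_, CURVE_) are an assumption about how strongSwan prints DH groups.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines from the post above
# (newest first, as the OPNsense log view shows them).
SAMPLE_LOG = """\
Sep 4 06:14:03 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:14:03 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:14:03 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:14:03 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 10 [ SA No TSi TSr KE ]
Sep 4 06:07:25 charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

# Matches only the two "... proposals:" lines charon logs on a proposal mismatch.
PROPOSAL_RE = re.compile(
    r"<(?P<sa>[^>]+)> (?P<kind>configured|received) proposals: (?P<props>.+)$"
)

# Assumed naming of DH groups in strongSwan proposal strings; every other
# transform in the list is a cipher, integrity algorithm or ESN flag.
DH_RE = re.compile(r"^(MODP_|ECP_|CURVE_)")


def parse_proposals(text):
    """Return {ike_sa: {"configured": [(proto, {transforms}), ...],
                         "received":   [(proto, {transforms}), ...]}}.
    strongSwan separates multiple proposals with ", " and transforms with "/"."""
    out = defaultdict(lambda: {"configured": [], "received": []})
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for proposal in m.group("props").split(", "):
            proto, _, transforms = proposal.partition(":")
            out[m.group("sa")][m.group("kind")].append((proto, set(transforms.split("/"))))
    return dict(out)


def missing_dh_groups(text):
    """Per IKE_SA, the DH groups the peer proposed that no configured child
    proposal offers. A non-empty result on a CREATE_CHILD_SA rekey means the
    peer insists on PFS with a group the phase 2 config does not contain."""
    result = {}
    for sa, kinds in parse_proposals(text).items():
        configured = set()
        for _, transforms in kinds["configured"]:
            configured |= transforms
        for _, received in kinds["received"]:
            extra = {t for t in received if DH_RE.match(t)} - configured
            if extra:
                result.setdefault(sa, set()).update(extra)
    return result


if __name__ == "__main__":
    for sa, groups in missing_dh_groups(SAMPLE_LOG).items():
        print(f"{sa}: peer proposed DH group(s) {sorted(groups)} not in configured proposals")
```

Run it against a pasted charon log (VPN: IPsec: Log File in the GUI) to see at a glance whether a rekey failure is a PFS/DH-group mismatch rather than a cipher mismatch; an empty result means the peer and local proposals differ in something other than the DH group.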


#10
Is it possible to create local access users with 2FA for mobile vpn access? 
#11
Finally got the VPN to connect but I cannot ping or pass any traffic.  I have created the RULE on IPSEC interface to pass all traffic.

Install Policy on P1 is enabled.

I cannot ping anything on the 10.5.10.x network.  I have a device on 10.5.10.100 (No Firewall).

Had to modify my RULE in ipsec.
#12
When using group in gateway:

C:\Users\Administrator.server>nslookup
Default Server:  UnKnown
Address:  10.1.10.1

When using Default Gateway

C:\Users\Administrator.server>nslookup
Default Server:  opnsense.wall.local
Address:  10.1.10.1

#13
See below.  Issue related to dual wan gateway group.
#14
I am curious if ZeroTier can be used with dual wan for vpn failover.  Does anyone have any experience with this?
#15
General Discussion / Anyone use SimpleWAN?
June 20, 2019, 05:06:45 AM
Has anybody here ever used SimpleWAN?  It looks like at one point it forked from pfsense.  They use PC engines hardware and also super micro.  The info I have seen show the product as a full SD-WAN solution with multi wan active active failover and other pretty neat features.  I have only seen videos on YouTube about it but no reviews.  It seems it was initially for VOIP but has changed.
#16
General Discussion / Multi-Wan Client VPN
June 06, 2019, 09:27:23 PM
I am looking to secure a client environment and having issues with how to properly set up a client ipsec vpn with a OPNsense unit that has Multi Wan.  What is the best way to provide VPN in the event that the primary connection goes down?
#17
General Discussion / clientless SSL VPN (WEBVPN)
April 26, 2019, 09:10:09 PM
I am wondering if this is possible with an opensource option that can be added to OPNsense or another dedicated appliance inside a network.

I have deployed a synology MR2200ac and the webvpn works incredibly well and eliminates the need for a client.  User can just log into a web interface and connect to the entire internal network.

They also offer web http and https page redirection and RDP and VNC embedded in the web interface.  You can actually bookmark devices for access.

The device is only $139 and maybe it would just be easier to deploy it behind the OPNsense firewall rather than hoping someday this would be available.  Still hoping :-)
#18
Looking to build a solution similar to what I have done with pfSense in the past.

https://www.supermicro.com/products/system/Box_PC/SYS-E50-9AP.cfm

This box is IP51 rated.

Looking to add GPS for NTP and optional Cellular failover.

Does anyone have any info on compatible USB GPS antennas?

Also any experience with adding Cellular Mini-PCIe to OPNsense?
#19
Will rules enabling certain IP's through the firewall override rules from Suricata or will Suricata still block the traffic if set to block and the firewall has an allow for the same IP that Suricata might block based on the rule analysis?
#20
Intrusion Detection and Prevention / Suricata and vlans
November 25, 2018, 12:04:50 AM
I read that you don't want to add vlans to Suricata, but when I added the physical interface (LAN) and not the vlan (which is on the LAN physical interface) as a monitored interface, none of my phones would work or get DHCP.  Then when I removed the physical interface (LAN) the phones started to work again.

Is this by design?