Topics

1

Tutorials and FAQs / IPSEC Firewall rule for passing traffic when gatewaygroup is applied to LAN defa

« on: March 12, 2020, 08:31:33 pm »

Whenever I enable dual-WAN and have IPSEC configured over one of the WAN connections traffic for the IPSEC sops working.

In the documentation, there is a reference to the DNS rule that needs to be created but nothing about how to handle the IPSEC traffic to ensure it continues to work.

2

Development and Code Review / IPSEC Failover Management plugin?

« on: March 12, 2020, 07:37:12 pm »

I would be really interested in finding someone that could develop a VPN failover control solution possibly as a plugin.

It does not make sense why this cannot be an easy solution.

What I envision is as follows:

The ability for 2 firewalls to communicate with each other over ssl/https to each other over a single or dual wan setup.

It will allow the sharing of information as to which WAN connections are up to allow each firewall to determine which IPSEC tunnel to disable or enable based on defined criteria.

For Example: 

Site A has a single Static WAN
Site B has 2 single static WAN in Failover

Both sites have 2 (P1 and P2) IPsec configurations so that VPN can work across all WAN interfaces.

Depending on which interface is up or down the 2 firewalls will communicate this info and based on the info will disable or enable the respective tunnel.  This can also be weighted so when a primary WAN comes back up it will fail the tunnel back over.

If I do not see any interest in this I will try my luck on upwork but it would be great to see if anyone else is interested and find someone to build this out as it is a feature that is available in pretty much every other firewall solution.

3

20.1 Legacy Series / Multi-Wan with single IPSEC Tunnel (Manual Failover) Help Please!

« on: March 06, 2020, 06:32:50 am »

I have configured 2 opnsense firewalls.

Is there some kind of rule I need to add or modify to allow location2 to pass traffic across IPSEC to location1?

Location1 can ping LAN at location2 but location 2 cannot ping LAn at location1

Location1: Single WAN with 2 vpn configurations for each remote IP. 
IPSECVPN to RemoteWAN1 to location2 is disabled.
IPSECVPN to RemoteWAN2 is up and connected.
I can ping remote lan subnet.


Location2 Dual WAN.  WAN1 is down and lWAN2 is up.

Using Gateway Group with both WAN1 and WAN2.  LAN default rule is set to GW Group

DNS record is placed above default group to allow DNS as described in documentation.

I am unable to ping devices in Location1 LAN

4

20.1 Legacy Series / Netflow not working

« on: March 02, 2020, 10:19:43 pm »

The Netflow system does not seem to be attaching templates to the data being sent.  See photo.  Updated photo.  See arrows.  They should have template info so the Data is not able to be properly ingested into a Netflow collector.

5

Tutorials and FAQs / Ipsec mobile vpn with external Radius (Also posted job on Upwork)

« on: November 17, 2019, 09:10:17 am »

Getting the "The error code returned on failure is 13801" error.

Followed these directions:

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html

And also these:

https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I also posted a job on Upwork if you would like to assist and get paid as I need this resolved ASAP.

6

19.7 Legacy Series / Restore Config to new hardware fails to configure WAN Rules properly

« on: November 12, 2019, 01:23:53 am »

I imported a config and it failed to restore the following WAN rules.

RFC 1918 networks
Reserved/not assigned by IANA

Is this a bug or by design.  If I try to uncheck and re-check the boxes it fails to return them to the WAN rules

7

General Discussion / IPSEC Mobile VPN (BUG?) stops passing traffic if no activity

« on: September 04, 2019, 01:03:29 am »

I noticed that the VPN stops passing traffic if there is no activity for 5 minutes or so.  If I keep a constant ping it stays connected but if not I must disconnect and re-connect the VPN.  Any advice on what can be done or any info I should provide that might shed light as to why?

I am using Windows 10 Native client

Logs from connection (Can PING)

Code: [Select]

Sep 4 06:07:25 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (320 bytes)
Sep 4 06:07:25 charon: 10[ENC] <con1|3> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET U_DEFDOM U_SPLITDNS (25)) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Sep 4 06:07:25 charon: 10[IKE] <con1|3> CHILD_SA con1{22} established with SPIs cdbd2a89_i 0930f7e0_o and TS 192.168.127.128/27 === 10.10.80.1/32
Sep 4 06:07:25 charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:07:25 charon: 10[IKE] <con1|3> no virtual IP found for %any6 requested by 'user@domain.local'
Sep 4 06:07:25 charon: 10[IKE] <con1|3> peer requested virtual IP %any6
Sep 4 06:07:25 charon: 10[IKE] <con1|3> assigning virtual IP 10.10.80.1 to peer 'user@domain.local'
Sep 4 06:07:25 charon: 10[CFG] <con1|3> reassigning offline lease to 'user@domain.local'
Sep 4 06:07:25 charon: 10[IKE] <con1|3> peer requested virtual IP %any
Sep 4 06:07:25 charon: 10[IKE] <con1|3> maximum IKE_SA lifetime 28470s
Sep 4 06:07:25 charon: 10[IKE] <con1|3> scheduling reauthentication in 27930s
Sep 4 06:07:25 charon: 10[IKE] <con1|3> IKE_SA con1[3] established between 51.81.XXX.XXX[dc.domain.org]...50.76.XXX.XXX[10.20.30.10]
Sep 4 06:07:25 charon: 10[IKE] <con1|3> authentication of 'dc.domain.org' (myself) with EAP
Sep 4 06:07:25 charon: 10[IKE] <con1|3> authentication of '10.20.30.10' with EAP successful
Sep 4 06:07:25 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 5 [ AUTH ]
Sep 4 06:07:25 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (112 bytes)
Sep 4 06:07:25 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:07:25 charon: 10[ENC] <con1|3> generating IKE_AUTH response 4 [ EAP/SUCC ]
Sep 4 06:07:25 charon: 10[IKE] <con1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 4 06:07:25 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 4 06:07:25 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (80 bytes)
Sep 4 06:07:25 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (144 bytes)
Sep 4 06:07:25 charon: 10[ENC] <con1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 4 06:07:25 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 4 06:07:25 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (160 bytes)
Sep 4 06:07:24 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (112 bytes)
Sep 4 06:07:24 charon: 10[ENC] <con1|3> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 4 06:07:24 charon: 10[IKE] <con1|3> initiating EAP_MSCHAPV2 method (id 0xBD)
Sep 4 06:07:24 charon: 10[IKE] <con1|3> received EAP identity 'user@domain.local'
Sep 4 06:07:24 charon: 10[ENC] <con1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 4 06:07:24 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (96 bytes)
Sep 4 06:07:24 charon: 16[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (1236 bytes)
Sep 4 06:07:24 charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 4 06:07:24 charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 4 06:07:24 charon: 16[ENC] <con1|3> splitting IKE message (1696 bytes) into 2 fragments
Sep 4 06:07:24 charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 4 06:07:24 charon: 16[IKE] <con1|3> sending end entity cert "C=US, ST=CA, L=San Rafael, O=IT Department, E=user@domain.local, CN=dc.domain.org, subjectAltName=DNS:dc.domain.org,IP:51.81.XXX.XXX"
Sep 4 06:07:24 charon: 16[IKE] <con1|3> authentication of 'dc.domain.org' (myself) with RSA signature successful
Sep 4 06:07:24 charon: 16[IKE] <con1|3> peer supports MOBIKE
Sep 4 06:07:24 charon: 16[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
Sep 4 06:07:24 charon: 16[CFG] <con1|3> selected peer config 'con1'
Sep 4 06:07:24 charon: 16[CFG] <3> looking for peer configs matching 51.81.XXX.XXX[%any]...50.76.XXX.XXX[10.20.30.10]
Sep 4 06:07:24 charon: 16[IKE] <3> received 56 cert requests for an unknown ca
Sep 4 06:07:24 charon: 16[IKE] <3> received cert request for "C=US, ST=CA, L=San Rafael, O=IT Department, E=user@domain.local, CN=internal-ca"
Sep 4 06:07:24 charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep 4 06:07:24 charon: 16[ENC] <3> received fragment #3 of 3, reassembled fragmented IKE message (1440 bytes)
Sep 4 06:07:24 charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ EF(3/3) ]
Sep 4 06:07:24 charon: 16[NET] <3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (452 bytes)
Sep 4 06:07:24 charon: 16[ENC] <3> received fragment #2 of 3, waiting for complete IKE message
Sep 4 06:07:24 charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/3) ]

Log from when traffic stops:

Code: [Select]

Sep 4 06:12:40 charon: 09[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:12:40 charon: 09[ENC] <con1|3> generating INFORMATIONAL response 6 [ D ]
Sep 4 06:12:40 charon: 09[IKE] <con1|3> CHILD_SA closed
Sep 4 06:12:40 charon: 09[IKE] <con1|3> sending DELETE for ESP CHILD_SA with SPI cdbd2a89
Sep 4 06:12:40 charon: 09[IKE] <con1|3> closing CHILD_SA con1{22} with SPIs cdbd2a89_i (240 bytes) 0930f7e0_o (496 bytes) and TS 192.168.127.128/27 === 10.10.80.1/32
Sep 4 06:12:40 charon: 09[IKE] <con1|3> received DELETE for ESP CHILD_SA with SPI 0930f7e0
Sep 4 06:12:40 charon: 09[ENC] <con1|3> parsed INFORMATIONAL request 6 [ D ]
Sep 4 06:12:40 charon: 09[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (80 bytes)
And this is the following logs which oddly says that "no acceptable proposal found"?

Code: [Select]

Sep 4 06:14:03 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:14:03 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 10 [ N(NO_PROP) ]
Sep 4 06:14:03 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:14:03 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:14:03 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:14:03 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:14:03 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 10 [ SA No TSi TSr KE ]
Sep 4 06:14:03 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:58 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:58 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 9 [ N(NO_PROP) ]
Sep 4 06:13:58 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:58 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:58 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:58 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:58 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 9 [ SA No TSi TSr KE ]
Sep 4 06:13:58 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:53 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:53 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 8 [ N(NO_PROP) ]
Sep 4 06:13:53 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:53 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:53 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:53 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:53 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 8 [ SA No TSi TSr KE ]
Sep 4 06:13:53 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:48 charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:48 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
Sep 4 06:13:48 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:48 charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:48 charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:48 charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:48 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 7 [ SA No TSi TSr KE ]
Sep 4 06:13:48 charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)

8

General Discussion / IPSEC user auth with local user and 2FA

« on: September 01, 2019, 11:46:59 pm »

Is it possible to create local access users with 2FA for mobile vpn access? 

9

General Discussion / IKEv2 Mobile VPN not passing traffic (Solved)

« on: September 01, 2019, 10:23:12 pm »

Finally got the VPN to connect but I cannot ping or pass any traffic.  I have created the RULE on IPSEC interface to pass all traffic.

Install Policy on P1 is enabled.

I cannot ping anything on the 10.5.10.x network.  I have a device on 10.5.10.100 (No Firewall).

Had to modify my RULE in ipsec.

10

19.7 Legacy Series / Unbound not working when using gateway group in LanDefault Firewall rule

« on: July 21, 2019, 06:58:03 am »

When using group in gateway:

C:\Users\Administrator.server>nslookup
Default Server:  UnKnown
Address:  10.1.10.1

When using Default Gateway

C:\Users\Administrator.server>nslookup
Default Server:  opnsense.wall.local
Address:  10.1.10.1

11

19.7 Legacy Series / Unbound DNS fails on LAN default allow rule using Gateway Group for dual WAN

« on: July 18, 2019, 07:01:42 pm »

See below.  Issue related to dual wan gateway group.

12

General Discussion / Anyone using ZeroTier? Can it be used with dual WAN for vpn failover?

« on: July 09, 2019, 10:42:25 pm »

I am curious if ZeroTier can be used with dual wan for vpn failover.  Does anyone have any experience with this?

13

General Discussion / Anyone use SimpleWAN?

« on: June 20, 2019, 05:06:45 am »

 Has anybody here ever used SimpleWAN?  It looks like at one point it forked from pfsense.  They use PC engines hardware and also super micro.  The info I have seen show the product as a full SD-WAN solution with multi wan active active failover and other pretty neat features.  I have only seen videos on YouTube about it but no reviews.  It seems it was initially for VOIP but has changed.

14

General Discussion / Multi-Wan Client VPN

« on: June 06, 2019, 09:27:23 pm »

I am looking to secure a client environment and having issues with how to properly set up a client ipsec vpn with a OPNsense unit that has Multi Wan.  What is the best way to provide VPN in the event that the primary connection goes down?

15

General Discussion / clientless SSL VPN (WEBVPN)

« on: April 26, 2019, 09:10:09 pm »

I am wondering if this is possible with an opensource option that can be added to OPNsense or another dedicated appliance inside a network.

I have deployed a synology MR2200ac and the webvpn works incredibly well and eliminates the need for a client.  User can just log into a web interface and connect to the entire internal network.

They also offer web http and https page redirection and RDP and VNC embedded in the web interface.  You can actually bookmark devices for access.

the device is only $139 and maybe it would just be easier to deploy it behind the OPNsense firewall rather than hoping someday this would be available.  Still hoping :-)