Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - kapara

Pages: [1] 2

Tutorials and FAQs / Ipsec mobile vpn with external Radius (Also posted job on Upwork)

« on: November 17, 2019, 09:10:17 am »

Getting the "The error code returned on failure is 13801" error.

Followed these directions:

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html

And also these:

https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I also posted a job on Upwork if you would like to assist and get paid as I need this resolved ASAP.

19.7 Production Series / Restore Config to new hardware fails to configure WAN Rules properly

« on: November 12, 2019, 01:23:53 am »

I imported a config and it failed to restore the following WAN rules.

RFC 1918 networks
Reserved/not assigned by IANA

Is this a bug or by design. If I try to uncheck and re-check the boxes it fails to return them to the WAN rules

General Discussion / IPSEC Mobile VPN (BUG?) stops passing traffic if no activity

« on: September 04, 2019, 01:03:29 am »

I noticed that the VPN stops passing traffic if there is no activity for 5 minutes or so. If I keep a constant ping it stays connected but if not I must disconnect and re-connect the VPN. Any advice on what can be done or any info I should provide that might shed light as to why?

I am using Windows 10 Native client

Logs from connection (Can PING)

Code: [Select]

Sep 4 06:07:25	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (320 bytes)
Sep 4 06:07:25	charon: 10[ENC] <con1|3> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET U_DEFDOM U_SPLITDNS (25)) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Sep 4 06:07:25	charon: 10[IKE] <con1|3> CHILD_SA con1{22} established with SPIs cdbd2a89_i 0930f7e0_o and TS 192.168.127.128/27 === 10.10.80.1/32
Sep 4 06:07:25	charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:07:25	charon: 10[IKE] <con1|3> no virtual IP found for %any6 requested by 'user@domain.local'
Sep 4 06:07:25	charon: 10[IKE] <con1|3> peer requested virtual IP %any6
Sep 4 06:07:25	charon: 10[IKE] <con1|3> assigning virtual IP 10.10.80.1 to peer 'user@domain.local'
Sep 4 06:07:25	charon: 10[CFG] <con1|3> reassigning offline lease to 'user@domain.local'
Sep 4 06:07:25	charon: 10[IKE] <con1|3> peer requested virtual IP %any
Sep 4 06:07:25	charon: 10[IKE] <con1|3> maximum IKE_SA lifetime 28470s
Sep 4 06:07:25	charon: 10[IKE] <con1|3> scheduling reauthentication in 27930s
Sep 4 06:07:25	charon: 10[IKE] <con1|3> IKE_SA con1[3] established between 51.81.XXX.XXX[dc.domain.org]...50.76.XXX.XXX[10.20.30.10]
Sep 4 06:07:25	charon: 10[IKE] <con1|3> authentication of 'dc.domain.org' (myself) with EAP
Sep 4 06:07:25	charon: 10[IKE] <con1|3> authentication of '10.20.30.10' with EAP successful
Sep 4 06:07:25	charon: 10[ENC] <con1|3> parsed IKE_AUTH request 5 [ AUTH ]
Sep 4 06:07:25	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (112 bytes)
Sep 4 06:07:25	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:07:25	charon: 10[ENC] <con1|3> generating IKE_AUTH response 4 [ EAP/SUCC ]
Sep 4 06:07:25	charon: 10[IKE] <con1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 4 06:07:25	charon: 10[ENC] <con1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 4 06:07:25	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (80 bytes)
Sep 4 06:07:25	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (144 bytes)
Sep 4 06:07:25	charon: 10[ENC] <con1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 4 06:07:25	charon: 10[ENC] <con1|3> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 4 06:07:25	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (160 bytes)
Sep 4 06:07:24	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (112 bytes)
Sep 4 06:07:24	charon: 10[ENC] <con1|3> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 4 06:07:24	charon: 10[IKE] <con1|3> initiating EAP_MSCHAPV2 method (id 0xBD)
Sep 4 06:07:24	charon: 10[IKE] <con1|3> received EAP identity 'user@domain.local'
Sep 4 06:07:24	charon: 10[ENC] <con1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 4 06:07:24	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (96 bytes)
Sep 4 06:07:24	charon: 16[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (1236 bytes)
Sep 4 06:07:24	charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 4 06:07:24	charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 4 06:07:24	charon: 16[ENC] <con1|3> splitting IKE message (1696 bytes) into 2 fragments
Sep 4 06:07:24	charon: 16[ENC] <con1|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 4 06:07:24	charon: 16[IKE] <con1|3> sending end entity cert "C=US, ST=CA, L=San Rafael, O=IT Department, E=user@domain.local, CN=dc.domain.org, subjectAltName=DNS:dc.domain.org,IP:51.81.XXX.XXX"
Sep 4 06:07:24	charon: 16[IKE] <con1|3> authentication of 'dc.domain.org' (myself) with RSA signature successful
Sep 4 06:07:24	charon: 16[IKE] <con1|3> peer supports MOBIKE
Sep 4 06:07:24	charon: 16[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
Sep 4 06:07:24	charon: 16[CFG] <con1|3> selected peer config 'con1'
Sep 4 06:07:24	charon: 16[CFG] <3> looking for peer configs matching 51.81.XXX.XXX[%any]...50.76.XXX.XXX[10.20.30.10]
Sep 4 06:07:24	charon: 16[IKE] <3> received 56 cert requests for an unknown ca
Sep 4 06:07:24	charon: 16[IKE] <3> received cert request for "C=US, ST=CA, L=San Rafael, O=IT Department, E=user@domain.local, CN=internal-ca"
Sep 4 06:07:24	charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep 4 06:07:24	charon: 16[ENC] <3> received fragment #3 of 3, reassembled fragmented IKE message (1440 bytes)
Sep 4 06:07:24	charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ EF(3/3) ]
Sep 4 06:07:24	charon: 16[NET] <3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (452 bytes)
Sep 4 06:07:24	charon: 16[ENC] <3> received fragment #2 of 3, waiting for complete IKE message
Sep 4 06:07:24	charon: 16[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/3) ]

Log from when traffic stops:

Code: [Select]

Sep 4 06:12:40	charon: 09[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:12:40	charon: 09[ENC] <con1|3> generating INFORMATIONAL response 6 [ D ]
Sep 4 06:12:40	charon: 09[IKE] <con1|3> CHILD_SA closed
Sep 4 06:12:40	charon: 09[IKE] <con1|3> sending DELETE for ESP CHILD_SA with SPI cdbd2a89
Sep 4 06:12:40	charon: 09[IKE] <con1|3> closing CHILD_SA con1{22} with SPIs cdbd2a89_i (240 bytes) 0930f7e0_o (496 bytes) and TS 192.168.127.128/27 === 10.10.80.1/32
Sep 4 06:12:40	charon: 09[IKE] <con1|3> received DELETE for ESP CHILD_SA with SPI 0930f7e0
Sep 4 06:12:40	charon: 09[ENC] <con1|3> parsed INFORMATIONAL request 6 [ D ]
Sep 4 06:12:40	charon: 09[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (80 bytes)

And this is the following logs which oddly says that "no acceptable proposal found"?

Code: [Select]

Sep 4 06:14:03	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:14:03	charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 10 [ N(NO_PROP) ]
Sep 4 06:14:03	charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:14:03	charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:14:03	charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:14:03	charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:14:03	charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 10 [ SA No TSi TSr KE ]
Sep 4 06:14:03	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:58	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:58	charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 9 [ N(NO_PROP) ]
Sep 4 06:13:58	charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:58	charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:58	charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:58	charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:58	charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 9 [ SA No TSi TSr KE ]
Sep 4 06:13:58	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:53	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:53	charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 8 [ N(NO_PROP) ]
Sep 4 06:13:53	charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:53	charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:53	charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:53	charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:53	charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 8 [ SA No TSi TSr KE ]
Sep 4 06:13:53	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)
Sep 4 06:13:48	charon: 10[NET] <con1|3> sending packet: from 51.81.XXX.XXX[4500] to 50.76.XXX.XXX[38909] (80 bytes)
Sep 4 06:13:48	charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
Sep 4 06:13:48	charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:13:48	charon: 10[IKE] <con1|3> no acceptable proposal found
Sep 4 06:13:48	charon: 10[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 4 06:13:48	charon: 10[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 4 06:13:48	charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA request 7 [ SA No TSi TSr KE ]
Sep 4 06:13:48	charon: 10[NET] <con1|3> received packet: from 50.76.XXX.XXX[38909] to 51.81.XXX.XXX[4500] (384 bytes)

General Discussion / IPSEC user auth with local user and 2FA

« on: September 01, 2019, 11:46:59 pm »

Is it possible to create local access users with 2FA for mobile vpn access?

General Discussion / IKEv2 Mobile VPN not passing traffic (Solved)

« on: September 01, 2019, 10:23:12 pm »

Finally got the VPN to connect but I cannot ping or pass any traffic. I have created the RULE on IPSEC interface to pass all traffic.

Install Policy on P1 is enabled.

I cannot ping anything on the 10.5.10.x network. I have a device on 10.5.10.100 (No Firewall).

Had to modify my RULE in ipsec.

19.7 Production Series / Unbound not working when using gateway group in LanDefault Firewall rule

« on: July 21, 2019, 06:58:03 am »

When using group in gateway:

C:\Users\Administrator.server>nslookup
Default Server: UnKnown
Address: 10.1.10.1

When using Default Gateway

C:\Users\Administrator.server>nslookup
Default Server: opnsense.wall.local
Address: 10.1.10.1

19.7 Production Series / Unbound DNS fails on LAN default allow rule using Gateway Group for dual WAN

« on: July 18, 2019, 07:01:42 pm »

See below. Issue related to dual wan gateway group.

General Discussion / Anyone using ZeroTier? Can it be used with dual WAN for vpn failover?

« on: July 09, 2019, 10:42:25 pm »

I am curious if ZeroTier can be used with dual wan for vpn failover. Does anyone have any experience with this?

General Discussion / Anyone use SimpleWAN?

« on: June 20, 2019, 05:06:45 am »

Has anybody here ever used SimpleWAN? It looks like at one point it forked from pfsense. They use PC engines hardware and also super micro. The info I have seen show the product as a full SD-WAN solution with multi wan active active failover and other pretty neat features. I have only seen videos on YouTube about it but no reviews. It seems it was initially for VOIP but has changed.

General Discussion / Multi-Wan Client VPN

« on: June 06, 2019, 09:27:23 pm »

I am looking to secure a client environment and having issues with how to properly set up a client ipsec vpn with a OPNsense unit that has Multi Wan. What is the best way to provide VPN in the event that the primary connection goes down?

General Discussion / clientless SSL VPN (WEBVPN)

« on: April 26, 2019, 09:10:09 pm »

I am wondering if this is possible with an opensource option that can be added to OPNsense or another dedicated appliance inside a network.

I have deployed a synology MR2200ac and the webvpn works incredibly well and eliminates the need for a client. User can just log into a web interface and connect to the entire internal network.

They also offer web http and https page redirection and RDP and VNC embedded in the web interface. You can actually bookmark devices for access.

the device is only $139 and maybe it would just be easier to deploy it behind the OPNsense firewall rather than hoping someday this would be available. Still hoping :-)

Hardware and Performance / Fanless Solution for greenhouse deployment

« on: April 23, 2019, 06:53:15 am »

Looking to build a solution similar to what I have done with pfSense in the past.

https://www.supermicro.com/products/system/Box_PC/SYS-E50-9AP.cfm

This box is IP51 rated.

Looking to add GPS for NTP and optional Cellular failover.

Does anyone have any info on compatible USB GPS antennas?

Also any experience with adding Cellular Mini-PCIe to OPNsense?

Intrusion Detection and Prevention / Firewall Allow rules and Suricata

« on: November 25, 2018, 12:28:51 am »

Will rules enabling certain IP's through the firewall override rules from Suricata or will Suricata still block the traffic if set to block and the firewall has an allow for the same IP that Suricata might block based on the rule analysis?

Intrusion Detection and Prevention / Suricata and vlans

« on: November 25, 2018, 12:04:50 am »

I read that you dont want to add vlans to Suricata but when I added the physical interface (LAN) and not the vlan (which is on the LAN physical Interface) as a monitored interface none of my phones would work or get DHCP. Then when I removed the physical interface (LAN) the phones started to work again.

Is this by design?

General Discussion / Sticky connections

« on: November 24, 2018, 11:57:03 pm »

I am hoping I understand this correctly.

I use voip with Dual wan and on the pfSense I had a lot of problems that required hiring someone to create a custom program to run on the pfsense box to resolve the problem.

Scenario: Voip with Dual WAN

When using VOIP with dual wan and the primary connection goes down the phones successfully reconnect on the failover WAN.

When the primary comes back up the phones make a connection on the primary WAN but since the secondary never went down the phones still keep a open connection on the backup and then the phones do not work until they are disconnected or power cycled at which time they connect only on the primary.

Most people I would think keep the voip phones on there own subnet or vlan. This is what I did. So the script would then verify the status of both wan connections and if the primary was up it would kill all the states related to the vlan subnet.

I want to switch over to OPNsense but not having this will cause major problems. IT is a similar problem I face with most firewalls.

So will this resolve that issue or do I need to do a script again? Is there any plan to implement such a feature? Would be fantastic!

Pages: [1] 2