Topics

1

20.1 Production Series / VPN clients pass as "let out anything from firewall host itself"

« on: April 22, 2020, 11:36:56 am »

Hi,

I have an IPSec road-warrior setup, and I need to restrict what clients can access on my local Networks.
I have configured rules for that on the IPSec interface, with everything that is allowed, and a 'reject all' rule at the end.
However, my clients can access anything nevertheless and the log says "let out anything from firewall host itself" which is effectively autogenerated as a floating rule, but not labelled as 'quick'.
Where am I going wrong, or how can I solve this?

Thanks a lot in advance,
Frank

2

General Discussion / OS X road warrior with RSA Authentication

« on: December 19, 2019, 02:35:26 pm »

Hi,

I would like to setup an OPNsense Box as an IPSec gateway for our staffs mobile devices. Authentication happens based on the machine certificate that the workstations have since they are in our domain. The IPSec server also uses a certificate signed by our domains CA.

Getting this to work with Windows clients is fairly easy. Now we have some OS X clients in the wild too, and I am struggling to get them to connect.

Strongswan's log gives the following:

Code: [Select]

Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=MEN-CA"
Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=men-IANUS-CA"
Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=men-DC1-CA"
Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=men-DC2-CA"
Dec 19 12:49:01 gate charon: 02[ENC] <18> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 19 12:49:01 gate charon: 02[NET] <18> sending packet: from 123.123.123.20[500] to 321.321.321.3[500] (561 bytes)
Dec 19 12:49:01 gate charon: 02[NET] <18> received packet: from 321.321.321.3[4500] to 123.123.123.20[4500] (512 bytes)
Dec 19 12:49:01 gate charon: 02[ENC] <18> unknown attribute type INTERNAL_DNS_DOMAIN
Dec 19 12:49:01 gate charon: 02[ENC] <18> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 19 12:49:01 gate charon: 02[CFG] <18> looking for peer configs matching 123.123.123.20[gate.exampla.com]...321.321.321.3[CGIE]
Dec 19 12:49:01 gate charon: 02[CFG] <18> no matching peer config found
Dec 19 12:49:01 gate charon: 02[IKE] <18> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 19 12:49:01 gate charon: 02[IKE] <18> peer supports MOBIKE
Dec 19 12:49:01 gate charon: 02[ENC] <18> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]


The gateway's FQDN and its IP are in the certificate. The domains CA is known and trusted on the OS X client.

What can I try next?

Thanks,

Frank

3

Intrusion Detection and Prevention / No Internet access when IPS is on

« on: October 11, 2019, 03:58:38 pm »

Hi,

I have been testing IDS, and my results are good so far. I see proper alerts for the rules I have enabled, so far so good.
When I turn on IPS, however, the internal networks don't have Internet access anymore.
I attach a screenshot of the flags and values I have set.

All internal networks are in VLANS attached to ixl0 (intel NIC with 10Gbps SFP modules).
 

I have successfully set fc to 0 on all interfaces (sysctl dev.ixl.0.fc=0, and so on)

What did I do wrong?


Thanks
Frank

4

19.7 Legacy Series / Multiple phase2, Cisco, and Tunnel Isolation

« on: September 17, 2019, 02:21:55 pm »

Hi,

I have trouble getting an IPSec connection to a Cisco: I need several phase2 tunnels (and NAT on my side). When I uncheck 'Tunnel Isolation' in phase1, the connection fails with

Code: [Select]

received TS_UNACCEPTABLE notify, no CHILD_SA builtwhen I check 'Tunnel isolation' (no other change to the config), then each phase2 can be brought up without a problem, but this brings other problems described here

https://forum.opnsense.org/index.php?topic=14240.0

Thanks for any hints,
Frank

5

19.7 Legacy Series / IPSec and SPI

« on: September 17, 2019, 02:13:55 pm »

Hi,

I am struggling with an IPSec connection to a remote CISCO. I need several phase2 tunnels, and NAT on my side (I can't use the IP range that the remote side has given me).

When I bring one phase2 tunnel UP, everything is fine. As soon as I bring a second one up, all the traffic uses the SPI of the latest tunnel, and gets refused by the remote side.

One tunnel UP:
ipsec-status:

Code: [Select]

Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 17 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16
tcpdump:

Code: [Select]

14:09:24.989728 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 821, length 64
14:09:24.992286 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 821, length 64
14:09:25.991076 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 822, length 64
14:09:25.993699 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 822, length 64
now I bring the second tunnel up (ipsec up con1-001).
ipsec-status:

Code: [Select]

Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 28 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16
    con1-001{10}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cf947911_i 41c91673_o
    con1-001{10}:   10.203.251.240/28 === 192.168.2.0/24

tcpdump shows the new SPI is used:

Code: [Select]

14:09:28.994230 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 825, length 64
14:09:29.996407 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 826, length 64
I have read  these threads here
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773
but it is not clear to me if the issue is considered to be solved.

I would very much like to try the hack that involves removing the 'Manual SPD' from my phase2 entries and adding them by script.
Does anybody know how to do this?

Thanks a lot,

Frank
 

6

19.1 Legacy Series / NAT before IPSec

« on: August 14, 2019, 11:05:05 am »

Hi,

I have a local Network (192.168.0.0/24) that needs to be NATed (to 10.203.207.0/24) before it goes into the IPSec Tunnel.
When the Tunnel is up, this works perfectly fine. (ie I have a NAT defined(on the IPSec device), and added a Manual SPD entry for 192.168.0.0/24)
However, hosts from the local Network (192.168.0.0/24) can't get the Tunnel up.

Code: [Select]

ping -S 192.168.0.1 other.side does nothing whereas

Code: [Select]

ping -S 10.203.207.1 other.side pulls the tunnel up (I have added a virtual IP for 10.203.207.1 on the same interface as 192.168.0.1)

Could this bit from the changelog in 19.7.x solve my Problem?

ipsec: use interface IP address in local ID when doing NAT before IPsec

Thanks a lot

7

General Discussion / Names vs uuids

« on: June 07, 2019, 01:17:56 pm »

I have a general question: now that we have alias export/import I have played around a little with this.
Objects have had uuids for quite some time but the name is still the key that is used to reference objects.
Is this planned to change at some time?

Thanks

8

19.1 Legacy Series / Aliases API

« on: February 20, 2019, 03:11:11 pm »

Hi,

sorry for crossposting, I answered to a thread in 18.7 (https://forum.opnsense.org/index.php?topic=10802.0), but this should probably go in here as this api has evolved in 19.1


So, what is wrong with the following code?
 

Code: [Select]


url = 'http://192.168.122.230/api/firewall/alias/addItem/xyzzy'
headers = {'Content-Type': 'application/json'}               
r = requests.post(url,
                 headers=headers,
                 data='{"name":"xyzzy","content":"192.168.5.5","enabled":"1","type":"host"}',
                 verify=False, #'/home/fweis/Documents/2019/OPNSense',
                 auth=(api_key, api_secret))


I also tried this, same result:

Code: [Select]

r = requests.post(url,
                 json={'name':'xyzzy','content':'192.168.5.5','enabled':'1','type':'host'},
                 verify=False,
                 auth=(api_key, api_secret))
Also, where can I find a list of actions in the alias api?

Thanks,

Frank

9

19.1 Legacy Series / IPSec S2S and NAT Problem

« on: February 19, 2019, 01:10:06 pm »

Hi,

I want to set up a Site-2-Site Tunnel, between OPNSense and a third party.
My local Network is 192.168.0.0/24 but the third party requires that I use 10.203.207.0/24
Changing IPs at my side is not an option, as it is not really up to me.

The IPSec is up and running, and if I put a virtual IP of 10.203.207.1 on my local interface, i can ping the other side (ping -S 10.203.207.1 172.16.0.100 works, and I see the trafic on the  enc0 interface).

Code: [Select]

172.16.0.0/16[any] 10.203.207.0/24[any] any
in ipsec
esp/tunnel/1.2.3.4-4.3.2.1/unique:6
created: Feb 19 12:37:34 2019  lastused: Feb 19 12:37:34 2019
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=69 seq=2 pid=20879 scope=global
refcnt=1
10.203.207.0/24[any] 172.160.0.0/16[any] any
out ipsec
esp/tunnel/4.3.2.1-1.2.3.4/unique:6
created: Feb 19 12:37:34 2019  lastused: Feb 19 12:37:34 2019
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=70 seq=0 pid=20879 scope=global
refcnt=1


Now I need to set up NAT, such that traffic from my LAN (192.168.0.0/24) appears to come from  10.203.207.0/24 before it goes into the tunnel.

• When I add 192.168.0.0/24 to the 'Manual SPD entries' in phase two, this causes the traffic to be thrown into the ipsec Tunnel (I see it on enc0, but the source is not modified). I have tried with outbound NAT rules on all possible devices: WAN, LAN and IPSec
• when I clear the 'Manual SPD entries', traffic is never entering the tunnel, but I manage to get the wanted translation (i see traffic as originating from 10.203.207.0/24 on the WAN interface)
• I have tried one-to-one NAT, no success

Any hints would be greatly appreciated!

• I am pretty sure I had this working last year when I evaluated OPNSense with an earlier release. Did something change?
• Is outbound NAT the right place to do this, and if so, on what interface? IPSec, WAN or LAN?
• My outbound NAT is in hybrid mode, but the 'automatic rules' section is empty. Normal?

Thanks,

Frank

10

18.7 Legacy Series / [SOLVED] Firewall rules problem

« on: September 03, 2018, 11:20:19 am »

Hi all,

this might be my own fault, or a lack of understanding on my behalf, so I apologize in advance if I am being dumb.

I do 802.1x on my switches in remote offices, and the switches talk to a radius server through an openvpn tunnel.

I have two symmetrical (floating) rules that should allow this:
radius-servers -> local switch net, accept ports 1812-1813
local switch net -> radius-servers, accept ports 1812-1813

It doesn't work, and I see in the live log that packets (udp, port 1812) are dropped from the radius servers to the switches.

When I include a third rule that allows anything from the radius to the switches, it works like a charm.

I include a screenshot of the three rules.

11

18.7 Legacy Series / Modify default-logo.svg

« on: August 17, 2018, 10:03:45 am »

Hi,

as I will be managing a  bunch of OPNsense boxes from a central location,
it would really help me if the web gui clearly indicated the name of the box IN LARGE, FRIENDLY LETTERS ;-)

One nice way of achieving this would be to replace the OPNsense logo with an image that states the hostname, because that way you even see what you are connecting to before the login.

Any ideas on how to go on about this?

• how do I generate an svg displaying a string from the command line?
• how do I put it in place? Should I create my own theme?

Thanks a lot,

Frank

12

18.7 Legacy Series / [SOLVED] OpenVPN remote network

« on: August 16, 2018, 03:41:22 pm »

Hi,

openvpn clients used to accept x.y.z.t/32 in "IPv4 Remote Network" if there is a single host that needs to go through a tunnel in 18.1,
now (18.7.1) they complain:
"The field 'IPv4 Remote Network' must contain only valid ipv4 CIDR range(s) separated by commas."

I rely on this a lot, for reasons that I have no influence on. Can this be like it was before, so /32 is valid?

Thanks and regards,
Frank

13

18.1 Legacy Series / Interface name annoyance

« on: July 26, 2018, 11:31:25 am »

Hi,

I have discovered that the interface names are not updated when you rename them upon creation in the config file.
e.g. when you first 'Assign' them, they come up with a generic name (OptN). When you give them a nice name their generic name is not replaced in the config file.

This is

• a pity for me: I would like to be able to duplicate a firewall and copy/paste interfaces, rules and aliases
• not consistent everywhere in the gui: eg: ui/diagnostics/systemhealth/ shows the generic name of the interface (see screenshot), after you select the nice name in the menu

In fact there is a difference between the name (internal) and what the user enters (description field, which says (name) in the fields explanation).

I don't know if one should keep name and description and make the name really user editable, or merge name and description, forcing the syntax to something acceptable xml-wise.

What do you think?

14

18.1 Legacy Series / [SOLVED] IPSec Bug?

« on: July 17, 2018, 04:16:28 pm »

Hi,

I have discovered weird behaviour with IPSec:
one local network needs to access two different networks behind the same remove IPSec gateway.
So I figured I create one Phase-1 entry and attach two phase-2 entries (one for each remote net) to it.
It won't work.

Desperate, I went ahead and created two exactly identical Phase-1 entries (same IPs, same shared secret) an attached one Phase-2 to each of them. Works like a charm. Is this expected behaviour?

See attached screenshots for clarity

15

18.1 Legacy Series / Bug: Renaming Aliases and NAT

« on: July 17, 2018, 03:25:24 pm »

Hi,
I have just discovered that when you edit an Alias and change its name, the renaming does not happen in (outgoing) NAT rules, leaving them dangling.

Bug?

Thanks