Messages - schnipp

121
22.1 Legacy Series / Re: Opnsense connectivity /switch power issue
« on: March 18, 2022, 04:04:07 pm »
The string should be the same as mine. In most cases the chipset doesn't matter as long as the device supports the mentioned CDC-ECM mode. The only thing you have to check before applying the string is to verify whether vendor and product id match.

First, list all devices:

Code:
# usbconfig
ugen0.1: <0x8086 XHCI root HUB> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)
ugen0.2: <Realtek USB 10/100/1000 LAN> at usbus0, cfg=1 md=HOST spd=HIGH (480Mbps) pwr=ON (350mA)
[…]

Second: Retrieve vendor and product id of your device (the example applies to device 0.2 (ugen0.2) from the list above).

Code:
# usbconfig -d 0.2 dump_device_desc
ugen0.2: <Realtek USB 10/100/1000 LAN> at usbus0, cfg=1 md=HOST spd=HIGH (480Mbps) pwr=ON (350mA)

[…]
  idVendor = 0x0bda
  idProduct = 0x8153
[…]

--> The resulting tunable is:
Name: hw.usb.quirk.0
Description: what you like to describe
Value: "0x0bda 0x8153 0 0xffff UQ_CFG_INDEX_1" (with blanks but without quotes)

Only the part of the value string shown in italics (the vendor and product id) needs to be adjusted if it differs.

122
22.1 Legacy Series / Re: [Solved] Strange behaviour with realtek USB NIC
« on: March 18, 2022, 03:54:36 pm »
Quote from: pmhausen on March 17, 2022, 10:33:56 pm
Tunables added in the UI are added to /boot/loader.conf - so that will work.

Thanks for the hint. I have moved the loader tunable to the GUI based configuration.

123
Virtual private networks / Re: OPNsense firewall in Azure - traffic not able to pass site2site IPsec connection
« on: March 17, 2022, 10:12:44 pm »
According to the deployment diagram your NSG is only configured for incoming traffic on TCP ports 22 and 443. For IPsec connections you need UDP port 500 for ISAKMP and ESP for the tunnel (or UDP port 4500 instead when using NAT-T for the tunnel).

124
German - Deutsch / Re: Site-2-Site IKEv2 Probleme
« on: March 17, 2022, 10:05:39 pm »
My first guess is that the firewall on the OPNsense is not configured correctly for incoming connections. Do you allow incoming connections for ESP, UDP/500 and UDP/4500?

125
22.1 Legacy Series / Re: Strange behaviour with realtek USB NIC
« on: March 17, 2022, 09:36:39 pm »
Quote from: pmhausen on March 17, 2022, 09:22:44 pm
Don't manipulate configuration files. If you use the tunables section in the UI, your settings will be saved to a configuration backup whenever you create one and will survive an update.

In most cases the hint is correct. But, according to the manpage it is a loader tunable which must be applied before loading the kernel. I am not sure whether adding this parameter to the tunable section will work. So far all parameters added to the file loader.conf.local (not loader.conf) survived all updates I ever applied since Opnsense 18.x.

Is it in this case possible to use the tunable section instead of the configuration file?

Edit:
Or are the tunables automatically written to the loader.conf file?

126
22.1 Legacy Series / Re: Opnsense connectivity /switch power issue
« on: March 17, 2022, 09:25:33 pm »
The new adapter arrived yesterday. Unfortunately, the device continuously loses the carrier and causes a lot of errors in USB communication. The same occurs with Linux. In this case it is a device problem and not caused by FreeBSD or the chipset.

But, I found a solution for the realtek adapter :) (see here: #2)

127
22.1 Legacy Series / Re: Strange behaviour with realtek USB NIC
« on: March 17, 2022, 09:15:40 pm »
I did some more investigation and found out that the Realtek 8153 chipset family provides two different interfaces. The first is the vendor-specific one, which is the default when connecting the USB ethernet adapter. The second is based on USB CDC-ECM (USB Communications Device Class - Ethernet Control Model). The second interface mode can be selected by configuring the device to the second USB configuration set (see link, Ch. 6.1.1).

The ECM based interface works well and is used in conjunction with another driver ("if_cdce" instead of "if_ure"). According to its documentation the vendor specific interface can perform better than the ECM interface. But for my connected printer it doesn't matter.

In my case the following command sets the device (ugen0.2) into ECM mode:

Code:
$ usbconfig -d 0.2 set_config 1

For permanently setting the device into this mode usb_quirks helps out. The following line needs to be added to configuration file /boot/loader.conf.local:

Code:
hw.usb.quirk.0="0x0bda 0x8153 0 0xffff UQ_CFG_INDEX_1"

Details of the configuration string can be found in the manpage of "usb_quirk".
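The two posts above (#121 and #127) describe deriving the hw.usb.quirk tunable from the device's idVendor/idProduct and stress checking that the ids match before applying it. The following is an added example, not code from the forum posts, that parses constructed `usbconfig -d X dump_device_desc` output and only emits the loader.conf.local line when the ids match the expected ones; the sample dump, the function names and the mismatching ids in the comments are assumptions.

```shell
# Constructed sample of `usbconfig -d 0.2 dump_device_desc` output (not captured
# from a real system; only the fields the parser needs are included).
SAMPLE_DUMP='ugen0.2: <Realtek USB 10/100/1000 LAN> at usbus0, cfg=1 md=HOST spd=HIGH (480Mbps) pwr=ON (350mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  idVendor = 0x0bda
  idProduct = 0x8153
  bNumConfigurations = 0x0002
'

# Print the value of one descriptor field (e.g. idVendor) read from
# dump_device_desc output on stdin. Lines look like "  idVendor = 0x0bda".
desc_field() {
  awk -v key="$1" '$1 == key && $2 == "=" { print $3; exit }'
}

# Build the loader tunable line for the device whose dump is on stdin.
#   $1: index N for hw.usb.quirk.N
#   $2: expected idVendor (e.g. 0x0bda)
#   $3: expected idProduct (e.g. 0x8153)
# Returns 1 without printing anything when the fields are missing or the ids
# differ, so the quirk is never generated for a different adapter.
# The "0 0xffff" revision range and UQ_CFG_INDEX_1 are taken from the post above.
quirk_line() {
  dump=$(cat)
  vid=$(printf '%s\n' "$dump" | desc_field idVendor)
  pid=$(printf '%s\n' "$dump" | desc_field idProduct)
  if [ -z "$vid" ] || [ -z "$pid" ]; then
    echo "idVendor/idProduct not found in dump" >&2
    return 1
  fi
  if [ "$vid" != "$2" ] || [ "$pid" != "$3" ]; then
    echo "id mismatch: device reports $vid $pid, expected $2 $3" >&2
    return 1
  fi
  printf 'hw.usb.quirk.%s="%s %s 0 0xffff UQ_CFG_INDEX_1"\n' "$1" "$vid" "$pid"
}

# Usage on a real box would be:
#   usbconfig -d 0.2 dump_device_desc | quirk_line 0 0x0bda 0x8153 >> /boot/loader.conf.local
printf '%s' "$SAMPLE_DUMP" | quirk_line 0 0x0bda 0x8153
```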

128
22.1 Legacy Series / Re: Opnsense connectivity /switch power issue
« on: March 14, 2022, 06:58:19 pm »
Today, I have ordered a new USB ethernet adapter. The new one uses the "AX88179" chipset instead of the "Realtek 8153(B)" and is supported by the "axge" driver provided with FreeBSD. If the new adapter works, it won't be worth investing time in a solution.

129
22.1 Legacy Series / Re: Strongswan not starting on 22.1
« on: March 13, 2022, 01:08:53 pm »
Please, don't check the file "/var/log/ipsec.log", this is not used anymore. Instead, have a look into the directory "/var/log/ipsec".

130
22.1 Legacy Series / Re: Opnsense connectivity /switch power issue
« on: March 12, 2022, 11:43:07 pm »
Quote from: pmhausen on March 12, 2022, 11:27:52 pm
Neither Realtek nor USB NICs in general are recommended. If possible, use some appropriate hardware.

I cannot believe that this is a general recommendation of FreeBSD 13. Do you have a reputable source for this? BTW my Realtek USB NIC worked flawlessly under Opnsense 21.x (Hardened BSD).

131
22.1 Legacy Series / Re: Opnsense connectivity /switch power issue
« on: March 12, 2022, 11:11:23 pm »
You probably encountered the same problems as me since updating to Opnsense 22.x (see here). It's either a general or a specific problem related to my realtek USB NIC. Which USB NIC do you use?

My temporary solution is to shutdown and restart the interface using the CLI.

132
22.1 Legacy Series / Re: Strange behaviour with realtek USB NIC
« on: March 06, 2022, 06:24:39 pm »
I have read that USB NICs aren't supported well by FreeBSD. The NIC itself works well after stopping and starting the interface using ifconfig. Does anybody encounter similar problems or can test this scenario?

133
22.1 Legacy Series / IPsec: Mismatch with multiple roadwarrior profiles
« on: March 06, 2022, 06:17:48 pm »
In the last days I did a lot of investigation regarding my roadwarrior connections. I have four different connection profiles active:

  • Mutual RSA + EAP-MSCHAPv2 with IPv4 (used by an android smartphone with the strongswan VPN app)
  • Mutual RSA with IPv4 (used by an ubuntu laptop with strongswan and the network manager)
  • Mutual RSA with IPv6 (used by an ubuntu laptop with strongswan and the network manager)
  • Mutual RSA + EAP-MSCHAPv2 with IPv6 (used by an android smartphone with the strongswan VPN app)

The different profiles are necessary because of flexibility (internet protocol) and differing support by the IPsec clients. I tried to get all profiles to work, but no luck. The android smartphone can successfully authenticate with IPv4 but not IPv6. And the Laptop can instead use IPv6 but not IPv4.

As far as I know Opnsense still only allows adding one roadwarrior (mobile) connection profile. But strongswan itself has no such limitation. There was a discussion about it in 2018 [1]. Some more investigation revealed that the combination of successful and unsuccessful authentication depends on the sequence of profiles in the ipsec.conf configuration file (as noted above).

Depending on the IP version, charon either tries to match an incoming connection to the first configuration entry or to none of them :'(. Corresponding entries in the log file look similar to

  • charon selects the wrong profile
    • looking for peer configs matching <local ip>[<local id>] ... <remote ip>[<remote id>]
    • selected peer config 'con2'
    • selected peer config 'con2' unacceptable: non-matching authentication done
    • no alternative config found
  • charon cannot find a profile match
    • looking for peer configs matching <local ip>[<local id>] ... <remote ip>[<remote id>]
    • no matching peer config found

According to the strongswan documentation (FAQ - no matching peer config found) [2] charon tries to find the correct profile by comparing the ip addresses and identities (including the type of the identity). I don't know whether the mismatch is based on the wrong identity type. The FAQ recommends in such cases to check the log file (log level 3). Unfortunately, I cannot find a hint in the log file which identity type the client has used.

In my eyes it seems to be a bug in charon (strongswan). Because, in case I only activate the last of the above profiles, the IPv6 based VPN on the smartphone works well even when pinning the identities of the endpoints to their certificate's DN. After adding the IPv6 profile for the laptop (still in the above sequence) the IPv6 based VPN connection of the smartphone fails because charon does not find any matching profile. In the second case I could understand that charon mistakenly selects the wrong profile. But, in this case it cannot find any match (second error description above). That sounds weird.

Does anybody know what I am doing wrong or if there is really a bug in strongswan (v.5.9.5)?

[1] https://forum.opnsense.org/index.php?topic=9142.msg44734#msg44734
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ

Thanks.

134
22.1 Legacy Series / Re: IPSec usage and security
« on: February 25, 2022, 12:16:12 pm »
Probably I got it, some client certificates (created at the same time) expired some time ago. Coincidentally in almost the same period as upgrading the Opnsense ::)

Edit:
But, I would be glad if we can revive the discussion about security  :)

135
22.1 Legacy Series / IPSec usage and security
« on: February 25, 2022, 12:07:06 pm »
Yesterday, I upgraded my Opnsense from 21.7.8 to 22.1.1_3. The upgrade worked flawlessly (thanks to all the developers and the great community). Unfortunately, many of my mobile IPSec connections do not work anymore. I am still investigating and it looks like strongswan rejects the client certificates because their trustworthiness is unknown. Perhaps some of the early adopters already have experience with mobile IPSec connections after upgrading to the new Opnsense 22.1.x.

Maybe, the problems have something in common with the security related misconfiguration of strongswan I addressed in the past. This all makes me think to either switch to another VPN technology (e.g. Wireguard) or to drop all automatically generated VPN profiles and add my manual ones (provided they won't get overwritten during configuration changes within Opnsense).

Does anybody have some recommendations?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved