OPNsense
Messages - Mistery

16
20.1 Legacy Series / Re: CARP issue with one single VLAN - backup on both units
« on: May 16, 2020, 05:29:00 pm »
Just want to add the following.

In the dmesg log of the primary unit the following log lines are shown:

ifa_maintain_loopback_route: deletion failed for interface igb0_vlan6: 3
carp: 5@igb0_vlan6: BACKUP -> MASTER (master timed out)
carp: 5@igb0_vlan6: MASTER -> BACKUP (more frequent advertisement received)

CARP status on both master and backup:
# sysctl -a | grep "net.inet.carp."
net.inet.carp.ifdown_demotion_factor: 240
net.inet.carp.senderr_demotion_factor: 240
net.inet.carp.demotion: 0
net.inet.carp.log: 1
net.inet.carp.preempt: 0
net.inet.carp.allow: 1

17
20.1 Legacy Series / CARP issue with one single VLAN - backup on both units
« on: May 16, 2020, 04:49:54 pm »
Hi all, I am experiencing an issue with a single CARP interface shown in backup status on both master and backup units. My HA setup consists of a primary unit and a backup unit, with multiple interfaces (WAN, LAN and VLANs on the LAN interface). HA is correctly configured and it's working fine for all VIPs except for a single CARP interface for a recently added VLAN; this VIP is shown in backup status on both units.
I tried everything I could to get the issue solved: entering maintenance mode, disabling CARP, rebooting both units, removing and adding the CARP interface again.
I have checked the VHID and it's correct on both units; every single interface has a unique VHID assigned.
Does anyone know what could be causing such an issue?

18
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 25, 2020, 05:54:50 pm »
Furthermore, I just want to add that when using eap-mschapv2 I am getting

charon: 05[IKE] <mobile-users|2> EAP-MS-CHAPv2 verification failed, retry (1)

and this is why I assume there are issues with the authentication mechanism being used on my side (local+LDAP instead of RADIUS).

19
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 25, 2020, 05:32:26 pm »
Quote from: hbc on April 19, 2020, 09:59:30 pm
Did you add the registry option to enable 2048 bits? Else add aes128-sha256-modp1048 to ciphers

Added this as well; however, the same error as reported in my previous message is occurring.

Also worth mentioning that I tried the VPN connection from both an Apple device and Windows 7 (MODP2048 enabled via registry setting) and the error is exactly the same:

charon: 05[ENC] <mobile-users|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

On the Windows 7 device the error shown is 13801.

20
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 25, 2020, 05:31:18 pm »
Quote from: hbc on April 19, 2020, 10:00:20 am
See here for tutorial and samples:

https://forum.opnsense.org/index.php?topic=12147.0

So far, not so good...

I have spent the last few days trying to make this work; however, to the best of my knowledge I am still unable to finalise this configuration.

I tried many times reconfiguring from scratch using the tutorial above; however, I ended up considering the tutorial configuration not completely correct, and I wonder if someone used it as described and was able to set up the tunnel.

There are at least a couple of questions to mention, one related to misleading info provided in the tutorial where it says

"- Minimal configuration of VPN->IPsec->Mobile Client. No tunnels are created in the WebUI!!!"

however, according to the config files attached to the tutorial, there is an ipsec.conf from the standard OPNsense WebUI configuration, therefore it seems like a tunnel was created there and additional config was added to the custom folder.

The second question is related to the user authentication mechanism I am using: in the tutorial RADIUS authentication is used, however on my side I am using local+LDAP authentication.
The LDAP authentication server was correctly configured in System > Access > Servers and it's working fine using the tester.

All my VPN connection attempts end up in

charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Could it be that the above error reported on my side when connecting is related to the actual user authentication being unsuccessful for some reason, even though it works OK using the OPNsense authentication tester?

21
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 19, 2020, 03:33:49 pm »
Quote from: hbc on April 19, 2020, 10:00:20 am
See here for tutorial and samples:
https://forum.opnsense.org/index.php?topic=12147.0

I tried implementing the config shown in that tutorial, customised for my own environment. I tried to make it as simple as possible; however, I am still having issues. Here are my config files, where I have just masked private or confidential info:

# cat /usr/local/etc/ipsec.conf

# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = no
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel
  dpdaction = restart
  dpddelay = 10s
  dpdtimeout = 60s
 
  left = <OPNsense CARP IP WAN>
  right = %any
 
  leftid = <OPNsense CARP IP WAN>
  ikelifetime = 86400s
  lifetime = 3600s
  rightsourceip = 192.168.117.0/24
  ike = aes256-aesxcbc-ecp521,aes256-sha512-ecp521,aes256-sha384-ecp521,aes256-sha256-ecp521!
  leftauth = psk
  rightauth = psk
  leftsubnet = <OPNsense LAN subnet/24>
  esp = aes256-sha256,aes256-sha384,aes256-sha512,aes256-aesxcbc!
  auto = start

include ipsec.opnsense.d/*.conf

*************************************************************************

# cat /usr/local/etc/ipsec.secrets

%any : PSK <encrypted key>

include ipsec.secrets.opnsense.d/*.secrets

*************************************************************************

# cat /usr/local/etc/strongswan.conf

# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        identifier = charon
        daemon {
            ike_name = yes
        }
    }
    cisco_unity = yes
    plugins {
        attr {
            subnet = <OPNsense LAN subnet/24>
            split-include = <OPNsense LAN subnet/24>
            dns = <Internal DNS IP address>
            nbns = <Internal WINS IP address>
            # Search domain and default domain
            28674 = <domain name>
            28675 = <domain name>
            25 = <domain name>
            28672 = "<Welcome text>"
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }
}

include strongswan.opnsense.d/*.conf

*************************************************************************

# cat /usr/local/etc/ipsec.opnsense.d/ipsec.mobile.conf

config setup
# Since userID is the right id we allow more than one connection per right id.
# This overrules the OPNsense standard yes in ipsec.conf and is a global parameter!
  uniqueids = never

conn mobile
# Default OPNsense
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  ikelifetime = 28800s
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
  ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  left = <OPNsense CARP IP WAN>
  leftid = <OPNsense hostname>
  leftauth = pubkey
# Lets encrypt certificate
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightsendcert = never
  right = %any
  rightauth = xauth-pam
  eap_identity = %any

conn mobile-users
# Include above config
  also = mobile
# Split tunneled networks
  leftsubnet = <OPNsense LAN subnet/24>
# Virtual IP pool assigned to this group
  rightsourceip = <VPN Pool subnet/24>
  auto = add

*************************************************************************

After restarting the strongswan service I can't connect and the log reports the following:

2020-04-19T15:18:44   charon: 15[NET] <mobile-users|2> sending packet: from <OPNsense CARP IP WAN>[4500] to <VPN client IP address>[4500] (80 bytes)
2020-04-19T15:18:44   charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer supports MOBIKE
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2020-04-19T15:18:44   charon: 15[CFG] <mobile-users|2> no alternative config found
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer requested EAP, config unacceptable
2020-04-19T15:18:44   charon: 15[CFG] <mobile-users|2> selected peer config 'mobile-users'
2020-04-19T15:18:44   charon: 15[CFG] <2> looking for peer configs matching <OPNsense CARP IP WAN>[OPNsense hostname]...<VPN client IP address>[PSK key]
2020-04-19T15:18:44   charon: 15[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2020-04-19T15:18:44   charon: 15[ENC] <2> unknown attribute type INTERNAL_DNS_DOMAIN
2020-04-19T15:18:44   charon: 15[NET] <2> received packet: from <VPN client IP address>[4500] to <OPNsense CARP IP WAN>[4500] (512 bytes)
2020-04-19T15:18:44   charon: 15[NET] <2> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[500] (456 bytes)
2020-04-19T15:18:44   charon: 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-04-19T15:18:44   charon: 15[IKE] <2> remote host is behind NAT
2020-04-19T15:18:44   charon: 15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:18:44   charon: 15[IKE] <2> no matching proposal found, trying alternative config
2020-04-19T15:18:44   charon: 15[CFG] <2> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:18:44   charon: 15[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
2020-04-19T15:18:44   charon: 15[IKE] <2> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:18:44   charon: 15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2020-04-19T15:18:44   charon: 15[NET] <2> received packet: from <VPN client IP address>[500] to <OPNsense CARP IP WAN>[500] (604 bytes)

The VPN connection on the Apple client device is configured as an IKEv2 connection: server IP address <OPNsense CARP IP WAN>, remote ID <OPNsense hostname>, authentication using username and password.

I tried connecting from a Windows 7 client with the VPN connection configured in IKEv2 mode and got the following:

2020-04-19T15:28:12   charon: 16[NET] <17> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:12   charon: 16[ENC] <17> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:12   charon: 16[IKE] <17> received proposals unacceptable
2020-04-19T15:28:12   charon: 16[IKE] <17> remote host is behind NAT
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> no matching proposal found, trying alternative config
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:12   charon: 16[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:12   charon: 16[NET] <17> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
2020-04-19T15:28:10   charon: 16[NET] <16> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:10   charon: 16[ENC] <16> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:10   charon: 16[IKE] <16> received proposals unacceptable
2020-04-19T15:28:10   charon: 16[IKE] <16> remote host is behind NAT
2020-04-19T15:28:10   charon: 16[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:10   charon: 16[CFG] <16> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:10   charon: 16[IKE] <16> no matching proposal found, trying alternative config
2020-04-19T15:28:10   charon: 16[CFG] <16> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:10   charon: 16[CFG] <16> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:10   charon: 16[IKE] <16> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:10   charon: 16[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:10   charon: 16[NET] <16> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
2020-04-19T15:28:09   charon: 16[NET] <15> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:09   charon: 16[ENC] <15> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:09   charon: 16[IKE] <15> received proposals unacceptable
2020-04-19T15:28:09   charon: 16[IKE] <15> remote host is behind NAT
2020-04-19T15:28:09   charon: 16[CFG] <15> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:09   charon: 16[CFG] <15> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:09   charon: 16[IKE] <15> no matching proposal found, trying alternative config
2020-04-19T15:28:09   charon: 16[CFG] <15> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:09   charon: 16[CFG] <15> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:09   charon: 16[IKE] <15> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:09   charon: 16[ENC] <15> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:09   charon: 16[NET] <15> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
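
Both failures in the logs above can be read off the "received proposals" / "configured proposals" pairs and the "peer requested EAP, config unacceptable" line. The Python below is an added illustration, not OPNsense or strongSwan code and not part of the original post: it pairs those lines per IKE_SA in chronological order, intersects the two proposal sets for each conn that charon tried, and prints a one-line diagnosis. The sample log is a constructed, shortened copy of the lines in this post with the same masked placeholders.

```python
"""Added example, not OPNsense or strongSwan code: pair the 'received proposals'
and 'configured proposals' lines charon logs for each IKE_SA, intersect them,
and note whether the peer asked for EAP after a proposal was selected."""
import re

PROPOSALS_RE = re.compile(
    r"charon: \d+\[CFG\] <(?P<sa>[^>]+)> (?P<kind>configured|received) proposals: (?P<list>.+)$")
SELECTED_RE = re.compile(r"charon: \d+\[CFG\] <(?P<sa>[^>]+)> selected proposal: (?P<prop>\S+)")
EAP_RE = re.compile(r"charon: \d+\[IKE\] <(?P<sa>[^>]+)> peer requested EAP, config unacceptable")

# Constructed sample: shortened copies of the Windows 7 (<17>) and Apple (<2>) lines
# from the post above, kept in the forum's newest-first order.
SAMPLE_LOG = """\
2020-04-19T15:28:12   charon: 16[ENC] <17> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer requested EAP, config unacceptable
2020-04-19T15:18:44   charon: 15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:18:44   charon: 15[CFG] <2> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:18:44   charon: 15[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""


def sa_key(raw):
    """'<mobile-users|2>' and '<2>' name the same IKE_SA; keep the numeric part."""
    return raw.rsplit("|", 1)[-1]


def split_proposals(text):
    """'IKE:A/B/C/D, IKE:E/F/G/H' -> set of proposal strings."""
    return {p.strip() for p in text.split(",") if p.strip()}


def dh_groups(proposals):
    """The DH group is the last '/'-separated field of an IKE proposal string."""
    return {p.rsplit("/", 1)[-1] for p in proposals}


def _record(sas, sa):
    return sas.setdefault(sa, {"rounds": [], "selected": None, "eap_rejected": False})


def analyse(log, newest_first=True):
    """Return {sa_id: {"rounds": [...], "selected": str|None, "eap_rejected": bool}}.
    One round = one received/configured pair, i.e. one conn that charon tried."""
    lines = log.splitlines()
    if newest_first:
        lines.reverse()  # process in chronological order
    sas, pending = {}, {}
    for line in lines:
        m = PROPOSALS_RE.search(line)
        if m:
            sa = sa_key(m.group("sa"))
            half = pending.setdefault(sa, {})
            half[m.group("kind")] = split_proposals(m.group("list"))
            if "received" in half and "configured" in half:
                _record(sas, sa)["rounds"].append({
                    "configured": half["configured"],
                    "received": half["received"],
                    "common": half["received"] & half["configured"],
                    "client_dh": dh_groups(half["received"]),
                    "server_dh": dh_groups(half["configured"]),
                })
                pending[sa] = {}
            continue
        m = SELECTED_RE.search(line)
        if m:
            _record(sas, sa_key(m.group("sa")))["selected"] = m.group("prop")
            continue
        m = EAP_RE.search(line)
        if m:
            _record(sas, sa_key(m.group("sa")))["eap_rejected"] = True
    return sas


def verdict(sas):
    """One-line diagnosis per IKE_SA, derived only from the parsed lines."""
    out = {}
    for sa, rec in sas.items():
        if rec["selected"] is None and rec["rounds"] and all(not r["common"] for r in rec["rounds"]):
            client = sorted(set().union(*(r["client_dh"] for r in rec["rounds"])))
            server = sorted(set().union(*(r["server_dh"] for r in rec["rounds"])))
            out[sa] = (f"no IKE proposal in common across {len(rec['rounds'])} conn(s): "
                       f"client DH {client} vs server DH {server} -> expect N(NO_PROP)")
        elif rec["selected"] and rec["eap_rejected"]:
            out[sa] = (f"IKE_SA_INIT agreed on {rec['selected']} but the client asked for EAP "
                       "and the matched conn's rightauth is not an EAP method -> expect AUTH_FAILED")
        elif rec["selected"]:
            out[sa] = f"IKE_SA_INIT agreed on {rec['selected']}"
        else:
            out[sa] = "no proposal lines seen for this IKE_SA"
    return out


if __name__ == "__main__":
    for sa, text in verdict(analyse(SAMPLE_LOG)).items():
        print(f"<{sa}> {text}")
```

Run as a script it prints one verdict per IKE_SA; the analyse() return value is the shape a monitoring check would consume, and the DH-group split makes the Windows 7 mismatch (client only offers MODP_1024, server only accepts MODP_2048 and ECP groups) visible at a glance.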

22
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 19, 2020, 10:11:30 am »
The configuration lines reported in previous messages were automatically generated by the OPNsense GUI and were working fine with Apple devices. So yes, I found an IKEv1 Mutual PSK+XAuth configuration to be working fine and wanted to try moving that configuration to the custom folder /usr/local/etc/ipsec.opnsense.d, so that I could later add additional IKEv2 connections for Windows devices.
The certificate is installed server side and uses the Let's Encrypt CA anyway.

23
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 19, 2020, 09:37:18 am »
I tried manually configuring strongswan via a custom config saved in the folder /usr/local/etc/ipsec.conf.d; however, I wasn't able to make it work.

I tried a very simple custom configuration starting from the working configuration saved in /usr/local/etc/ipsec.conf by OPNsense GUI.

I have cut from /usr/local/etc/ipsec.conf the below config lines generated by the OPNsense GUI:

config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel

  inactivity = 1800s
  left = <WAN CARP IP address>
  right = %any

  leftid = <WAN CARP IP address>
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 192.168.117.0/24
  ike = aes256-sha256-modp2048,aes256-sha256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 172.19.6.0/24
  esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,blowfish256-sha1,blowfish256-sha256,blowfish192-sha1,blowfish192-sha256,blowfish128-sha1,blowfish128-sha256,3des-sha1,3des-sha256!
  auto = add

and pasted the above lines into a custom config file /usr/local/etc/ipsec.conf.d/apple.conf, then I restarted the strongswan service.

The above are the config lines generated by the GUI and found to be working with Apple devices.

I tried connecting to the VPN; however, it didn't work as expected. After restoring the above configuration in the OPNsense GUI the VPN service works fine.

My goal was to test configuring strongswan using custom config files instead of the GUI, using a valid working configuration. I was expecting it to work smoothly so that I could start adding new connections for Windows and Android devices.

Am I missing anything? Any hints?

24
20.1 Legacy Series / Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 18, 2020, 10:16:49 pm »
Quote from: hbc on April 18, 2020, 08:16:24 pm
You have much more options for tuning and compatibility when directly editing your configuration. And with those directories, configuration is preserved during updates.

Thank you for pointing this out. I have no experience in manually editing strongswan configurations; however, I will give it a try.
I am just wondering what happens to the custom configuration in the case of an OPNsense HA cluster: are custom configurations synchronised to the backup node as well?

25
20.1 Legacy Series / IPsec road warrior VPN setup compatible with Windows, Apple and Android
« on: April 18, 2020, 06:40:15 pm »
I am struggling with setting up a road warrior VPN to allow remote clients to connect to the corporate network; the remote clients run different OSes: Windows 7 and above, Mac OS X and some Apple iOS and Android mobile clients.
I can't get a proper configuration working. I have followed all the wiki pages and tried multiple configurations many times, and the only configuration I could get working on Apple Mac and iOS mobile clients is Mutual PSK + XAuth with V1 key exchange.
All other configurations I tried as per wiki pages are not working, including IKEv2 EAP-MSCHAPv2 (tried and reviewed many times the configuration).
I have read many topics on this forum and couldn't find a clear path to configure IPsec VPN and it seems like the wiki pages are lacking some details.
I would appreciate any help from someone who already experienced the same issues and could share some deeper details on how to configure IPsec VPN to allow different clients to connect.
Thanks in advance everybody.

26
20.1 Legacy Series / Assigning static virtual IPs to IPsec VPN users
« on: February 15, 2020, 05:35:46 pm »
Hello, I searched a lot about this subject; however, I couldn't find any specific information related to IPsec VPN tunnels.
Is there any way to assign static virtual IPs to local VPN users?
