Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - BusinessTux

Pages: 1 [2] 3 4

Virtual private networks / Re: Ipsec ikev2 mutual psk how to setup

« on: January 20, 2022, 07:37:20 pm »

As it looks, Mutual PSK is apparently only supported for IKEv1

https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

Virtual private networks / Re: Ipsec ikev2 mutual psk how to setup

« on: January 19, 2022, 08:42:35 pm »

You can find it in the single how-tos as Phase 1 auth method

E.G. https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html I can.

Virtual private networks / Re: Ipsec ikev2 mutual psk how to setup

« on: January 19, 2022, 06:30:59 pm »

Hi Rob,

perhaps Google didn't found https://docs.opnsense.org/manual/vpnet.html#ipsec

Ulf

Virtual private networks / Re: OpenVPN Login with Certificate and OTP

« on: January 19, 2022, 06:27:26 pm »

Quote

So, the next time you login to your OpenVPN server you will be promped for an additional password. Provide the 6 digit passcode and you will gain access.

This is for Ubuntu, not for a FreeBSD based System. An there is written: ... an additional password ...

Virtual private networks / Re: OpenVPN Login with Certificate and OTP

« on: January 18, 2022, 06:56:38 am »

Yes, you're right. I haven't read, that you don't want a user.

Without user and password there is no way in my opinion.

Only TOTP isn't available as access server in OPNsense.

Virtual private networks / Re: Second IPsec Site2Site Tunnel down

« on: January 17, 2022, 05:51:32 pm »

Quote

Why do you tick "Dynamic Gateway"? This is only needed for respond-only.

Yes, you're right. This is from one of the many attempts.

Quote

You really should start at the beginning:

On both sites "default", not respond or start, only use IPs instead of names, use PSK instead of certs.
If this work activate one by another.

I will do and report.

Thanks

Virtual private networks / Re: Second IPsec Site2Site Tunnel down

« on: January 17, 2022, 03:07:00 pm »

Thanks.

The DynDNS-Names I use only for Admin-OpenVPN-Connection.

The IPsec connection to the mainofficerouter will be connected from both homeoffice routers via static IP (like to se in screenshot from homeoffice 2 router)

The mainofficerouter is set to respond only in IKE Phase 1

Virtual private networks / Re: OpenVPN Login with Certificate and OTP

« on: January 17, 2022, 10:18:34 am »

Hi Andre,

yes you can. I always wanted to say that

.

You have to configure a TOTP-Server under System > Access > Servers.
I recommend the option "Reverse token order" for better usability.

More on https://docs.opnsense.org/manual/how-tos/two_factor.html

Then you have to "Generate new secret (160 bit)" in the user.

And last you have to use this auth server in the OpenVPN-Configuration.

I've using this with additionally tls certificates

Virtual private networks / Re: No routing via ipsec S2S Tunnel

« on: January 16, 2022, 02:49:25 pm »

I found one more detail.

The mainoffice router said, the tunnel network to homeoffice 2 is down. But why?

Code: [Select]

root@mainofficerouter:~ # ping -t 3 100.64.21.2
PING 100.64.21.2 (100.64.21.2): 56 data bytes
64 bytes from 100.64.21.2: icmp_seq=0 ttl=64 time=34.851 ms
64 bytes from 100.64.21.2: icmp_seq=1 ttl=64 time=35.068 ms
64 bytes from 100.64.21.2: icmp_seq=2 ttl=64 time=35.031 ms

--- 100.64.21.2 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 34.851/34.983/35.068/0.095 ms
root@mainofficerouter:~ # ping -t 3 100.64.22.2
PING 100.64.22.2 (100.64.22.2): 56 data bytes
ping: sendto: Network is down
ping: sendto: Network is down
ping: sendto: Network is down

--- 100.64.22.2 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

The ipsec status is online for both tunnels

The box versions are

mainofficerouter: OPNsense 21.10.2 (amd64/OpenSSL)
homeoffice 1: OPNsense 21.7.7 (amd64/OpenSSL)
homeoffice 2: OPNsense 21.10.2 (amd64/OpenSSL)

Virtual private networks / Re: No routing via ipsec S2S Tunnel

« on: January 15, 2022, 03:18:33 pm »

The error is back.

Meantime I've read the GIT issues Static route to route-based IPsec gateway does not get configured after reboot and IPSec Route missing after WAN DHCP Renew (#3414 related?)

So reconfigured my phase 1 to use a static IP to the central site and certificates for authentication, like described here: https://nwildner.com/posts/2019-09-24-how-to-site2site-opnsense/ with the difference, that I use routed tunnels (VTI).

But homeoffice 2 can't route. If I stop the IPsec-Tunnel in homeoffce 2 und start it again the folling lines are in the ipsec logfile on the mainoffice router (redacted)

Code: [Select]

Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <8> received packet: from 79.XXX.XXX.190[500] to 80.XXX.XXX.52[500] (464 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <8> 79.XXX.XXX.190 is initiating an IKE_SA
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <8> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <8> sending cert request for "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerRootCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <8> sending cert request for "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerVpnCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <8> sending cert request for "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerMgmtCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <8> sending packet: from 80.XXX.XXX.52[500] to 79.XXX.XXX.190[500] (537 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <8> received packet: from 79.XXX.XXX.190[4500] to 80.XXX.XXX.52[4500] (1236 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> parsed IKE_AUTH request 1 [ EF(1/3) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> received fragment #1 of 3, waiting for complete IKE message
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <8> received packet: from 79.XXX.XXX.190[4500] to 80.XXX.XXX.52[4500] (1236 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> parsed IKE_AUTH request 1 [ EF(2/3) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> received fragment #2 of 3, waiting for complete IKE message
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <8> received packet: from 79.XXX.XXX.190[4500] to 80.XXX.XXX.52[4500] (548 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> parsed IKE_AUTH request 1 [ EF(3/3) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> received fragment #3 of 3, reassembled fragmented IKE message (2832 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <8> parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <8> received cert request for "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerVpnCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <8> received end entity cert "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, E=site2sitehoro@custdomain.de, CN=Customer_HORO"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <8> looking for peer configs matching 80.XXX.XXX.52[site2siteHQBN@custdomain.de]...79.XXX.XXX.190[site2sitehoro@custdomain.de]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8> selected peer config 'con2'
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8>   using certificate "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, E=site2sitehoro@custdomain.de, CN=Customer_HORO"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8>   using trusted intermediate ca certificate "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerVpnCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8> checking certificate status of "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, E=site2sitehoro@custdomain.de, CN=Customer_HORO"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8> certificate status is not available
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8>   using trusted ca certificate "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerRootCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8> checking certificate status of "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, OU=Customer XCA, CN=CustomerVpnCA, E=edv@custdomain.de"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8> certificate status is not available
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8>   reached self-signed root ca with a path length of 1
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> authentication of 'site2sitehoro@custdomain.de' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> peer supports MOBIKE
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> authentication of 'site2siteHQBN@custdomain.de' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|7> schedule delete of duplicate IKE_SA for peer 'site2sitehoro@custdomain.de' due to uniqueness policy and suspected reauthentication
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> IKE_SA con2[8] established between 80.XXX.XXX.52[site2siteHQBN@custdomain.de]...79.XXX.XXX.190[site2sitehoro@custdomain.de]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> scheduling reauthentication in 28070s
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> maximum IKE_SA lifetime 28610s
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> sending end entity cert "C=DE, ST=NRW, L=Bonn, O=Customer GmbH, E=site2siteHQBN@custdomain.de, CN=Customer_HQBN"
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[CFG] <con2|8> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|8> CHILD_SA con2{14} established with SPIs c4725931_i c15fe5c5_o and TS 0.0.0.0/0 === 0.0.0.0/0
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|8> generating IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|8> splitting IKE message (2720 bytes) into 3 fragments
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|8> generating IKE_AUTH response 1 [ EF(1/3) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|8> generating IKE_AUTH response 1 [ EF(2/3) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|8> generating IKE_AUTH response 1 [ EF(3/3) ]
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <con2|8> sending packet: from 80.XXX.XXX.52[4500] to 79.XXX.XXX.190[4500] (1236 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <con2|8> sending packet: from 80.XXX.XXX.52[4500] to 79.XXX.XXX.190[4500] (1236 bytes)
Jan 15 14:11:30 mainofficerouter.custdomain.de charon[31072]: 15[NET] <con2|8> sending packet: from 80.XXX.XXX.52[4500] to 79.XXX.XXX.190[4500] (420 bytes)
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|7> deleting IKE_SA con2[7] between 80.XXX.XXX.52[site2siteHQBN@custdomain.de]...79.XXX.XXX.190[site2sitehoro@custdomain.de]
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|7> sending DELETE for IKE_SA con2[7]
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|7> generating INFORMATIONAL request 0 [ D ]
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[NET] <con2|7> sending packet: from 80.XXX.XXX.52[4500] to 79.XXX.XXX.190[4500] (96 bytes)
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[NET] <con2|7> received packet: from 79.XXX.XXX.190[4500] to 80.XXX.XXX.52[4500] (96 bytes)
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[ENC] <con2|7> parsed INFORMATIONAL response 0 [ ]
Jan 15 14:11:40 mainofficerouter.custdomain.de charon[31072]: 15[IKE] <con2|7> IKE_SA deleted

For me it seems to be a successfully connect.

But in contrast to the IPsec interface to homeoffice 1 there is no tunnel line in ifconfig:

Code: [Select]

root@pmainofficerouter:~ # ifconfig ipsec1
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.XXX.XXX.52 --> 91.XXX.XXX.162
        inet6 fe80::42a6:b7ff:fe3c:f8cd%ipsec1 prefixlen 64 scopeid 0x14
        inet 100.64.21.1 --> 100.64.21.2 netmask 0xfffffffc
        groups: ipsec
        reqid: 1
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@pmainofficerouter:~ # ifconfig ipsec2
ipsec2: flags=8011<UP,POINTOPOINT,MULTICAST> metric 0 mtu 1400
        inet 100.64.22.1 --> 100.64.22.2 netmask 0xfffffffc
        inet6 fe80::42a6:b7ff:fe3c:f8cd%ipsec2 prefixlen 64 tentative scopeid 0x15
        groups: ipsec
        reqid: 2
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

mainofficerouter ipsec1 = homeoffice 1
mainofficerouter ipsec2 = homeoffice 2

The static routes via the IPsec tunnel a online on both routers

Code: [Select]

root@mainofficerouter:~ # date ; netstat -rn | grep ipsec
Sat Jan 15 14:28:45 CET 2022
10.0.1.0/24        100.64.21.2        UGS      ipsec1
10.0.2.0/24        100.64.21.2        UGS      ipsec1
10.0.5.0/24        100.64.21.2        UGS      ipsec1
10.1.12.0/24       100.64.22.2        UGS      ipsec2
10.1.21.0/24       100.64.21.2        UGS      ipsec1
10.1.21.253        100.64.21.2        UGHS     ipsec1
10.1.22.0/24       100.64.22.2        UGS      ipsec2
10.1.22.2          100.64.22.2        UGHS     ipsec2
10.1.62.0/24       100.64.22.2        UGS      ipsec2
100.64.21.2        ipsec1             UHS      ipsec1
100.64.22.2        ipsec2             UHS      ipsec2
fe80::%ipsec1/64                  link#20                       U        ipsec1
fe80::42a6:b7ff:fe3c:f8cd%ipsec1  link#20                       UHS         lo0
fe80::%ipsec2/64                  link#21                       U        ipsec2
fe80::42a6:b7ff:fe3c:f8cd%ipsec2  link#21                       UHS         lo0

Code: [Select]

root@homeoffice2router:~ # date ; netstat -rn | grep ipsec
Sat Jan 15 14:29:55 CET 2022
10.0.1.0/24        100.64.22.1        UGS      ipsec1
10.0.2.0/24        100.64.22.1        UGS      ipsec1
10.1.1.0/24        100.64.22.1        UGS      ipsec1
10.1.2.0/24        100.64.22.1        UGS      ipsec1
10.1.2.2           100.64.22.1        UGHS     ipsec1
10.1.4.0/24        100.64.22.1        UGS      ipsec1
100.64.22.1        ipsec1             UHS      ipsec1
fe80::%ipsec1/64                  link#18                       U        ipsec1
fe80::de58:bcff:fee0:38ca%ipsec1  link#18                       UHS         lo0

route on both opnsense shows the correct routings

Code: [Select]

root@homeoffice2router:~ # route -n show 10.1.1.18
   route to: 10.1.2.2
destination: 10.1.2.2
    gateway: 100.64.22.1
        fib: 0
  interface: ipsec1
      flags: <UP,GATEWAY,HOST,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1400         1         0

Code: [Select]

root@mainofficerouter:~ # route -n show 10.1.22.111
   route to: 10.1.22.111
destination: 10.1.22.0
       mask: 255.255.255.0
    gateway: 100.64.22.2
        fib: 0
  interface: ipsec2
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1400         1         0

Nevertheless, a traceroute from both sides ends on the respective opensense

Traceroute from homeoffice 2 pc to domain controller

Code: [Select]

C:\WINDOWS\system32>ipconfig

Windows-IP-Konfiguration


Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: intra.customdomain.de
   IPv6-Adresse. . . . . . . . . . . : XXXX.XX:XXXX:XXXX::2000
   IPv6-Adresse. . . . . . . . . . . : XXXX.XX:XXXX:XXXX:8821:11ff:6c2a:716
   Verbindungslokale IPv6-Adresse  . : fe80::8821:11ff:6c2a:716%7
   IPv4-Adresse  . . . . . . . . . . : 10.1.22.111
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : fe80::de58:bcff:fee0:38cb%7
                                       10.1.22.1

C:\WINDOWS\system32>tracert -d 10.1.2.2

Routenverfolgung zu 10.1.2.2 über maximal 30 Hops

  1     2 ms     1 ms     9 ms  10.1.22.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3  ^C
C:\WINDOWS\system32>

Traceroute from domain controller to homeoffice 2 pc

Code: [Select]

root@10.1.2.2:~# traceroute -n 10.1.22.111
traceroute to 10.1.22.111 (10.1.22.111), 30 hops max, 60 byte packets
 1  10.1.2.1  0.177 ms  0.161 ms  0.139 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  *^C

Which information do you need additionally?

Please give me a hint, where I can search for my error.

Virtual private networks / Re: [solved] No routing via ipsec S2S Tunnel

« on: January 14, 2022, 11:06:21 am »

Today there was no routing again.
After some restarts of all three devices the tunnels where up, but no routing.

I've doublecheck System/Routes/Status. The static routes I entered were not present.

My workaround: Edit one static route and save it without to change someting.

After that both ipsec routings where online again.

Virtual private networks / Re: No routing via ipsec S2S Tunnel

« on: January 12, 2022, 05:57:14 pm »

~~After about two weeks and very stable tunnels notice to myself: a reboot will not hurt~~

Virtual private networks / Re: No routing via ipsec S2S Tunnel

« on: December 30, 2021, 07:14:58 am »

Not good for debugging, but good for me.

This morning the ipsec connection to home office 1 was down. After I restartet ipsec vpn (in settings) the tunnel was online, but there was no routing. I saw the ping from home office 1 in the firewall log of the main office as passed to the lokal intranet of the main office. But there was no reply.

For my understanding the tunnel was online, but the main office gateway doesn't route.

After a restart of the OPNsense in main office both tunnels where working. I hope, this will be for a long time.

Where can I find additionial informations about routing problems in the OPNsense?
What can I restart to get routing back to work without restart the hardware?

Thanks
Ulf

Virtual private networks / Re: No routing via ipsec S2S Tunnel

« on: December 29, 2021, 08:04:24 pm »

Here more screenshots

Virtual private networks / [Solved] Second IPsec Site2Site Tunnel down

« on: December 29, 2021, 08:02:53 pm »

Hi at all,

I have a problem with a setup on three locations with with two ipsec S2S tunnels to the main office.

I've configured two routed IPSec Tunnels, like described here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html.

Homeoffice 1 Main Office Homeoffice 2
100.64.21.2/30 100.64.21.1/30
100.64.22.1/30 100.64.22.2/30

The tunnel to Homeoffice 1 works like a charm. The tunnel to Homeoffice2 is active, but routing isn't functionally.

In short:
- WAN-Rules in Firewall (IPSec, ISAKMP, ESP) are active on all three locations
- Gateways for both home office are created and configured as "far gateway"
- Routes for the remote networks of both home offices are created in the main office
- Routes for the networks of the main office are created in both home offices
- Firewall-Rules on ipsec interface in the main office are created
- Firewall-Rules on ipsec interface in the home offices are created

Traceroute main office to Homeoffice 1: works
Traceroute main office to Homeoffice 2: hangs on main office gateway

The route to home office 2 is in the active routing table of then main office gateway.

But the mainofficerouter says network is down:

Code: [Select]

root@mainofficerouter:~ # ping -t 3 100.64.22.2
PING 100.64.22.2 (100.64.22.2): 56 data bytes
ping: sendto: Network is down

I doublechecked all configurations twice, but I can't figure it out.

The box versions are

mainofficerouter: OPNsense 21.10.2 (amd64/OpenSSL)
homeoffice 1: OPNsense 21.7.7 (amd64/OpenSSL)
homeoffice 2: OPNsense 21.10.2 (amd64/OpenSSL)

My ipsec.conf (completely generated)

Code: [Select]

root@mainofficerouter:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel





  left = 80.153.119.52
  right = custwar02.edvnet.biz
  rightallowany = yes
  leftid = userfqdn:site2siteHQBN@cust-bonn.de
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "/C=DE/ST=NRW/L=Bonn/O=cust XXXXXX GmbH/OU=cust XCA/CN=custVpnCA/emailAddress=edv@cust-bonn.de/"
  rightid = userfqdn:site2sitehowa@cust-bonn.de
  reqid = 1
  rightsubnet = 0.0.0.0/0
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha512-modp2048!
  auto = add

conn con2
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel





  left = 80.153.119.52
  right = custror02.edvnet.biz
  rightallowany = yes
  leftid = userfqdn:site2siteHQBN@cust-bonn.de
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-2.crt
  leftsendcert = always
  rightca = "/C=DE/ST=NRW/L=Bonn/O=cust XXXXXX GmbH/OU=cust XCA/CN=custVpnCA/emailAddress=edv@cust-bonn.de/"
  rightid = userfqdn:site2sitehoro@cust-bonn.de
  reqid = 2
  rightsubnet = 0.0.0.0/0
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha512-modp2048!
  auto = add

include ipsec.opnsense.d/*.conf

Where is my error?

Pages: 1 [2] 3 4