Messages - netnut

181
Virtual private networks / Re: IPSec Connection Between Two OPNsense Firewalls
« on: December 10, 2023, 12:59:11 am »
Quote from: spetrillo on December 10, 2023, 12:46:22 am
2023-12-09T18:42:11-05:00   Informational   charon   15[IKE] <con2|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

This message is just informational; I believe FreeBSD doesn't support TFC padding (not sure), but it's harmless.
Your subnet configuration probably mismatches.

Could you post your IPsec config from both boxes? (Please remove pre-shared keys, etc. and/or obfuscate your IP addresses.)
Code:
cat /usr/local/etc/swanctl/swanctl.conf

182
General Discussion / Re: I Set Up A VLAN But Can't Ping Systems On It
« on: December 10, 2023, 12:11:51 am »
Quote from: isaacthekind on December 09, 2023, 10:56:37 pm
I can ping the access point from OPNsense, but not from CORE.

With your access point connected to igb_2 on OPNsense, the IP address of that interface is the gateway for your access point. Did you configure this IP address as the gateway in your access point? Depending on the type/version/AP of OpenWRT it's something like this:

Code:
config interface '?'
        ...
        option gateway '1.2.3.4' # <--- OPNsense interface IP of igb_2
        ...

Remember that the default logic of a starting config with OpenWRT is to have a LAN/WAN with NAT enabled. But it depends on the AP type, amount of ports, switch yes/no etc. So it's possible that if you use this default config you're trying to ping the OpenWRT WAN interface, which has a firewall enabled. To double check if your topology is right, connect another device to igb_2 and configure it just like your AP and see if ping works. If it does, your topology is right but you need to give OpenWRT some attention.

You'd probably like to read the "Dumb Access Point" guide at OpenWRT; this should be the OpenWRT way of doing the things you want. When you connect the AP to your switch, you're able (you don't need to if you don't want) to bridge your existing VLANs behind one or more SSIDs.

It might help if you also add the network addresses in your diagram below the names; this helps to understand what you built. Something like "CORE : 10.1.0.0/24", "DEVICES : 10.2.0.0/24", etc.



183
General Discussion / Re: Subnet Usage, Configuration
« on: December 09, 2023, 06:56:32 pm »
Quote from: Sanctus_srk on December 09, 2023, 01:48:12 pm
Any guesses what is wrong?

Without understanding the "Hetzner" way of doing things, from a network point of view:

You specify 1.1.1.2/29, which is in the 1.1.1.0 - 1.1.1.7 network. Without some routes/gateway I can't see how you reach a host or gateway at 1.2.3.4.

You might want to share a network diagram of what you're trying to achieve.

184
Virtual private networks / Re: How do I route all traffic to external VPN?
« on: December 09, 2023, 01:15:46 am »
Quote from: netnut on November 17, 2023, 09:02:41 pm
Where can we find your lean-and-mean, just enough, easy configuration How-To, really like to read it.

Hey, that's my quote...
Could you please quote the full context / the post I responded to? Condescending rhetoric was the last thing I was thinking of when reading the original message:

Quote from: frozen on November 17, 2023, 05:21:42 pm
There's very little support or documentation for any of us messing with external VPNs. I've been posting here looking for help for days now and rarely does anybody contribute.

OPNsense software is way overcomplicating things, as you've seen by simply trying to follow that selective routing guide; it should've been possible in less than half the steps. And once the guide is done and followed to the T, they leave you completely dry with how to make use of it afterwards!

185
Virtual private networks / Re: Trying to use Azure Global Secure Access
« on: December 08, 2023, 11:14:28 pm »
Quote from: derresh on December 08, 2023, 01:46:48 pm
I did it for testing with null/sha256 and that then works correctly, but then setting it to no encryption is a sound idea.

It is ;-)

But regarding your initial question: you're trying to use AESGCM, that's an AEAD cipher which has integrity built in, so there's nothing to select (that's IPsec, not OPNsense). You could/should only select a PRF; quote from the previous link:
Quote
AEAD (Authenticated Encryption with Associated Data) algorithms can’t be combined with classic encryption ciphers in the same proposal. No separate integrity algorithm must be proposed and therefore Pseudo-Random Functions (PRFs) have to be included explicitly in such proposals.

For reference, we use the following two P1/P2 combos with AESGCM (at one site OPNsense):

Confidential:
Code:
P1: aes128gcm16-sha384-x25519
P2: aes128gcm16-x25519

Secret:
Code:
P1: aes256gcm16-sha512-x448
P2: aes256gcm16-x448

PS:

Did a quick read of your linked doc. If I read it correctly your problem isn't AESGCM; looks like there are people in Redmond that smoked some "weird" stuff: they do AESGCM with DHGroup24 (modp2048s256) by default.
I can't see any OpenSSL support for this DH group (see previous link). If it did, Strongswan recommends disabling this group (and others):

Quote
The following cryptographic algorithms are weak and prone to attacks and therefore must not be used.
https://docs.strongswan.org/docs/5.9/howtos/securityRecommendations.html

EDIT:

So you might want to submit a feature request and ask for modern DH groups based on EC (NIST / Brainpool / Curve25519+448), or use "Combination 5" from your link with AES256-SHA256-DHGROUP2, but that's even more weird.

Looks like they support EC DH groups with some custom configuration (non-default). I don't know how you configure this stuff at the Microsoft side, but from OPNsense you could try the following two combos for P1 & P2. Added the enums for reference, but I also don't have a clue what these refer to ;-).

Option 1
Code:
P1: aes128gcm16-sha256-ecp256 [Enum 3/1/2]
P2: aes128gcm16-ecp256 [Enum 0/0/4]

Option 2
Code:
P1: aes256gcm16-sha384-ecp384 [Enum 4/1/3]
P2: aes256gcm16-ecp384 [Enum 2/2/5]

Would really like to hear your results; interesting use case which could become widely used once it's out of tech preview.
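The AEAD proposal rule quoted in this post (AEAD and classic ciphers never in one proposal, no separate integrity algorithm, PRF explicit in the IKE proposal), worked through as an added example; this is not code from the original post nor from strongSwan or OPNsense. The keyword tables are an assumption covering common strongSwan algorithm names, and the "weak" list is a general assumption for illustration; the checker is run over the P1/P2 combos given above plus two deliberately wrong ones.

```python
"""Check IKE (P1) / ESP (P2) proposal strings against the AEAD rule.

Added example, not code from the original post or from strongSwan/OPNsense.
Keyword tables below are an assumption covering common strongSwan names.
"""
import re

# AEAD ciphers carry their own integrity; classic ciphers do not.
AEAD_ENCR = re.compile(r"^(aes(128|192|256)(gcm|ccm)(8|12|16)|chacha20poly1305)$")
CLASSIC_ENCR = re.compile(r"^(aes(128|192|256)|camellia(128|192|256)|3des)$")
# In an AEAD IKE proposal a hash keyword such as sha256 only selects the PRF.
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc", "aescmac"}
PRF = {"prfmd5", "prfsha1", "prfsha256", "prfsha384", "prfsha512", "prfaesxcbc"}
DH = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|x25519|x448|curve25519|curve448)$")
# Assumed list of algorithms that are generally considered weak today.
WEAK = {"md5", "sha1", "3des", "modp768", "modp1024", "modp1536"}


def check_proposal(proposal: str, phase: str) -> list:
    """Return a list of problems; an empty list means the proposal is fine.

    phase is "ike" for Phase 1 or "esp" for Phase 2.
    """
    tokens = proposal.lower().split("-")
    aead = [t for t in tokens if AEAD_ENCR.match(t)]
    classic = [t for t in tokens if CLASSIC_ENCR.match(t)]
    integ = [t for t in tokens if t in INTEG]
    prf = [t for t in tokens if t in PRF]
    dh = [t for t in tokens if DH.match(t)]
    known = set(aead + classic + integ + prf + dh)
    problems = ["unknown token '%s'" % t for t in tokens if t not in known]
    if not aead and not classic:
        problems.append("no encryption algorithm")
    if aead and classic:
        problems.append("AEAD and classic ciphers mixed in one proposal")
    if phase == "ike":
        if not dh:
            problems.append("IKE proposal needs a DH group")
        if aead and not (integ or prf):
            problems.append("AEAD IKE proposal needs an explicit PRF")
        if classic and not integ:
            problems.append("classic IKE proposal needs an integrity algorithm")
    elif phase == "esp":
        if aead and (integ or prf):
            problems.append("AEAD ESP proposal must not carry a separate integrity")
        if classic and not integ:
            problems.append("classic ESP proposal needs an integrity algorithm")
    else:
        problems.append("phase must be 'ike' or 'esp'")
    problems += ["weak algorithm '%s'" % t for t in tokens if t in WEAK]
    return problems


if __name__ == "__main__":
    # The combos from the post: all four pass, the two deliberate errors do not.
    for p, ph in [("aes128gcm16-sha384-x25519", "ike"), ("aes128gcm16-x25519", "esp"),
                  ("aes256gcm16-sha512-x448", "ike"), ("aes256gcm16-x448", "esp"),
                  ("aes128gcm16-x25519", "ike"), ("aes128gcm16-sha256-x25519", "esp")]:
        print(ph, p, check_proposal(p, ph) or "ok")
```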





186
General Discussion / Re: I Set Up A VLAN But Can't Ping Systems On It
« on: December 08, 2023, 06:13:20 pm »
Quote
"So only configure your CORE and DEVICES VLAN (with OPT1 or OPT2 as parent) and CONFIGURE those two VLAN interfaces with a gateway address at your OPNsense box, I guess you want 10.0.2.254/24 for CORE and 10.0.3.254/24 for DEVICES."

Hmmm, might have rephrased that one ;-). What I meant to say is that your OPNsense VLAN interfaces are gateways for the specific VLAN they're connected to, but...

Quote
Ok, I managed to get it to work.

You did it  8)

Quote
I'll now take a look at the redundant LACP LAG port stuff that netnut mentioned.

Remember that you can have a LACP LAGG with a single port, so use your free OPT2 for that. If you manage to get it to work, you can migrate your existing VLANs to this trunk and add the other interface (your now free OPT1) to it to make it redundant.

187
General Discussion / Re: I Set Up A VLAN But Can't Ping Systems On It
« on: December 07, 2023, 08:13:52 pm »
First, your DHCP config is perfect, nothing to change there... I guess you still have VLAN issues, which is understandable (you'll learn along the way). I suggested the following:

Quote
i got a new device to run the firewall on (Protectli Vault FW4B)

Nice, excellent device to learn and play with. Because you have a LAN and two OPT ports I suggest you take a slightly different approach than I suggested first. You can get this working with a single LAN interface (as you tried), but the following is a more fail-safe setup and gives you all the opportunities to play with VLANs without locking yourself out.

Configure your device as usual with a regular WAN and LAN interface; this LAN interface will be your "management" network. Now do all your VLAN magic at OPT1 or OPT2 (if you're really on fire you can later configure a redundant LACP LAG port to your Cisco, but don't get too excited yet, first things first...)

So do what you already did (assuming igb0 is WAN, igb1 is LAN, igb2 is OPT1 and igb3 is OPT2), but instead of using the LAN interface (igb1) use your OPT1 or OPT2 to connect your Cisco.
DON'T CONFIGURE OPT1 or OPT2 with IP address information, just assign the VLAN interfaces to it. You can now always use your LAN port to connect to OPNsense and go berserk on the config of OPT1/OPT2; if you make a mistake you always have your LAN interface to troubleshoot.

So only configure your CORE and DEVICES VLAN (with OPT1 or OPT2 as parent) and CONFIGURE those two VLAN interfaces with a gateway address at your OPNsense box, I guess you want 10.0.2.254/24 for CORE and 10.0.3.254/24 for DEVICES.

If you're finished and still have problems, dump the config of your Cisco switch (please edit out any secrets, passwords etc., no need to share these).





188
Virtual private networks / Re: Trying to use Azure Global Secure Access
« on: December 07, 2023, 07:40:40 pm »
Try this in Phase 2:

Code:
aes128gcm16
or
Code:
aes256gcm16
See also:
https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html

189
General Discussion / Re: Help With Static Route for Unraid/WG
« on: December 06, 2023, 01:37:21 am »
Quote
https://docs.opnsense.org/manual/routes.html

A static route can be made in the GUI at SYSTEM: ROUTES: CONFIGURATION.  Click the + "plus" sign and create your route, based on your original question:

Network Address: 10.253.0.0/24
Gateway: 192.168.2.193 (From the dropdown list, assuming this is a Gateway Interface available for OPNsense)

There's your static route...

If somehow you didn't create or configure a gateway yet: SYSTEM: GATEWAYS: SINGLE. Configure a Name, Description, Interface and IP address (192.168.2.193) and repeat the step above.


 

190
General Discussion / Re: Help With Static Route for Unraid/WG
« on: December 05, 2023, 11:06:30 pm »
Quote from: Selfhoster on December 05, 2023, 10:55:54 pm
I have looked at the forum but I can't really find an answer for what I need. Can anyone tell me what I need to do to get this fixed?

Always start at the documentation, not the forum... ;-)

https://docs.opnsense.org/manual/routes.html

191
General Discussion / Re: I Set Up A VLAN But Can't Ping Systems On It
« on: December 05, 2023, 08:59:16 pm »
Quote from: isaacthekind on December 05, 2023, 02:16:29 am
Ok, welp I failed that pretty badly. Just managed to lock myself out of my GUI and TUI for a long time and spent way too long trying to enter the long password.

Step by Step, don't try to do everything at once....

First build your topology, check, check, double check; next are things like DHCP, DNS, etc. So configure your VLANs at OPNsense, configure your switch uplink port (trunk, all VLANs) and the other ports as "access" with the desired VLAN, and assign IP configuration to the OPNsense interfaces and the hosts connected to the switch.

WAN --- [OPNSENSE] --- BCE1 (VLAN TRUNK)
                                       |
                                       |
                                       |
            VLAN 2 (CORE) / VLAN 3 (DEVICES) / VLAN X (X)
                                       |
                                       |
                                       |
                                [SWITCH]
                 Uplink --->      |--- Port 1 (VLAN 2+3+X TRUNK)
                                       |
                                       |--- Port 2 (VLAN 2 ACCESS)
                                       |
                                       |--- Port 3 (VLAN 3 ACCESS)
                                       |
                                       |--- Port 4 (VLAN X ACCESS)

If you accomplished this step open up your firewall with an allow any any (you're still building your network, fine tuning is done when the fundamentals are right).

Create a firewall rule at both/all VLAN interfaces, like:

Action: Pass
Interface: VLAN?
Direction: In
TCP/IP Version: IP4+IP6
Protocol: any
Source: any
Destination: any

Now connect hosts to your switch access ports one in VLAN 2 and one in VLAN 3, you don't care about DHCP yet, so configure a static IP in the subnet of your choice as configured at OPNsense. Try to ping or whatever between these hosts, if that doesn't work you did something wrong, time to troubleshoot.

If this all works you can enable DHCP. There isn't much to configure, DHCP is made dead simple in OPNsense, just assign a pool to the corresponding VLAN interfaces and you're done. Again, step by step....

Oh, and don't use VLAN 1 (default VLAN) in a VLAN design; leave it as is and use something between 2 and 4095. VLAN 1 will work and has nothing to do with your "challenge", but at this stage it's a perfect time to ditch VLAN 1 from your topology.
Also stay away from "native VLAN IDs" on trunk ports (unless you absolutely know what you're doing), so just use tagged VLANs on trunk ports and a single VLAN with an access port.

192
General Discussion / Re: I Set Up A VLAN But Can't Ping Systems On It
« on: December 04, 2023, 09:54:03 pm »
Quote
I currently have 3 interfaces: LAN, WAN, and DEVICES.
DEVICES is a VLAN assigned to LAN. Both have DHCP enabled, and their subnets are:

Don't mix LAN (raw) and DEVICES (VLAN) on a single interface. Use the current LAN physical interface as VLAN parent (trunk), and configure two VLANs (LAN and DEVICES).
Be aware that changing your LAN interface might disconnect you from CLI/GUI, so be sure you prepare your change smartly. Configure your downstream switch with both VLAN IDs (tagged).

Or start clean, during the setup of OPNsense you've been asked to create VLAN interfaces, do that at this point (create LAN & DEVICES VLAN) and finish setup as usual.

Quote
I can't ping systems on DEVICES from LAN even after adding rules on DEVICES to allow any protocol from LAN net to DEVICES net, and I actually can't even ping systems on devices from OPNsense itself.

If you want a packet going out of a network segment (LAN) to another network segment (DEVICES), you should configure your rule at the LAN interface. From a firewall point of view a packet is coming INto the LAN firewall interface from LAN network, the rest is covered by stateful filtering ;-).


193
23.7 Legacy Series / Re: Assistance Needed: Routing Issue with OPNsense Firewall and Cisco Layer 3 Switch
« on: December 04, 2023, 09:28:37 pm »
Quote
The Cisco team has mentioned that OPNsense needs to be configured to route these subnets internally.

What topology are they proposing? Without a decent network diagram and with a lack of information (gateways? DHCP? routing protocols?) it's a shot in the dark, but this should work anyway:

- Clean your current WAN config, just the raw interface with _nothing_ configured, this will be your parent interface for both VLANs
- Create two VLANs (130+131) in "INTERFACES: OTHER TYPES: VLAN" with your WAN interface as parent.
- You now have two (WAN) interfaces, WAN1 (VLAN130) and WAN2 (VLAN131).
- Configure both WAN interfaces with the matching subnets, like:

WAN1: 192.168.1.1/29    Gateway (Cisco): 192.168.1.6/29 ?!?!

WAN2: 192.168.1.9/29    Gateway (Cisco): 192.168.1.14/29 ?!?!


If they only provide a single gateway interface at the Cisco side, you probably can use a single WAN interface at OPNsense, but both sides (Cisco & OPNsense) need some static route magic or BGP.

Provide some details and/or ask the Cisco guys how they would configure the gateway/router (i.e. OPNsense) if it was a generic/Cisco device. Everything they can think of can be accomplished with OPNsense.....




194
Development and Code Review / Re: How to sign changelog.txz and generate signature file changelog.txz.sig
« on: November 24, 2023, 06:26:22 pm »
Code:
gpg --output changelog.txz.sig --sign changelog.txz

195
Virtual private networks / IPSec swanctl - Certificate Management Feature
« on: November 24, 2023, 05:28:42 pm »
After a short learning curve (and some ignorance on my side) I finished the conversion of my tunnels to the new swanctl connection style config. Have to say the new GUI is a great improvement, starting to really like it!

However... I guess an important certificate management feature is missing (or I'm overlooking something):

In a scenario with two IPsec peers and full X509 Certificate Authentication I can't configure a single raw certificate for the remote peer in OPNsense. The local part of the connection on the OPNsense box is using a key & certificate from the "System : Trust" store, so that's covered. But for the remote part I only can use certificates from this "System : Trust" or the "Key Pairs" section in "VPN : IPsec : Key Pairs". This gives me two challenges:

A) The "System : Trust" store only allows certificate uploads WITH a private key. For my remote IPsec peer connection I don't need this private key (only on the remote peer itself), so I certainly don't want to distribute this key to the OPNsense box (local peer). If I want to connect to third parties I don't have access to this key anyway, so that's a no-go too.

B) The "VPN : IPsec : Key Pairs" GUI allows me to import a key pair without a private part (only a public key, so no 'pair'). Although the GUI allows this, the actual IPsec connection will not be loaded (no messages in the GUI), which can be seen in the CLI with 'swanctl -c'. Strongswan wants a complete key pair (so public & private part) and fails because I only submitted the public part in the GUI.
This of course would be a workaround, because key pairs aren't certificates, and even if I uploaded a complete and functional key pair for the remote peer I'm missing the built-in Strongswan CA chain and CRL & OCSP checks which I get with real X509 certificates.
And again I'm sharing private key info on a remote system where it isn't needed.

Current Workaround:

Copy the remote peer certificate manually to "/usr/local/etc/swanctl/x509" and leave the "Remote Authentication" fields "Certificates" and "Public Keys" in "VPN : IPsec : Connections" section empty, due to Strongswan's autoloading magic the manually uploaded cert will match the "Id" DN field of my remote peer.

Missing:

A way to upload single X509 certificates for remote peers without the private key part. If the "System : Trust" store would allow certificates without private keys, things would work automagically because this store is already connected to the IPsec configuration. An alternative would be a menu like the existing "VPN : IPsec : Key Pairs" where I can upload peer certificates, like "VPN : IPsec : Certificates", or a combined menu where one could upload key pairs and/or certificates.

Again, I might be missing an existing way to upload single X509 certificates to OPNsense which can be used by Strongswan, in that case I stand corrected...

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved