IPsec windows client

Started by loganx1121, October 14, 2019, 01:14:10 PM

So I used this guide https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html

I did the certificate stuff on the firewall. I exported the CA and installed it on the client machine. When I try to connect on the Windows client, the VPN logs show my public IP "not confirmed by certificate, defaulting to <the cert I made>", and the client just says "Connecting" forever and doesn't go anywhere.

I've also posted on the reddit forum with more screenshots if that helps here:

https://www.reddit.com/r/OPNsenseFirewall/comments/dhjwwz/need_some_ipsec_help_pretty_please/

Just tinkering around some more. If I modify the client connection to "Use machine certificates" for authentication, I can see the traffic come in on the firewall live logs and I can see it's allowed, but it seems to be hitting the rule I set up for the incoming connections/port forward for the chat server.

I moved this rule to the bottom and now I can't see any of the connection attempts in the logs, whether I have it set for machine cert or MSCHAPv2.

So as far as I can tell, the traffic isn't even getting to the firewall. I have no idea why. The DDNS I'm using for the IPsec connection is the same one I am using for the port forward and configuration for my XMPP server, which is up and working. If I "inspect" the firewall rules I was told to add via the guide, and the firewall rule for the IPsec, I see several "evaluations" but no packets, bytes, or states. But here is something interesting...

- If I leave the client configuration on the Windows 10 machine the way the guide tells me, and I initiate the connection, it just says "Connecting" and never does anything.

- If I switch it to "Use machine certificates", then it says Connecting, it displays the DDNS name, and then fails with the error "IKE failed to find valid machine certificate".

- If I modify it to say "Use my Windows logon credentials", it says Connecting, it displays the DDNS name, but it just hangs after that.

Regardless of which option I choose above, the states, packets and bytes on the rules remain at 0.