IPSec RoadWarrior iPhone no traffic passed.

Started by zombielinux, October 26, 2021, 08:29:14 PM

October 26, 2021, 08:29:14 PM Last Edit: October 26, 2021, 08:39:26 PM by zombielinux
I have followed the RoadWarrior setup here: https://docs.opnsense.org/manual/how-tos/ipsec-road.html

I am able to connect my iPhone (iOS15) to the opnsense VPN gateway, and am given a valid address.

I am not able to reach the internet, the local LAN(s), or the opnsense vpn gateway itself.

Opnsense is not my DNS nor DHCP server, those are handled by a pihole VM elsewhere on the network.

The log file has messages like "querying policy 0.0.0.0/0 === 10.0.0.1/32 out failed, not found" in it, since I replaced the "LAN subnet" described in the documentation with "0.0.0.0/0" as described in a few posts I've seen.

Is there anything else that could be preventing traffic from passing?

I followed the same guide and my iPhone is working, so you would need to actually provide further info at this point for us to see where you went wrong.

I guess that's the next question.

I just ripped out the whole configuration and tried it again with the same results.

I have multiple "LAN"s each attached to a specific VLAN.

I've also got an emergency LAN that I access through a spare NIC on the OPNsense box.

I've tried mapping each of the "LAN Subnet"s to that option, with no change.

In the IPSec rules section of the firewall, I've replicated the rule described in the guide to each individual interface.

Part of the problem is knowing exactly where to start looking. It seems most people just follow the guide and are off to the races.

Here is my IPSEC authentication log. I think that querying policy might be part of my issue.

2021-10-27T09:14:50 charon[87122] 15[IKE] <con1|3> sending keep alive to $IPHONE_WAN[56385]
2021-10-27T09:14:50 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found  
2021-10-27T09:14:30 charon[87122] 15[IKE] <con1|3> sending keep alive to $IPHONE_WAN[56385]
2021-10-27T09:14:30 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found
2021-10-27T09:14:28 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found
2021-10-27T09:14:11 charon[87122] 14[IKE] <con1|3> CHILD_SA con1{1} established with SPIs ccde62c4_i 0cd97ad8_o and TS 172.19.204.0/24 === 10.10.0.1/32
2021-10-27T09:14:11 charon[87122] 14[ENC] <con1|3> parsed QUICK_MODE request 1242775051 [ HASH ]
2021-10-27T09:14:11 charon[87122] 14[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (60 bytes)
2021-10-27T09:14:11 charon[87122] 14[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (172 bytes)
2021-10-27T09:14:11 charon[87122] 14[ENC] <con1|3> generating QUICK_MODE response 1242775051 [ HASH SA No ID ID ]
2021-10-27T09:14:11 charon[87122] 14[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
2021-10-27T09:14:11 charon[87122] 14[ENC] <con1|3> parsed QUICK_MODE request 1242775051 [ HASH SA No ID ID ]
2021-10-27T09:14:11 charon[87122] 14[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (380 bytes)
2021-10-27T09:14:10 charon[87122] 14[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (188 bytes)
2021-10-27T09:14:10 charon[87122] 14[ENC] <con1|3> generating TRANSACTION response 3591551841 [ HASH CPRP(ADDR SUBNET U_SPLITINC DNS DNS U_DEFDOM U_SPLITDNS DOMAIN) ]
2021-10-27T09:14:10 charon[87122] 14[IKE] <con1|3> assigning virtual IP 10.10.0.1 to peer '$USER'
2021-10-27T09:14:10 charon[87122] 14[CFG] <con1|3> assigning new lease to '$USER'
2021-10-27T09:14:10 charon[87122] 14[IKE] <con1|3> peer requested virtual IP %any
2021-10-27T09:14:10 charon[87122] 14[ENC] <con1|3> parsed TRANSACTION request 3591551841 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
2021-10-27T09:14:10 charon[87122] 14[ENC] <con1|3> unknown attribute type (28683)
2021-10-27T09:14:10 charon[87122] 14[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (140 bytes)
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> maximum IKE_SA lifetime 28498s
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> scheduling reauthentication in 27958s
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> IKE_SA con1[3] established between $OPNSENSE_WAN[$OPNSENSE_FQDN]...$IPHONE_WAN[0.0.0.0]
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> parsed TRANSACTION response 1233271016 [ HASH CPA(X_STATUS) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (76 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (76 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> generating TRANSACTION request 1233271016 [ HASH CPS(X_STATUS) ]
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> XAuth authentication of '$USER' successful
2021-10-27T09:14:09 charon[87122] 15[IKE] <con1|3> PAM authentication of '$USER' successful
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> parsed TRANSACTION response 3033065133 [ HASH CPRP(X_USER X_PWD) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (92 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (76 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> generating TRANSACTION request 3033065133 [ HASH CPRQ(X_USER X_PWD) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <con1|3> sending packet: from $OPNSENSE_WAN[4500] to $IPHONE_WAN[56385] (92 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <con1|3> generating ID_PROT response 0 [ ID HASH ]
2021-10-27T09:14:09 charon[87122] 15[CFG] <3> selected peer config "con1"
2021-10-27T09:14:09 charon[87122] 15[CFG] <3> looking for XAuthInitPSK peer configs matching $OPNSENSE_WAN...$IPHONE_WAN[0.0.0.0]
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2021-10-27T09:14:09 charon[87122] 15[NET] <3> received packet: from $IPHONE_WAN[56385] to $OPNSENSE_WAN[4500] (108 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <3> sending packet: from $OPNSENSE_WAN[500] to $IPHONE_WAN[57425] (244 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> remote host is behind NAT
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> local host is behind NAT, sending keep alives
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-10-27T09:14:09 charon[87122] 15[NET] <3> received packet: from $IPHONE_WAN[57425] to $OPNSENSE_WAN[500] (228 bytes)
2021-10-27T09:14:09 charon[87122] 15[NET] <3> sending packet: from $OPNSENSE_WAN[500] to $IPHONE_WAN[57425] (180 bytes)
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> generating ID_PROT response 0 [ SA V V V V V ]
2021-10-27T09:14:09 charon[87122] 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> $IPHONE_WAN is initiating a Main Mode IKE_SA
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received DPD vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received FRAGMENTATION vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received Cisco Unity vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received XAuth vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
2021-10-27T09:14:09 charon[87122] 15[IKE] <3> received NAT-T (RFC 3947) vendor ID
2021-10-27T09:14:09 charon[87122] 15[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2021-10-27T09:14:09 charon[87122] 15[NET] <3> received packet: from $IPHONE_WAN[57425] to $OPNSENSE_WAN[500] (848 bytes)
2021-10-27T09:14:07 charon[87122] 02[CFG] added configuration 'con1'
2021-10-27T09:14:07 charon[87122] 02[CFG] adding virtual IP address pool 10.10.0.0/24
2021-10-27T09:14:07 charon[87122] 02[CFG] received stroke: add connection 'con1'

Yep! That was the issue. The documentation needs to include checking "Install Policy" on the Phase 1.

In addition, adding 0.0.0.0/0 to pass ALL traffic over the VPN causes the end client to fail to connect. Adding a different subnet (e.g. 172.19.0.0/16) will allow all access to those hosts.

Further, for the "ipsec" rule table, bidirectional pass rules will be needed for each interface.
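The symptom in the log post above is easy to miss among the keep-alive noise: the CHILD_SA is negotiated with a traffic selector (TS), but every later "querying policy ... failed, not found" line for that same selector means charon cannot find the matching policy in the kernel SPD, which is exactly what an unchecked "Install Policy" on the Phase 1 produces. The script below is an added example, not part of the thread or of OPNsense, that correlates those two message types so the condition stands out. The log lines embedded in it are constructed to mirror the posted output (203.0.113.10 is a placeholder peer address, and connection "con2" is an invented healthy peer for contrast). It collects established CHILD_SAs in a first pass and counts policy-lookup failures in a second, so it works whether the export is oldest-first or newest-first as the OPNsense GUI shows it.

```python
import re
from collections import defaultdict

# Constructed sample of strongSwan charon output modelled on the thread's log.
# con1 negotiates a CHILD_SA and then fails every kernel policy lookup;
# con2 (invented for contrast) negotiates and never reports a failure.
SAMPLE_LOG = """\
2021-10-27T09:14:30 charon[87122] 15[IKE] <con1|3> sending keep alive to 203.0.113.10[56385]
2021-10-27T09:14:30 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found
2021-10-27T09:14:28 charon[87122] 15[KNL] <con1|3> querying policy 172.19.204.0/24 === 10.10.0.1/32 out failed, not found
2021-10-27T09:14:11 charon[87122] 14[IKE] <con1|3> CHILD_SA con1{1} established with SPIs ccde62c4_i 0cd97ad8_o and TS 172.19.204.0/24 === 10.10.0.1/32
2021-10-27T09:10:02 charon[87122] 07[IKE] <con2|4> CHILD_SA con2{2} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 172.19.204.0/24 === 10.10.0.2/32
"""

# "<conn|ikesa> CHILD_SA name{n} established with SPIs x_i y_o and TS local === remote"
CHILD_SA_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> CHILD_SA \S+ established with SPIs \S+ \S+ "
    r"and TS (?P<ts>\S+ === \S+)"
)
# "<conn|ikesa> querying policy local === remote out failed, not found"
POLICY_FAIL_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> querying policy (?P<ts>\S+ === \S+) "
    r"(?P<direction>in|out|fwd) failed, not found"
)


def find_missing_policies(log_text):
    """Return {(conn, ts): failure_count} for every CHILD_SA that was
    negotiated but whose kernel policy lookups later failed."""
    established = set()
    # Pass 1: which (connection, traffic selector) pairs reached CHILD_SA?
    for line in log_text.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            established.add((m["conn"], m["ts"]))
    # Pass 2: count policy-lookup failures only for selectors we know were negotiated.
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = POLICY_FAIL_RE.search(line)
        if m and (m["conn"], m["ts"]) in established:
            failures[(m["conn"], m["ts"])] += 1
    return dict(failures)


def diagnose(log_text):
    """Human-readable findings, one string per affected CHILD_SA."""
    findings = []
    for (conn, ts), count in sorted(find_missing_policies(log_text).items()):
        findings.append(
            f"{conn}: CHILD_SA negotiated for TS {ts} but {count} kernel policy "
            f"lookup(s) returned 'not found'; policies were never installed in the SPD "
            f"(on OPNsense check 'Install Policy' on the Phase 1 entry)."
        )
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG) or ["no missing-policy symptoms found"]:
        print(f)
```

To run it against a real box, paste the IPsec log export into SAMPLE_LOG or read a file into `diagnose()`; the `$IPHONE_WAN`-style placeholders from the post are fine because the regexes only key on the connection name and the traffic selector. On FreeBSD-based OPNsense, `setkey -DP` dumps the kernel SPD, so an empty dump while a CHILD_SA shows as established is the same finding seen from the kernel side.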