Help Needed Please: IPsec VPN RoadWarrior config--now with a VPN Log

[ooker]

Hi Folks,
I'm using OPNsense 18.1.r_15-amd64. and I'm trying to get IPsec Road Warrior VPN configured.

I'm following the steps here:
https://docs.opnsense.org/manual/how-tos/ipsec-road.html
 
And on Step 4 (Add IPsec Users) it says:
"Add privilege User - VPN - IPsec xauth Dialin by pressing the + under Effective Privileges."

I don't see a "+" under Effective Privileges.  Under Effective Privileges the only button is an edit button (pencil)--If I press this, then I get a list of GUI components, and none of them say "IPsec xauth Dialin".  In fact none of the options have xauth in the title.  I have these selected:

• GUI VPN: IPsec and
• GUI VPN: IPsec: Mobile

Am I doing something wrong, or have the options changed since the documentation was created?

When I configure the native client in OS X, I get this error when I try to connect:  "The VPN server did not respond. Verify the server address and try reconnecting."

Would someone please point me to some updated docs or steps to try to diagnose this issue?

Also, just checking, should the IPsec VPN be working with OPNsense 18.1.r_15
I've applied the patch: opnsense-patch 0ec330d7
per this thread: https://forum.opnsense.org/index.php?topic=6843.0

I would greatly appreciate any tips or pointers.

Thanks!

[Dobbin]

Hi Ooker,

I'm having similar issues following the same steps but I'm on 17.7.11.

For the first issue, for me the search feature at the top of the System Privileges screen returns the correct priv if you search on Xauth. If it doesn't show up I can only assume there is something different in 18.1.

Regarding OSX connectivity issue, this is the issue I have. You need to check the "VPN -> IPSec -> Log file" and see what it is reporting as an issue. For me it appears that I can connect, but the connection is immediately dropped.

Code: [Select]

Jan 16 20:41:34 charon: 12[CFG] lease ZZ.ZZ.ZZZ.1 by 'YYYYY' went offline
Jan 16 20:41:34 charon: 12[IKE] deleting IKE_SA con1[38] between XXX.XXX.XXX.254[XXX.XXX.XXX.254]...XXX.XXX.XXX.36[XXX.XXX.XXX.36]
Jan 16 20:41:34 charon: 12[IKE] deleting IKE_SA con1[38] between XXX.XXX.XXX.254[XXX.XXX.XXX.254]...XXX.XXX.XXX.36[XXX.XXX.XXX.36]
Jan 16 20:41:34 charon: 12[IKE] received DELETE for IKE_SA con1[38]
Jan 16 20:41:34 charon: 12[ENC] parsed INFORMATIONAL_V1 request 2241599222 [ HASH D ]
Jan 16 20:41:34 charon: 12[NET] received packet: from XXX.XXX.XXX.36[500] to XXX.XXX.XXX.254[500] (92 bytes)
Jan 16 20:41:34 charon: 12[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify
Jan 16 20:41:34 charon: 12[ENC] parsed INFORMATIONAL_V1 request 588732055 [ HASH N(ATTR_UNSUP) ]
Jan 16 20:41:34 charon: 12[NET] received packet: from XXX.XXX.XXX.36[500] to XXX.XXX.XXX.254[500] (76 bytes)
Jan 16 20:41:34 charon: 12[NET] sending packet: from XXX.XXX.XXX.254[500] to XXX.XXX.XXX.36[500] (172 bytes)
Jan 16 20:41:34 charon: 12[ENC] generating QUICK_MODE response 2582074704 [ HASH SA No ID ID ]
Jan 16 20:41:34 charon: 12[IKE] received 3600s lifetime, configured 0s
Jan 16 20:41:34 charon: 12[ENC] parsed QUICK_MODE request 2582074704 [ HASH SA No ID ID ]
Jan 16 20:41:34 charon: 12[NET] received packet: from XXX.XXX.XXX.36[500] to XXX.XXX.XXX.254[500] (300 bytes)
Jan 16 20:41:34 charon: 15[NET] sending packet: from XXX.XXX.XXX.254[500] to XXX.XXX.XXX.36[500] (92 bytes)
Jan 16 20:41:34 charon: 15[ENC] generating TRANSACTION response 254410319 [ HASH CPRP(ADDR SUBNET) ]
Jan 16 20:41:34 charon: 15[IKE] assigning virtual IP ZZ.ZZ.ZZZ.1 to peer 'YYYYY'
Jan 16 20:41:34 charon: 15[CFG] reassigning offline lease to 'YYYYY'


[ooker]

Hi Dobbin,

Thanks for your reply. 

Here's what I did, and what I see:
On 18.1r1 If I go to System->Access->Users
Click on the edit/pencil for the user in question
Then Click on edit/pencil in Effective Privileges
There is a Search Field under description, and if I type in Xauth I get no results.
In fact, my list only contains results prefixed with "GUI"

Are you seeing other prefixes? 

Based on the description in the docs of "User - VPN - IPsec xauth Dialin" I got the impression that it might have a different prefix other than "GUI"

Examples of what I see:
        ...
   GUI   Status: IPsec
   GUI   Status: IPsec: Leasespage
   GUI   Status: IPsec: SAD
   GUI   Status: IPsec: SPD
        ...

Are you getting options where the first 3 letters are different from GUI?  What is the option that comes back when you search for Xauth?

[franco]

Well, this in the 181.r1 release notes...

https://github.com/opnsense/changelog/blob/3caefd257e834042c364741e6ccb8927c89f568c/doc/18.1/18.1.r1#L77

The Xauth privilege is no longer needed. If you want, you can restrict local authentication to a local group of users. It follows a change done early in 17.7.x which followed a change done in the captive portal some time before that.

Since 18.1 is not officially out the docs still refer to version 17.7 and will be fixed accordingly when it's time.


Cheers,
Franco

[ooker]

Hmmm.  I must have something wrong with my firewall config.  I'm not seeing anything in the IPsec log when I try to connect from my Mac Client.  I have verified that the WAN address is correct.  My Mac Client is accessing the net via a Verizon Jetpack MiFi box.

I've verified that Block Private Networks on the WAN interface is disabled, and the two screenshots show my WAN and IPSEC firewall rules.

Can anyone suggest steps to try to diagnose this further?

For example, should telnet be able to connect to port 500 or port 4500 on my external WAN IP?    Does anyone have a good IPsec VPN troubleshooting guide to recommend?

[ooker]

I have re configured the server and the client and I am at least getting an IPsec VPN Log.  Does anyone have suggestions regarding what may be going on, and/or next steps to diagnose this issue further?
The Mac VPN client now fails with "The negotiation with the VPN server failed. Verify the server address and try reconnecting"

Here is the log data:

Code: [Select]

Jan 20 22:43:32 charon: 05[JOB] deleting half open IKE_SA with CLIENT_IP after timeout
Jan 20 22:43:26 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:26 charon: 05[IKE] sending retransmit 3 of response message ID 0, seq 1
Jan 20 22:43:13 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:13 charon: 05[IKE] sending retransmit 2 of response message ID 0, seq 1
Jan 20 22:43:06 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:06 charon: 05[IKE] sending retransmit 1 of response message ID 0, seq 1
Jan 20 22:43:02 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:02 charon: 05[ENC] generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Jan 20 22:43:02 charon: 05[CFG] selected peer config "con1"
Jan 20 22:43:02 charon: 05[CFG] looking for XAuthInitPSK peer configs matching FIREWALL_IP...CLIENT_IP[groupname@domain.com]
Jan 20 22:43:02 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:02 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:02 charon: 05[IKE] received DPD vendor ID
Jan 20 22:43:02 charon: 05[IKE] received Cisco Unity vendor ID
Jan 20 22:43:02 charon: 05[IKE] received XAuth vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 20 22:43:02 charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 22:43:02 charon: 05[IKE] received FRAGMENTATION vendor ID
Jan 20 22:43:02 charon: 05[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Jan 20 22:43:02 charon: 05[NET] received packet: from CLIENT_IP[10977] to FIREWALL_IP[500] (777 bytes)
Jan 20 22:43:01 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (56 bytes)
Jan 20 22:43:01 charon: 05[ENC] generating INFORMATIONAL_V1 request 1178221751 [ N(NO_PROP) ]
Jan 20 22:43:01 charon: 05[IKE] no proposal found
Jan 20 22:43:01 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 22:43:01 charon: 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Jan 20 22:43:01 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:01 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:01 charon: 05[IKE] received DPD vendor ID
Jan 20 22:43:01 charon: 05[IKE] received Cisco Unity vendor ID
Jan 20 22:43:01 charon: 05[IKE] received XAuth vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 20 22:43:01 charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 22:43:01 charon: 05[IKE] received FRAGMENTATION vendor ID


[ooker]

In The VPN->IPsec->Status Overview, my status icon at the right of the display is orange.  Should it be green?  I couldn't find any info on this in the documentation.

[pfs7]

I'm having the same problem with OPNsense 18.7.3-amd64. I followed the instructions per the documentation and my macOS client still can't connect. I also have an orange status icon. I tried to change the detail in my logs with no success even after reboot. The detail I do get is useless. Apparently I can establish Phase1, but don't have a clear picture of what is happening in Phase2. Not being able to get better detail in the logs is most upsetting. A close second is following instructions that are outdated. Here my log output:

Code: [Select]

Sep 23 18:22:41 charon: 12[KNL] fe80::1:1 appeared on igb3
Sep 23 18:22:41 charon: 01[KNL] fe80::1:1 disappeared from igb3
Sep 23 18:22:40 charon: 01[CFG] added configuration 'con1'
Sep 23 18:22:40 charon: 01[CFG] reusing virtual IP address pool 10.10.90.0/28
Sep 23 18:22:40 charon: 01[CFG] received stroke: add connection 'con1'
Sep 23 18:22:40 charon: 12[CFG] deleted connection 'con1'
Sep 23 18:22:40 charon: 12[CFG] received stroke: delete connection 'con1'
Sep 23 18:22:40 charon: 01[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Sep 23 18:22:40 charon: 01[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 23 18:22:40 charon: 01[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 23 18:22:40 charon: 01[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 23 18:22:40 charon: 01[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep 23 18:22:40 charon: 01[CFG] loaded IKE secret for XXX.XXX.XXX.XXX %any
Sep 23 18:22:40 charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep 23 18:22:40 charon: 01[CFG] rereading secrets