Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router)

Started by Rayman, November 02, 2018, 09:50:39 PM

Keeping this under observation... browsers shouldn't do this, but maybe we need to be more vivid in enforcement.

Long-term this is no issue, the MVC/API code should not be affected by this issue. Worst case saving fails, but that's what the browser gets for disabling JS. ;)


Cheers,
Franco

Hi, thanks for this info!

I ran into the same error. I tried to configure a site-to-site VPN with IExplorer. After a few hours and reading this post, I know why :-)
After saving the settings with IE, this error shows up in the VPN log file:

Jan 30 09:33:09 charon: 10[NET] <con1-000|8> sending packet: from 192.168.20.40[500] to 192.168.22.132[500] (84 bytes)
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> generating INFORMATIONAL_V1 request 4075737163 [ HASH D ]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> sending DELETE for IKE_SA con1-000[8]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> deleting IKE_SA con1-000[8] between 192.168.20.40[C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense]...192.168.22.132[192.168.22.132]
Jan 30 09:33:09 charon: 10[CFG] <con1-000|8> constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=xx, O=xx, E=xx@xx, CN=CA_xx'
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> received DPD vendor ID
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> parsed ID_PROT response 0 [ ID HASH V ]
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> received packet: from 192.168.22.132[500] to 192.168.20.40[500] (84 bytes)

And this is the main part of the file /usr/local/etc/ipsec.conf:
  ike = 3des-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
  rightid = 192.168.22.132
  rightsubnet = 192.168.22.192/28
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1-modp1024,3des-sha1-modp1024!


After saving the setting with Chrome, everything works as expected.

With IExplorer, the 'My Certificate' and 'My Certificate Authority' fields are showing up, and I cannot remove this setting.
With Chrome, these fields are not showing up.

OPNsense 18.7.9-amd64
IE 11.1563.15063.0
Chrome 71.0.3578.98