[gelöst] VPN Tunnel OPNsense zur FritzBox 7590

Started by lapidu, December 31, 2020, 01:51:06 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 31, 2020, 01:51:06 PM Last Edit: December 31, 2020, 02:52:01 PM by lapidu
Hallo zusammen,

ich habe folgendes Problem. VPN Tunnel steht. Ich komme vom OPNSense LAN ( 192.168.1.0/24 ) in das FritzBox LAN ( 192.168.0.0/24).
Das Problem ist jetzt das ich vom LAN der FritzBox nicht in das LAN von der OPNsense kommt.

Hat jemand eine Idee?

Anbei Netzwerkplan und config des VPN Tunnels

Danke erstmal

Code Select
WAN / Internet
            :
            : PPPoE-Telekom VDSL
            :
      .-----+--------.
      |  DSL Modem|  (Draytek Vigor 165)
      '-----+---------'
            |
        WAN | IP or Protocol
            |
      .-----+------.   
      |  OPNsense
      '-----+------'
            |
        LAN | 192.168.1.0/24
            |
      .-----+------.
      | LAN-Switch |
      '-----+------'
            |
    ...-----+------... (Clients/Servers)

Config File FritzBox

Code Select

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "xx"; //Name der Verbindung
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "xxx.dyndns.org";
                localid {
                        fqdn = "xxx.myfritz.net";
                }
                remoteid {
                        fqdn = "email@mail.de";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "alt/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "xxxxxxxxxxxxxxxxx"; //Passwort, max 32 byte lang
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any 192.168.1.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF


OPNSense VPN Einstellungen

Code Select


IPSec Tunneleinstellungen:
Allgemeine Informationen:
Anschlussart: Start on Traffic
Schlüsselaustauschversion: V1
Internt Protokol: IPv4
Schnittstelle: WAN
Remotegateway: xxx.myfritz.de
Dynamic gateway: Hacken bei Allow any remote gateway to connect

Phase1:
Authentifizierungsmethode: Murtal PSK
Bestimmungsmodus: Aggressive
My identifier: User distinguished name:  email@mail.de
Peer identifier: Distinguished name: xxx.myfritz.de
Pre-Shared Key: xxxxxx

Phase1:
Encryption algorithm: AES 256
Hash: SHA1
DH: 2 (2024)
Zeit: 3600

Hacken bei  Install Policy

Phase 2:
Modus: Tunnel IPv4

Local Network: LAN Subnetz
Remote Network 192.168.0.0/24

Protocol: ESP
Verschlüsselung: AES 256
Hash: SHA1
Gruppe: 2(1024)
Zeit: 3600

December 31, 2020, 02:00:23 PM #1
Hallo,

hast du in den Firewall Regeln der Opnsense eine Regel erstellt, die Traffic der von der Fritzbox über den VPN Tunnel auf das IPSEC Interface eintrifft, auch durchlässt?
Hardware:
DEC740
December 31, 2020, 02:26:05 PM #2
Hallo Cedrik,

nein, wie würde so eine Regel ausschauen?

Danke
December 31, 2020, 02:35:35 PM #3
Diese Regel lässt allen Verkehr zu:

Firewall > Rules > IPSEC -> + Add

Action: Pass
Interface: IPSEC
Direction: in
TCP/IP: IPv4
Protocol: Any
Source: Fritzbox LAN (192.168.0.0/24)
Destination: Opnsense LAN (192.168.1.0/24)
Destination Port Range: from any to any
Hardware:
DEC740
December 31, 2020, 02:51:41 PM #4
Super jetzt funktioniert es.

Vielen Dank für deine Hilfe
December 31, 2020, 08:09:55 PM #5
@lapidu wenn die Fritzbox es erlaubt, solltest du evtl. noch SHA1 durch min. SHA256 und DH2 durch min. DH14 (4096) ersetzen. Bin mir nicht sicher ob die das kann, aber das wäre für mich das absolute Minimum.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de
January 05, 2021, 12:38:47 PM #6 Last Edit: January 05, 2021, 01:16:02 PM by lapidu
Hallo zusammen,

hier jetzt meine Einstellungen mit der der IPSEC Tunnel endlich stabil läuft.

Code Select
IPSec Tunneleinstellungen:
Allgemeine Informationen:
Anschlussart: Start on Traffic
Schlüsselaustauschversion: V1
Internt Protokol: IPv4
Schnittstelle: WAN
Remotegateway: xxx.myfritz.de
Dynamic gateway: Hacken bei Allow any remote gateway to connect

Phase1:
Authentifizierungsmethode: Murtal PSK
Bestimmungsmodus: Aggressive
My identifier: Distinguished name:  xxx.dyndns.org
Peer identifier: Distinguished name: xxx.myfritz.de
Pre-Shared Key: xxxxxx

Phase1:
Encryption algorithm: 3DES
Hash: SHA1
DH: 2 (2024)
Zeit: 3600

Hacken bei  Install Policy

Phase 2:
Modus: Tunnel IPv4

Local Network: LAN Subnetz
Remote Network 192.168.0.0/24

Protocol: 3DES
Verschlüsselung: AES 128
Hash: SHA1
Gruppe: 2(1024)
Zeit: 3600

FritzBox config
Code Select

               mode = phase1_mode_aggressive;
               phase1ss = "all/all/all";

               phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
Print
Go Up Pages1
User actions