Topic: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router) (Read 14767 times)
franco
Administrator
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router) « Reply #15 on: November 06, 2018, 11:36:17 pm »
Keeping this under observation... browsers shouldn't do this, but maybe we need to be more vivid in enforcement.
Long-term this is no issue, the MVC/API code should not be affected by this issue. Worst case saving fails, but that's what the browser gets for disabling JS.
Cheers,
Franco
space-hunter
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router) « Reply #16 on: January 30, 2019, 10:02:37 am »
Hi, thanks for this info!
I ran into the same error. I tried to configure a site2site VPN with IExplorer. After a few hours and reading this post, I know why :-)
After saving the settings with IE, this error is showing in the VPN log file.
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> sending packet: from 192.168.20.40[500] to 192.168.22.132[500] (84 bytes)
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> generating INFORMATIONAL_V1 request 4075737163 [ HASH D ]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> sending DELETE for IKE_SA con1-000[8]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> deleting IKE_SA con1-000[8] between 192.168.20.40[C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense]...192.168.22.132[192.168.22.132]
Jan 30 09:33:09 charon: 10[CFG] <con1-000|8> constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=xx, O=xx, E=xx@xx, CN=CA_xx'
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> received DPD vendor ID
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> parsed ID_PROT response 0 [ ID HASH V ]
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> received packet: from 192.168.22.132[500] to 192.168.20.40[500] (84 bytes)
And this is the main part of the file /usr/local/etc/ipsec.conf:
ike = 3des-sha1-modp1024!
leftauth = psk
rightauth = psk
leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
leftsendcert = always
rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
rightid = 192.168.22.132
rightsubnet = 192.168.22.192/28
leftsubnet = 192.168.7.0/24
esp = aes256-sha1-modp1024,3des-sha1-modp1024!
After saving the setting with Chrome, everything works as expected.
With IExplorer, the 'My Certificate' and 'My Certificate Authority' fields are showing up, and I cannot remove this setting.
With Chrome, these fields are not showing up.
OPNsense 18.7.9-amd64
IE 11.1563.15063.0
Chrome 71.0.3578.98
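The log and the saved configuration in the post above line up: rightauth = psk sits next to rightca, and charon reports "constraint check failed: peer not authenticated by CA". As an added example (not part of the post and not OPNsense code), the Python below audits ipsec.conf text for that combination. The "conn con1" header in the sample is assumed, and the function names are hypothetical.

```python
# Added example: flag ipsec.conf conns that mix PSK auth with certificate options.
import re

# Constructed sample: the "conn con1" header is assumed; the options are from the post.
SAMPLE = """\
conn con1
  ike = 3des-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
  rightid = 192.168.22.132
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line = section header
            header = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(header.group(1), {}) if header else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)       # values may contain '=' themselves
            current[key.strip()] = value.strip().strip('"')
    return conns

def audit(conns):
    """List (conn, severity, message) where PSK auth is combined with cert options."""
    findings = []
    for name, opts in conns.items():
        # rightca is a constraint on how the peer authenticated; a PSK peer
        # presents no certificate, so the constraint check fails.
        if opts.get("rightauth") == "psk" and "rightca" in opts:
            findings.append((name, "error",
                             "rightauth=psk with rightca: CA constraint cannot be met"))
        for key in ("leftcert", "leftsendcert"):
            if opts.get("leftauth") == "psk" and key in opts:
                findings.append((name, "warning", f"leftauth=psk but {key} is set"))
    return findings

if __name__ == "__main__":
    for name, severity, message in audit(parse_conns(SAMPLE)):
        print(f"{name}: {severity}: {message}")
```

Running it against a copy of /usr/local/etc/ipsec.conf after saving a phase 1 entry shows whether stale certificate fields were written alongside a PSK setup.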
franco
Administrator
Re: Replaced pfSense for OPNsense, IPSEC will not connect (to SonicWALL router) « Reply #17 on: January 30, 2019, 12:20:17 pm »
It will be fixed for IE in 19.1 tomorrow.
Cheers,
Franco