IPSec assistance...

Started by cozzicon, August 09, 2022, 04:02:45 PM

Hello fellow admins...

We've deployed the commercial version of OPNsense and we can't get IPsec working at all.

We can establish our phase 1 tunnel, and our client can see the connection.

When we add a tunnel with a subnet it never shows connected and doesn't pass traffic.

I'm in a bind here, either I have to find the answer by noon ET or I have to rip out OPNsense from the network. We've been working on this problem for two weeks.

The endpoint we connect to is not under our control, but rather is a customer. It's apparently a Cisco ASA.

The basic config we were given looks like this:

IKE POLICY (PHASE 1)
  IKE Encryption Policy          AES 256
  IKE Authentication             SHA1
  IKE Lifetime (Seconds)         28800 / 480 minutes / 8 hours
  Diffie Hellman Group           Group 5
  Identity                       IP Address
  Authentication                 Pre-shared Key
  Main Mode or Aggressive Mode   Main Mode
  Pre-shared Key                 thisisnotourkeybutmaybeitisornotbackwardshuh?

IPSEC POLICY (PHASE 2)
  IPSEC Encryption Policy        ESP - AES 256
  IPSEC Authentication Policy    SHA1
  Perfect Forward Secrecy & DH Group   Disabled
  IPSEC SA Lifetime Seconds      28800
  IPSEC SA Lifetime Kilobytes    Disabled
  Vendor ID                      Disabled
  Compression                    Disabled

There are roughly 12 /24 subnets on the remote endpoint. We configure the tunnels, they never show up in status and will not pass traffic.

Is there an apparent quick fix known issue scenario here? It is possible the problem is on the remote ASA. But I'm going to have to prove that.

Thoughts?



Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on August 09, 2022, 04:05:16 PM
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick

It took us two weeks just to get a network engineer from the client to talk to us. In our meeting yesterday they say they cannot see any phase 2 activity at all. And we don't see it on the status page either.

I'm also not seeing any traffic in the firewall log monitor.

I have re-installed strongswan, reset to defaults, etc.

Quote from: cozzicon on August 09, 2022, 04:09:50 PM
Quote from: pmhausen on August 09, 2022, 04:05:16 PM
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick

It took us two weeks just to get a network engineer from the client to talk to us. In our meeting yesterday they say they cannot see any phase 2 activity at all. And we don't see it on the status page either.

I'm also not seeing any traffic in the firewall log monitor.

I have re-installed strongswan, reset to defaults, etc.

We're configuring based on what we were given. I can challenge them to recheck the subnets.

Quote from: pmhausen on August 09, 2022, 04:05:16 PM
Crank up debug level and watch for "no matching proposal" messages? Have you tried tunnel isolation? The networks on both sides match exactly? If there is even a slight mismatch (e.g. wrong netmask for just one subnet), ASA might refuse to bring up phase 2 entirely.

HTH,
Patrick

Currently testing with only one tunnel and one subnet. Any isolation issue could be dealt with later.

tcpdump ...? Do you see IPsec packets after phase 1 is established? NAT-T?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Well- I was hoping there was a known issue or something along those lines.

Looks like I'm going to order a Checkpoint and be done with this. It's time sensitive. 12pm is the cutoff point for me.

Thanks for the assist.

August 09, 2022, 06:11:27 PM #7 Last Edit: August 09, 2022, 06:14:33 PM by pmhausen
I have set up dozens of multi vendor IPsec VPNs in my life and it always boiled down to: read the logs until you spot what they don't agree about. Then fix that.

E.g. having the same lifetime in seconds for phase 1 and phase 2 looks weird. Phase 2 should be shorter than phase 1. I don't know if this is an issue for OPNsense, but I would not run a setup like this.

HTH,
Patrick

EDIT: are you using NAT-T? if not did you open ESP and AH from your peer to your external address on WAN? If yes, did you open UDP:4500 in addition to UDP:500 on WAN?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
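Patrick's advice twice in this thread is to read the strongSwan (charon) log and find what the two peers disagree about, starting with "no matching proposal" messages. As an added illustration (not code from the thread or from the OPNsense project), the script below scans charon log lines for the two places a phase 2 setup most often fails against an ASA: a Quick Mode proposal mismatch (it diffs the "received proposals" against the "configured proposals" and flags when the only difference is a DH group, i.e. PFS enabled on one side but "Disabled" on the other, as in the policy sheet above) and a traffic-selector mismatch ("no matching CHILD_SA config found for A === B", which is the netmask-typo case). The log lines in SAMPLE_LOG are constructed for this example; the message formats follow what charon emits for IKEv1, but the addresses, SPIs and connection name are made up.

```python
import re

# Constructed sample of charon (strongSwan) log output for an IKEv1 tunnel
# whose phase 1 came up but whose Quick Mode (phase 2) was rejected.
# Addresses, connection name "con1" and timestamps are invented.
SAMPLE_LOG = """\
Aug 09 10:12:01 charon[1234]: 06[IKE] <con1|3> IKE_SA con1[3] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Aug 09 10:12:01 charon[1234]: 06[CFG] <con1|3> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 09 10:12:01 charon[1234]: 06[CFG] <con1|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Aug 09 10:12:01 charon[1234]: 06[IKE] <con1|3> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Aug 09 10:12:05 charon[1234]: 07[IKE] <con1|3> no matching CHILD_SA config found for 10.10.10.0/24 === 192.168.50.0/25
"""

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (\S+)")
NO_MATCH_RE = re.compile(r"no matching proposal found")
SELECTOR_RE = re.compile(r"no matching CHILD_SA config found for (\S+) === (\S+)")
# DH group names as charon prints them (MODP_1536 is "Group 5" in ASA terms).
DH_GROUP_RE = re.compile(r"^(MODP_|ECP_|CURVE_)")


def parse_proposals(text):
    """'ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ' -> [('ESP', {'AES_CBC_256', ...})].

    charon separates several proposals on one line with ', '.
    """
    parsed = []
    for proposal in text.split(", "):
        proto, _, algs = proposal.partition(":")
        parsed.append((proto, set(algs.split("/"))))
    return parsed


def find_disagreements(log_text):
    """Return a list of findings describing what the two peers disagreed on."""
    findings = []
    received = configured = None
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            if m.group(1) == "received":
                received = parse_proposals(m.group(2))
            else:
                configured = parse_proposals(m.group(2))
            continue

        if NO_MATCH_RE.search(line) and received and configured:
            # Compare the first proposal on each side; enough for the usual
            # single-proposal phase 2 entry on both OPNsense and the ASA.
            _, remote_algs = received[0]
            _, local_algs = configured[0]
            only_remote = remote_algs - local_algs
            only_local = local_algs - remote_algs
            findings.append({
                "kind": "proposal_mismatch",
                "only_remote": only_remote,   # peer offered, we did not
                "only_local": only_local,     # we require, peer did not offer
                # A DH group appearing on one side only means PFS is enabled
                # on that side and disabled on the other.
                "pfs_mismatch": any(DH_GROUP_RE.match(a) for a in only_remote | only_local),
            })
            received = configured = None
            continue

        m = SELECTOR_RE.search(line)
        if m:
            # Selectors exactly as charon logged them; compare each prefix and
            # mask against the sheet the peer sent you.
            findings.append({"kind": "selector_mismatch", "left": m.group(1), "right": m.group(2)})
    return findings


def describe(findings):
    """Human-readable summary, one line per finding."""
    lines = []
    for f in findings:
        if f["kind"] == "proposal_mismatch":
            msg = f"phase 2 proposal mismatch: only we have {sorted(f['only_local'])}, only peer has {sorted(f['only_remote'])}"
            if f["pfs_mismatch"]:
                msg += " (PFS/DH group differs: check 'Perfect Forward Secrecy' on both ends)"
            lines.append(msg)
        else:
            lines.append(f"traffic selector rejected: {f['left']} === {f['right']} (check prefix and netmask)")
    return lines


if __name__ == "__main__":
    for line in describe(find_disagreements(SAMPLE_LOG)):
        print(line)
```

Run it against a copy of the IPsec log from the OPNsense GUI (or /var/log/ipsec.log) instead of SAMPLE_LOG; with the log level raised as Patrick suggests, the "received proposals" / "configured proposals" pair appears right before each rejection, which is what makes the diff possible. In the constructed sample, the only difference is MODP_1536 on the local side, i.e. a PFS group set on OPNsense while the customer's policy says PFS is disabled, and a /25 mask where the peer expected a /24.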