OPNsense Forum » English Forums » Virtual private networks » Internal Network IPsec clients do not connect to remote VPN through OPNSense
Topic: Internal Network IPsec clients do not connect to remote VPN through OPNSense (Read 1372 times)
yvonnik (Newbie, Posts: 3, Karma: 0)
Internal Network IPsec clients do not connect to remote VPN through OPNSense
« on: June 06, 2023, 06:56:06 pm »
Hello,
I'm new to OPNsense; I'm evaluating it to replace a Fortigate box.
I have managed to replace 95% of the Forti (interfaces, VLANs, inter-VLAN rules, IPsec tunnels...), but I have been blocked for days on an issue that could be a showstopper and could force me to go back to the Forti.
We have a Guest network, and our customers using it are not able to connect their IPsec clients to get access to their company, which is really annoying for them (the mobile coverage is very bad, so they cannot use their phones in sharing mode).
I have tried using an IPsec client from inside the admin LAN (which has the "go everywhere" rule), and I have the same problem. The IPsec VPN Phase 1 to the remote host (another Forti) connects OK, so the client is trying to start Phase 2 (ISAKMP), but the answer from the remote Forti does not seem to be received by the internal client.
I have attached the logs from the client (TheGreenBow) and from the Forti. The Forti seems to be happy negotiating Phase 2, but TheGreenBow does not get any answer.
OPNsense is responsible: the very same client with the very same configuration, when using another Internet access (mobile phone, another Wi-Fi that is not connected to OPNsense, anything...), just connects without issue.
And another client (on Android) has exactly the same behavior. No external IPsec VPN is reachable through OPNsense. And with the Forti we used before it was working perfectly, without any specific configuration.
Moreover, and it seems related, the "Wifi Calling" of Android phones does not connect either, no matter what. Once again, it works perfectly with another Internet access. But here, no log is available. And there is no related log on OPNsense with the IP of the phones.
What's weird is that I don't see anything related in the OPNsense log (live view); I don't see anything related to the IPsec negotiation: no Phase 1, no Phase 2, no blocked packet, nothing...
I've searched the web for this behavior, found some related issues, but nothing conclusive, and the posts usually finish with "you have a rule problem", or point to the manual to create the FW rules.
I know how to create a FW rule, but normally, as I have a LAN * * * * rule for TCP/UDP, it should work.
Maybe it's an issue with NAT dropping the returning packets on UDP 500 (but why?), so I tried Inbound NAT rules (which I'm not familiar with; Forti is very different on this), with no success. And still nothing in the logs...
Thanks for your help,
Yvon
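An added example for the symptom described in the post above (this is not the poster's code or anything from the OPNsense project). pf's filter log records packets that hit a logged rule; once the first packet of a flow has created a state, the rest of that flow, including the peer's replies, is matched by the state and never hits a rule, so a lost return packet leaves no trace in the live log. The practical way to localize it is to capture on both sides of the firewall (tcpdump -nn on the LAN and on the WAN interface from the OPNsense shell) and compare, per IKE (UDP/500), NAT-T (UDP/4500) or ESP flow, which of the four legs is missing. The script below does that comparison over constructed capture lines; the addresses, the capture text and all names are assumptions made for the example, and the sample is built to show a pattern consistent with what the poster describes: the UDP/500 exchange round-trips, while the peer's answer on UDP/4500 arrives on the WAN but is never forwarded to the LAN.

```python
"""Compare LAN and WAN captures to see where an IPsec exchange stops.

Added example for this thread, not OPNsense or poster code. The capture lines
are constructed to look like `tcpdump -nn` output; only the prefixes
'IP a.b.c.d.port > e.f.g.h.port:' and 'IP a.b.c.d > e.f.g.h: ESP(spi=' are relied on.
"""
import ipaddress
import re
from collections import defaultdict

IKE_PORTS = {500, 4500}  # IKE on UDP/500, NAT-T on UDP/4500; ESP is IP protocol 50

UDP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
ESP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP\(spi=")

# The four legs an outbound IPsec exchange crosses on a NATing firewall.
LEGS = ("LAN in", "WAN out", "WAN in", "LAN out")


def parse_line(line):
    """Return (src, dst, flow_type) for an IKE/NAT-T/ESP line, else None.
    flow_type is 'udp/500', 'udp/4500' or 'esp'; the UDP port is taken from the
    remote peer's side so it is stable even if outbound NAT rewrites the source port."""
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport in IKE_PORTS:
            return src, dst, f"udp/{dport}"
        if sport in IKE_PORTS:
            return src, dst, f"udp/{sport}"
        return None  # unrelated UDP traffic such as DNS
    m = ESP_RE.search(line)
    if m:
        return m.group(1), m.group(2), "esp"
    return None


def classify(lan_lines, wan_lines, lan_net, wan_ip):
    """Group packets into flows keyed by (remote peer, flow_type) and record
    the legs seen for each, plus the LAN clients involved."""
    lan_net = ipaddress.ip_network(lan_net)
    flows = defaultdict(lambda: {"legs": set(), "clients": set()})
    for line in lan_lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, ftype = pkt
        if ipaddress.ip_address(src) in lan_net:    # client -> peer
            flows[(dst, ftype)]["legs"].add("LAN in")
            flows[(dst, ftype)]["clients"].add(src)
        elif ipaddress.ip_address(dst) in lan_net:  # peer -> client, forwarded
            flows[(src, ftype)]["legs"].add("LAN out")
            flows[(src, ftype)]["clients"].add(dst)
    for line in wan_lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, ftype = pkt
        if src == wan_ip:      # client's packet after outbound NAT
            flows[(dst, ftype)]["legs"].add("WAN out")
        elif dst == wan_ip:    # peer's answer arriving from the Internet
            flows[(src, ftype)]["legs"].add("WAN in")
    return dict(flows)


def diagnose(legs):
    """Name the first missing leg; that is where to look next."""
    if all(leg in legs for leg in LEGS):
        return "complete: both directions traverse the firewall"
    if "LAN in" not in legs:
        return "client never sent: look at the client, not the firewall"
    if "WAN out" not in legs:
        return "dropped before leaving WAN: LAN rule or outbound NAT"
    if "WAN in" not in legs:
        return "no answer on WAN: remote peer or upstream path"
    return ("answer reached WAN but was not forwarded to LAN: "
            "return-path state/NAT handling on this firewall")


def report(lan_lines, wan_lines, lan_net, wan_ip):
    """Map each (peer, flow_type) to its verdict."""
    flows = classify(lan_lines, wan_lines, lan_net, wan_ip)
    return {key: diagnose(flow["legs"]) for key, flow in flows.items()}


# Constructed captures (documentation/private addresses). UDP/500 round-trips;
# the peer's UDP/4500 answer reaches the WAN but never appears on the LAN side.
SAMPLE_LAN = [
    "13:01:02.100001 IP 192.168.50.20.500 > 203.0.113.7.500: isakmp: phase 1 I ident",
    "13:01:02.150002 IP 203.0.113.7.500 > 192.168.50.20.500: isakmp: phase 1 R ident",
    "13:01:02.200003 IP 192.168.50.20.4500 > 203.0.113.7.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick",
    "13:01:02.300004 IP 192.168.50.20.53412 > 192.168.50.1.53: 4711+ A? vpn.example.net. (33)",
]
SAMPLE_WAN = [
    "13:01:02.100101 IP 198.51.100.2.500 > 203.0.113.7.500: isakmp: phase 1 I ident",
    "13:01:02.149902 IP 203.0.113.7.500 > 198.51.100.2.500: isakmp: phase 1 R ident",
    "13:01:02.200103 IP 198.51.100.2.4500 > 203.0.113.7.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick",
    "13:01:02.260004 IP 203.0.113.7.4500 > 198.51.100.2.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick",
]

if __name__ == "__main__":
    verdicts = report(SAMPLE_LAN, SAMPLE_WAN, "192.168.50.0/24", "198.51.100.2")
    for (peer, ftype), verdict in verdicts.items():
        print(f"{peer} {ftype}: {verdict}")
```

Run as-is it prints one verdict per flow for the constructed sample; for a real case, replace SAMPLE_LAN and SAMPLE_WAN with the two captures and pass the LAN network and the WAN address. Only the last verdict (answer seen on the WAN, nothing forwarded to the LAN) points at the firewall itself, and that is the case in which its return-path handling, such as outbound NAT, the state table or the WAN reply-to behaviour that comes up later in this thread, is worth examining; the other verdicts point away from it.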
yvonnik (Newbie, Posts: 3, Karma: 0)
Re: Internal Network IPsec clients do not connect to remote VPN through OPNSense
« Reply #1 on: June 08, 2023, 01:57:36 pm »
Hello,
Continuing investigations.
I thought that maybe there was an interaction with strongSwan, so I stopped the strongSwan service to test. Of course all my IPsec tunnels went down, but still the same behavior. I also made the test of disabling IPsec in VPN/IPsec/Tunnels Settings.
What is really weird is that there is no log entry of any kind when I try to establish a VPN tunnel from one of my PCs to an external server, even though the remote Forti receives packets, establishes Phase 1, and starts to negotiate P2. As far as the OPNsense firewall is concerned, nothing happens!!
The only "block" rules I have are automatically generated, and I have activated the logging.
How can I activate the logging of the "reject all" final rules?
yvonnik (Newbie, Posts: 3, Karma: 0)
Re: Internal Network IPsec clients do not connect to remote VPN through OPNSense
« Reply #2 on: June 08, 2023, 02:36:34 pm »
It seems this is related to https://forum.opnsense.org/index.php?topic=22798.0 and https://forum.opnsense.org/index.php?topic=15900.0.
So I tried to deactivate Reply-to on WAN.
No success...until...
I rebooted OPNsense.
And now the internal client can open an IPsec tunnel to a remote IPsec server!! Hurrah!!
Big improvement!!
I won't go into the fact that this (disabling Reply-to) should be the default with only one WAN, discussed at length in the referenced posts, but it would have really saved days of my time...
However, this seems not to have fixed the Wifi Calling issue...