Topics - atom

#1
Hello,
I'm looking for a way to add manual SPD entries with the "Connections[new]" interface.
It looks like you can add more networks in "Edit Child", but the networks don't show up in "setkey -DP" and the traffic goes directly to WAN instead of IPsec. Any idea?
Regards,
atom
#2
Hello,

I'm currently testing the migration of the IPsec tunnels from ipsec.conf to swanctl.conf.
For this I've upgraded one side of the tunnel to 23.1_6. The migrated tunnel can be started from both sides without any problems. Then I created an analog configuration with "Connections [new]" and deleted the old configuration.
Unfortunately, I find that now the tunnel can only be started from one side (23.1_6). From the other side this leads to the error NO_PROPOSAL_CHOSEN.
The problem seems to be that the site has no IP address at rightid but an FQDN.
If I change "Local addresses" at this site from FQDN to the current IP address, it is possible to initiate the tunnel from both sides again afterwards.

Regards,
atom
#3
Virtual private networks / 23.1_6 IPsec Mobile
February 01, 2023, 01:38:45 PM
Hello,

After upgrading to 23.1, I noticed that the "Lease Status" does not show the complete DN and the "Remote ID" field is too short.
Is it possible to make "Version" a bit narrower and "Remote ID" a bit wider in the "Status Overview"?

Regards,
atom
#4
22.7 Legacy Series / Firewall Live View
December 06, 2022, 09:10:47 AM
Hello,

I'm on version 22.7.9 and just noticed a change in Live View. The filtered data is only displayed for about 2 minutes. After that they disappear again. This makes it very difficult to search for data because the display period is very short. Is it possible to set it back to the way it was before?

Regards,
atom
#5
Development and Code Review / Alias "port group"
May 04, 2022, 05:21:22 PM
Hello,

Would it be possible to get an alias "port group" analogous to "network group"?
It would make creating firewall rules easier because you could combine "network group" with "port group".

Thanks a lot,
atom
#6
Virtual private networks / Mobile IPsec with TOTP
March 17, 2022, 02:30:18 PM
Hello,

I would like to know if anyone has got Mobile IPsec working with TOTP (Windows 10 native VPN client).

- TOTP for login (ssh/GUI) -> works
- Mobile IPsec with Mutual RSA -> works
- Mobile IPsec with EAP-MSCHAPv2 -> works

Only Mobile IPsec with EAP-MSCHAPv2 + TOTP does not work.
Can it be because the "IPsec Pre-Shared Key" at the user can only be PSK and not EAP?

Greetings,
atom
#7
Virtual private networks / IPsec mobile clients with 22.1
February 24, 2022, 10:32:26 AM
Hello,

I've installed a fresh OPNsense with 22.1.
Then I've tried to enable Mobile Clients according to https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html .
Unfortunately I'm not able to add a phase 2 entry (step 3 from the guide).
There is no button "show 0 phase-2 entries".

Regards,
atom
#8
21.7 Legacy Series / 21.7.8 acme issue
January 28, 2022, 06:45:26 AM
After upgrade to 21.7.8 the acme client does not work anymore.


[28-Jan-2022 00:00:27 Europe/Berlin] PHP Fatal error:  Uncaught Error: Call to a member function init() on null in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php:634
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php(404): OPNsense\AcmeClient\LeCertificate->runAutomations()
#1 /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php(165): OPNsense\AcmeClient\LeCertificate->issue()
#2 /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php(199): main()
#3 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php on line 634


and


2022-01-28T00:00:27 php[90929] AcmeClient: automation not supported: restart_gui (14c6af94-6e41-4424-bfe5-67948356ce71)
2022-01-28T00:00:27 php[90929] AcmeClient: running automations for certificate:
#9
21.7 Legacy Series / Reset ACME client fails
October 05, 2021, 08:29:26 PM
Hello,
I'm trying to reset ACME.
Unfortunately I get the following error after confirming the message 'Wipe all certificate and account data':

An API exception occured
/usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php:324: lastUpdate not an attribute of accounts.account.5d320db8-243d-48f8-8aa8-bcbc76f52484

and the data are still there.

Regards,
Atom
#10
Hello,

I have a problem with IPsec connections when I want to use more than one network remotely with the same local network in phase 2.

1. network
local: 192.168.100.0/24, remote: 10.0.0.0/24

works until I add a second network

2. network
local: 192.168.100.0/24, remote: 10.10.0.0/24

I got a 'received DELETE for ESP CHILD_SA' and then a 'closing CHILD_SA con'.

Regards,
atom
#11
I have a wish and a question.

Announcements: Would it be possible to also mention the GitHub number in the "Full patch notes", so that it is easier to find the changes?

Will there be separate documentation for 21.1, or has so little changed that the old one still applies?
#12
German - Deutsch / NAT Mapping
November 12, 2020, 12:33:15 PM
Hello,

I use WireGuard with its own network 10.10.10.0/24 and map it with 1:1 NAT to 192.168.1.0/24.
I would have expected that with the NATting, e.g. the IP 10.10.10.2 is translated to 192.168.1.2. Instead it is translated to 192.168.1.0.
Is that normal?

This is what the rule looks like:
Firewall: NAT: One-to-One
Interface: IPsec
Type: NAT
External Network: 192.168.1.0/24
Source: 10.10.10.0/24
Destination: 10.20.0.0/24

Best regards,
atom

#13
20.7 Legacy Series / pfsync multicast message
October 02, 2020, 05:34:31 PM
Hi,

I see deny messages for pfsync from the WAN address in the firewall log, even though pfsync is configured with IP addresses and not multicast (on both sides).

Regards,
atom
#14
Virtual private networks / IPsec questions
September 24, 2020, 12:28:49 PM
Hello,

I still have two questions of understanding:

1.) Why do I always get the following error messages in the IPsec log when using VTI? I do not get any messages on the remote site.

<snip>
Sep 24 11:59:34 opnsense charon[73787]: 09[KNL] <con1|20> querying policy 0.0.0.0/0 === 0.0.0.0.0/0 in failed, not found
Sep 24 11:59:34 opnsense charon [73787]: 09 [KNL] <con1|20> querying policy 0.0.0.0/0 === 0.0.0.0.0/0 out failed, not found
</snip>

2.) Why is it that when using Let's Encrypt and IPsec with PSK (without certificates)
    a) the file chain.pem is copied from the acme-cacerts directory to the ipsec-cacerts directory?
    b) this certificate is sent to the remote peer despite the use of PSK?

<snip>
Sep 24 11:59:37 opnsense charon[73787]: 10[IKE] <22> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
</snip>


Many greetings,
atom
#15
Hello,

I have configured a route-based tunnel to a Lancom.
If I now configure another policy-based tunnel to a different router, it is set up cleanly on the IPsec side, but in addition a route for that network via my default WAN gateway is entered, which can be seen with "netstat -rn". However, this behaviour only occurs when the local network is the LAN network. If I use a different local (VLAN) network, the behaviour does not occur.

Best regards,
atom
#16
German - Deutsch / Routing over 2 IPsec tunnels
July 07, 2020, 01:08:47 PM
I'm new to the OPNsense world and am currently a bit stuck.

The setup looks like this:

Router R1 <----IPsec tunnel---- > OPNsense R2 <---IPsec Tunnel ----> Lancom R3

I have several different routers R1 that have tunnels to R2. Between R2 and R3 there is a policy-based tunnel with several networks (phase 2).
Now users behind R3 should be able to access systems behind R1. But I only ever get from R1 to R2 or from R3 to R2.
Do I have to configure every combination of allowed connections in "Firewall: Rules: IPsec", or define static routes, or does this work completely differently?