OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: lagus on January 29, 2019, 08:59:09 am

Title: Route Error with several VPN's
Post by: lagus on January 29, 2019, 08:59:09 am
Hello,

I'm trying to switch 100% from another BSD firewall to this one.
Unfortunately, strange behaviours on the routing side prevent me from fully embracing this one.
I can't (with my limited knowledge) say if this is a bug (I believe it is) or if this is just me and it's user error.

So, to set out the scenario:
OPNsense running in a VM on an ESXi host.
Interfaces currently configured:
https://ibb.co/6gVBMQc


IOT net = IOT devices
PIASE = PrivateInternetAccess OpenVPN
All internal traffic is running on LAN.

I change the gateway with FW rules to route some LAN/IOT traffic out via the ISP or through my VPN provider (PIASE).

I have been trying to connect my FW to another one over IPsec. I manage to get the tunnel up and "running",
but I am unable to get any traffic through it (e.g. ping the GW's local IP on the other side).
When I'm checking the routes under System > Routes > Status and looking at the local subnet on the other side:
https://ibb.co/6HjNzNJ
it displays the PIA GW, not the IPsec gateway?

To add to the mystery, I also have trouble creating a Let's Encrypt SSL certificate due to this error message:

Code:
[Tue Jan 29 09:43:19 EET 2019] checking
[Tue Jan 29 09:43:20 EET 2019] GET
[Tue Jan 29 09:43:20 EET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/a_TNDvMX4Rzj5vEgCS2HzwUEDSY2uB-i-REDACTED/11997528332'
[Tue Jan 29 09:43:20 EET 2019] timeout=
[Tue Jan 29 09:43:20 EET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 09:43:21 EET 2019] ret='0'
[Tue Jan 29 09:43:21 EET 2019] REDACTED.net:Verify error:Fetching http://REDACTED.net/.well-known/acme-challenge/J5Bc_vqoO5guim5ZGITwk3aRTCdHp0_REDACTED: Timeout during connect (likely firewall problem)
(HA Validation method)

I'm starting to suspect that this is because the FW uses the PIASE interface and asks for returning connections on the validation method. Can this be true? I cannot see any blocked connection requests in the FW log.
I have checked the WAN rules over and over again to allow incoming connections on ports 443 & 80:
https://ibb.co/z5HMcR5

A traceroute shows:
Code:
traceroute acme-v01.api.letsencrypt.org
traceroute to e14990.dscx.akamaiedge.net (2.19.125.202), 64 hops max, 40 byte packets
 1  10.16.11.1 (10.16.11.1)  40.593 ms  42.192 ms  45.477 ms
 2  vl-404.pe1.sto1.se.portlane.net (46.246.29.129)  44.590 ms  28.450 ms  27.204 ms
 3  be-4.cr1.sto1.se.portlane.net (80.67.4.192)  29.515 ms  16.969 ms  16.341 ms
 4  netnod-ix-ge-a-sth-1500.akamai.com (194.68.123.170)  19.279 ms  37.166 ms  19.617 ms

I will also add another OpenVPN server to connect to another site... But that's currently on hold a bit, as I'm afraid it will complicate troubleshooting even more.

So am I wrong in thinking that there's something strange with the way OPNsense creates routes?
Or is it just me again?

EDIT: Changed images to URLs.
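The route check the post describes (looking up which gateway a destination resolves to under System > Routes > Status) can be reproduced from the command line, and the script below does the same longest-prefix lookup offline. It is an added example, not code from the post or from OPNsense: it parses a constructed FreeBSD `netstat -rn` table whose interface names (vmx0 as WAN, vmx1 as LAN, ovpnc1 as the OpenVPN client tunnel), the 198.51.100.0/24 WAN addressing and the 192.168.50.0/24 "remote IPsec" subnet are all assumptions; the only values borrowed from the post are the 10.16.11.1 first hop and the 2.19.125.202 ACME edge address seen in the traceroute. It reports, for each destination, the gateway and interface the kernel table would use and flags anything that would leave through a tunnel interface.

```python
"""Longest-prefix lookup over FreeBSD `netstat -rn` output.

Added example (not from the forum post or OPNsense): parse a routing table,
resolve destinations the way the kernel does (most specific prefix wins), and
flag destinations that would egress through a VPN tunnel interface.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


# Constructed sample in the shape of FreeBSD `netstat -rn` (IPv4 section).
# Hypothetical layout: vmx0 = WAN (198.51.100.0/24, TEST-NET-2), vmx1 = LAN,
# ovpnc1 = OpenVPN client tunnel whose peer 10.16.11.1 is the default route.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.16.11.1         UGS      ovpnc1
10.16.11.0/24      link#8             U        ovpnc1
10.16.11.2         link#8             UHS         lo0
127.0.0.1          link#3             UH          lo0
198.51.100.0/24    link#1             U          vmx0
198.51.100.10      link#1             UHS         lo0
192.168.1.0/24     link#2             U          vmx1
192.168.1.1        link#2             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#3             UH          lo0
"""


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the IPv4 ('Internet:') section of `netstat -rn` output."""
    routes: List[Route] = []
    in_inet = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Internet:":
            in_inet = True
            continue
        if not in_inet:
            continue
        if not line:                      # blank line closes the section
            break
        if line.startswith("Destination"):
            continue                      # column header
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gateway, flags, netif = fields[:4]
        if dest == "default":
            prefix = ipaddress.IPv4Network("0.0.0.0/0")
        elif "/" in dest:
            prefix = ipaddress.IPv4Network(dest, strict=False)
        else:
            prefix = ipaddress.IPv4Network(dest + "/32")   # host route
        routes.append(Route(prefix, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def check_egress(routes: List[Route], destinations: List[str],
                 tunnel_ifaces: Set[str]) -> Dict[str, Tuple[Optional[str], Optional[str], bool]]:
    """Map each destination to (netif, gateway, leaves_via_tunnel)."""
    report = {}
    for dst in destinations:
        r = lookup(routes, dst)
        if r is None:
            report[dst] = (None, None, False)
        else:
            report[dst] = (r.netif, r.gateway, r.netif in tunnel_ifaces)
    return report


if __name__ == "__main__":
    table = parse_netstat_rn(SAMPLE_NETSTAT)
    # ACME edge from the traceroute, a host in the assumed remote IPsec subnet,
    # and a LAN host, checked against the assumed tunnel interface ovpnc1.
    targets = ["2.19.125.202", "192.168.50.1", "192.168.1.20"]
    for dst, (netif, gw, via_tunnel) in check_egress(table, targets, {"ovpnc1"}).items():
        tag = "VIA TUNNEL" if via_tunnel else "ok"
        print(f"{dst:16} -> {netif} gw {gw} [{tag}]")
```

On the firewall itself, `netstat -rn -f inet` gives the real table to feed this, and `route -n get 2.19.125.202` gives the kernel's own answer for one destination; the two should agree. The script models only the kernel routing table: pf `route-to` policy rules and IPsec security policies are applied separately and can send a packet elsewhere, so a destination that resolves to the WAN here can still leave through a tunnel if a firewall rule with a non-default gateway matches it, which is the first thing to rule out when a remote subnet shows up under the wrong gateway.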