OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: alh on April 30, 2021, 07:08:26 pm

Title: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on April 30, 2021, 07:08:26 pm
After upgrading to 21.5 the gateway setup on the IPsec interface as described in this manual

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html

does not work anymore. The error message is:

Code:
Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

However, I have access to the remote network and all, but I do need the gateway for the static route, no?

Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: mimugmail on April 30, 2021, 07:54:00 pm
Screenshots of P1 and P2 please
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on April 30, 2021, 10:38:55 pm
Here you go, if I understood correctly Phase 1
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on April 30, 2021, 10:39:17 pm
Phase 2
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on April 30, 2021, 10:40:45 pm
And the error message.
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: mimugmail on May 01, 2021, 06:46:00 am
P1 use start immediate and check if the Tunnel comes up in general
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on May 01, 2021, 11:12:38 am
The tunnel comes up fine and I can ping the virtual machines on Azure. In the route I find the linked gateway and the gateway itself a bit strange...
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: mimugmail on May 01, 2021, 12:42:04 pm
So does it work or not? Confused  :o
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on May 01, 2021, 01:10:55 pm
It does somehow work (did not dare to reboot) but why is my gateway "defunct" and why can I not add an IP address to it anymore?
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on May 06, 2021, 08:42:11 pm
I have the same issue with routed IPsec between two OPNsense firewalls:

If I want to add an IP to the gateway for the IPsec interface I get only:

The following input errors were detected:

    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

If I leave the IP empty the Gateway is defunct.

How can I add a Gateway for routed ipsec?



Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: mimugmail on May 06, 2021, 09:43:11 pm
Screenshots please.
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on May 07, 2021, 12:36:45 am
I can not add the Gateway.

See step 5 from https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html#step-5-define-gateways

Is it possibly only a problem in the GUI? Can I add a gateway in the shell with a command?
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: mimugmail on May 07, 2021, 04:27:51 pm
Screenshot of P1 and P2 please
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on May 07, 2021, 04:35:43 pm
solved by:
opnsense-revert -r 21.1 strongswan
opnsense-revert -r 21.1 opnsense   :(

Now I can add the gateway with ip again.  :)
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: mimugmail on May 07, 2021, 05:07:08 pm
It would help more to test reverting only opnsense and not strongswan, and then go back version by version to see which one is affecting it. Then the devs can find the commit and fix the error.
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on May 10, 2021, 02:34:40 pm
The latest working version is
opnsense-revert -r 21.1.5 strongswan
opnsense-revert -r 21.1.2 opnsense

The error with the gateway comes with
opnsense-revert -r 21.1.3 opnsense

Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on May 30, 2021, 11:10:00 pm
The error

The following input errors were detected:

    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

is not fixed in 21.1.6. I reverted to 21.1.2 again:

opnsense-revert -r 21.1.2 opnsense

Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on June 18, 2021, 10:33:36 am
How about 21.1.7?
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: franco on June 18, 2021, 11:52:24 am
To be frank, ifconfig output on the relevant IPsec interface with the broken and working state would be a start...


Cheers,
Franco
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on July 24, 2021, 01:17:39 pm
The same problem also occurs with the current version 21.1.8_1:

The following input errors were detected:
    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.


21.1.8_1 (error)
Code:
#ifconfig
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 116.***.***.*** --> 195.***.***.***
        inet6 fe80::250:56ff:fe00:2340%ipsec1 prefixlen 64 scopeid 0x8
        groups: ipsec
        reqid: 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

21.1.2 (ok)
Code:
#ifconfig
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 116.***.***.*** --> 195.***.***.***
        inet6 fe80::250:56ff:fe00:2340%ipsec1 prefixlen 64 scopeid 0x8
        inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff
        groups: ipsec
        reqid: 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

The line inet is missing for:
Local Address    10.36.238.100
Remote Address    10.36.238.1

In the log there is an error:
2021-07-24T11:27:14   opnsense[58776]   /usr/local/etc/rc.routing_configure: The gw1 IPv4 gateway address is invalid, skipping.

gw1 is the far gateway to Remote Address    10.36.238.1

And now a revert is not working anymore:
Code:
# opnsense-revert -r 21.1.2 opnsense
Fetching opnsense.txz: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20210104... done
opnsense-21.1.8_1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: opnsense has a missing dependency: bsdinstaller
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        opnsense: 21.1.2

Number of packages to be installed: 1

The process will require 22 MiB more space.
[1/1] Installing opnsense-21.1.2...
Extracting opnsense-21.1.2: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=93561).
>>> Invoking update script 'refresh'
Keep version OPNsense\Monit\Monit (1.0.9)
Keep version OPNsense\Firewall\Alias (1.0.0)
Keep version OPNsense\Firewall\Category (1.0.0)
Keep version OPNsense\OpenVPN\Export (0.0.1)
Keep version OPNsense\CaptivePortal\CaptivePortal (1.0.0)
Keep version OPNsense\Core\Firmware (1.0.0)

Fatal error: Uncaught Error: Class 'Phalcon\Validation\Validator' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php:41
Stack trace:
#0 [internal function]: unknown()
#1 [internal function]: Phalcon\Loader->autoLoad('OPNsense\\Base\\V...')
#2 [internal function]: spl_autoload_call('OPNsense\\Base\\V...')
#3 /usr/local/opnsense/mvc/script/run_migrations.php(50): ReflectionClass->__construct('OPNsense\\Base\\V...')
#4 {main}
  thrown in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php on line 41
Writing firmware setting...done.
Writing trust files...done.
Configuring login behaviour...done.
Configuring system logging...done.
=====
Message from opnsense-21.1.2:


--
What are you looking at?

The web GUI is empty.

I restored the backup of the OPNsense VM.

The console now shows the IP for ipsec1:

*** fw*******: OPNsense 21.1.2 (amd64/OpenSSL) ***

 LAN (vtnet1)    -> v4: 10.36.100.1/24
 WAN (vtnet0)    -> v4: 116.***.***.***/26
 ipsec (ipsec1) -> v4: 10.36.238.100/32
...

This was missing on 21.1.8
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on August 24, 2021, 06:35:58 pm
Hi,
Does anyone have any idea why the line
Code:
inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff
is missing in ifconfig?
Best Regards,
fog
 
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: fog on August 28, 2021, 11:11:09 am
Hi,
The same problem occurs with the current version 21.7.1.
I located the error in System: Log Files: General
Code:
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'
I modified the Local Address and get an error if the last digit is >32:
Code:
opnsense[74322] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.33/-1' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.33/-1: bad value (width invalid)'
opnsense[80630] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.34/-2' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.34/-2: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.40/-8' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.40/-8: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.50/-18' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.50/-18: bad value (width invalid)'
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.2.100/-68' '10.36.2.1'' returned exit code '1', the output was 'ifconfig: 10.36.2.100/-68: bad value (width invalid)'
opnsense[68843] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.99/-67' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.99/-67: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.254/-222' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.254/-222: bad value (width invalid)'
Now I use 10.36.238.2 instead of 10.36.238.100 and no error occurs.
And the IP is now also shown for the ipsec interface in the dashboard.

There must be a bug in vpn_ipsec.php which adds a negative subnet to the IP.
Regards,
fog
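
Added example (not part of any post, and not OPNsense code): a Python check that parses the `vpn_ipsec.php` log lines quoted above and classifies the inner tunnel address in `ifconfig` output. In every quoted line the rejected width equals 32 minus the last octet of the local address; the function names are assumptions, and the sample strings are taken from the posts above.

```python
import ipaddress
import re

# Sample inputs taken from the posts above (three of the quoted log lines, and the 21.1.2 ifconfig state).
SAMPLE_LOG = """\
opnsense[74322] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.33/-1' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.33/-1: bad value (width invalid)'
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.254/-222' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.254/-222: bad value (width invalid)'
"""
SAMPLE_IFCONFIG_OK = """\
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff
"""

CMD_RE = re.compile(r"/sbin/ifconfig '([^']+)' 'inet' '([^'/]+)/(-?\d+)' '([^']+)'' returned exit code '(\d+)'")
INET_RE = re.compile(r"^\s+inet (\S+) --> (\S+) netmask (0x[0-9a-f]{8})", re.M)

def parse_failures(log_text):
    """Return one record per failed ifconfig call logged by vpn_ipsec.php."""
    records = []
    for ifname, local, width, remote, rc in CMD_RE.findall(log_text):
        if rc == "0":
            continue
        last_octet = int(ipaddress.IPv4Address(local)) & 0xFF
        records.append({
            "ifname": ifname, "local": local, "remote": remote,
            "width": int(width),
            "width_valid": 0 <= int(width) <= 32,
            # Relation visible in every quoted line: width == 32 - last octet.
            "matches_pattern": int(width) == 32 - last_octet,
        })
    return records

def tunnel_address_state(ifconfig_text, local, remote):
    """Classify the inner address: 'ok', 'wrong-mask', 'wrong-address' or 'missing'."""
    m = INET_RE.search(ifconfig_text)
    if m is None:
        return "missing"
    if (m.group(1), m.group(2)) != (local, remote):
        return "wrong-address"
    return "ok" if int(m.group(3), 16) == 0xFFFFFFFF else "wrong-mask"

if __name__ == "__main__":
    for rec in parse_failures(SAMPLE_LOG):
        print(rec)
    print(tunnel_address_state(SAMPLE_IFCONFIG_OK, "10.36.238.100", "10.36.238.1"))
```

If the same relation holds for a last octet of 32 or less, the width would be non-negative and no error would be logged, so comparing the live netmask against the `0xffffffff` seen on 21.1.2 (the `wrong-mask` state) is the check that would reveal it.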
Title: Re: Gateway not working anymore in routed IPsec (Azure)
Post by: alh on August 28, 2021, 10:48:37 pm
Wow, thanks a lot for your persistence in this matter. I hope they fix it soon!