Messages - dcol

#76
Virtual private networks / DPD settings
March 13, 2023, 11:14:00 PM
I have read many posts over the past week on this, with a lot of different answers. Some say use DPD, some say don't.
I noticed that when DPD is enabled, it is polled every 30 seconds in the VPN log.

Question
What is the optimal setting for DPD Delay, Retries, Action, and Keyingtries for a 24/7 tunnel?

One more thing to clarify: I am using the Windows 10 native client and IPsec IKEv2.

Thanks for looking.
#77
Quote from: franco on March 13, 2023, 09:22:42 PM
To stay fair I think "things that are done via GUI" are a good base for such a comparison. I'm sure both can do a lot more under the hood if you know how to make them do it.


Cheers,
Franco

Excellent point
#78
Quote from: franco on March 13, 2023, 08:50:32 PM
I don't want to interfere, but I have to comment on:

> 9. Access shell within WebGUI

This and other GUI pages to modify file system content or execute commands are a security nightmare. Any auth/privilege bypass will have your firewall wide open to full remote access.

In any case thanks for posting. :)

Cheers,
Franco

My ultimate wish list is #2, #4 and #8.
#79
Thanks for that BE info. I didn't know about that. I guess my post was useful after all.
#80
This list may be controversial, but I feel it is greatly needed. Personally I use both but prefer OPNsense.

pfSense has the following that OPNsense does not:
1. pfBlocker - easier setup of GeoIP rules; you can do something similar manually with OPN
2. Create a rule direct from Firewall Normal View log
3. Has more GUI Widgets
4. Move rule position by dragging
5. Auto Configuration Backup
6. More console widget options
7. Change Boot Environments - useful when downgrading a version - workaround mentioned below
8. States shown on Rules page - useful to see if rule was used
9. Access shell within WebGUI
10. Easier to get answers in the forum. More users.
11. More logs available

OPNsense has the following that pfSense does not:
1. Quicker upgrade implementations
2. Image files available online - not available with pfSense Plus
3. Monit
4. Enable logging from Rules page
5. Disable Auto-added VPN rules
6. Backup configuration to Google Drive
7. Restore configuration from Shell
8. More plugins Available
9. View Hidden rules in WebGUI
10. Better Advanced firewall log filter
11. Friendlier, but less likely to get results in the community forum
12. More dedicated to open source - there are signs that pfSense will end its free community edition someday

I am sure there are many other item-specific differences. I just mentioned the major ones obvious to me. Feel free to add to this list. I am hoping some of the items from the first list can eventually be added to OPN.
This list may help others decide which to use.
Thanks for looking.
#81
Virtual private networks / IPsec hidden rules
March 08, 2023, 10:19:13 PM
I just set up a new 23.1.2 OPNsense firewall and am trying to establish a remote IPsec VPN connection. I can connect fine, I'm just not getting any remote data from the client. I made sure all the IPsec rules were in place, but what bothers me is seeing all these automatic rules in the IPsec firewall rules. Below is what I have. Is this correct?
#82
I mention the Legacy plugin because many say it is better than ddclient, but I don't want to use it because, from what I read, it is going away eventually.

So then I guess it is a bug: it is not correctly parsing the success messages or generating any logs. But it does work as expected in updating the DNS. I just updated to 23.1.2, which has an updated ddclient and strongSwan, but the bugs remain.
#83
But isn't the Legacy plugin being deprecated?
It actually is updating the DNS; it's just that you wouldn't know it looking at OPNsense.
The other issue I have with ddclient is that it doesn't set the Proxy flag in Cloudflare. This could be a deal breaker in moving from pfSense, which properly supports Cloudflare Dynamic DNS.
#84
23.1 Legacy Series / Dynamic DNS working - sort of
March 06, 2023, 05:59:15 PM
I just installed a new OPNsense and updated to 23.1.1_2.
After setting up the interface and testing the internet, everything seems to be working.
The next step was to add my Dynamic DNS, so I installed the ddclient plugin and added my Cloudflare info.
It appears to update the DNS in Cloudflare OK, which is good, but the Current IP and Updated fields do not populate and there are no logs generated for the update event.

I have tried using both ddclient and OPNsense for the backend. I'm not really sure what this means.

Am I missing something, or is this a bug?
#85
I am now connected. The issue was that I had some virtual IPs configured, so the WAN IP was wrong. Once I removed all the virtual IPs and fixed the WAN address, all worked fine. Now I just need to figure out how to connect the LANs together.

Thanks to those that helped.
#86
I finally found the settings in /usr/local/etc/swanctl/swanctl.conf, and local_addrs is not correct. It shows an old WAN IP I do not even use anymore. I will try to track down where this is coming from.
#87
I read the release notes. strongswan.conf has very little info in it. There might be a bug here. The same VPN client configuration works fine in pfSense, and the algorithms and certificates match. My goal here is to migrate the last remaining pfSense firewall to OPNsense. The pfSense Plus box is running 23.01. I am running these VPN tests on a development firewall with its own WAN IP, intended to replace the pfSense box.

I don't think I should be seeing this in the VPN log:
2023-03-05T11:32:20-07:00   Informational   charon   13[IKE] <2> no IKE config found for <my serverIP>...<ClientIP>, sending NO_PROPOSAL_CHOSEN   
2023-03-05T11:32:20-07:00   Informational   charon   13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]

The release notes do state that the changes could lead to connectivity issues in ambiguous cases. If I post on GitHub, how would I explain this issue? My experience with them is that they require specific info.
#88
I also noticed I have no ipsec.conf or ipsec.secrets file in /usr/local/etc, just sample files. Is this correct?
#89
I opened the NetTrace.etl with Event Viewer and had a long list of unknown Event IDs.
I did get some information from the log in OPNsense that showed:

charon   06[IKE] <2> no IKE config found for <ServerIP>...<Client IP>, sending NO_PROPOSAL_CHOSEN
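The "no IKE config found for <local>...<remote>, sending NO_PROPOSAL_CHOSEN" line quoted in #87 and #89 is charon reporting that no connection in swanctl.conf has local_addrs/remote_addrs covering the address pair of the incoming IKE_SA_INIT, which is exactly what a stale local_addrs like the one found in #86 produces. The script below is an added example, not OPNsense or strongSwan code: it parses a constructed swanctl.conf fragment and constructed charon log lines (RFC 5737 documentation addresses), and reports which connections, if any, cover the local address the peer actually reached. The swanctl.conf grammar handled here is a deliberately small subset (section nesting, local_addrs as a comma-separated list of %any, plain IPs or CIDRs); anything else is an assumption of this example.

```python
"""Match charon 'no IKE config found' lines against swanctl.conf local_addrs.

Added example (not OPNsense or strongSwan code). Config text and log lines are
constructed for illustration; addresses come from RFC 5737 documentation ranges.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed swanctl.conf fragment, shaped like the file the posts describe:
# local_addrs still points at a WAN address the firewall no longer uses.
SWANCTL_CONF = """
connections {
    con1 {
        local_addrs = 203.0.113.5
        remote_addrs = %any
        version = 2
        children {
            con1-child {
                local_ts = 192.168.1.0/24
                remote_ts = 10.0.0.0/24
            }
        }
    }
}
"""

# Constructed log lines in the shape quoted in the posts (timestamps dropped).
LOG_LINES = [
    "charon 13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) "
    "N(NATD_S_IP) N(NATD_D_IP) V V V V ]",
    "charon 13[IKE] <2> no IKE config found for 203.0.113.77...198.51.100.9, "
    "sending NO_PROPOSAL_CHOSEN",
]

SECTION_RE = re.compile(r"^(\w[\w-]*)\s*\{$")           # "name {"
LOCAL_RE = re.compile(r"^local_addrs\s*=\s*(.+)$")      # "local_addrs = a, b"
NOCFG_RE = re.compile(
    r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN"
)


def parse_local_addrs(conf: str) -> dict:
    """Return {connection name: [local_addrs entries]} for connections.<name>.

    Only the subset of the swanctl.conf grammar used above is handled
    (assumption of this example): one section opener or one key per line.
    """
    stack, result = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = LOCAL_RE.match(line)
        # Only record local_addrs directly under connections.<name>, not
        # inside children or other nested sections.
        if m and len(stack) == 2 and stack[0] == "connections":
            result[stack[1]] = [e.strip() for e in m.group(1).split(",")]
    return result


def addr_matches(entry: str, addr: str) -> bool:
    """True if a local_addrs entry (%any, IP or CIDR) covers addr."""
    if entry in ("%any", "%any4", "%any6"):
        return True
    try:
        if "/" in entry:
            return ip_address(addr) in ip_network(entry, strict=False)
        return ip_address(entry) == ip_address(addr)
    except ValueError:
        return False          # hostnames are not resolved offline


def diagnose(conf: str, log_lines: list) -> list:
    """For each 'no IKE config found' line, list connections whose local_addrs
    cover the local address the peer hit, and those that do not (stale)."""
    addrs = parse_local_addrs(conf)
    findings = []
    for line in log_lines:
        m = NOCFG_RE.search(line)
        if not m:
            continue
        local, remote = (m.group(1).split("[")[0], m.group(2).split("[")[0])
        covering = [n for n, ents in addrs.items()
                    if any(addr_matches(e, local) for e in ents)]
        stale = {n: ents for n, ents in addrs.items() if n not in covering}
        findings.append({"local": local, "remote": remote,
                         "covering": covering, "stale": stale})
    return findings


if __name__ == "__main__":
    for f in diagnose(SWANCTL_CONF, LOG_LINES):
        print(f"peer {f['remote']} reached local {f['local']}: covered by "
              f"{f['covering'] or 'no connection'}; stale local_addrs: {f['stale']}")
```

Run against the constructed input, the only finding shows con1 covering nothing because its local_addrs is 203.0.113.5 while the peer reached 203.0.113.77; once local_addrs is corrected to the real WAN address (or widened to %any), the same log line is reported as covered by con1. The check is read-only and can be run on a copy of /usr/local/etc/swanctl/swanctl.conf together with lines pulled from the IPsec log.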
#90
I did just update to 23.1.1_2 from 22.7.11.
I did notice the new Connections page in VPN. That is nice.
I still just get a Policy match error.