1
Tutorials and FAQs / Re: HOWTO - Routing Opnsense traffic over SurfsharkVPN
« on: March 29, 2024, 01:32:23 pm »
thank yhou . this is awesome! got me up and running
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
General Discussion / Re: Slow Netflix on Nvidia Shield
« on: December 21, 2022, 02:59:01 am »Hello everybody,
when I Route my traffic through my OPNsense, Netflix on my Shield turns barely useable.
I checked it via Speedtest to fast.com and the traffic graph in the gui.
Im using IDPS, Squid and a VPN connection, however even when I deactivate everything its still slow.
Besides the Speedtest via the Netflix app fails and just shows 0, withouth OPNsense it works flawlessly.
Is it possible that im missing some NAT/Outbound rule anywhere?
Thank you in advance.
Regards
did you ever find a solution for this. I'm experiencing the same thing. sometimes the title loads and some times it doesnt.
3
21.1 Legacy Series / IPV6 vLAN - Untagged gets all the vLAN IPv6
« on: February 28, 2021, 09:51:43 pm »
Anyone having this problem.
all my vlan are getting their 'track interface" ipv6 correctly ONLY single IPv6.
How ever Untagged vLAN (my main vlan for every esxi, vsphere, vmware, computers, home computers) all get the same all the IPv6 tagged IPv6s.
So if I sign into using my Wireless access point i get 1 x IPV6.
So if I sign into my wireless untagged I get 10+ IPv6 as many as my vlans.
Anyone has a solution to fix this?
@franco
all my vlan are getting their 'track interface" ipv6 correctly ONLY single IPv6.
How ever Untagged vLAN (my main vlan for every esxi, vsphere, vmware, computers, home computers) all get the same all the IPv6 tagged IPv6s.
So if I sign into using my Wireless access point i get 1 x IPV6.
So if I sign into my wireless untagged I get 10+ IPv6 as many as my vlans.
Anyone has a solution to fix this?
@franco
4
20.7 Legacy Series / Re: Zerotier stops intermittend (unstable) (20.1.7)
« on: June 04, 2020, 05:29:17 am »
I had this issue. This is what I add to help
VPN > Zerotier > Settings
{
"physical": {
"192.168.165.1/24": { "blacklist": true },
"10.0.0.0/16": { "blacklist": true },
"172.168.0.0/12": { "blacklist": true }
},
"settings": {
"primaryPort": 9993,
"portMappingEnabled": false,
"allowSecondaryPort": false,
"allowTcpFallbackRelay": false
}
}
VPN > Zerotier > Settings
{
"physical": {
"192.168.165.1/24": { "blacklist": true },
"10.0.0.0/16": { "blacklist": true },
"172.168.0.0/12": { "blacklist": true }
},
"settings": {
"primaryPort": 9993,
"portMappingEnabled": false,
"allowSecondaryPort": false,
"allowTcpFallbackRelay": false
}
}
5
20.7 Legacy Series / ZeroTier & OSPF
« on: May 26, 2020, 07:03:32 am »
I'm trying to learn how to setup OSPF through ZeroTier.
I'm having issues distributing routes in OSPF.
Can Someone see anything odd about this?
1.) I removed all Managed Routes on ZeroTier
2.) Plugin Installed in OPNSense FRR
3.) Routing > General > Checked Enable
4.) OSPF > Check enable
- Passive - All interface Except ZeroTier Interface
5.) Networks -> Added all networks route over ZeroTier Including ZeroTier Interface
6.) NO WORK
Anyone have a clue what I need to do? no routing table are showing up.
I'm having issues distributing routes in OSPF.
Can Someone see anything odd about this?
1.) I removed all Managed Routes on ZeroTier
2.) Plugin Installed in OPNSense FRR
3.) Routing > General > Checked Enable
4.) OSPF > Check enable
- Passive - All interface Except ZeroTier Interface
5.) Networks -> Added all networks route over ZeroTier Including ZeroTier Interface
6.) NO WORK
Anyone have a clue what I need to do? no routing table are showing up.
6
20.1 Legacy Series / Re: Update to 20.1.7 killed zerotier interface
« on: May 22, 2020, 07:05:15 am »
I'm having the same issues too
sometimes it pings sometimes it doesnt.
My connection was solid before the upgrade.
sometimes it pings sometimes it doesnt.
My connection was solid before the upgrade.
7
20.7 Legacy Series / OPNSense + WAN LTE
« on: May 21, 2020, 11:19:25 pm »
I'm working on setting up a OPNSense for RV customers.
Since they use serveral LTE devices for reliability. When you move from one area to another area you get new ip address.
WAN seem to stick on one ip addres from another city.
How can you set it so WAN renew ip of gateway pings dies?
Overview:
4 VMS
- OPNSense
- Domain Control DHCP, DNS
- 1 File Server
- Windows 10 backup
all of these are tied back using ZeroTier.
I need to find a way so that if DHCP Gateway dies. The wan try to renew/release ip address to get new ip from one location to the new location.
Since they use serveral LTE devices for reliability. When you move from one area to another area you get new ip address.
WAN seem to stick on one ip addres from another city.
How can you set it so WAN renew ip of gateway pings dies?
Overview:
4 VMS
- OPNSense
- Domain Control DHCP, DNS
- 1 File Server
- Windows 10 backup
all of these are tied back using ZeroTier.
I need to find a way so that if DHCP Gateway dies. The wan try to renew/release ip address to get new ip from one location to the new location.
8
20.7 Legacy Series / 2 OPNSense Box Zero Tier
« on: May 21, 2020, 09:08:49 am »
I've been trying to get 2 OPNSense Zero Tier working. Anyone try it?
OPNSense1
- ZeroTier Package Installed
Configured with IP 172.24.204.2
- Interface Assigned
OPNSense2
- ZeroTier Package Installed
Configured with IP 172.24.204.2
- Interface Assigned
From OPNSense GUI I can ping each other OPNSense
BUT from
OPNSense LAN 192.168.X I cannot ping 172.24.204.2
I open all firewall
OPNSense1
- ZeroTier Package Installed
Configured with IP 172.24.204.2
- Interface Assigned
OPNSense2
- ZeroTier Package Installed
Configured with IP 172.24.204.2
- Interface Assigned
From OPNSense GUI I can ping each other OPNSense
BUT from
OPNSense LAN 192.168.X I cannot ping 172.24.204.2
I open all firewall
9
20.1 Legacy Series / IPSec PRoblems after upgrade
« on: April 25, 2020, 03:20:02 am »
I upgraded to version OPNsense 20.1.5-amd64 today and now ipsec are getting these errors.
There are 4 site to site. 1 works and the other 3 doesnt work.
the 3 that doesnt work show this error below.
2020-04-24T18:16:51 charon: 01[CFG] ignoring acquire, connection attempt pending
2020-04-24T18:16:51 charon: 01[KNL] creating acquire job for policy 96.85.x.x.x/32 === 173.16x.x.x.x.x/32 with reqid {3}
2020-04-24T18:16:46 charon: 01[NET] <con3|2> sending packet: from 96.85.xx.x.x[4500] to 173.160.xx.xx[4500] (1052 bytes)
2020-04-24T18:16:46 charon: 01[IKE] <con3|2> retransmit 4 of request with message ID 1
2020-04-24T18:16:45 charon: 01[CFG] ignoring acquire, connection attempt pending
2020-04-24T18:16:45 charon: 05[KNL] creating acquire job for policy 96.85.xx.xx3/32 === 173.16x.x.x.x/32 with reqid {3}
2020-04-24T18:16:42 charon: 05[CFG] ignoring acquire, connection attempt pending
2020-04-24T18:16:42 charon: 05[KNL] creating acquire job for policy 96.85xx.x.x32 === 173.160.1xx.x.x/32 with reqid {3}
There are 4 site to site. 1 works and the other 3 doesnt work.
the 3 that doesnt work show this error below.
2020-04-24T18:16:51 charon: 01[CFG] ignoring acquire, connection attempt pending
2020-04-24T18:16:51 charon: 01[KNL] creating acquire job for policy 96.85.x.x.x/32 === 173.16x.x.x.x.x/32 with reqid {3}
2020-04-24T18:16:46 charon: 01[NET] <con3|2> sending packet: from 96.85.xx.x.x[4500] to 173.160.xx.xx[4500] (1052 bytes)
2020-04-24T18:16:46 charon: 01[IKE] <con3|2> retransmit 4 of request with message ID 1
2020-04-24T18:16:45 charon: 01[CFG] ignoring acquire, connection attempt pending
2020-04-24T18:16:45 charon: 05[KNL] creating acquire job for policy 96.85.xx.xx3/32 === 173.16x.x.x.x/32 with reqid {3}
2020-04-24T18:16:42 charon: 05[CFG] ignoring acquire, connection attempt pending
2020-04-24T18:16:42 charon: 05[KNL] creating acquire job for policy 96.85xx.x.x32 === 173.160.1xx.x.x/32 with reqid {3}
10
20.1 Legacy Series / ipv6 on LAN
« on: February 02, 2020, 01:20:55 pm »
I have WAN & LAN IPv6 set to none. Some how all my internal client getting ipv6 . Tested to see if its routable by going to ipv6 website. Its not routable. How do I stop OPNSense from giving internal networks public ipv6 address?
11
19.7 Legacy Series / NTOPNG - Questions
« on: October 04, 2019, 03:41:15 pm »
Finally I got the time to fiddle around with NTOPNG. I'm loving it!
A few question I would like to ask.
1.) Where do you set how long the data is retention in NTOP?
2.) Can someone recommend settings for NTOPNG?
A few question I would like to ask.
1.) Where do you set how long the data is retention in NTOP?
2.) Can someone recommend settings for NTOPNG?
12
19.7 Legacy Series / Reset System > Access
« on: August 10, 2019, 05:05:24 pm »
Franco,
Is there a way to reset System > Access
I added Root to a couple of groups and now it wont let me remove it.
Also log on as root I cannot install plugin too. Anyway we can reset the System > Access without reseting everything else?
Is there a way to reset System > Access
I added Root to a couple of groups and now it wont let me remove it.
Also log on as root I cannot install plugin too. Anyway we can reset the System > Access without reseting everything else?
13
19.7 Legacy Series / Re: IPSec - Issues
« on: July 19, 2019, 05:49:55 am »
I'm so stumpped.
Here's the log.
Logs Right after Reboot:
##############################################
Jul 18 20:46:12 charon: 07[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:12 charon: 07[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:12 charon: 07[ENC] <con1|3> parsed CREATE_CHILD_SA response 4 [ N(NO_PROP) ]
Jul 18 20:46:12 charon: 07[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:11 charon: 07[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:11 charon: 07[ENC] <con1|3> generating CREATE_CHILD_SA request 4 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:11 charon: 07[IKE] <con1|3> establishing CHILD_SA con1{14} reqid 1
Jul 18 20:46:11 charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:10 charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:10 charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:10 charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:10 charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:10 charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:10 charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:10 charon: 09[IKE] <con2|4> establishing CHILD_SA con2{13} reqid 2
Jul 18 20:46:10 charon: 07[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:09 charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09 charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09 charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
Jul 18 20:46:09 charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:09 charon: 11[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:09 charon: 11[ENC] <con1|3> generating CREATE_CHILD_SA request 3 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:09 charon: 11[IKE] <con1|3> establishing CHILD_SA con1{12} reqid 1
Jul 18 20:46:09 charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:09 charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09 charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09 charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 1 [ N(NO_PROP) ]
Jul 18 20:46:09 charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:08 charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:08 charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 1 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:08 charon: 09[IKE] <con2|4> establishing CHILD_SA con2{11} reqid 2
Jul 18 20:46:08 charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:06 charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:06 charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:06 charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:06 charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:06 charon: 09[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:06 charon: 09[ENC] <con1|3> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:06 charon: 09[IKE] <con1|3> establishing CHILD_SA con1{10} reqid 1
Jul 18 20:46:06 charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:05 charon: 11[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:05 charon: 11[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:05 charon: 11[ENC] <con2|4> parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Jul 18 20:46:05 charon: 11[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:05 charon: 11[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:05 charon: 11[ENC] <con2|4> generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:05 charon: 11[IKE] <con2|4> establishing CHILD_SA con2{9} reqid 2
Jul 18 20:46:05 charon: 08[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:05 charon: 08[IKE] <con2|2> IKE_SA deleted
Jul 18 20:46:05 charon: 08[ENC] <con2|2> parsed INFORMATIONAL response 3 [ ]
##############################################
Logs After Clicking Save - VPN -> IPSEC > Tunnel Settings:
ABSOLUTELY NO CHANGES AT ALL. JUST CLICK SAVE and it works.
##############################################
Jul 18 20:47:45 charon: 10[IKE] <con2|4> CHILD_SA con2{143} established with SPIs ceb2477e_i c9db3f63_o and TS 10.0.0.0/22 === 10.0.52.0/24
Jul 18 20:47:45 charon: 10[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45 charon: 10[ENC] <con2|4> parsed CREATE_CHILD_SA response 61 [ SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45 charon: 10[NET] <con2|4> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (828 bytes)
Jul 18 20:47:45 charon: 10[ENC] <con2|4> generating CREATE_CHILD_SA request 61 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[IKE] <con2|4> establishing CHILD_SA con2{143} reqid 4
Jul 18 20:47:45 charon: 09[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {4}
Jul 18 20:47:45 charon: 10[IKE] <con1|3> CHILD_SA con1{142} established with SPIs c3bd7173_i c9b412f6_o and TS 10.0.0.0/22 === 10.0.55.0/24
Jul 18 20:47:45 charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 68 [ SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45 charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (844 bytes)
Jul 18 20:47:45 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 68 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[IKE] <con1|3> establishing CHILD_SA con1{142} reqid 3
Jul 18 20:47:45 charon: 10[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {3}
Jul 18 20:47:45 charon: 10[CFG] received stroke: route 'con2'
Jul 18 20:47:45 charon: 09[CFG] added configuration 'con2'
Jul 18 20:47:45 charon: 09[CFG] received stroke: add connection 'con2'
Jul 18 20:47:45 charon: 10[CFG] received stroke: route 'con1'
Jul 18 20:47:45 charon: 13[CFG] added configuration 'con1'
Jul 18 20:47:45 charon: 13[CFG] received stroke: add connection 'con1'
Jul 18 20:47:45 charon: 06[CFG] deleted connection 'con2'
Jul 18 20:47:45 charon: 06[CFG] received stroke: delete connection 'con2'
Jul 18 20:47:45 charon: 10[CFG] received stroke: unroute 'con2'
Jul 18 20:47:45 charon: 12[CFG] deleted connection 'con1'
Jul 18 20:47:45 charon: 12[CFG] received stroke: delete connection 'con1'
Jul 18 20:47:45 charon: 10[CFG] received stroke: unroute 'con1'
Jul 18 20:47:45 charon: 06[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Jul 18 20:47:45 charon: 06[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 18 20:47:45 charon: 06[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 18 20:47:45 charon: 06[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 18 20:47:45 charon: 06[CFG] loaded ca certificate "C=US, ST=WA, L=Olympia, O=IH Gateway, OU=InVinHost, CN=OPNSenseCA, E=" from '/usr/local/etc/ipsec.d/cacerts/cca9ae1f.0.crt'
Jul 18 20:47:45 charon: 06[CFG] loaded ca certificate "C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, N=VPN, E=VPN" from '/usr/local/etc/ipsec.d/cacerts/a72f8721.0.crt'
Jul 18 20:47:45 charon: 06[CFG] loaded ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA" from '/usr/local/etc/ipsec.d/cacerts/38ce789e.0.crt'
Jul 18 20:47:45 charon: 06[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 18 20:47:45 charon: 06[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
Jul 18 20:47:45 charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45 charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45 charon: 06[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 18 20:47:45 charon: 06[CFG] rereading secrets
Jul 18 20:47:44 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:47:44 charon: 10[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:47:44 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 67 [ N(NO_PROP) ]
Jul 18 20:47:44 charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:47:44 charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (364 bytes)
Jul 18 20:47:44 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 67 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:44 charon: 10[IKE] <con1|3> establishing CHILD_SA con1{139} reqid 1
Jul 18 20:47:44 charon: 15[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {1}
Jul 18 20:47:44 charon: 15[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
##############################################
Here's the log.
Logs Right after Reboot:
##############################################
Jul 18 20:46:12 charon: 07[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:12 charon: 07[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:12 charon: 07[ENC] <con1|3> parsed CREATE_CHILD_SA response 4 [ N(NO_PROP) ]
Jul 18 20:46:12 charon: 07[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:11 charon: 07[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:11 charon: 07[ENC] <con1|3> generating CREATE_CHILD_SA request 4 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:11 charon: 07[IKE] <con1|3> establishing CHILD_SA con1{14} reqid 1
Jul 18 20:46:11 charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:10 charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:10 charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:10 charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:10 charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:10 charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:10 charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:10 charon: 09[IKE] <con2|4> establishing CHILD_SA con2{13} reqid 2
Jul 18 20:46:10 charon: 07[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:09 charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09 charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09 charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
Jul 18 20:46:09 charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:09 charon: 11[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:09 charon: 11[ENC] <con1|3> generating CREATE_CHILD_SA request 3 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:09 charon: 11[IKE] <con1|3> establishing CHILD_SA con1{12} reqid 1
Jul 18 20:46:09 charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:09 charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09 charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09 charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 1 [ N(NO_PROP) ]
Jul 18 20:46:09 charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:08 charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:08 charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 1 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:08 charon: 09[IKE] <con2|4> establishing CHILD_SA con2{11} reqid 2
Jul 18 20:46:08 charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:06 charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:06 charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:06 charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:06 charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:06 charon: 09[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:06 charon: 09[ENC] <con1|3> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:06 charon: 09[IKE] <con1|3> establishing CHILD_SA con1{10} reqid 1
Jul 18 20:46:06 charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:05 charon: 11[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:05 charon: 11[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:05 charon: 11[ENC] <con2|4> parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Jul 18 20:46:05 charon: 11[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:05 charon: 11[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:05 charon: 11[ENC] <con2|4> generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:05 charon: 11[IKE] <con2|4> establishing CHILD_SA con2{9} reqid 2
Jul 18 20:46:05 charon: 08[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:05 charon: 08[IKE] <con2|2> IKE_SA deleted
Jul 18 20:46:05 charon: 08[ENC] <con2|2> parsed INFORMATIONAL response 3 [ ]
##############################################
Logs After Clicking Save - VPN -> IPSEC > Tunnel Settings:
ABSOLUTELY NO CHANGES AT ALL. JUST CLICK SAVE and it works.
##############################################
Jul 18 20:47:45 charon: 10[IKE] <con2|4> CHILD_SA con2{143} established with SPIs ceb2477e_i c9db3f63_o and TS 10.0.0.0/22 === 10.0.52.0/24
Jul 18 20:47:45 charon: 10[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45 charon: 10[ENC] <con2|4> parsed CREATE_CHILD_SA response 61 [ SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45 charon: 10[NET] <con2|4> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (828 bytes)
Jul 18 20:47:45 charon: 10[ENC] <con2|4> generating CREATE_CHILD_SA request 61 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[IKE] <con2|4> establishing CHILD_SA con2{143} reqid 4
Jul 18 20:47:45 charon: 09[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {4}
Jul 18 20:47:45 charon: 10[IKE] <con1|3> CHILD_SA con1{142} established with SPIs c3bd7173_i c9b412f6_o and TS 10.0.0.0/22 === 10.0.55.0/24
Jul 18 20:47:45 charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 68 [ SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45 charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (844 bytes)
Jul 18 20:47:45 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 68 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45 charon: 10[IKE] <con1|3> establishing CHILD_SA con1{142} reqid 3
Jul 18 20:47:45 charon: 10[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {3}
Jul 18 20:47:45 charon: 10[CFG] received stroke: route 'con2'
Jul 18 20:47:45 charon: 09[CFG] added configuration 'con2'
Jul 18 20:47:45 charon: 09[CFG] received stroke: add connection 'con2'
Jul 18 20:47:45 charon: 10[CFG] received stroke: route 'con1'
Jul 18 20:47:45 charon: 13[CFG] added configuration 'con1'
Jul 18 20:47:45 charon: 13[CFG] received stroke: add connection 'con1'
Jul 18 20:47:45 charon: 06[CFG] deleted connection 'con2'
Jul 18 20:47:45 charon: 06[CFG] received stroke: delete connection 'con2'
Jul 18 20:47:45 charon: 10[CFG] received stroke: unroute 'con2'
Jul 18 20:47:45 charon: 12[CFG] deleted connection 'con1'
Jul 18 20:47:45 charon: 12[CFG] received stroke: delete connection 'con1'
Jul 18 20:47:45 charon: 10[CFG] received stroke: unroute 'con1'
Jul 18 20:47:45 charon: 06[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Jul 18 20:47:45 charon: 06[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 18 20:47:45 charon: 06[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 18 20:47:45 charon: 06[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 18 20:47:45 charon: 06[CFG] loaded ca certificate "C=US, ST=WA, L=Olympia, O=IH Gateway, OU=InVinHost, CN=OPNSenseCA, E=" from '/usr/local/etc/ipsec.d/cacerts/cca9ae1f.0.crt'
Jul 18 20:47:45 charon: 06[CFG] loaded ca certificate "C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, N=VPN, E=VPN" from '/usr/local/etc/ipsec.d/cacerts/a72f8721.0.crt'
Jul 18 20:47:45 charon: 06[CFG] loaded ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA" from '/usr/local/etc/ipsec.d/cacerts/38ce789e.0.crt'
Jul 18 20:47:45 charon: 06[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 18 20:47:45 charon: 06[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
Jul 18 20:47:45 charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45 charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45 charon: 06[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 18 20:47:45 charon: 06[CFG] rereading secrets
Jul 18 20:47:44 charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:47:44 charon: 10[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:47:44 charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 67 [ N(NO_PROP) ]
Jul 18 20:47:44 charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:47:44 charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (364 bytes)
Jul 18 20:47:44 charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 67 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:44 charon: 10[IKE] <con1|3> establishing CHILD_SA con1{139} reqid 1
Jul 18 20:47:44 charon: 15[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {1}
Jul 18 20:47:44 charon: 15[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
##############################################
14
19.7 Legacy Series / Re: IPSec - Issues
« on: July 18, 2019, 06:45:38 am »
doesnt make sense. the other side nothing changed. I reverted back to old snapshot of the opnsense virtual machine. It worked magically. Restarted OPNSense and IPsec connects comes up without doing anything. Did it a couple of times.
Started the upgrade again. Back on 19.7 and it behaves werid again.
Started the upgrade again. Back on 19.7 and it behaves werid again.
15
19.7 Legacy Series / IPSec - Issues
« on: July 18, 2019, 03:00:08 am »
The upgrade to 19.7 went smooth. Everything looks good so far. its functional as is.
The only issues I see is. After reboot IPSec services show as green but no ping or connections. NO SMB connections to server server across the ipsec.
Here's how I fix it every OPNSense Reboot last 10 reboots:
Every Reboot - the IPSec connection doesnt come up. you would have to go to
VPN > IPSec > Tunnel Settings > select one of the tunnel, click save > apply changes
then tunnel works again. I can access SMB on other side again. THis is no changes. Just save and apply. IPSEC works again.
Anyone can produce this?
The only issues I see is. After reboot IPSec services show as green but no ping or connections. NO SMB connections to server server across the ipsec.
Here's how I fix it every OPNSense Reboot last 10 reboots:
Every Reboot - the IPSec connection doesnt come up. you would have to go to
VPN > IPSec > Tunnel Settings > select one of the tunnel, click save > apply changes
then tunnel works again. I can access SMB on other side again. THis is no changes. Just save and apply. IPSEC works again.
Anyone can produce this?