
Messages - mikehps

#1
General Discussion / Re: IPSEC NAT
January 23, 2019, 11:41:06 AM
Hi,

Was there a change with OpnSense 18.7.10?

NAT before IPsec isn't working anymore, but setkey -DP shows correct entries:

x.x.x.x[any] z.z.z.z[any] any
        in ipsec
        esp/tunnel/x.x.x.x-z.z.z.z/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=36 seq=1 pid=84235 scope=global
        refcnt=1
z.z.z.z[any] x.x.x.x[any] any
        out ipsec
        esp/tunnel/z.z.z.z-x.x.x.x/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=37 seq=0 pid=84235 scope=global
        refcnt=1


regards,
Michael
#3
Hi,

You are almost certainly affected by https://github.com/opnsense/core/issues/1773

Workaround: https://forum.opnsense.org/index.php?topic=10497.msg48404#msg48404

P.S.: You don't need to give your LAN interface an additional virtual IP for an IPsec tunnel. All of that is specified in the IPsec Phase 2 settings via the Remote/Source Network.

regards,
Michael
#4
General Discussion / Re: IPSEC NAT
December 10, 2018, 06:03:28 PM
Update:

We are also affected by https://github.com/opnsense/core/issues/1773

Workaround:
setkey -f with this file: spdadd <src_net> <dst_net> any -P out ipsec esp/tunnel/<local_wan_ip>-<remote_wan_ip>/unique:<id>;

regards,
Michael
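An added example (not code from the thread or from OPNsense) that turns the workaround above into something repeatable: it generates the spdadd statements for a given tunnel, and it checks `setkey -DP` output for the resulting policies, the way the dump in the newer post above is read. The networks are the ones from the thread; the WAN addresses are assumed placeholders from the documentation ranges, and the "in" policy is added here to mirror the out/in pair that the `setkey -DP` dump shows, since the post only spells out the "out" direction.

```shell
#!/bin/sh
# Added example, not from the forum thread: build the manual SPD entries
# for the "NAT before IPsec" workaround, apply them with setkey -f, and
# verify them against `setkey -DP` output.
# Assumed values: LOCAL_WAN/REMOTE_WAN are placeholders (documentation
# ranges); SRC_NET/DST_NET are the Phase 2 networks from the thread.

SRC_NET="188.93.252.132/30"   # P2 local subnet (what the peer sees after 1:1 BINAT)
DST_NET="188.93.251.0/24"     # P2 remote subnet
LOCAL_WAN="198.51.100.10"     # assumed local WAN IP
REMOTE_WAN="203.0.113.20"     # assumed remote WAN IP
UNIQUE_ID="1"                 # unique policy id, as in the dump above

# Emit spdadd statements for both directions. The workaround in the post
# shows only the "out" policy; the "in" policy mirrors selector and tunnel
# endpoints so that replies from the peer match a policy as well.
spd_policies() {
    src="$1"; dst="$2"; lwan="$3"; rwan="$4"; id="$5"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique:%s;\n' \
        "$src" "$dst" "$lwan" "$rwan" "$id"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique:%s;\n' \
        "$dst" "$src" "$rwan" "$lwan" "$id"
}

# Return 0 if `setkey -DP` output on stdin contains a policy whose selector
# line is "<src>[any] <dst>[any] any" immediately followed by "<dir> ipsec".
spd_has_policy() {
    src="$1"; dst="$2"; dir="$3"
    awk -v sel="$src[any] $dst[any] any" -v dir="$dir" '
        $0 == sel { in_sel = 1; next }
        in_sel && $1 == dir && $2 == "ipsec" { found = 1; exit }
        { in_sel = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of `setkey -DP` output (same shape as the dump in the
# thread, with the placeholder endpoints substituted) for an offline check.
sample_spd_dump() {
    cat <<EOF
$DST_NET[any] $SRC_NET[any] any
        in ipsec
        esp/tunnel/$REMOTE_WAN-$LOCAL_WAN/unique:$UNIQUE_ID
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=36 seq=1 pid=84235 scope=global
        refcnt=1
$SRC_NET[any] $DST_NET[any] any
        out ipsec
        esp/tunnel/$LOCAL_WAN-$REMOTE_WAN/unique:$UNIQUE_ID
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=37 seq=0 pid=84235 scope=global
        refcnt=1
EOF
}

# Write the policy file and load it with setkey -f, then show the SPD. The
# load only happens when setkey exists and we are root, so the script can be
# inspected safely on any box; otherwise the generated file is printed.
apply_spd() {
    file="${1:-/tmp/ipsec-binat.spd}"
    spd_policies "$SRC_NET" "$DST_NET" "$LOCAL_WAN" "$REMOTE_WAN" "$UNIQUE_ID" > "$file"
    if command -v setkey >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        setkey -f "$file" && setkey -DP
    else
        echo "setkey not run; policies written to $file:" >&2
        cat "$file" >&2
    fi
}
```

Run `apply_spd` as root on the firewall to load the policies, then confirm with `setkey -DP | spd_has_policy "$SRC_NET" "$DST_NET" out` that the out policy is present; check again after the IPsec service is restarted, since strongSwan reinstalls its own policies on SA establishment and manual entries may need re-applying.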
#5
General Discussion / Re: IPSEC NAT
December 03, 2018, 11:57:22 AM
Unfortunately the customer's security settings only allow the given (official) IPs as P2 local and remote networks, and they are not willing to change their IPsec settings...
#6
General Discussion / IPSEC NAT
December 03, 2018, 11:12:57 AM
Hi,

OpnSense 18.7.8 in place with the following problem on an IPsec site-to-site tunnel

IKEv1 Tunnel with two phase 2 Traffic Selectors:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: x.y.z.134/32
Source: 192.168.100.11/32
Destination: x.y.z.37/32

Manual SPD Entry: 192.168.100.11/32
FW Rules -> IPsec Ipv4 any any allow all (for testing)

However, it's not working. The remote end x.y.z.37/32 is not reachable.

Can anyone help, please?

Thanks and regards,
Michael
#7
General Discussion / Re: IPSEC TUNNEL and REMOTE 1:1 NAT
December 03, 2018, 10:10:49 AM
Yup,
I tried:

* 192.168.100.11/32 as SPD -> not working

Maybe it's a problem with the routing table? If I try to reach 188.93.251.37/32, the FW logs show interface WAN (I think it should go through interface IPsec?)

Is it because the phase 2 IPs are official IPs and not private ones?
#8
General Discussion / Re: IPSEC TUNNEL and REMOTE 1:1 NAT
December 03, 2018, 08:31:04 AM
Hi,
I have the same problem:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: 188.93.252.132/30
Remote Subnet Phase 2: 188.93.251.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: 188.93.252.134/32
Source: 192.168.100.11/32
Destination: 188.93.251.37/32

No manual SPD Entries.

Do I have a config mistake?
regards
Michael
#9
Thanks Fabian!
#10
Hi there,

We are already using the haproxy service, where SSL termination also happens.
Is it possible to forward the traffic from haproxy to the web proxy (for caching) without enabling SSL interception on the web proxy side?

thanks and best regards,
Michael