OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of mikehps »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - mikehps

Pages: [1]
1
General Discussion / Re: IPSEC NAT
« on: January 23, 2019, 11:41:06 am »
Hi,

Was there a change with OpnSense 18.7.10?

Nat before IPSEC isn't working anymore, but setkey -DP show correct entries:

Code: [Select]
x.x.x.x[any] z.z.z.z[any] any
        in ipsec
        esp/tunnel/x.x.x.x-z.z.z.z/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=36 seq=1 pid=84235 scope=global
        refcnt=1
z.z.z.z[any] x.x.x.x[any] any
        out ipsec
        esp/tunnel/z.z.z.z-x.x.x.x/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=37 seq=0 pid=84235 scope=global
        refcnt=1

regards,
Michael

2
German - Deutsch / Re: IPSec NAT Probleme
« on: December 14, 2018, 08:50:10 am »
Hi,

https://forum.opnsense.org/index.php?topic=10438.msg48460#msg48460

lg
Michael

3
German - Deutsch / Re: IPSec Transfer-Netz zu anderem Netz
« on: December 11, 2018, 02:27:44 pm »
Hi,

Du bist ziemlich sicher von https://github.com/opnsense/core/issues/1773 betroffen

Workaround: https://forum.opnsense.org/index.php?topic=10497.msg48404#msg48404

P.S: deinem Lan Interface brauchst du für einen IPSEC Tunnel keine virtuelle zusätzliche IP geben. Das wird alles in den IPsec Phase 2 Settings mit Remote/Source Netzwerk angegeben..

lg
Michael

4
General Discussion / Re: IPSEC NAT
« on: December 10, 2018, 06:03:28 pm »
Update:

We are also affected by https://github.com/opnsense/core/issues/1773

Workaround:
Code: [Select]
setkey -f with this file: spdadd <src_net> <dst_net> any -P out ipsec esp/tunnel/<local_wan_ip>-<remote_wan_ip>/unique:<id>;
regards,
Michael

5
General Discussion / Re: IPSEC NAT
« on: December 03, 2018, 11:57:22 am »
unfortunately the customers security settings only allow the given (official IPs) as P2 local and remote network and they are not willing to change their IPSEC settings...

6
General Discussion / IPSEC NAT
« on: December 03, 2018, 11:12:57 am »
Hi,

OpnSense 18.7.8 in place with the following Problem on an IPSEC site-to-site tunnel

IKEv1 Tunnel with two phase 2 Traffic Selectors:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: x.y.z.134/32
Source: 192.168.100.11/32
Destination: x.y.z.37/32

Manual SPD Entry: 192.168.100.11/32
FW Rules -> IPsec Ipv4 any any allow all (for testing)

However, its not working. The remote end x.y.z.37/32 is not reachable.

Can anyone help pls?

Thanks and regards,
Michael

7
General Discussion / Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« on: December 03, 2018, 10:10:49 am »
jup,
I tried:

* 192.168.100.11/32 as SPD -> not working

Maybe its a problem with routing table? If I try to reach  188.93.251.37/32 the FW logs show Interface WAN (I think it should go through interface IPSEC?)

is it because the phase 2 IPs are official IPs and not private ones?

8
General Discussion / Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« on: December 03, 2018, 08:31:04 am »
Hi,
I've the same problem:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: 188.93.252.132/30
Remote Subnet Phase 2: 188.93.251.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: 188.93.252.134/32
Source: 192.168.100.11/32
Destination: 188.93.251.37/32

No manual SPD Entries.

Do I have a Config mistake?
regards
Michael

9
Web Proxy Filtering and Caching / Re: forward traffic from haproxy to squid
« on: December 07, 2017, 07:27:51 pm »
thanks Fabian!

10
Web Proxy Filtering and Caching / forward traffic from haproxy to squid
« on: December 07, 2017, 02:13:24 pm »
Hi there,

We are already using the haproxy service, where also SSL Termination happens.
Is it possible to forward the traffic from haproxy to the webproxy (for caching) without enable SSL Interception on Webproxy side?

thanks an best regards,
Michael

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2