Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Spirit

Pages1

German - Deutsch / OpenConnect Startup - no-dtls

November 24, 2021, 03:40:17 PM

Hallo,

ich bin dabei mich über die OPNsense an eine ASA anzuhängen. Die Daten für die Client Konfiguration sind allerdings für den Windows Client aufbreitet und ich taste mich grad durch die Fehler.
An dieser folgenden Stelle komme ich aber erst einmal nicht weiter.

Meldung aus dem OPNsense Log:
DTLS handshake failed: Resource temporarily unavailable, try again.

Ich habe dazu gefunden das man DTLS über den Eintrag
--no-dtls
in der openconnect.conf unter /usr/sbin/ deaktivieren kann. Allerdings scheint der Eintrag nicht geogen zu werden und ist nach deaktivieren von openconnect in der GUI wieder verschwunden.

Hoffe jemand kann mit hier weiter helfen
Danke
Eike

19.1 Legacy Series / Re: OpenConnect -> no Route set with NAT

April 01, 2019, 11:17:22 AM

Still hope for some help, if the question is to unclear, please tell me what information is neccessary.

German - Deutsch / Re: OpenConnect auto reconnect

March 22, 2019, 12:00:57 PM

Okay, schade aber scheint mit dem Gateway Monitoring zu funzen.

Habe ich eine Möglichkeit, das die Verbindung nach einem Neustart der Firewall mit gestartet wird?

German - Deutsch / Re: OpenConnect auto reconnect

March 22, 2019, 09:34:04 AM

Habe das Problem lösen können. Auch wenn ein ICMP gebklockt wird, hält er die Leitung offen.
Habe ein weiteres Gate konfiguriert und frage eine IP aus dem Tunnel ab.
Somit bleibt die Verbindung offen.

Sollte es trotz allem eine reconnect funktion für den Tunnel geben, wäre ich an dieser Info weiterhin interessiert.

Danke

19.1 Legacy Series / OpenConnect -> no Route set with NAT

March 21, 2019, 02:49:48 PM

Hello,

i have configured a OpenConnect connection to a ASA. It works fine itself, but there is one issue. I need to NAT the connection.
Without NAT when i do a connect, there is a set of Route added as needed by Openconnect.
When i switch to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)", then no more roles are not added to the list of Route automaticaly. I did not change anything to the Openconnect configuration, but adding a NAT result in the missing Route.
I do not wan´t to add the Route manualy, as they where change by time without notice to me.

any hind to get the Route add with NAT is a great help.

Thanks

German - Deutsch / Re: OpenConnect auto reconnect

March 21, 2019, 08:11:18 AM

Die ASA trennt die Session wenn 30 Minuten kein Traffic drüber gelaufen ist. Ist die gleiche Policy wie dort die Roadworrier haben. Auf die Einstellung ASA seitig kann ich leider keinen Einfluss nehmen.

German - Deutsch / OpenConnect auto reconnect

March 20, 2019, 10:35:34 PM

Hallo,

Ich habe bei mir OpenConnect zur Verbindung zu einer ASA eingerichtet. Die Verbindung funktioniert problemlos, aber leider verbindet es sich nicht automatisch bei traffic oder baut einfach die Verbindung wieder automatisch aus. Zu einer möglichen Konfiguration finde ich keine Einstellungen. Es werden nur ein paar einzelne Verbindungen über dieses Tunnel geschoben.

18.1 Legacy Series / Multible Networks within IPSEC Phase2

April 11, 2018, 10:19:46 PM

Hello,

i have a running IPSec configuration, but i whould need additional Networks to add to the configuration.
The remote network is 192.168.100.1/22 (working config) but i´ll nee to add a 172.x.x.x/24 and also 10.y.y.y/20 network It seems to be only possible to add one network but not more within the Template.

Running OPNSense 18.1.6

Try to find information within the Forum but without success.

Thx for Help
Eike

General Discussion / Local CA, remains even if deleted

September 02, 2017, 12:36:18 PM

Hi,

i found some stange behavior to the local CA.

Here the Story to reproduce the issue.
I installed one BFW ready with CA and a VPN (VPN without CA but PSK)
After i was done, i took a backup und put it into FW number 2.
Created a new CA, removed the CA from FW1 (was there due to the backup/restore) and change VPN, local Network and WAN IPs.

Now i found this in the VPN log from FW2 (Sanitize the Logfile):

Sep 2 11:58:35    charon: 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 2 11:58:35    charon: 08[CFG] loaded ca certificate "C=DE, ST=Land, L=Stadt1, O=friend1, E=xxx@gmx.de, CN=internal-ca-CO-FW02" from '/usr/local/etc/ipsec.d/cacerts/xxxxxxxx.0.crt'
Sep 2 11:58:35    charon: 08[CFG] loaded ca certificate "C=DE, ST=NRW, L=Stadt2, O=me, E=yyy@email.com, CN=internal-ca-FW01" from '/usr/local/etc/ipsec.d/cacerts/yyyyyyyy.0.crt'
Sep 2 11:58:35    charon: 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'

It seems the he is still reading the yyyyyyyy.0.crt which was deleted by me within the console. It is also not visible any more.

I reproduced the issue with version 17.7

#10

General Discussion / Re: Install via SSH (nano deployment)

September 01, 2017, 06:11:42 PM

Even it is late, thanks for the hint.
Two boxes working right now

#11

General Discussion / [SOLVED] Install via SSH (nano deployment)

July 31, 2017, 05:08:23 PM

Hi,

i have i uses Cyberroam Firewall (600MhZ/512MB RAM/SSD 128GB) enhances RAM to 1GB for installation.
I could not use other deploment process as nano, as i was not able to boot from anything else.
So i preinstalled the nano image on the 128GB SSD.

Firewall ist running fine but only on the 4GB Partition.

Whould like to run the installation on the disk.
I managed to activate the SSH via GUI but i can not login by the installer, root ist possible but there ist no installer option.

Thanks for any Help

Pages1