Messages - mts

#1
Actually that did the trick.
I've set it to 1300 (which is in my opinion pretty small) and it works perfectly.

Shouldn't I limit this normalization to traffic between those networks?
#2
I don't see the problem.
iperf3 from firewall to firewall shows no problem and I have the full bandwidth, but as soon as I want to use any service like file transfer, remote desktop, ... the connection is EXTREMELY slow.

Any hint where I could take a look?
#3
I have to do a one-eighty...

I used iperf now and it shows absolutely no problem... I have all the bandwidth that is available.
I don't know where my problem is.

I'm using remote desktop from a Mac on site B) to a Windows machine on site A).
It is very laggy and slow. Under "Connection information" it shows a bandwidth of around 4 Mbit.
As soon as I open an OpenVPN roadwarrior connection from my Mac on site B) it shows 30 Mbit.

a) My Mac does something strange
or
b) opnsense somehow slows down data while routing.
#4
Unfortunately I did not use iperf3 as I'm not sure how to use it.
My IPsec VPN is policy-based, so there is no interface to bind to.

How do I use iperf without an Ethernet interface?
#5
Sorry, I forgot to mention:
The CPU is more or less idle all the time.

The "slow" OPNsense on site B) is a Celeron J4125 quad core while the "strong" OPNsense on site A) is much larger...


> To be sure I changed to aes256-sha256-modp2048[dh14] > no difference.
#6
Hello guys,

I have a policy-based IPsec tunnel between two networks which is extremely slow.
Site A) has a 100/100 Mbit synchronous fiber line
Site B) has a 400/50 Mbit asynchronous line

I'm currently reaching 4!!! Mbit via my VPN tunnel.
It is only related to the IPsec VPN. When I use an OpenVPN roadwarrior connection everything is fine.
The log files do not show any errors or warnings.

My settings are quite basic:
Settings:
Proposals: aes256-sha512-ecp521 [DH21, NIST EC]
Version: IKEv2
MOBIKE: enabled
DPD delay: 10s
Pools: nothing

Authentication: Public key

Children:
Mode: Tunnel
Policies: enabled
Start action: Start
Stop action: Start
DPD action: Start
ESP-proposals: default
Rekey time: 36600


I also tried to enable IPsec normalization with a max MSS of 1350 (as I read this on several forums).
The CPU is more or less non-stop idle.

Statistics IPsec interface (enc0):
mtu: 1536
received-errors: 0
dropped-packets: 0
send-errors: 0
collisions: 0

Actually I have no idea why it is that slow.
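The MSS value in the post above depends on how much an ESP tunnel-mode packet adds on top of the inner TCP segment: outer IP header, UDP encapsulation when NAT-T is in use, the ESP header and IV, padding up to the cipher's block size, the two trailer bytes and the ICV. The script below is an added example, not part of the original post and not OPNsense or strongSwan code. It computes the largest MSS that still fits a given path MTU for a few ESP proposals. The header sizes are the on-the-wire values from RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 4106 (AES-GCM), RFC 2404 (HMAC-SHA1-96) and RFC 4868 (HMAC-SHA2); the cipher and integrity labels are this example's own dictionary keys, not strongSwan proposal syntax, and the MTU values in `main` are assumed.

```python
"""Added example (not part of the forum thread, not OPNsense code): how large an
ESP tunnel-mode packet gets, and the largest TCP MSS that still fits a path MTU.

Sizes are the on-the-wire values from RFC 4303 (ESP), RFC 3602 (AES-CBC),
RFC 4106 (AES-GCM), RFC 2404 (HMAC-SHA1-96) and RFC 4868 (HMAC-SHA2).  The
dictionary keys are labels chosen for this example, not strongSwan proposal names.
"""
import math

# cipher -> (explicit IV length, required alignment of the encrypted payload)
CIPHERS = {
    "aes-cbc": (16, 16),   # any AES-CBC key size: 16-byte IV, 16-byte block
    "aes-gcm": (8, 4),     # AES-GCM: 8-byte explicit nonce, 4-byte alignment
}
# integrity -> ICV length; AES-GCM carries its own tag, so pair it with aes-gcm-16
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-sha2-256-128": 16,
    "hmac-sha2-512-256": 32,
    "aes-gcm-16": 16,
}

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20        # MSS excludes TCP options (RFC 6691), so MSS + 40 bounds the inner packet
UDP_HDR = 8         # UDP encapsulation when NAT-T is in use (port 4500)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_packet_size(tcp_payload, cipher, integ, nat_t=True, outer_ip=IPV4_HDR):
    """Bytes on the wire for one ESP tunnel-mode packet carrying an IPv4/TCP segment."""
    iv, align = CIPHERS[cipher]
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    # inner packet plus trailer is padded up to the cipher's alignment
    encrypted = math.ceil((inner + ESP_TRAILER) / align) * align
    outer = outer_ip + (UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + iv + encrypted + INTEGRITY[integ]


def max_mss(path_mtu, cipher, integ, nat_t=True, outer_ip=IPV4_HDR):
    """Largest MSS for which esp_packet_size() stays within path_mtu."""
    iv, align = CIPHERS[cipher]
    outer = outer_ip + (UDP_HDR if nat_t else 0)
    room = path_mtu - outer - ESP_HDR - iv - INTEGRITY[integ]
    room -= room % align               # encrypted part must be a multiple of align
    return room - ESP_TRAILER - IPV4_HDR - TCP_HDR


def fits(mss, path_mtu, cipher, integ, nat_t=True, outer_ip=IPV4_HDR):
    """True if a full-size segment at this MSS never needs IP fragmentation."""
    return esp_packet_size(mss, cipher, integ, nat_t, outer_ip) <= path_mtu


if __name__ == "__main__":
    # assumed link MTUs: plain Ethernet and a PPPoE uplink
    for mtu in (1500, 1492):
        for cipher, integ in (("aes-cbc", "hmac-sha2-512-256"),
                              ("aes-cbc", "hmac-sha2-256-128"),
                              ("aes-gcm", "aes-gcm-16")):
            print(f"MTU {mtu} {cipher}+{integ} NAT-T: max MSS {max_mss(mtu, cipher, integ)}"
                  f" (1460 fits: {fits(1460, mtu, cipher, integ)})")
```

`max_mss` is computed for the worst case, where the inner packet needs the full padding to reach the block boundary. With an Ethernet MTU of 1500, AES-256-CBC, HMAC-SHA2-512-256 and NAT-T, the result is 1366, so the default MSS of 1460 forces fragmentation while 1350 does not; over an IPv6 outer path the same proposal lands at exactly 1350. If the outer link is PPPoE or another tunnel, pass that link's MTU instead of 1500. The MTU shown for enc0 in the statistics above is the pseudo-interface's own value, not the path MTU of the outer link.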
#7
General Discussion / NAT portforward for complete subnet
September 26, 2023, 07:22:23 PM
Hey guys,

I want to redirect a port for a complete subnet.
e.g.
10.10.0.4:1234->10.10.0.4:44444
10.10.0.8:1234->10.10.0.8:44444
10.10.0.10:1234->10.10.0.10:44444
...
So destination and target are always the same. Only the port is changed.
Is there a way to avoid many manual entries?

CU
mts
#8
Hi,

is there anyone who can help me?
My certificates are expiring now and I cannot renew them.
#9
Hello guys,

I have the problem that Let's Encrypt is not working with multiple public IPs.
I'm using HAProxy on our external server IP (xxx.xxx.xxx.68) but Let's Encrypt is calling out with xxx.xxx.xxx.66.

How can I force Let's Encrypt to use another external IP to make the requests?

"detail": "Unable to update challenge :: authorization must be pending",
[Sat Jun 29 21:03:10 CEST 2019] response='{
"detail": "Unable to update challenge :: authorization must be pending",
[Sat Jun 29 21:03:10 CEST 2019] original='{
[Sat Jun 29 21:03:10 CEST 2019] code='400'
Date: Sat, 29 Jun 2019 19:03:10 GMT
Expires: Sat, 29 Jun 2019 19:03:10 GMT
Expires: Sat, 29 Jun 2019 19:03:10 GMT
[Sat Jun 29 21:03:10 CEST 2019] responseHeaders='HTTP/1.1 100 Continue
[Sat Jun 29 21:03:10 CEST 2019] _ret='0'
[Sat Jun 29 21:03:09 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Sat Jun 29 21:03:09 CEST 2019] Http already initialized.
[Sat Jun 29 21:03:09 CEST 2019] _postContentType='application/jose+json'
#10
I could manage to install it by booting in legacy mode, not UEFI.
#11
Hi guys.

I have exactly the same problem but I'm not even installing on a virtual machine.
I have clean and brand new hardware here. As soon as I reach the guided installation the installer hangs.
#12
General Discussion / Re: ipsec Net2Net to ipfire
September 29, 2017, 08:30:28 PM
I managed to set up some first settings but I'm getting the following log:
Quote
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading secrets
Sep 29 20:19:53 OPNsense charon: 08[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/cert-1.key'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded ca certificate "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca" from '/usr/local/etc/ipsec.d/cacerts/b24f4e25.0.crt'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded ca certificate "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA" from '/usr/local/etc/ipsec.d/cacerts/6113c50d.0.crt'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 29 20:19:53 OPNsense charon: 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Sep 29 20:19:53 OPNsense charon: 06[CFG] received stroke: delete connection 'con1'
Sep 29 20:19:53 OPNsense charon: 06[CFG] deleted connection 'con1'
Sep 29 20:19:53 OPNsense charon: 08[CFG] received stroke: add connection 'con1'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   loaded certificate "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA" from '/usr/local/etc/ipsec.d/certs/cert-1.crt'
Sep 29 20:19:53 OPNsense charon: 08[CFG]   id '192.168.0.10' not confirmed by certificate, defaulting to 'C=DE, ST=NRW, L=Dusseldorf, O=NUCLEUS GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA'
Sep 29 20:19:53 OPNsense charon: 08[CFG] added configuration 'con1'
Sep 29 20:19:53 OPNsense charon: 06[CFG] received stroke: initiate 'con1'
Sep 29 20:19:53 OPNsense charon: 06[IKE] initiating IKE_SA con1[54] to xxx.xxx.xxx.xxx
Sep 29 20:19:53 OPNsense charon: 06[IKE] initiating IKE_SA con1[54] to xxx.xxx.xxx.xxx
Sep 29 20:19:53 OPNsense charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 29 20:19:53 OPNsense charon: 06[NET] sending packet: from 192.168.0.10[500] to xxx.xxx.xxx.xxx[500] (714 bytes)
Sep 29 20:19:56 OPNsense charon: 06[NET] received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.10[500] (799 bytes)
Sep 29 20:19:56 OPNsense charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 29 20:19:56 OPNsense charon: 06[IKE] local host is behind NAT, sending keep alives
Sep 29 20:19:56 OPNsense charon: 06[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:19:56 OPNsense charon: 06[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:19:56 OPNsense charon: 06[IKE] received cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:19:56 OPNsense charon: 06[IKE] received 1 cert requests for an unknown ca
Sep 29 20:19:56 OPNsense charon: 06[IKE] sending cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:19:56 OPNsense charon: 06[IKE] authentication of 'C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sep 29 20:19:56 OPNsense charon: 06[IKE] sending end entity cert "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA"
Sep 29 20:19:56 OPNsense charon: 06[IKE] establishing CHILD_SA con1
Sep 29 20:19:56 OPNsense charon: 06[IKE] establishing CHILD_SA con1
Sep 29 20:19:56 OPNsense charon: 06[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 29 20:19:56 OPNsense charon: 06[ENC] splitting IKE message with length of 1694 bytes into 2 fragments
Sep 29 20:19:56 OPNsense charon: 06[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Sep 29 20:19:56 OPNsense charon: 06[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Sep 29 20:19:56 OPNsense charon: 06[NET] sending packet: from 192.168.0.10[4500] to xxx.xxx.xxx.xxx[4500] (1248 bytes)
Sep 29 20:19:56 OPNsense charon: 06[NET] sending packet: from 192.168.0.10[4500] to xxx.xxx.xxx.xxx[4500] (511 bytes)
Sep 29 20:19:57 OPNsense charon: 06[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.10[4500] (65 bytes)
Sep 29 20:19:57 OPNsense charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 20:19:57 OPNsense charon: 06[IKE] received AUTHENTICATION_FAILED notify error
Sep 29 20:19:58 OPNsense charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.10[500] (1566 bytes)
Sep 29 20:19:58 OPNsense charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 29 20:19:58 OPNsense charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Sep 29 20:19:58 OPNsense charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Sep 29 20:19:58 OPNsense charon: 08[IKE] local host is behind NAT, sending keep alives
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=nucMarcHome-CA"
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense"
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:19:58 OPNsense charon: 08[IKE] sending cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:19:58 OPNsense charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 29 20:19:58 OPNsense charon: 08[NET] sending packet: from 192.168.0.10[500] to xxx.xxx.xxx.xxx[500] (799 bytes)
Sep 29 20:20:00 OPNsense charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.10[4500] (1248 bytes)
Sep 29 20:20:00 OPNsense charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 29 20:20:00 OPNsense charon: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 29 20:20:00 OPNsense charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.10[4500] (475 bytes)
Sep 29 20:20:00 OPNsense charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 29 20:20:00 OPNsense charon: 08[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Sep 29 20:20:00 OPNsense charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 29 20:20:00 OPNsense charon: 08[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:20:00 OPNsense charon: 08[IKE] received cert request for "C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@xxxxxxxx-gmbh.com, CN=internal-ca"
Sep 29 20:20:00 OPNsense charon: 08[IKE] received cert request for "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx GmbH CA"
Sep 29 20:20:00 OPNsense charon: 08[IKE] received 1 cert requests for an unknown ca
Sep 29 20:20:00 OPNsense charon: 08[IKE] received end entity cert "C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx-server.com"
Sep 29 20:20:00 OPNsense charon: 08[CFG] looking for peer configs matching 192.168.0.10[C=DE, ST=NRW, L=Dusseldorf, O=xxxxxxxx GmbH, E=info@nucleus-gmbh.com, CN=internal-ca]...xxx.xxx.xxx.xxx[C=DE, O=xxxxxxxx GmbH, CN=xxxxxxxx-server.com]
Sep 29 20:20:00 OPNsense charon: 08[CFG] no matching peer config found
Sep 29 20:20:00 OPNsense charon: 08[IKE] peer supports MOBIKE
Sep 29 20:20:00 OPNsense charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 20:20:00 OPNsense charon: 08[NET] sending packet: from 192.168.0.10[4500] to xxx.xxx.xxx.xxx[4500] (65 bytes)

Do you have any suggestion what's wrong?
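Two kinds of charon log line carry the identities that an IKE_AUTH is matched on. On the side that presents a certificate, `id '...' not confirmed by certificate, defaulting to '...'` says the configured local identifier is not contained in the certificate, so charon sends the certificate's subject DN as its identity instead. On the side that receives the IKE_AUTH, `looking for peer configs matching me[ID]...peer[ID]` shows the local and remote identities it is searching a connection for, and `no matching peer config found` follows when no configured connection has exactly that pair; the peer then gets `N(AUTH_FAILED)`. The script below is an added example, not part of the thread and not strongSwan code; it pulls those facts out of a log and reports which identifiers a connection would have to carry. Its sample log is constructed for this example, modelled on the post's output, with example.com names and a documentation-range address in place of the real ones.

```python
"""Added example (not part of the forum thread, not strongSwan code): extract the
identity facts from a charon IKEv2 log so an AUTH_FAILED can be tied to the
configured local/remote identifiers.

The patterns follow charon's standard log wording.  SAMPLE_LOG is constructed
for this example, modelled on the thread's log, with example.com names.
"""
import re

# "id 'X' not confirmed by certificate, defaulting to 'DN'": configured local id
# is not in the certificate; charon uses the subject DN as IDi/IDr instead.
ID_FALLBACK = re.compile(
    r"id '(?P<cfg>[^']+)' not confirmed by certificate, defaulting to '(?P<dn>[^']+)'")
# "looking for peer configs matching me[my_id]...other[other_id]" on the responder
PEER_LOOKUP = re.compile(
    r"looking for peer configs matching "
    r"(?P<lip>[^\[]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<rip>[^\[]+)\[(?P<rid>[^\]]*)\]")
NO_CONFIG = "no matching peer config found"
PEER_SENT_AUTH_FAILED = "received AUTHENTICATION_FAILED notify error"

# constructed sample, modelled on the post's log (not real data)
SAMPLE_LOG = """\
Sep 29 20:19:53 OPNsense charon: 08[CFG]   id '192.168.0.10' not confirmed by certificate, defaulting to 'C=DE, O=Example GmbH, CN=site-a-gw'
Sep 29 20:19:56 OPNsense charon: 06[IKE] sending end entity cert "C=DE, O=Example GmbH, CN=site-a-gw"
Sep 29 20:19:57 OPNsense charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 20:19:57 OPNsense charon: 06[IKE] received AUTHENTICATION_FAILED notify error
Sep 29 20:20:00 OPNsense charon: 08[IKE] received end entity cert "C=DE, O=Example GmbH, CN=site-b.example.com"
Sep 29 20:20:00 OPNsense charon: 08[CFG] looking for peer configs matching 192.168.0.10[C=DE, O=Example GmbH, CN=site-a-gw]...203.0.113.7[C=DE, O=Example GmbH, CN=site-b.example.com]
Sep 29 20:20:00 OPNsense charon: 08[CFG] no matching peer config found
Sep 29 20:20:00 OPNsense charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


def triage(log_text):
    """Collect the identity-related facts from charon log lines."""
    facts = {"id_fallback": None, "lookup": None, "no_config": False,
             "peer_rejected_us": False, "we_rejected_peer": False}
    for line in log_text.splitlines():
        m = ID_FALLBACK.search(line)
        if m:
            facts["id_fallback"] = (m.group("cfg"), m.group("dn"))
            continue
        m = PEER_LOOKUP.search(line)
        if m:
            facts["lookup"] = {k: m.group(k).strip() for k in ("lip", "lid", "rip", "rid")}
            continue
        if NO_CONFIG in line:
            facts["no_config"] = True
        elif PEER_SENT_AUTH_FAILED in line:
            facts["peer_rejected_us"] = True
        elif "generating IKE_AUTH response" in line and "N(AUTH_FAILED)" in line:
            facts["we_rejected_peer"] = True
    return facts


def findings(facts):
    """Turn the collected facts into concrete things to check in the configuration."""
    out = []
    fb = facts["id_fallback"]
    if fb:
        out.append(f"local identifier '{fb[0]}' is not in our certificate; charon sends "
                   f"'{fb[1]}' as its identity, so the peer's remote identifier must equal "
                   f"that DN, or the certificate needs '{fb[0]}' as a subjectAltName")
    lk = facts["lookup"]
    if facts["no_config"] and lk:
        out.append(f"no connection has local identifier '{lk['lid']}' and remote identifier "
                   f"'{lk['rid']}' (peer {lk['rip']}); compare both with the configured values")
    if facts["peer_rejected_us"]:
        out.append("the remote gateway answered our IKE_AUTH with AUTH_FAILED; its log has the reason")
    if facts["we_rejected_peer"]:
        out.append("we answered the peer's IKE_AUTH with AUTH_FAILED")
    return out


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print("-", item)
```

Run it against the output of the IPsec log page on both gateways: the `looking for peer configs` line on each side names the exact strings that the other side's local and remote identifiers have to match, which is usually quicker than guessing at ID settings.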
#13
General Discussion / ipsec Net2Net to ipfire
September 28, 2017, 09:25:37 PM
Hi guys,

I would like to connect an OPNsense to ipfire via IPsec with RSA.
Does someone maybe have a step-by-step guide on what to take care of?

How can I import the CA from ipfire (PEM format)?
How can I export the cert from OPNsense so I can import it into ipfire?

THX
mts
#14
German - Deutsch / ipsec Net2Net to ipfire
September 28, 2017, 09:21:02 PM
Hello everyone,

I am currently trying to set up an IPsec tunnel to an ipfire (RSA).
Does anyone happen to have a guide on what to watch out for?

For example, how do I import the CA from ipfire?
How do I export the OPNsense certificate to ipfire?

Thanks
mts