Messages - mossywell

#1
:D I should have spotted that, shouldn't I? Will do.
#2
Hi, a few things I noticed when going through the instructions:

1.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#step-1-phase-1-opnsense
This section suggests using a description "IPsec Azure". However, I had issues with this later on when creating the gateway object (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#step-6-define-gateways) because when I had a description entered, the description (alias) for the network interface appeared in the drop down list, but when I tried entering the IP address in the gateway field, it errored something about there being no IP address on that interface. Interestingly, if I left the description field blank, the device name appears in the drop down list instead and it works. But if I _then_ add a description field in the Phase 1 field (that is, after creating the gateway object), it no longer errors. Therefore, I recommend in the instructions to leave the description field blank on the Phase 1 config to avoid the same problem. (It is clear from the instructions that later on, you've done the same thing because the instructions later say to use the interface IPSEC1000, not IPsecAzure ;-) )

2.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#step-2-phase-2-opnsense
There is no button that says "Show 0 Phase 2 Entries". There is, however, a button that says "Add phase 2 entry".
The statement "you might already know from OpenVPN" I think doesn't belong here.

3.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#phase-2-proposal-sa-key-exchange
After hitting "Save" the Apply button disappears (I assume that Save also Applies?)

4.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#step-3-set-mss-clamping
Should there be an "Apply" after hitting Save?

5.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#id3
This says "Under Firewall -> Rules -> IPsec". I notice that there is also an interface called "AzureIPsec". It looks like the firewall is seeing both "IPsec" and "AzureIPsec". Is this a bug? Also, when I look at the automatically created rules in IPsec, it has already created an IP4+6 "any to any" rule already, so the manual addition of this rule is superfluous?

EDIT: OK, I didn't notice the arrow direction. My bad. ;-)

6.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#step-6-define-gateways
This says to set the interface to IPSEC1000, but there is no interface IPSEC1000. There is, however, an interface "IPsecAzure" (if a Description was entered earlier). Again, there seems to be a discrepancy between the device and the interface name. See my first point above.
There is a "Save" instruction missing at the end of this section.

7.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html#step-7-add-static-routes
There is an "Apply" instruction missing at the end of this section.


HTH


#3
18.7 Legacy Series / MTU Problem
October 19, 2018, 09:08:51 PM
OPNsense 18.7.5_1-amd64
FreeBSD 11.1-RELEASE-p14
OpenSSL 1.0.2p 14 Aug 2018

I might be misunderstanding how it is supposed to work, but if I set MTU to, say, 1300 and then ping that interface with the "do not fragment" option from a machine on the same LAN as the interface, I'd expect OPNsense to tell me that the packet needs to be fragmented. But it doesn't - I just get no reply.

How do I configure OPNsense to tell me that the packet needs to be fragmented, assuming that MTU isn't the option I need? (I don't really want to have to set a small MTU on all my servers.)

Thanks
Mark
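An added example, not part of Mark's post or of OPNsense: a small Python path-MTU probe that treats the outcome this thread describes (an oversized DF ping that gets no reply at all, rather than an ICMP "fragmentation needed") as "too big" and still converges on the usable MTU. The probe callable is pluggable so the search can be exercised offline; the `ping -M do` syntax assumed in `ping_df` is Linux iputils (FreeBSD uses `-D`).

```python
import re
import subprocess

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

# iputils wording for a router-reported PMTU and for a local "too long" error
FRAG_RE = re.compile(r"(?:Frag needed and DF set \(mtu = |message too long, mtu=)(\d+)")

def classify_ping_output(output: str):
    """Classify one DF-ping attempt from its captured ping output.
    Returns ('ok', None), ('frag', advertised_mtu) or ('drop', None)."""
    m = FRAG_RE.search(output)
    if m:
        return "frag", int(m.group(1))
    if re.search(r"bytes from .*time=", output):
        return "ok", None
    return "drop", None  # silent loss: no reply and no ICMP error, as in the post

def ping_df(host: str, payload: int, timeout_s: int = 1):
    """Send one ICMP echo with DF set (Linux iputils syntax assumed: -M do, -s payload)."""
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
        capture_output=True, text=True)
    return classify_ping_output(proc.stdout + proc.stderr)

def discover_pmtu(probe, lo: int = 576, hi: int = 1500):
    """Binary-search the largest IPv4 packet size that reaches the target with DF set.
    probe(payload) -> ('ok'|'frag'|'drop', mtu_or_None). A silent drop counts as
    'too big', so a hop that discards oversized frames without any ICMP reply
    (the behaviour observed above) does not break the search."""
    best = None
    lo_payload, hi_payload = lo - IPV4_ICMP_OVERHEAD, hi - IPV4_ICMP_OVERHEAD
    while lo_payload <= hi_payload:
        mid = (lo_payload + hi_payload) // 2
        status, mtu = probe(mid)
        if status == "ok":
            best = mid
            lo_payload = mid + 1
        elif status == "frag" and mtu is not None and mtu >= lo:
            # a router told us the bottleneck MTU: skip straight to just below it
            hi_payload = min(mid - 1, mtu - IPV4_ICMP_OVERHEAD)
        else:
            hi_payload = mid - 1
    return None if best is None else best + IPV4_ICMP_OVERHEAD

if __name__ == "__main__":
    # constructed stand-in for a path whose MTU is 1300 and which drops silently
    silent = lambda p: ("ok", None) if p + IPV4_ICMP_OVERHEAD <= 1300 else ("drop", None)
    print("discovered PMTU:", discover_pmtu(silent))  # 1300
```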
#4
17.7 Legacy Series / VPN MSS Clamping Option?
October 11, 2017, 10:04:12 AM
Hi there, OK, I'm being stupid or blind or both! I can see other posts about this option, but I just can't seem to find it in the GUI. Can someone please tell me where in the GUI it is?
Many thanks
m