Messages

Thx, rebooted the system today as suggested ... then another update was proceeded ... but no issues there anymore!

Hi,

today I wanted to update my opnsense. Unfortunaly i don't know exactly from which version I was coming from. Was it 20.1? Don't know ...

After updating, then rebooting, then updating a second time and rebooting again ... I think it is now the update to 20.7??? ... update process hat stopped. Or somewhat equal. The Update Now button has the symbol that is showing me, that something is happening, but i think I'm still stucked somewhere.

This is whats happened before:

Code Select Expand

***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (49 candidates): .......... done
Processing candidates (49 candidates): .......... done
The following 49 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
acme.sh: 2.8.6 -> 2.8.7
bind-tools: 9.16.5 -> 9.16.6
ca_root_nss: 3.55 -> 3.57
curl: 7.71.1 -> 7.72.0
gettext-runtime: 0.20.2 -> 0.21
isc-dhcp44-relay: 4.4.2 -> 4.4.2_1
isc-dhcp44-server: 4.4.2 -> 4.4.2_1
json-c: 0.14 -> 0.15
libffi: 3.3 -> 3.3_1
libuv: 1.38.1 -> 1.39.0
mpd5: 5.8_10 -> 5.9
nspr: 4.27 -> 4.29
nss: 3.55 -> 3.57
openldap-sasl-client: 2.4.50 -> 2.4.51
opnsense: 20.7 -> 20.7.3
opnsense-update: 20.7 -> 20.7.3
os-acme-client: 1.34 -> 1.36
perl5: 5.30.3 -> 5.32.0
php73: 7.3.20 -> 7.3.22
php73-ctype: 7.3.20 -> 7.3.22
php73-curl: 7.3.20 -> 7.3.22
php73-dom: 7.3.20 -> 7.3.22
php73-filter: 7.3.20 -> 7.3.22
php73-gettext: 7.3.20 -> 7.3.22
php73-hash: 7.3.20 -> 7.3.22
php73-json: 7.3.20 -> 7.3.22
php73-ldap: 7.3.20 -> 7.3.22
php73-openssl: 7.3.20 -> 7.3.22
php73-pdo: 7.3.20 -> 7.3.22
php73-session: 7.3.20 -> 7.3.22
php73-simplexml: 7.3.20 -> 7.3.22
php73-sockets: 7.3.20 -> 7.3.22
php73-sqlite3: 7.3.20 -> 7.3.22
php73-xml: 7.3.20 -> 7.3.22
php73-zlib: 7.3.20 -> 7.3.22
py37-cffi: 1.14.0_1 -> 1.14.3
py37-dns-lexicon: 3.3.27 -> 3.3.28
py37-six: 1.14.0 -> 1.15.0
py37-sqlite3: 3.7.8_7 -> 3.7.9_7
py37-urllib3: 1.25.7,1 -> 1.25.10,1
python37: 3.7.8_1 -> 3.7.9
rate: 0.9_1 -> 0.9_2
socat: 1.7.3.4 -> 1.7.3.4_1
sqlite3: 3.32.3_1,1 -> 3.33.0,1
squid: 4.11_2 -> 4.13
syslog-ng327: 3.27.1_1 -> 3.27.1_2
unbound: 1.10.1 -> 1.11.0

Installed packages to be REINSTALLED:
ntp-4.2.8p15 (direct dependency changed: perl5)
rrdtool-1.7.2_4 (direct dependency changed: perl5)

Number of packages to be upgraded: 47
Number of packages to be reinstalled: 2

The process will require 2 MiB more space.
58 MiB to be downloaded.
[1/49] Fetching unbound-1.11.0.txz: .......... done
[2/49] Fetching syslog-ng327-3.27.1_2.txz: .......... done
[3/49] Fetching squid-4.13.txz: .......... done
[4/49] Fetching sqlite3-3.33.0,1.txz: .......... done
[5/49] Fetching socat-1.7.3.4_1.txz: .......... done
[6/49] Fetching rrdtool-1.7.2_4.txz: .......... done
[7/49] Fetching rate-0.9_2.txz: ....... done
[8/49] Fetching python37-3.7.9.txz: .......... done
[9/49] Fetching py37-urllib3-1.25.10,1.txz: .......... done
[10/49] Fetching py37-sqlite3-3.7.9_7.txz: .... done
[11/49] Fetching py37-six-1.15.0.txz: ... done
[12/49] Fetching py37-dns-lexicon-3.3.28.txz: .......... done
[13/49] Fetching py37-cffi-1.14.3.txz: .......... done
[14/49] Fetching php73-zlib-7.3.22.txz: ... done
[15/49] Fetching php73-xml-7.3.22.txz: ... done
[16/49] Fetching php73-sqlite3-7.3.22.txz: ... done
[17/49] Fetching php73-sockets-7.3.22.txz: ..... done
[18/49] Fetching php73-simplexml-7.3.22.txz: ... done
[19/49] Fetching php73-session-7.3.22.txz: ..... done
[20/49] Fetching php73-pdo-7.3.22.txz: ...... done
[21/49] Fetching php73-openssl-7.3.22.txz: ........ done
[22/49] Fetching php73-ldap-7.3.22.txz: .... done
[23/49] Fetching php73-json-7.3.22.txz: ... done
[24/49] Fetching php73-hash-7.3.22.txz: .......... done
[25/49] Fetching php73-gettext-7.3.22.txz: . done
[26/49] Fetching php73-filter-7.3.22.txz: ... done
[27/49] Fetching php73-dom-7.3.22.txz: ........ done
[28/49] Fetching php73-curl-7.3.22.txz: .... done
[29/49] Fetching php73-ctype-7.3.22.txz: . done
[30/49] Fetching php73-7.3.22.txz: .......... done
[31/49] Fetching perl5-5.32.0.txz: .......... done
[32/49] Fetching os-acme-client-1.36.txz: ........ done
[33/49] Fetching opnsense-update-20.7.3.txz: ........ done
[34/49] Fetching opnsense-20.7.3.txz: .......... done
[35/49] Fetching openldap-sasl-client-2.4.51.txz: .......... done
[36/49] Fetching ntp-4.2.8p15.txz: .......... done
[37/49] Fetching nss-3.57.txz: .......... done
[38/49] Fetching nspr-4.29.txz: .......... done
[39/49] Fetching mpd5-5.9.txz: .......... done
[40/49] Fetching libuv-1.39.0.txz: .......... done
[41/49] Fetching libffi-3.3_1.txz: ..... done
[42/49] Fetching json-c-0.15.txz: ......... done
[43/49] Fetching isc-dhcp44-server-4.4.2_1.txz: .......... done
[44/49] Fetching isc-dhcp44-relay-4.4.2_1.txz: .......... done
[45/49] Fetching gettext-runtime-0.21.txz: .......... done
[46/49] Fetching curl-7.72.0.txz: .......... done
[47/49] Fetching ca_root_nss-3.57.txz: .......... done
[48/49] Fetching bind-tools-9.16.6.txz: .......... done
[49/49] Fetching acme.sh-2.8.7.txz: .......... done
Checking integrity... done (0 conflicting)
[1/49] Upgrading libffi from 3.3 to 3.3_1...
[1/49] Extracting libffi-3.3_1: .......... done
[2/49] Upgrading python37 from 3.7.8_1 to 3.7.9...
[2/49] Extracting python37-3.7.9: .......... done
[3/49] Upgrading py37-six from 1.14.0 to 1.15.0...
[3/49] Extracting py37-six-1.15.0: .......... done
[4/49] Upgrading py37-cffi from 1.14.0_1 to 1.14.3...
[4/49] Extracting py37-cffi-1.14.3: .......... done
[5/49] Upgrading py37-urllib3 from 1.25.7,1 to 1.25.10,1...
[5/49] Extracting py37-urllib3-1.25.10,1: .......... done
[6/49] Upgrading sqlite3 from 3.32.3_1,1 to 3.33.0,1...
[6/49] Extracting sqlite3-3.33.0,1: .......... done
[7/49] Upgrading php73 from 7.3.20 to 7.3.22...
[7/49] Extracting php73-7.3.22: .......... done
[8/49] Upgrading nspr from 4.27 to 4.29...
[8/49] Extracting nspr-4.29: .......... done
[9/49] Upgrading libuv from 1.38.1 to 1.39.0...
[9/49] Extracting libuv-1.39.0: .......... done
[10/49] Upgrading json-c from 0.14 to 0.15...
[10/49] Extracting json-c-0.15: .......... done
[11/49] Upgrading gettext-runtime from 0.20.2 to 0.21...
[11/49] Extracting gettext-runtime-0.21: .......... done
[12/49] Upgrading ca_root_nss from 3.55 to 3.57...
[12/49] Extracting ca_root_nss-3.57: ...... done
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
[13/49] Upgrading socat from 1.7.3.4 to 1.7.3.4_1...
[13/49] Extracting socat-1.7.3.4_1: ......... done
[14/49] Upgrading php73-pdo from 7.3.20 to 7.3.22...
[14/49] Extracting php73-pdo-7.3.22: .......... done
[15/49] Upgrading php73-json from 7.3.20 to 7.3.22...
[15/49] Extracting php73-json-7.3.22: .......... done
[16/49] Upgrading php73-hash from 7.3.20 to 7.3.22...
[16/49] Extracting php73-hash-7.3.22: .......... done
[17/49] Upgrading perl5 from 5.30.3 to 5.32.0...
[17/49] Extracting perl5-5.32.0: .......... done
[18/49] Upgrading openldap-sasl-client from 2.4.50 to 2.4.51...
[18/49] Extracting openldap-sasl-client-2.4.51: .......... done
[19/49] Upgrading nss from 3.55 to 3.57...
[19/49] Extracting nss-3.57: .......... done
[20/49] Upgrading curl from 7.71.1 to 7.72.0...
[20/49] Extracting curl-7.72.0: .......... done
[21/49] Upgrading bind-tools from 9.16.5 to 9.16.6...
[21/49] Extracting bind-tools-9.16.6: .......... done
[22/49] Upgrading unbound from 1.10.1 to 1.11.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[22/49] Extracting unbound-1.11.0: .......... done
[23/49] Upgrading syslog-ng327 from 3.27.1_1 to 3.27.1_2...
[23/49] Extracting syslog-ng327-3.27.1_2: .......... done
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
[24/49] Upgrading squid from 4.11_2 to 4.13...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.13
[24/49] Extracting squid-4.13: .......... done
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
[25/49] Reinstalling rrdtool-1.7.2_4...
[25/49] Extracting rrdtool-1.7.2_4: .......... done
[26/49] Upgrading rate from 0.9_1 to 0.9_2...
[26/49] Extracting rate-0.9_2: ..... done
[27/49] Upgrading py37-sqlite3 from 3.7.8_7 to 3.7.9_7...
[27/49] Extracting py37-sqlite3-3.7.9_7: ........ done
[28/49] Upgrading py37-dns-lexicon from 3.3.27 to 3.3.28...
[28/49] Extracting py37-dns-lexicon-3.3.28: .......... done
[29/49] Upgrading php73-zlib from 7.3.20 to 7.3.22...
[29/49] Extracting php73-zlib-7.3.22: ....... done
[30/49] Upgrading php73-xml from 7.3.20 to 7.3.22...
[30/49] Extracting php73-xml-7.3.22: ........ done
[31/49] Upgrading php73-sqlite3 from 7.3.20 to 7.3.22...
[31/49] Extracting php73-sqlite3-7.3.22: ........ done
[32/49] Upgrading php73-sockets from 7.3.20 to 7.3.22...
[32/49] Extracting php73-sockets-7.3.22: .......... done
[33/49] Upgrading php73-simplexml from 7.3.20 to 7.3.22...
[33/49] Extracting php73-simplexml-7.3.22: ......... done
[34/49] Upgrading php73-session from 7.3.20 to 7.3.22...
[34/49] Extracting php73-session-7.3.22: .......... done
[35/49] Upgrading php73-openssl from 7.3.20 to 7.3.22...
[35/49] Extracting php73-openssl-7.3.22: ....... done
[36/49] Upgrading php73-ldap from 7.3.20 to 7.3.22...
[36/49] Extracting php73-ldap-7.3.22: ....... done
[37/49] Upgrading php73-gettext from 7.3.20 to 7.3.22...
[37/49] Extracting php73-gettext-7.3.22: ....... done
[38/49] Upgrading php73-filter from 7.3.20 to 7.3.22...
[38/49] Extracting php73-filter-7.3.22: ........ done
[39/49] Upgrading php73-dom from 7.3.20 to 7.3.22...
[39/49] Extracting php73-dom-7.3.22: .......... done
[40/49] Upgrading php73-curl from 7.3.20 to 7.3.22...
[40/49] Extracting php73-curl-7.3.22: ....... done
[41/49] Upgrading php73-ctype from 7.3.20 to 7.3.22...
[41/49] Extracting php73-ctype-7.3.22: ....... done
[42/49] Upgrading opnsense-update from 20.7 to 20.7.3...
[42/49] Extracting opnsense-update-20.7.3: .......... done
[43/49] Reinstalling ntp-4.2.8p15...
[43/49] Extracting ntp-4.2.8p15: .......... done
[44/49] Upgrading mpd5 from 5.8_10 to 5.9...
[44/49] Extracting mpd5-5.9: ......... done
[45/49] Upgrading isc-dhcp44-server from 4.4.2 to 4.4.2_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[45/49] Extracting isc-dhcp44-server-4.4.2_1: .......... done
[46/49] Upgrading isc-dhcp44-relay from 4.4.2 to 4.4.2_1...
[46/49] Extracting isc-dhcp44-relay-4.4.2_1: ....... done
[47/49] Upgrading acme.sh from 2.8.6 to 2.8.7...
===> Creating groups.
Using existing group 'acme'.
===> Creating users
Using existing user 'acme'.
===> Creating homedir(s)
[47/49] Extracting acme.sh-2.8.7: .......... done
[48/49] Upgrading os-acme-client from 1.34 to 1.36...
[48/49] Extracting os-acme-client-1.36: .......... done
Stopping configd...done
Starting configd.
Migrated OPNsense\AcmeClient\AcmeClient from 1.6.1 to 1.6.2
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/AcmeClient: OK

But since hours I'm waiting vor 49/49. Don't know what to do now. Should i reboot the box ... or better not because I'm ... somwhere ...

Help would be appreciated   ;)

Hallo,

nee, da wars noch nicht drinnen. Das Häkchen oben war nur oben gesetzt und der schedule Task wohl nur angelegt ... aber nicht zugeordnet (welchen Sinn das hat das zu trennen erschließt sich mir nicht wo wirklich). Na gut, dann werd ich wieder in 90 Tagen gucken, ob es nun läuft, nachdem die Konfiguration dahingehend an 3 Stellen so gesetzt ist. Die Hoffnung steigt, dass es dann beim nächsten mal klappt (wenns nicht irgendwo ein 4. mal eingetragen werden muss).  ;D

Dank Dir!

Hallo,

leider hat das nix gebracht. Das neue, auch schon bereits heruntergeladene LetsEncrypt Zertifikat, wird NICHT  automatisch aktiviert. Wenn man mal also nicht zufällig durch ein FW Update die Box eh bootet ... dann wird da leider auch kein Webserver neu gestartet (oder was da genau neu gestartet werden muss).

Ich fand das eh schon seltsam, dass da noch ein extra Haken gemacht werden soll. Ist ja eigentlich klar, dass wenn ich ein Zertifikat herunterlade ... dieses dann auch benutzt werden soll.

Na gut, scheinbar ist das dann halt so.

Gruß

Hi,

Dank Dir ... warum das extra gemacht werden muss (gerade vor dem Hintergrund, dass man ohnehin keinen Zeitplan für den Restart angeben kann) erschließt sich mir nicht so wirklich.

Aber gut. Nothing is perfect ... wenn das die Lösung ist, ists prima! Ich nehme an, der Punkt läuft dann immer automatisch durch, wenn der Update Schedule abgearbeitet wurde ...

Ich werd's dann in einem 1/4 Jahr sehen ,)

Gruß

Hallo,

ich nutze das LetsEncrypt Plugin mit dem AutoRenewal Feature. Was muss man machen, damit das Zertifikat nicht nur ausgetauscht wird ... sondern die WebGUI das auch nutzt?

Kriege alle 1/4 Jahre eine Meldung, dass das Zertifikat abgelaufen ist. Jetzt wollte ich es aber mal wissen, warum das nicht läuft. Mache ich einen Reboot wird das offensichtlich zuvor schon ausgetauschte Zertifikat auch genutzt.

Mit AutoRenewal hätte ich mir eigentlich das so erhofft, dass ich da nie mehr ran müsste ... weil dann alles automatisch passiert?! Das Zertifikat zu tauschen, aber es der WebGui nicht unterzujubeln ist ja nur die halbe Miete. Wie macht ihr das?

Gruß

Hallo zusammen,

war eine Ecke in Urlaub und nachdem ich wieder kam und meine APU auf Updates geprüft habe, hat er da auch was gefunden. Bin dann dem Link aus dem Dashboard gefolgt. Hab dann auch auf (ich meine "Update") drauf gedrückt.

Dann hatt er zig Dateien? gefunden. Warum keine Version 18? Dachte egal, wird schon werden ... los jetzt.

Danach (zum. viel es mir vorher nicht auf) kam so eine gelbe Bemerkung, dass das die letzte Version in der 17 sei. Ok, nochmal genauer geguckt. Scheinbar bedeutet Update nicht ... Update ... so wie ich es interpretiert habe. Dann stand plötzlich oben drüber eine Zeile mit "Upgrade"?!

Hmmm. Scheinbar wird da ein Unterschied gemacht? Ich rate mal dass ein Update kein Update auf 18 macht, sondern nur in seiner Major Version bleibt? ... und nur ein Upgrade das Update auf eine neue Hauptversion 18 macht?

Vielleicht ... ich hab es aber dann auch nie mehr rausbekommen, weil sich erst die WebGUI nach dem Klick auf Upgrade aufgehangen hat, kurz darauf gingen keine Pings mehr und jetzt ... aus die Maus. Gebrickt? Bootet auf jeden Fall nicht mehr.

Ich werde also wieder von ganz vorne anfangen und eine 18er per USB Stick frisch auf die Büchse aufspielen. Hoffentlich will er mit meiner 17er Config ... davon will ich aber ausgehen wollen.

Aaaaaber, nun die Frage an euch: Wie wäre denn die "optimale" Vorgehensweise gewesen, also so, dass meine Büchse jetzt nicht über den Jordan ist?

Eine Frage die die anderen Foristen wohl kaum beantworten können, aber vielleicht findet sich ja jemand, der die Antwort kennt: Warum wird überhaupt so ein in meinen Augen verwirrender Unterschied zwischen Upgrade und Update gemacht. Begrifflichkeiten, bei denen man nach 2 Monaten wieder neu überlegen müsste, was wohl was sein soll .... aus Sicht der Usability würde ich da keinen Unterschied machen wollen.

Its definitely working now, without the "!". Permanent without any issue, of course, unless I would make any changes in the ipsec gui.

Ok, the rekeying after 1 hour seems to be working now (newest entry on top):

Dec 6 10:53:47   charon: 02[IKE] CHILD_SA con1-001{7} established with SPIs cf7c0bfd_i 0effb429_o and TS 192.168.111.0/24 === 10.20.0.0/16
Dec 6 10:53:47   charon: 02[IKE] CHILD_SA con1-001{7} established with SPIs cf7c0bfd_i 0effb429_o and TS 192.168.111.0/24 === 10.20.0.0/16
Dec 6 10:53:47   charon: 02[ENC] parsed QUICK_MODE response 2181303872 [ HASH SA No KE ID ID ]
Dec 6 10:53:47   charon: 02[NET] received packet: from 234.234.234.234[500] to 123.123.123.123[500] (364 bytes)
Dec 6 10:53:47   charon: 02[NET] sending packet: from 123.123.123.123[500] to 234.234.234.234[500] (380 bytes)
Dec 6 10:53:47   charon: 02[ENC] generating QUICK_MODE request 2181303872 [ HASH SA No KE ID ID ]
Dec 6 10:53:47   charon: 10[KNL] creating rekey job for CHILD_SA ESP/0x12b549df/234.234.234.234

What I regognized, was, that the tunnel was up, but I wasn't able to send traffic through. But ... ok ... maybe this is not possible if I just type ipsec start to bring the tunnel up. After ipsec stop and enabling in the gui, packets are passing through.

In summary, this seems to solve the issue, if config changes in the gui also don't put that "!" in. I hope so ... also that then ... traffic will passing by.

I've also saw 2 tings in my asa syslog:

06.12.2017 10:08:01   Local:234.234.234.234:500 Remote:123.123.123.123:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.20.1.20-10.20.1.20 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.111.49-192.168.111.49 Protocol: 0 Port Range: 0-65535"

06.12.2017 10:10:00   wall   local 3   Warning         "%ASA-4-750003: Local:234.234.234.234:500 Remote:123.123.123.123:500 Username:123.123.123.123 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify"

The P1 is configured to IKE V1. I don't understand why there is obviously an attempt ... something with IKE V2? Or should i open better a new thread for that question?

[!]

Turning PFS off in QuickMode, didn't chang anything, the issue persists. I've now set the old values PFS1536 on both sides and removed the "!" from every con001-00x in vi, as suggested:

# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""

conn con1-000
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1

  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 123.123.123.123
  right = ipsec.bla.bla
  leftid = 123.123.123.123
  ikelifetime = 86400s
  lifetime = 3600s
  ike = aes128-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightid = 234.234.234.234
  rightsubnet = 10.0.0.0/24
  leftsubnet = 192.168.111.0/24
  esp = aes128-sha1-modp1536!
  auto = start

... and on the CLI /usr/local/etc/rc.d/ipsec onestop and /usr/local/etc/rc.d/ipsec onestart.

Unfortunaly there is noting with ipsec in ...

root@wall:~ # cd /usr/local/etc/rc.d
root@wall:/usr/local/etc/rc.d # ls -la
total 156
drwxr-xr-x   2 root  wheel   1024 Nov 30 21:29 .
drwxr-xr-x  29 root  wheel   5632 Nov 30 21:54 ..
-rwxr-xr-x   1 root  wheel   1720 Nov 21 06:54 acme_http_challenge
-r-xr-xr-x   1 root  wheel    443 Oct  3 20:27 apinger
-rwxr-xr-x   1 root  wheel   5571 Nov 21 06:56 captiveportal
-r-xr-xr-x   1 root  wheel    682 Oct  3 22:11 choparp
-rwxr-xr-x   1 root  wheel   1579 Nov 21 06:56 configd
-r-xr-xr-x   1 root  wheel   1181 Oct  3 22:59 dhcp6c
-r-xr-xr-x   1 root  wheel    881 Oct  3 22:59 dhcp6relay
-r-xr-xr-x   1 root  wheel   1005 Oct  3 22:59 dhcp6s
-r-xr-xr-x   1 root  wheel   2747 Oct  3 21:40 dnsmasq
-r-xr-xr-x   1 root  wheel    404 Oct  3 23:46 expiretable
-r-xr-xr-x   1 root  wheel    729 Oct  3 22:27 flowd
-rwxr-xr-x   1 root  wheel   1145 Nov 21 06:56 flowd_aggregate
-r-xr-xr-x   1 root  wheel  12216 Oct  3 23:11 isc-dhcpd
lrwxr-xr-x   1 root  wheel      9 Nov 30 19:55 isc-dhcpd6 -> isc-dhcpd
-r-xr-xr-x   1 root  wheel   1828 Oct  3 23:10 isc-dhcrelay
lrwxr-xr-x   1 root  wheel     12 Nov 30 19:55 isc-dhcrelay6 -> isc-dhcrelay
-r-xr-xr-x   1 root  wheel    509 Oct  3 23:46 kpropd
-r-xr-xr-x   1 root  wheel   3330 Oct  4 00:49 lighttpd
-r-xr-xr-x   1 root  wheel    838 Oct  3 23:16 mpd5
-r-xr-xr-x   1 root  wheel  12193 Nov 21 01:08 named
-rwxr-xr-x   1 root  wheel   4767 Nov 21 06:56 netflow
-r-xr-xr-x   1 root  wheel   4694 Nov 21 02:38 openssh
-r-xr-xr-x   1 root  wheel   4341 Oct  3 23:57 openvpn
-r-xr-xr-x   1 root  wheel   1228 Nov 21 00:36 php-fpm
-r-xr-xr-x   1 root  wheel    444 Oct  3 23:28 radvd
-r-xr-xr-x   1 root  wheel   1936 Oct  3 23:30 samplicator
-r-xr-xr-x   1 root  wheel   3875 Oct  4 01:02 squid
-r-xr-xr-x   1 root  wheel    576 Oct  4 00:05 strongswan
-r-xr-xr-x   1 root  wheel   2048 Nov 21 02:51 suricata
-r-xr-xr-x   1 root  wheel   1235 Nov 21 01:14 unbound
root@wall:/usr/local/etc/rc.d #

root@wall:/usr/local/etc/rc.d # find / -name ipsec
/etc/rc.d/ipsec
/usr/local/libexec/ipsec
/usr/local/opnsense/scripts/ipsec
/usr/local/etc/inc/plugins.inc.d/ipsec
/usr/local/lib/ipsec
/usr/local/sbin/ipsec
/var/db/etcupdate/current/etc/rc.d/ipsec
root@wall:/usr/local/etc/rc.d #


But there is a dir /etc/rc.d/ ... maybe that one? There is also a file called ipsec which looks like this:

#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ipsec
# REQUIRE: FILESYSTEMS
# BEFORE:  DAEMON mountcritremote
# KEYWORD: nojail

. /etc/rc.subr

name="ipsec"
desc="Internet Protocol Security protocol"
rcvar="ipsec_enable"
start_precmd="ipsec_prestart"
start_cmd="ipsec_start"
stop_precmd="test -f $ipsec_file"
stop_cmd="ipsec_stop"
reload_cmd="ipsec_reload"
extra_commands="reload"
ipsec_program="/sbin/setkey"
# ipsec_file is set by rc.conf

ipsec_prestart()
{
        if [ ! -f "$ipsec_file" ]; then
                warn "$ipsec_file not readable; ipsec start aborted."
                stop_boot
                return 1
        fi
        return 0
}

ipsec_start()
{
        echo "Installing ipsec manual keys/policies."
        ${ipsec_program} -f $ipsec_file
}

ipsec_stop()
{
        echo "Clearing ipsec manual keys/policies."

        # Still not 100% sure if we would like to do this.
        # It is very questionable to do this during shutdown session
        # since it can hang any of the remaining IPv4/v6 sessions.
        #
        ${ipsec_program} -F
        ${ipsec_program} -FP
}

ipsec_reload()
{
        echo "Reloading ipsec manual keys/policies."
        ${ipsec_program} -f "$ipsec_file"
}

load_rc_config $name
run_rc_command "$1"


Now, I'm a little bit confused, what to do now. I guessed something like ipsec start ... some thing happens but nothing changes.

So I rebooted opnsense and enabled ipsec via gui. But ... then my deleted "!" from config was back again.

Of course, I'll give it a try tomorrow. First I'll have a look if my workaround is solving the issue and if my thougts are going into the right direction.

Ok, i can confirm now, that P1 is set to "immediately". This morning I disabled and enabled IPSec so the tunnel comes up. Meanwhile a rekeying was in progress ... and the tunnel was broken afterwards. And I think here's the problem (found in opnsense ipsec logs):

Dec 5 15:18:48   charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ

Dec 5 15:18:48   charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

The received proposals and configured proposals are not matching ... when rekeying. But the proposals must be proper, why was the tunnel up bevore. Especially the MODP_1536, i think it's about the PerfectForwardSecrecy seems to be the problem.

With pfsense I had over years the same proposals.

Now i reconfigured opnsense and my asa in the company to make no pfs in P2. I think, this will solve the issue as a workaround ... i can give a feedback tomorrow.

But, on the other hand, if its working then ... something is going wrong with the proposals which should be fixed in the future. Let us see ...

Just checked the settings in my asa. The connection-type is already "answer-only" (not "bidirectional" and not "originate-only"). So it should be already configured as like you would suggest.b At the moment i cant take a look remotely to my opnsense. But I'm 99,99% sure, that opnsense is configured to "immediately". For 100% I've to look this evening.

Hi!

coming in origin from monowall years ago, meanwhile i used pfsense also for some years at home and at some of my customers. I've heard about opnsense and want to give it a try. My first experience was positive. Installation on my old APU was flawless, things seam to work out of the box.

On the second day i decided to setup the IPSec Tunnels to my comapny as well. One P1 and 4 P2. Its almost the same settings and look and feel like pfsense (as its a fork) and so I felt immediately at home. The tunnel was configured in a few moments and I was pleased about it.

Next Day ... no tunnel anymore. Logs are full of errors. Stopping IPSec an starting again brings the tunnel up. When the first P2 rekey happens ... it's all over ... and never comes back. My Cicso ASA on the other side states in syslog, that there is a P2 Error.

opnsense showing in P2 logs, NO_PROPOSAL_CHOOSEN which is the same meaning. P1 always is coming up. P2 initial also, but ... not when rekeying. Why should there now a P2 error, when P2 is coming initial up? Seems strange to me.

Does anybody maybe got an idea?