1
20.7 Legacy Series / Re: Update from 20.7 to 20.7.3 Stuck
« on: October 19, 2020, 02:24:13 pm »
Thx, rebooted the system today as suggested ... then another update was proceeded ... but no issues there anymore!
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
20.7 Legacy Series / Updating now ... will never stop ... im Stucked!
« on: October 16, 2020, 04:12:51 pm »
Hi,
today I wanted to update my opnsense. Unfortunaly i don't know exactly from which version I was coming from. Was it 20.1? Don't know ...
After updating, then rebooting, then updating a second time and rebooting again ... I think it is now the update to 20.7??? ... update process hat stopped. Or somewhat equal. The Update Now button has the symbol that is showing me, that something is happening, but i think I'm still stucked somewhere.
This is whats happened before:
But since hours I'm waiting vor 49/49. Don't know what to do now. Should i reboot the box ... or better not because I'm ... somwhere ...
Help would be appreciated
today I wanted to update my opnsense. Unfortunaly i don't know exactly from which version I was coming from. Was it 20.1? Don't know ...
After updating, then rebooting, then updating a second time and rebooting again ... I think it is now the update to 20.7??? ... update process hat stopped. Or somewhat equal. The Update Now button has the symbol that is showing me, that something is happening, but i think I'm still stucked somewhere.
This is whats happened before:
Code: [Select]
***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (49 candidates): .......... done
Processing candidates (49 candidates): .......... done
The following 49 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
acme.sh: 2.8.6 -> 2.8.7
bind-tools: 9.16.5 -> 9.16.6
ca_root_nss: 3.55 -> 3.57
curl: 7.71.1 -> 7.72.0
gettext-runtime: 0.20.2 -> 0.21
isc-dhcp44-relay: 4.4.2 -> 4.4.2_1
isc-dhcp44-server: 4.4.2 -> 4.4.2_1
json-c: 0.14 -> 0.15
libffi: 3.3 -> 3.3_1
libuv: 1.38.1 -> 1.39.0
mpd5: 5.8_10 -> 5.9
nspr: 4.27 -> 4.29
nss: 3.55 -> 3.57
openldap-sasl-client: 2.4.50 -> 2.4.51
opnsense: 20.7 -> 20.7.3
opnsense-update: 20.7 -> 20.7.3
os-acme-client: 1.34 -> 1.36
perl5: 5.30.3 -> 5.32.0
php73: 7.3.20 -> 7.3.22
php73-ctype: 7.3.20 -> 7.3.22
php73-curl: 7.3.20 -> 7.3.22
php73-dom: 7.3.20 -> 7.3.22
php73-filter: 7.3.20 -> 7.3.22
php73-gettext: 7.3.20 -> 7.3.22
php73-hash: 7.3.20 -> 7.3.22
php73-json: 7.3.20 -> 7.3.22
php73-ldap: 7.3.20 -> 7.3.22
php73-openssl: 7.3.20 -> 7.3.22
php73-pdo: 7.3.20 -> 7.3.22
php73-session: 7.3.20 -> 7.3.22
php73-simplexml: 7.3.20 -> 7.3.22
php73-sockets: 7.3.20 -> 7.3.22
php73-sqlite3: 7.3.20 -> 7.3.22
php73-xml: 7.3.20 -> 7.3.22
php73-zlib: 7.3.20 -> 7.3.22
py37-cffi: 1.14.0_1 -> 1.14.3
py37-dns-lexicon: 3.3.27 -> 3.3.28
py37-six: 1.14.0 -> 1.15.0
py37-sqlite3: 3.7.8_7 -> 3.7.9_7
py37-urllib3: 1.25.7,1 -> 1.25.10,1
python37: 3.7.8_1 -> 3.7.9
rate: 0.9_1 -> 0.9_2
socat: 1.7.3.4 -> 1.7.3.4_1
sqlite3: 3.32.3_1,1 -> 3.33.0,1
squid: 4.11_2 -> 4.13
syslog-ng327: 3.27.1_1 -> 3.27.1_2
unbound: 1.10.1 -> 1.11.0
Installed packages to be REINSTALLED:
ntp-4.2.8p15 (direct dependency changed: perl5)
rrdtool-1.7.2_4 (direct dependency changed: perl5)
Number of packages to be upgraded: 47
Number of packages to be reinstalled: 2
The process will require 2 MiB more space.
58 MiB to be downloaded.
[1/49] Fetching unbound-1.11.0.txz: .......... done
[2/49] Fetching syslog-ng327-3.27.1_2.txz: .......... done
[3/49] Fetching squid-4.13.txz: .......... done
[4/49] Fetching sqlite3-3.33.0,1.txz: .......... done
[5/49] Fetching socat-1.7.3.4_1.txz: .......... done
[6/49] Fetching rrdtool-1.7.2_4.txz: .......... done
[7/49] Fetching rate-0.9_2.txz: ....... done
[8/49] Fetching python37-3.7.9.txz: .......... done
[9/49] Fetching py37-urllib3-1.25.10,1.txz: .......... done
[10/49] Fetching py37-sqlite3-3.7.9_7.txz: .... done
[11/49] Fetching py37-six-1.15.0.txz: ... done
[12/49] Fetching py37-dns-lexicon-3.3.28.txz: .......... done
[13/49] Fetching py37-cffi-1.14.3.txz: .......... done
[14/49] Fetching php73-zlib-7.3.22.txz: ... done
[15/49] Fetching php73-xml-7.3.22.txz: ... done
[16/49] Fetching php73-sqlite3-7.3.22.txz: ... done
[17/49] Fetching php73-sockets-7.3.22.txz: ..... done
[18/49] Fetching php73-simplexml-7.3.22.txz: ... done
[19/49] Fetching php73-session-7.3.22.txz: ..... done
[20/49] Fetching php73-pdo-7.3.22.txz: ...... done
[21/49] Fetching php73-openssl-7.3.22.txz: ........ done
[22/49] Fetching php73-ldap-7.3.22.txz: .... done
[23/49] Fetching php73-json-7.3.22.txz: ... done
[24/49] Fetching php73-hash-7.3.22.txz: .......... done
[25/49] Fetching php73-gettext-7.3.22.txz: . done
[26/49] Fetching php73-filter-7.3.22.txz: ... done
[27/49] Fetching php73-dom-7.3.22.txz: ........ done
[28/49] Fetching php73-curl-7.3.22.txz: .... done
[29/49] Fetching php73-ctype-7.3.22.txz: . done
[30/49] Fetching php73-7.3.22.txz: .......... done
[31/49] Fetching perl5-5.32.0.txz: .......... done
[32/49] Fetching os-acme-client-1.36.txz: ........ done
[33/49] Fetching opnsense-update-20.7.3.txz: ........ done
[34/49] Fetching opnsense-20.7.3.txz: .......... done
[35/49] Fetching openldap-sasl-client-2.4.51.txz: .......... done
[36/49] Fetching ntp-4.2.8p15.txz: .......... done
[37/49] Fetching nss-3.57.txz: .......... done
[38/49] Fetching nspr-4.29.txz: .......... done
[39/49] Fetching mpd5-5.9.txz: .......... done
[40/49] Fetching libuv-1.39.0.txz: .......... done
[41/49] Fetching libffi-3.3_1.txz: ..... done
[42/49] Fetching json-c-0.15.txz: ......... done
[43/49] Fetching isc-dhcp44-server-4.4.2_1.txz: .......... done
[44/49] Fetching isc-dhcp44-relay-4.4.2_1.txz: .......... done
[45/49] Fetching gettext-runtime-0.21.txz: .......... done
[46/49] Fetching curl-7.72.0.txz: .......... done
[47/49] Fetching ca_root_nss-3.57.txz: .......... done
[48/49] Fetching bind-tools-9.16.6.txz: .......... done
[49/49] Fetching acme.sh-2.8.7.txz: .......... done
Checking integrity... done (0 conflicting)
[1/49] Upgrading libffi from 3.3 to 3.3_1...
[1/49] Extracting libffi-3.3_1: .......... done
[2/49] Upgrading python37 from 3.7.8_1 to 3.7.9...
[2/49] Extracting python37-3.7.9: .......... done
[3/49] Upgrading py37-six from 1.14.0 to 1.15.0...
[3/49] Extracting py37-six-1.15.0: .......... done
[4/49] Upgrading py37-cffi from 1.14.0_1 to 1.14.3...
[4/49] Extracting py37-cffi-1.14.3: .......... done
[5/49] Upgrading py37-urllib3 from 1.25.7,1 to 1.25.10,1...
[5/49] Extracting py37-urllib3-1.25.10,1: .......... done
[6/49] Upgrading sqlite3 from 3.32.3_1,1 to 3.33.0,1...
[6/49] Extracting sqlite3-3.33.0,1: .......... done
[7/49] Upgrading php73 from 7.3.20 to 7.3.22...
[7/49] Extracting php73-7.3.22: .......... done
[8/49] Upgrading nspr from 4.27 to 4.29...
[8/49] Extracting nspr-4.29: .......... done
[9/49] Upgrading libuv from 1.38.1 to 1.39.0...
[9/49] Extracting libuv-1.39.0: .......... done
[10/49] Upgrading json-c from 0.14 to 0.15...
[10/49] Extracting json-c-0.15: .......... done
[11/49] Upgrading gettext-runtime from 0.20.2 to 0.21...
[11/49] Extracting gettext-runtime-0.21: .......... done
[12/49] Upgrading ca_root_nss from 3.55 to 3.57...
[12/49] Extracting ca_root_nss-3.57: ...... done
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
[13/49] Upgrading socat from 1.7.3.4 to 1.7.3.4_1...
[13/49] Extracting socat-1.7.3.4_1: ......... done
[14/49] Upgrading php73-pdo from 7.3.20 to 7.3.22...
[14/49] Extracting php73-pdo-7.3.22: .......... done
[15/49] Upgrading php73-json from 7.3.20 to 7.3.22...
[15/49] Extracting php73-json-7.3.22: .......... done
[16/49] Upgrading php73-hash from 7.3.20 to 7.3.22...
[16/49] Extracting php73-hash-7.3.22: .......... done
[17/49] Upgrading perl5 from 5.30.3 to 5.32.0...
[17/49] Extracting perl5-5.32.0: .......... done
[18/49] Upgrading openldap-sasl-client from 2.4.50 to 2.4.51...
[18/49] Extracting openldap-sasl-client-2.4.51: .......... done
[19/49] Upgrading nss from 3.55 to 3.57...
[19/49] Extracting nss-3.57: .......... done
[20/49] Upgrading curl from 7.71.1 to 7.72.0...
[20/49] Extracting curl-7.72.0: .......... done
[21/49] Upgrading bind-tools from 9.16.5 to 9.16.6...
[21/49] Extracting bind-tools-9.16.6: .......... done
[22/49] Upgrading unbound from 1.10.1 to 1.11.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[22/49] Extracting unbound-1.11.0: .......... done
[23/49] Upgrading syslog-ng327 from 3.27.1_1 to 3.27.1_2...
[23/49] Extracting syslog-ng327-3.27.1_2: .......... done
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
[24/49] Upgrading squid from 4.11_2 to 4.13...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.13
[24/49] Extracting squid-4.13: .......... done
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
[25/49] Reinstalling rrdtool-1.7.2_4...
[25/49] Extracting rrdtool-1.7.2_4: .......... done
[26/49] Upgrading rate from 0.9_1 to 0.9_2...
[26/49] Extracting rate-0.9_2: ..... done
[27/49] Upgrading py37-sqlite3 from 3.7.8_7 to 3.7.9_7...
[27/49] Extracting py37-sqlite3-3.7.9_7: ........ done
[28/49] Upgrading py37-dns-lexicon from 3.3.27 to 3.3.28...
[28/49] Extracting py37-dns-lexicon-3.3.28: .......... done
[29/49] Upgrading php73-zlib from 7.3.20 to 7.3.22...
[29/49] Extracting php73-zlib-7.3.22: ....... done
[30/49] Upgrading php73-xml from 7.3.20 to 7.3.22...
[30/49] Extracting php73-xml-7.3.22: ........ done
[31/49] Upgrading php73-sqlite3 from 7.3.20 to 7.3.22...
[31/49] Extracting php73-sqlite3-7.3.22: ........ done
[32/49] Upgrading php73-sockets from 7.3.20 to 7.3.22...
[32/49] Extracting php73-sockets-7.3.22: .......... done
[33/49] Upgrading php73-simplexml from 7.3.20 to 7.3.22...
[33/49] Extracting php73-simplexml-7.3.22: ......... done
[34/49] Upgrading php73-session from 7.3.20 to 7.3.22...
[34/49] Extracting php73-session-7.3.22: .......... done
[35/49] Upgrading php73-openssl from 7.3.20 to 7.3.22...
[35/49] Extracting php73-openssl-7.3.22: ....... done
[36/49] Upgrading php73-ldap from 7.3.20 to 7.3.22...
[36/49] Extracting php73-ldap-7.3.22: ....... done
[37/49] Upgrading php73-gettext from 7.3.20 to 7.3.22...
[37/49] Extracting php73-gettext-7.3.22: ....... done
[38/49] Upgrading php73-filter from 7.3.20 to 7.3.22...
[38/49] Extracting php73-filter-7.3.22: ........ done
[39/49] Upgrading php73-dom from 7.3.20 to 7.3.22...
[39/49] Extracting php73-dom-7.3.22: .......... done
[40/49] Upgrading php73-curl from 7.3.20 to 7.3.22...
[40/49] Extracting php73-curl-7.3.22: ....... done
[41/49] Upgrading php73-ctype from 7.3.20 to 7.3.22...
[41/49] Extracting php73-ctype-7.3.22: ....... done
[42/49] Upgrading opnsense-update from 20.7 to 20.7.3...
[42/49] Extracting opnsense-update-20.7.3: .......... done
[43/49] Reinstalling ntp-4.2.8p15...
[43/49] Extracting ntp-4.2.8p15: .......... done
[44/49] Upgrading mpd5 from 5.8_10 to 5.9...
[44/49] Extracting mpd5-5.9: ......... done
[45/49] Upgrading isc-dhcp44-server from 4.4.2 to 4.4.2_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[45/49] Extracting isc-dhcp44-server-4.4.2_1: .......... done
[46/49] Upgrading isc-dhcp44-relay from 4.4.2 to 4.4.2_1...
[46/49] Extracting isc-dhcp44-relay-4.4.2_1: ....... done
[47/49] Upgrading acme.sh from 2.8.6 to 2.8.7...
===> Creating groups.
Using existing group 'acme'.
===> Creating users
Using existing user 'acme'.
===> Creating homedir(s)
[47/49] Extracting acme.sh-2.8.7: .......... done
[48/49] Upgrading os-acme-client from 1.34 to 1.36...
[48/49] Extracting os-acme-client-1.36: .......... done
Stopping configd...done
Starting configd.
Migrated OPNsense\AcmeClient\AcmeClient from 1.6.1 to 1.6.2
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/AcmeClient: OKBut since hours I'm waiting vor 49/49. Don't know what to do now. Should i reboot the box ... or better not because I'm ... somwhere ...
Help would be appreciated
3
German - Deutsch / Re: Fragen zum LetsEncrypt AutoRenewal
« on: February 23, 2020, 11:19:56 am »
Hallo,
nee, da wars noch nicht drinnen. Das Häkchen oben war nur oben gesetzt und der schedule Task wohl nur angelegt ... aber nicht zugeordnet (welchen Sinn das hat das zu trennen erschließt sich mir nicht wo wirklich). Na gut, dann werd ich wieder in 90 Tagen gucken, ob es nun läuft, nachdem die Konfiguration dahingehend an 3 Stellen so gesetzt ist. Die Hoffnung steigt, dass es dann beim nächsten mal klappt (wenns nicht irgendwo ein 4. mal eingetragen werden muss).
Dank Dir!
nee, da wars noch nicht drinnen. Das Häkchen oben war nur oben gesetzt und der schedule Task wohl nur angelegt ... aber nicht zugeordnet (welchen Sinn das hat das zu trennen erschließt sich mir nicht wo wirklich). Na gut, dann werd ich wieder in 90 Tagen gucken, ob es nun läuft, nachdem die Konfiguration dahingehend an 3 Stellen so gesetzt ist. Die Hoffnung steigt, dass es dann beim nächsten mal klappt (wenns nicht irgendwo ein 4. mal eingetragen werden muss).
Dank Dir!
4
German - Deutsch / Re: Fragen zum LetsEncrypt AutoRenewal
« on: February 23, 2020, 09:29:15 am »
Hallo,
leider hat das nix gebracht. Das neue, auch schon bereits heruntergeladene LetsEncrypt Zertifikat, wird NICHT automatisch aktiviert. Wenn man mal also nicht zufällig durch ein FW Update die Box eh bootet ... dann wird da leider auch kein Webserver neu gestartet (oder was da genau neu gestartet werden muss).
Ich fand das eh schon seltsam, dass da noch ein extra Haken gemacht werden soll. Ist ja eigentlich klar, dass wenn ich ein Zertifikat herunterlade ... dieses dann auch benutzt werden soll.
Na gut, scheinbar ist das dann halt so.
Gruß
leider hat das nix gebracht. Das neue, auch schon bereits heruntergeladene LetsEncrypt Zertifikat, wird NICHT automatisch aktiviert. Wenn man mal also nicht zufällig durch ein FW Update die Box eh bootet ... dann wird da leider auch kein Webserver neu gestartet (oder was da genau neu gestartet werden muss).
Ich fand das eh schon seltsam, dass da noch ein extra Haken gemacht werden soll. Ist ja eigentlich klar, dass wenn ich ein Zertifikat herunterlade ... dieses dann auch benutzt werden soll.
Na gut, scheinbar ist das dann halt so.
Gruß
5
German - Deutsch / Re: Fragen zum LetsEncrypt AutoRenewal
« on: December 13, 2019, 12:46:59 pm »
Hi,
Dank Dir ... warum das extra gemacht werden muss (gerade vor dem Hintergrund, dass man ohnehin keinen Zeitplan für den Restart angeben kann) erschließt sich mir nicht so wirklich.
Aber gut. Nothing is perfect ... wenn das die Lösung ist, ists prima! Ich nehme an, der Punkt läuft dann immer automatisch durch, wenn der Update Schedule abgearbeitet wurde ...
Ich werd's dann in einem 1/4 Jahr sehen ,)
Gruß
Dank Dir ... warum das extra gemacht werden muss (gerade vor dem Hintergrund, dass man ohnehin keinen Zeitplan für den Restart angeben kann) erschließt sich mir nicht so wirklich.
Aber gut. Nothing is perfect ... wenn das die Lösung ist, ists prima! Ich nehme an, der Punkt läuft dann immer automatisch durch, wenn der Update Schedule abgearbeitet wurde ...
Ich werd's dann in einem 1/4 Jahr sehen ,)
Gruß
6
German - Deutsch / Fragen zum LetsEncrypt AutoRenewal
« on: December 13, 2019, 10:34:07 am »
Hallo,
ich nutze das LetsEncrypt Plugin mit dem AutoRenewal Feature. Was muss man machen, damit das Zertifikat nicht nur ausgetauscht wird ... sondern die WebGUI das auch nutzt?
Kriege alle 1/4 Jahre eine Meldung, dass das Zertifikat abgelaufen ist. Jetzt wollte ich es aber mal wissen, warum das nicht läuft. Mache ich einen Reboot wird das offensichtlich zuvor schon ausgetauschte Zertifikat auch genutzt.
Mit AutoRenewal hätte ich mir eigentlich das so erhofft, dass ich da nie mehr ran müsste ... weil dann alles automatisch passiert?! Das Zertifikat zu tauschen, aber es der WebGui nicht unterzujubeln ist ja nur die halbe Miete. Wie macht ihr das?
Gruß
ich nutze das LetsEncrypt Plugin mit dem AutoRenewal Feature. Was muss man machen, damit das Zertifikat nicht nur ausgetauscht wird ... sondern die WebGUI das auch nutzt?
Kriege alle 1/4 Jahre eine Meldung, dass das Zertifikat abgelaufen ist. Jetzt wollte ich es aber mal wissen, warum das nicht läuft. Mache ich einen Reboot wird das offensichtlich zuvor schon ausgetauschte Zertifikat auch genutzt.
Mit AutoRenewal hätte ich mir eigentlich das so erhofft, dass ich da nie mehr ran müsste ... weil dann alles automatisch passiert?! Das Zertifikat zu tauschen, aber es der WebGui nicht unterzujubeln ist ja nur die halbe Miete. Wie macht ihr das?
Gruß
7
German - Deutsch / Nach Update-grade bootet Box nicht mehr
« on: March 01, 2018, 03:31:07 pm »
Hallo zusammen,
war eine Ecke in Urlaub und nachdem ich wieder kam und meine APU auf Updates geprüft habe, hat er da auch was gefunden. Bin dann dem Link aus dem Dashboard gefolgt. Hab dann auch auf (ich meine "Update") drauf gedrückt.
Dann hatt er zig Dateien? gefunden. Warum keine Version 18? Dachte egal, wird schon werden ... los jetzt.
Danach (zum. viel es mir vorher nicht auf) kam so eine gelbe Bemerkung, dass das die letzte Version in der 17 sei. Ok, nochmal genauer geguckt. Scheinbar bedeutet Update nicht ... Update ... so wie ich es interpretiert habe. Dann stand plötzlich oben drüber eine Zeile mit "Upgrade"?!
Hmmm. Scheinbar wird da ein Unterschied gemacht? Ich rate mal dass ein Update kein Update auf 18 macht, sondern nur in seiner Major Version bleibt? ... und nur ein Upgrade das Update auf eine neue Hauptversion 18 macht?
Vielleicht ... ich hab es aber dann auch nie mehr rausbekommen, weil sich erst die WebGUI nach dem Klick auf Upgrade aufgehangen hat, kurz darauf gingen keine Pings mehr und jetzt ... aus die Maus. Gebrickt? Bootet auf jeden Fall nicht mehr.
Ich werde also wieder von ganz vorne anfangen und eine 18er per USB Stick frisch auf die Büchse aufspielen. Hoffentlich will er mit meiner 17er Config ... davon will ich aber ausgehen wollen.
Aaaaaber, nun die Frage an euch: Wie wäre denn die "optimale" Vorgehensweise gewesen, also so, dass meine Büchse jetzt nicht über den Jordan ist?
Eine Frage die die anderen Foristen wohl kaum beantworten können, aber vielleicht findet sich ja jemand, der die Antwort kennt: Warum wird überhaupt so ein in meinen Augen verwirrender Unterschied zwischen Upgrade und Update gemacht. Begrifflichkeiten, bei denen man nach 2 Monaten wieder neu überlegen müsste, was wohl was sein soll .... aus Sicht der Usability würde ich da keinen Unterschied machen wollen.
war eine Ecke in Urlaub und nachdem ich wieder kam und meine APU auf Updates geprüft habe, hat er da auch was gefunden. Bin dann dem Link aus dem Dashboard gefolgt. Hab dann auch auf (ich meine "Update") drauf gedrückt.
Dann hatt er zig Dateien? gefunden. Warum keine Version 18? Dachte egal, wird schon werden ... los jetzt.
Danach (zum. viel es mir vorher nicht auf) kam so eine gelbe Bemerkung, dass das die letzte Version in der 17 sei. Ok, nochmal genauer geguckt. Scheinbar bedeutet Update nicht ... Update ... so wie ich es interpretiert habe. Dann stand plötzlich oben drüber eine Zeile mit "Upgrade"?!
Hmmm. Scheinbar wird da ein Unterschied gemacht? Ich rate mal dass ein Update kein Update auf 18 macht, sondern nur in seiner Major Version bleibt? ... und nur ein Upgrade das Update auf eine neue Hauptversion 18 macht?
Vielleicht ... ich hab es aber dann auch nie mehr rausbekommen, weil sich erst die WebGUI nach dem Klick auf Upgrade aufgehangen hat, kurz darauf gingen keine Pings mehr und jetzt ... aus die Maus. Gebrickt? Bootet auf jeden Fall nicht mehr.
Ich werde also wieder von ganz vorne anfangen und eine 18er per USB Stick frisch auf die Büchse aufspielen. Hoffentlich will er mit meiner 17er Config ... davon will ich aber ausgehen wollen.
Aaaaaber, nun die Frage an euch: Wie wäre denn die "optimale" Vorgehensweise gewesen, also so, dass meine Büchse jetzt nicht über den Jordan ist?
Eine Frage die die anderen Foristen wohl kaum beantworten können, aber vielleicht findet sich ja jemand, der die Antwort kennt: Warum wird überhaupt so ein in meinen Augen verwirrender Unterschied zwischen Upgrade und Update gemacht. Begrifflichkeiten, bei denen man nach 2 Monaten wieder neu überlegen müsste, was wohl was sein soll .... aus Sicht der Usability würde ich da keinen Unterschied machen wollen.
8
17.7 Legacy Series / Re: IPSEC Rekey P2 Issue
« on: December 06, 2017, 06:49:13 pm »
Its definitely working now, without the "!". Permanent without any issue, of course, unless I would make any changes in the ipsec gui.
9
17.7 Legacy Series / Re: IPSEC Rekey P2 Issue
« on: December 06, 2017, 11:22:36 am »
Ok, the rekeying after 1 hour seems to be working now (newest entry on top):
Dec 6 10:53:47 charon: 02[IKE] CHILD_SA con1-001{7} established with SPIs cf7c0bfd_i 0effb429_o and TS 192.168.111.0/24 === 10.20.0.0/16
Dec 6 10:53:47 charon: 02[IKE] CHILD_SA con1-001{7} established with SPIs cf7c0bfd_i 0effb429_o and TS 192.168.111.0/24 === 10.20.0.0/16
Dec 6 10:53:47 charon: 02[ENC] parsed QUICK_MODE response 2181303872 [ HASH SA No KE ID ID ]
Dec 6 10:53:47 charon: 02[NET] received packet: from 234.234.234.234[500] to 123.123.123.123[500] (364 bytes)
Dec 6 10:53:47 charon: 02[NET] sending packet: from 123.123.123.123[500] to 234.234.234.234[500] (380 bytes)
Dec 6 10:53:47 charon: 02[ENC] generating QUICK_MODE request 2181303872 [ HASH SA No KE ID ID ]
Dec 6 10:53:47 charon: 10[KNL] creating rekey job for CHILD_SA ESP/0x12b549df/234.234.234.234
What I regognized, was, that the tunnel was up, but I wasn't able to send traffic through. But ... ok ... maybe this is not possible if I just type ipsec start to bring the tunnel up. After ipsec stop and enabling in the gui, packets are passing through.
In summary, this seems to solve the issue, if config changes in the gui also don't put that "!" in. I hope so ... also that then ... traffic will passing by.
I've also saw 2 tings in my asa syslog:
06.12.2017 10:08:01 Local:234.234.234.234:500 Remote:123.123.123.123:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.20.1.20-10.20.1.20 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.111.49-192.168.111.49 Protocol: 0 Port Range: 0-65535"
06.12.2017 10:10:00 wall local 3 Warning "%ASA-4-750003: Local:234.234.234.234:500 Remote:123.123.123.123:500 Username:123.123.123.123 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify"
The P1 is configured to IKE V1. I don't understand why there is obviously an attempt ... something with IKE V2? Or should i open better a new thread for that question?
Dec 6 10:53:47 charon: 02[IKE] CHILD_SA con1-001{7} established with SPIs cf7c0bfd_i 0effb429_o and TS 192.168.111.0/24 === 10.20.0.0/16
Dec 6 10:53:47 charon: 02[IKE] CHILD_SA con1-001{7} established with SPIs cf7c0bfd_i 0effb429_o and TS 192.168.111.0/24 === 10.20.0.0/16
Dec 6 10:53:47 charon: 02[ENC] parsed QUICK_MODE response 2181303872 [ HASH SA No KE ID ID ]
Dec 6 10:53:47 charon: 02[NET] received packet: from 234.234.234.234[500] to 123.123.123.123[500] (364 bytes)
Dec 6 10:53:47 charon: 02[NET] sending packet: from 123.123.123.123[500] to 234.234.234.234[500] (380 bytes)
Dec 6 10:53:47 charon: 02[ENC] generating QUICK_MODE request 2181303872 [ HASH SA No KE ID ID ]
Dec 6 10:53:47 charon: 10[KNL] creating rekey job for CHILD_SA ESP/0x12b549df/234.234.234.234
What I regognized, was, that the tunnel was up, but I wasn't able to send traffic through. But ... ok ... maybe this is not possible if I just type ipsec start to bring the tunnel up. After ipsec stop and enabling in the gui, packets are passing through.
In summary, this seems to solve the issue, if config changes in the gui also don't put that "!" in. I hope so ... also that then ... traffic will passing by.
I've also saw 2 tings in my asa syslog:
06.12.2017 10:08:01 Local:234.234.234.234:500 Remote:123.123.123.123:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.20.1.20-10.20.1.20 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.111.49-192.168.111.49 Protocol: 0 Port Range: 0-65535"
06.12.2017 10:10:00 wall local 3 Warning "%ASA-4-750003: Local:234.234.234.234:500 Remote:123.123.123.123:500 Username:123.123.123.123 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify"
The P1 is configured to IKE V1. I don't understand why there is obviously an attempt ... something with IKE V2? Or should i open better a new thread for that question?
10
17.7 Legacy Series / Re: IPSEC Rekey P2 Issue
« on: December 06, 2017, 09:41:43 am »
Turning PFS off in QuickMode, didn't chang anything, the issue persists. I've now set the old values PFS1536 on both sides and removed the "!" from every con001-00x in vi, as suggested:
# This file is automatically generated. Do not edit
config setup
uniqueids = yes
charondebug=""
conn con1-000
aggressive = no
fragmentation = yes
keyexchange = ikev1
reauth = yes
rekey = yes
forceencaps = no
installpolicy = yes
type = tunnel
dpdaction = clear
dpddelay = 10s
dpdtimeout = 60s
left = 123.123.123.123
right = ipsec.bla.bla
leftid = 123.123.123.123
ikelifetime = 86400s
lifetime = 3600s
ike = aes128-sha1-modp1024!
leftauth = psk
rightauth = psk
rightid = 234.234.234.234
rightsubnet = 10.0.0.0/24
leftsubnet = 192.168.111.0/24
esp = aes128-sha1-modp1536!
auto = start
Unfortunaly there is noting with ipsec in ...
root@wall:~ # cd /usr/local/etc/rc.d
root@wall:/usr/local/etc/rc.d # ls -la
total 156
drwxr-xr-x 2 root wheel 1024 Nov 30 21:29 .
drwxr-xr-x 29 root wheel 5632 Nov 30 21:54 ..
-rwxr-xr-x 1 root wheel 1720 Nov 21 06:54 acme_http_challenge
-r-xr-xr-x 1 root wheel 443 Oct 3 20:27 apinger
-rwxr-xr-x 1 root wheel 5571 Nov 21 06:56 captiveportal
-r-xr-xr-x 1 root wheel 682 Oct 3 22:11 choparp
-rwxr-xr-x 1 root wheel 1579 Nov 21 06:56 configd
-r-xr-xr-x 1 root wheel 1181 Oct 3 22:59 dhcp6c
-r-xr-xr-x 1 root wheel 881 Oct 3 22:59 dhcp6relay
-r-xr-xr-x 1 root wheel 1005 Oct 3 22:59 dhcp6s
-r-xr-xr-x 1 root wheel 2747 Oct 3 21:40 dnsmasq
-r-xr-xr-x 1 root wheel 404 Oct 3 23:46 expiretable
-r-xr-xr-x 1 root wheel 729 Oct 3 22:27 flowd
-rwxr-xr-x 1 root wheel 1145 Nov 21 06:56 flowd_aggregate
-r-xr-xr-x 1 root wheel 12216 Oct 3 23:11 isc-dhcpd
lrwxr-xr-x 1 root wheel 9 Nov 30 19:55 isc-dhcpd6 -> isc-dhcpd
-r-xr-xr-x 1 root wheel 1828 Oct 3 23:10 isc-dhcrelay
lrwxr-xr-x 1 root wheel 12 Nov 30 19:55 isc-dhcrelay6 -> isc-dhcrelay
-r-xr-xr-x 1 root wheel 509 Oct 3 23:46 kpropd
-r-xr-xr-x 1 root wheel 3330 Oct 4 00:49 lighttpd
-r-xr-xr-x 1 root wheel 838 Oct 3 23:16 mpd5
-r-xr-xr-x 1 root wheel 12193 Nov 21 01:08 named
-rwxr-xr-x 1 root wheel 4767 Nov 21 06:56 netflow
-r-xr-xr-x 1 root wheel 4694 Nov 21 02:38 openssh
-r-xr-xr-x 1 root wheel 4341 Oct 3 23:57 openvpn
-r-xr-xr-x 1 root wheel 1228 Nov 21 00:36 php-fpm
-r-xr-xr-x 1 root wheel 444 Oct 3 23:28 radvd
-r-xr-xr-x 1 root wheel 1936 Oct 3 23:30 samplicator
-r-xr-xr-x 1 root wheel 3875 Oct 4 01:02 squid
-r-xr-xr-x 1 root wheel 576 Oct 4 00:05 strongswan
-r-xr-xr-x 1 root wheel 2048 Nov 21 02:51 suricata
-r-xr-xr-x 1 root wheel 1235 Nov 21 01:14 unbound
root@wall:/usr/local/etc/rc.d #
root@wall:/usr/local/etc/rc.d # find / -name ipsec
/etc/rc.d/ipsec
/usr/local/libexec/ipsec
/usr/local/opnsense/scripts/ipsec
/usr/local/etc/inc/plugins.inc.d/ipsec
/usr/local/lib/ipsec
/usr/local/sbin/ipsec
/var/db/etcupdate/current/etc/rc.d/ipsec
root@wall:/usr/local/etc/rc.d #
But there is a dir /etc/rc.d/ ... maybe that one? There is also a file called ipsec which looks like this:
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: ipsec
# REQUIRE: FILESYSTEMS
# BEFORE: DAEMON mountcritremote
# KEYWORD: nojail
. /etc/rc.subr
name="ipsec"
desc="Internet Protocol Security protocol"
rcvar="ipsec_enable"
start_precmd="ipsec_prestart"
start_cmd="ipsec_start"
stop_precmd="test -f $ipsec_file"
stop_cmd="ipsec_stop"
reload_cmd="ipsec_reload"
extra_commands="reload"
ipsec_program="/sbin/setkey"
# ipsec_file is set by rc.conf
ipsec_prestart()
{
if [ ! -f "$ipsec_file" ]; then
warn "$ipsec_file not readable; ipsec start aborted."
stop_boot
return 1
fi
return 0
}
ipsec_start()
{
echo "Installing ipsec manual keys/policies."
${ipsec_program} -f $ipsec_file
}
ipsec_stop()
{
echo "Clearing ipsec manual keys/policies."
# Still not 100% sure if we would like to do this.
# It is very questionable to do this during shutdown session
# since it can hang any of the remaining IPv4/v6 sessions.
#
${ipsec_program} -F
${ipsec_program} -FP
}
ipsec_reload()
{
echo "Reloading ipsec manual keys/policies."
${ipsec_program} -f "$ipsec_file"
}
load_rc_config $name
run_rc_command "$1"
Now, I'm a little bit confused, what to do now. I guessed something like ipsec start ... some thing happens but nothing changes.
So I rebooted opnsense and enabled ipsec via gui. But ... then my deleted "!" from config was back again.
# This file is automatically generated. Do not edit
config setup
uniqueids = yes
charondebug=""
conn con1-000
aggressive = no
fragmentation = yes
keyexchange = ikev1
reauth = yes
rekey = yes
forceencaps = no
installpolicy = yes
type = tunnel
dpdaction = clear
dpddelay = 10s
dpdtimeout = 60s
left = 123.123.123.123
right = ipsec.bla.bla
leftid = 123.123.123.123
ikelifetime = 86400s
lifetime = 3600s
ike = aes128-sha1-modp1024!
leftauth = psk
rightauth = psk
rightid = 234.234.234.234
rightsubnet = 10.0.0.0/24
leftsubnet = 192.168.111.0/24
esp = aes128-sha1-modp1536!
auto = start
... and on the CLI /usr/local/etc/rc.d/ipsec onestop and /usr/local/etc/rc.d/ipsec onestart.
Unfortunaly there is noting with ipsec in ...
root@wall:~ # cd /usr/local/etc/rc.d
root@wall:/usr/local/etc/rc.d # ls -la
total 156
drwxr-xr-x 2 root wheel 1024 Nov 30 21:29 .
drwxr-xr-x 29 root wheel 5632 Nov 30 21:54 ..
-rwxr-xr-x 1 root wheel 1720 Nov 21 06:54 acme_http_challenge
-r-xr-xr-x 1 root wheel 443 Oct 3 20:27 apinger
-rwxr-xr-x 1 root wheel 5571 Nov 21 06:56 captiveportal
-r-xr-xr-x 1 root wheel 682 Oct 3 22:11 choparp
-rwxr-xr-x 1 root wheel 1579 Nov 21 06:56 configd
-r-xr-xr-x 1 root wheel 1181 Oct 3 22:59 dhcp6c
-r-xr-xr-x 1 root wheel 881 Oct 3 22:59 dhcp6relay
-r-xr-xr-x 1 root wheel 1005 Oct 3 22:59 dhcp6s
-r-xr-xr-x 1 root wheel 2747 Oct 3 21:40 dnsmasq
-r-xr-xr-x 1 root wheel 404 Oct 3 23:46 expiretable
-r-xr-xr-x 1 root wheel 729 Oct 3 22:27 flowd
-rwxr-xr-x 1 root wheel 1145 Nov 21 06:56 flowd_aggregate
-r-xr-xr-x 1 root wheel 12216 Oct 3 23:11 isc-dhcpd
lrwxr-xr-x 1 root wheel 9 Nov 30 19:55 isc-dhcpd6 -> isc-dhcpd
-r-xr-xr-x 1 root wheel 1828 Oct 3 23:10 isc-dhcrelay
lrwxr-xr-x 1 root wheel 12 Nov 30 19:55 isc-dhcrelay6 -> isc-dhcrelay
-r-xr-xr-x 1 root wheel 509 Oct 3 23:46 kpropd
-r-xr-xr-x 1 root wheel 3330 Oct 4 00:49 lighttpd
-r-xr-xr-x 1 root wheel 838 Oct 3 23:16 mpd5
-r-xr-xr-x 1 root wheel 12193 Nov 21 01:08 named
-rwxr-xr-x 1 root wheel 4767 Nov 21 06:56 netflow
-r-xr-xr-x 1 root wheel 4694 Nov 21 02:38 openssh
-r-xr-xr-x 1 root wheel 4341 Oct 3 23:57 openvpn
-r-xr-xr-x 1 root wheel 1228 Nov 21 00:36 php-fpm
-r-xr-xr-x 1 root wheel 444 Oct 3 23:28 radvd
-r-xr-xr-x 1 root wheel 1936 Oct 3 23:30 samplicator
-r-xr-xr-x 1 root wheel 3875 Oct 4 01:02 squid
-r-xr-xr-x 1 root wheel 576 Oct 4 00:05 strongswan
-r-xr-xr-x 1 root wheel 2048 Nov 21 02:51 suricata
-r-xr-xr-x 1 root wheel 1235 Nov 21 01:14 unbound
root@wall:/usr/local/etc/rc.d #
root@wall:/usr/local/etc/rc.d # find / -name ipsec
/etc/rc.d/ipsec
/usr/local/libexec/ipsec
/usr/local/opnsense/scripts/ipsec
/usr/local/etc/inc/plugins.inc.d/ipsec
/usr/local/lib/ipsec
/usr/local/sbin/ipsec
/var/db/etcupdate/current/etc/rc.d/ipsec
root@wall:/usr/local/etc/rc.d #
But there is a dir /etc/rc.d/ ... maybe that one? There is also a file called ipsec which looks like this:
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: ipsec
# REQUIRE: FILESYSTEMS
# BEFORE: DAEMON mountcritremote
# KEYWORD: nojail
. /etc/rc.subr
name="ipsec"
desc="Internet Protocol Security protocol"
rcvar="ipsec_enable"
start_precmd="ipsec_prestart"
start_cmd="ipsec_start"
stop_precmd="test -f $ipsec_file"
stop_cmd="ipsec_stop"
reload_cmd="ipsec_reload"
extra_commands="reload"
ipsec_program="/sbin/setkey"
# ipsec_file is set by rc.conf
ipsec_prestart()
{
if [ ! -f "$ipsec_file" ]; then
warn "$ipsec_file not readable; ipsec start aborted."
stop_boot
return 1
fi
return 0
}
ipsec_start()
{
echo "Installing ipsec manual keys/policies."
${ipsec_program} -f $ipsec_file
}
ipsec_stop()
{
echo "Clearing ipsec manual keys/policies."
# Still not 100% sure if we would like to do this.
# It is very questionable to do this during shutdown session
# since it can hang any of the remaining IPv4/v6 sessions.
#
${ipsec_program} -F
${ipsec_program} -FP
}
ipsec_reload()
{
echo "Reloading ipsec manual keys/policies."
${ipsec_program} -f "$ipsec_file"
}
load_rc_config $name
run_rc_command "$1"
Now, I'm a little bit confused, what to do now. I guessed something like ipsec start ... some thing happens but nothing changes.
So I rebooted opnsense and enabled ipsec via gui. But ... then my deleted "!" from config was back again.
11
17.7 Legacy Series / Re: IPSEC Rekey P2 Issue
« on: December 05, 2017, 05:23:46 pm »
Of course, I'll give it a try tomorrow. First I'll have a look if my workaround is solving the issue and if my thougts are going into the right direction.
12
17.7 Legacy Series / Re: IPSEC Rekey P2 Issue
« on: December 05, 2017, 03:33:52 pm »
Ok, i can confirm now, that P1 is set to "immediately". This morning I disabled and enabled IPSec so the tunnel comes up. Meanwhile a rekeying was in progress ... and the tunnel was broken afterwards. And I think here's the problem (found in opnsense ipsec logs):
Dec 5 15:18:48 charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Dec 5 15:18:48 charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
The received proposals and configured proposals are not matching ... when rekeying. But the proposals must be proper, why was the tunnel up bevore. Especially the MODP_1536, i think it's about the PerfectForwardSecrecy seems to be the problem.
With pfsense I had over years the same proposals.
Now i reconfigured opnsense and my asa in the company to make no pfs in P2. I think, this will solve the issue as a workaround ... i can give a feedback tomorrow.
But, on the other hand, if its working then ... something is going wrong with the proposals which should be fixed in the future. Let us see ...
Dec 5 15:18:48 charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Dec 5 15:18:48 charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
The received proposals and configured proposals are not matching ... when rekeying. But the proposals must be proper, why was the tunnel up bevore. Especially the MODP_1536, i think it's about the PerfectForwardSecrecy seems to be the problem.
With pfsense I had over years the same proposals.
Now i reconfigured opnsense and my asa in the company to make no pfs in P2. I think, this will solve the issue as a workaround ... i can give a feedback tomorrow.
But, on the other hand, if its working then ... something is going wrong with the proposals which should be fixed in the future. Let us see ...
13
17.7 Legacy Series / Re: IPSEC Rekey P2 Issue
« on: December 04, 2017, 10:23:40 am »
Just checked the settings in my asa. The connection-type is already "answer-only" (not "bidirectional" and not "originate-only"). So it should be already configured as like you would suggest.b At the moment i cant take a look remotely to my opnsense. But I'm 99,99% sure, that opnsense is configured to "immediately". For 100% I've to look this evening.
14
17.7 Legacy Series / IPSEC Rekey P2 Issue
« on: December 04, 2017, 10:05:29 am »
Hi!
coming in origin from monowall years ago, meanwhile i used pfsense also for some years at home and at some of my customers. I've heard about opnsense and want to give it a try. My first experience was positive. Installation on my old APU was flawless, things seam to work out of the box.
On the second day i decided to setup the IPSec Tunnels to my comapny as well. One P1 and 4 P2. Its almost the same settings and look and feel like pfsense (as its a fork) and so I felt immediately at home. The tunnel was configured in a few moments and I was pleased about it.
Next Day ... no tunnel anymore. Logs are full of errors. Stopping IPSec an starting again brings the tunnel up. When the first P2 rekey happens ... it's all over ... and never comes back. My Cicso ASA on the other side states in syslog, that there is a P2 Error.
opnsense showing in P2 logs, NO_PROPOSAL_CHOOSEN which is the same meaning. P1 always is coming up. P2 initial also, but ... not when rekeying. Why should there now a P2 error, when P2 is coming initial up? Seems strange to me.
Does anybody maybe got an idea?
coming in origin from monowall years ago, meanwhile i used pfsense also for some years at home and at some of my customers. I've heard about opnsense and want to give it a try. My first experience was positive. Installation on my old APU was flawless, things seam to work out of the box.
On the second day i decided to setup the IPSec Tunnels to my comapny as well. One P1 and 4 P2. Its almost the same settings and look and feel like pfsense (as its a fork) and so I felt immediately at home. The tunnel was configured in a few moments and I was pleased about it.
Next Day ... no tunnel anymore. Logs are full of errors. Stopping IPSec an starting again brings the tunnel up. When the first P2 rekey happens ... it's all over ... and never comes back. My Cicso ASA on the other side states in syslog, that there is a P2 Error.
opnsense showing in P2 logs, NO_PROPOSAL_CHOOSEN which is the same meaning. P1 always is coming up. P2 initial also, but ... not when rekeying. Why should there now a P2 error, when P2 is coming initial up? Seems strange to me.
Does anybody maybe got an idea?
Pages: [1]