Messages - mliebherr

#1
22.7 Legacy Series / IPSec Port-Forward does not work
September 29, 2022, 11:08:55 AM
Hello,

I have a site-to-site IPsec tunnel and would like to provide access to an internal web server via HAProxy.

I have set up a rule now:
Interface: IPsec
DST: 192.168.150.68:443
Redirect to: 127.0.0.1:8080

On 127.0.0.1:8080 I have my HAProxy running.

The NAT rule automatically created the matching IPsec firewall rule.

When I look at the traffic with:
  tcpdump -i enc0 -n host 192.168.150.68

it seems "stuck":
10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382737 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50859 > 192.168.150.68.443: Flags [S], seq 209436792, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

I can't see any blocks either:
  grep 192.168.150.68 /var/log/filter/latest.log | grep block

If I set up that NAT rule on another interface, it seems to work.

Any hints?
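The capture above contains nothing but SYNs toward 192.168.150.68:443. As an added example (not part of the original post and not OPNsense code), the following Python script parses tcpdump lines in exactly that format and lists every client flow whose SYNs were never answered by a SYN/ACK, which is the check to make before digging into NAT or firewall rules. The sample capture is constructed: three lines are copied from the post, the 10.0.0.5 handshake is invented to show what a healthy flow looks like.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines mirror the post's capture on enc0
# (the "(authentic,confidential): SPI 0x...:" prefix is what tcpdump prints for
# decrypted IPsec traffic on that interface); the 10.0.0.5 exchange is a made-up
# healthy handshake added for contrast.
SAMPLE = """\
10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:59:01.100000 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50900 > 10.0.0.5.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
10:59:01.101000 (authentic,confidential): SPI 0xc7352ac4: IP 10.0.0.5.22 > 172.25.11.44.50900: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
"""

# timestamp, then anything up to "IP src.sport > dst.dport: Flags [..]"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?\bIP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Split one tcpdump line into timestamp, addresses, ports and TCP flags
    (None for lines that are not TCP, e.g. ICMP or truncated output)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def stuck_handshakes(capture):
    """Return {flow: syn_count} for every client->server flow that sent SYNs but
    never received a SYN/ACK within the capture. flow = (src, sport, dst, dport)."""
    syns = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        flow = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        if p["flags"] == "S":
            syns[flow] += 1
        elif p["flags"] == "S.":
            # a SYN/ACK travels server->client, so file it under the client's 4-tuple
            answered.add((p["dst"], int(p["dport"]), p["src"], int(p["sport"])))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def unanswered_targets(capture):
    """Aggregate stuck flows per server socket: {(dst, dport): total SYNs seen}."""
    totals = defaultdict(int)
    for (_, _, dst, dport), n in stuck_handshakes(capture).items():
        totals[(dst, dport)] += n
    return dict(totals)


if __name__ == "__main__":
    for flow, n in stuck_handshakes(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYN(s), no SYN/ACK seen")
    print("server sockets that never answered:", unanswered_targets(SAMPLE))
```

Feed it the output of `tcpdump -i enc0 -n -l` (or a saved capture piped through tcpdump) instead of `SAMPLE`. For a working redirect the SYN/ACK has to appear on enc0 as well, with the original destination 192.168.150.68.443 restored as its source; a server socket that shows up in `unanswered_targets` is where to look at the redirect target and the reply path back into the tunnel.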

#2
22.7 Legacy Series / Port Forwards
August 19, 2022, 10:48:58 AM
Hello,

Why does a port forward from WAN to DMZ work even if I don't have that DST IP assigned to my OPNsense box?

The ARP lookup shows the DST IP I forward has the MAC 0000.5e00.0108.

I cannot find that MAC address on my OPNsense box.

Is this something special?

Cheers,
Michael
#3
Hello,

I have a firewall with two ISPs.

I would like to access the firewall at any time on both WAN interfaces.
Right now WAN2 is the default route, and if I SSH to the WAN1 IP it will route back via the default GW on WAN2, like this:

How can I make OPNsense reply on the interface the SYN came in from?

Cheers,
Michael
#4
Hello,

From time to time I get flooded with this in my logs:

2022-04-14T07:28:28 Error openvpn Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #93625413 / time = (1649776931) 2022-04-12 17:22:11 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Does that mean that at log time "2022-04-14T07:28:28" it received a packet with a timestamp from "2022-04-12 17:22:11"?

I already set the same time server on both hosts.

I tried optimizing it with MTU and mssfix, but reading the error closely, a time difference would make more sense?

Cheers,
Michael
#5
Hello,

After adding OTP to our OpenVPN server we get errors like:
  TLS Error: local/remote TLS keys are out of sync

and the VPN stops/disconnects after 1 h. This happens just for a few, but not all, users.
I already checked the time on the OPNsense and client systems. I also set "reneg-sec 0" on the server.

Any other ideas why OTP would cause this problem?

Cheers,
Mario
#6
22.1 Legacy Series / ipsec INVALID_MAJOR_VERSION
March 17, 2022, 01:57:03 PM
Hello,

Since about yesterday I get these errors in my logs:

charon 53061 - [meta sequenceId="4143"] 03[NET] received unsupported IKE version 11.9 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4148"] 03[NET] received unsupported IKE version 3.5 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4152"] 03[NET] received unsupported IKE version 0.13 from 212.185.79.66, sending INVALID_MAJOR_VERSION

And the traffic of the tunnel seems to stop.

Any idea how I can fix that? The remote side has a Sophos UTM and claims not to have/see any errors.

My last update was done more than one day ago (I guess last week).

Any hints on this?

I also wonder why I get two subnet tunnels here, one installed and one rekeying:

Cheers,
Mario
#7
21.7 Legacy Series / MutiWAN and Reset States
December 01, 2021, 02:35:24 PM
Hello,

We are using MultiWAN with 2 uplinks with:
- Gateway switching (Allow default gateway switching => enabled)
- Kill states (Disable State Killing on Gateway Failure => not ticked)
- Sticky connections (Use sticky connections => not ticked)

On top of that I run an OpenVPN client connection (TCP).

When I produce the active gateway failure, the gateway switching jumps in, the OpenVPN tunnel times out and the takeover is fine. It also seems to do a TCP state reset, since my SSH tunnel/access dies.

HOWEVER: If I switch the gateway back on, the active gateway switches back to the main one again, BUT the TCP states do not get killed.

The SSH session is still active. No state reset seems to happen.
If I kill the ESTABLISHED connection in the "States Dump" GUI, then it will start to connect via the active/correct gateway.

So I wonder if:
- I set up something wrong?
- the state reset just happens by design on the 1st failover
- the state reset function is buggy and should also be triggered when jumping back to the primary interface

Thanks,
Michael
#8
Hardware and Performance / Scope7 Hardware
October 28, 2021, 03:38:07 PM
Hello,

Is anyone here using hardware from https://www.scope7.de/ and happy with it?

Cheers,
Michael
#9
21.7 Legacy Series / OpenVPN bridge
July 28, 2021, 05:08:41 PM
Hello,

I would like to set up a bridged OpenVPN tunnel.

1.) I created a bridge (LAN + OpenVPN interface).
2.) I set the OpenVPN tunnel to tap.
3.) "Bridge Interface" is my LAN port.

However, the ARP/broadcast traffic does not seem to reach the VPN interface.
I can see it on the LAN and bridge, though.

Any ideas why it won't slip into the tunnel?

Cheers,
Mario
#10
Thanks Fabian.

verify error:num=10:certificate has expired
notAfter=Jun 10 04:43:13 2021 GMT

But why won't it log it in the HA logs?
#11
Hello,

I use HAProxy and it returns a 503 page.
I enabled "Detailed Logging" in the Public Services.

All I can see are these start logs:

2021-06-23T15:55:08   haproxy[12619]   Proxy load_balancing_portal_foo_net_Port_443 started.
2021-06-23T15:55:08   haproxy[12619]   Proxy portal.foo.net_ht-access_8443 started.

Why won't it log my requests/errors?

I also disabled the service, which gave me a timeout, so I guess I actually access/use/hit the HAProxy service.

Cheers,
Michael
#12
Hello,

My tunnel to a remote site (Cisco, I think) is unstable. Here are some tcpdump snippets:

22:20:48.323405 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc5), length 152
22:20:48.323421 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc6), length 152
22:20:48.323437 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc7), length 152
22:20:48.323470 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc8), length 152
22:20:48.323487 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc9), length 152
22:20:48.833110 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cca), length 104
22:20:50.682362 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccb), length 88
22:20:51.127368 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:51.833354 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccc), length 104
22:20:53.689542 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccd), length 104
22:20:54.134106 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:54.802874 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cce), length 104
22:20:56.688672 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccf), length 104
22:20:56.716580 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd0), length 104
22:20:57.803060 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd1), length 104
22:20:57.834224 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd2), length 104

On my site the tunnel seems to be up; looking at the tcpdump, the remote side seems to reconnect?

The lifetimes/timeouts match on each side.
I already changed the "Connection method" to respond only.

Here are the settings:

Here are the logs:

2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'MySite' (myself) with pre-shared key   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'RemoteSite' with pre-shared key successful   
2021-04-26T22:22:14   charon[40039]   15[CFG] <con2|17> selected peer config 'con2'   
2021-04-26T22:22:11   charon[40039]   15[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (80 bytes)   
2021-04-26T22:22:11   charon[40039]   15[ENC] <con2|15> generating INFORMATIONAL request 0 [ D ]   
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> sending DELETE for IKE_SA con2[15]   
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> deleting IKE_SA con2[15] between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T22:22:11   charon[40039]   09[CFG] received stroke: terminate 'con2'   
2021-04-26T20:49:19   charon[40039]   05[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (240 bytes)   
2021-04-26T20:49:19   charon[40039]   05[ENC] <con2|15> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21   
2021-04-26T20:49:19   charon[40039]   05[CFG] <con2|15> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> maximum IKE_SA lifetime 86020s   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> scheduling reauthentication in 85480s   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'MySite' (myself) with pre-shared key   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'RemoteSite' with pre-shared key successful   
2021-04-26T20:49:19   charon[40039]   05[CFG] <con2|15> selected peer config 'con2'   
2021-04-26T20:49:14   charon[40039]   05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)   
2021-04-26T20:49:14   charon[40039]   05[IKE] <con2|1> retransmit 1 of request with message ID 8   
2021-04-26T20:49:10   charon[40039]   05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)   
2021-04-26T20:49:10   charon[40039]   05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]   
2021-04-26T20:49:10   charon[40039]   05[IKE] <con2|1> establishing CHILD_SA con2{20} reqid 2   
2021-04-26T19:06:37   charon[40039]   10[IKE] <con2|1> CHILD_SA closed
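The charon log above is listed newest-first and mixes several IKE_SA instances, so it helps to let a script answer the question asked in the post ("does the remote side reconnect?"). The following Python example is added here; it is not from the post and not strongSwan or OPNsense code. It parses charon lines of the format shown, restores chronological order, and for every "IKE_SA ... established" event reports whether the peer's INITIAL_CONTACT notify preceded it (the peer re-initiated), whether a local terminate via stroke preceded it (our side tore the SA down), and how many of our own requests were retransmitted, i.e. went unanswered, since the previous establishment. The sample is a constructed subset of the post's lines; the 30-second correlation window is an assumption of the example.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the charon lines from the post, in the
# newest-first order the OPNsense log view uses (trailing whitespace removed).
SAMPLE = """\
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'RemoteSite' with pre-shared key successful
2021-04-26T22:22:14   charon[40039]   15[CFG] <con2|17> selected peer config 'con2'
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> sending DELETE for IKE_SA con2[15]
2021-04-26T22:22:11   charon[40039]   09[CFG] received stroke: terminate 'con2'
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'RemoteSite' with pre-shared key successful
2021-04-26T20:49:14   charon[40039]   05[IKE] <con2|1> retransmit 1 of request with message ID 8
2021-04-26T20:49:10   charon[40039]   05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-04-26T19:06:37   charon[40039]   10[IKE] <con2|1> CHILD_SA closed
"""

# "<timestamp>   charon[pid]   <thread>[SUBSYSTEM] [<conn|sa>] message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+charon\[\d+\]\s+\d+\[(?P<sub>\w+)\]\s+"
    r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*?)\s*$"
)
ESTABLISHED_RE = re.compile(r"IKE_SA (\S+) established")


def parse_charon_line(line):
    """Return timestamp (datetime), subsystem, SA tag and message, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%S")
    return entry


def _within(event_time, ref_time, window):
    """True if event_time lies at most `window` seconds before ref_time."""
    return event_time is not None and 0 <= (ref_time - event_time).total_seconds() <= window


def analyze_ike_churn(log_text, window=30):
    """For each 'IKE_SA ... established' event report what led up to it."""
    entries = [e for e in map(parse_charon_line, log_text.splitlines()) if e]
    # reverse first, then stable-sort: restores chronological order even for
    # lines that share the same second
    entries = sorted(reversed(entries), key=lambda e: e["ts"])
    last_initial_contact = last_terminate = None
    retransmits = 0
    report = []
    for e in entries:
        msg = e["msg"]
        if "received INITIAL_CONTACT" in msg:
            last_initial_contact = e["ts"]          # peer set up a fresh IKE_SA
        elif msg.startswith("received stroke: terminate"):
            last_terminate = e["ts"]                # local 'ipsec down' / GUI action
        elif msg.startswith("retransmit "):
            retransmits += 1                        # our request was not answered
        m = ESTABLISHED_RE.match(msg)
        if m:
            report.append({
                "sa": m.group(1),
                "time": e["ts"].isoformat(),
                "peer_initial_contact": _within(last_initial_contact, e["ts"], window),
                "local_terminate": _within(last_terminate, e["ts"], window),
                "unanswered_retransmits": retransmits,
            })
            retransmits = 0
    return report


if __name__ == "__main__":
    for event in analyze_ike_churn(SAMPLE):
        print(event)
```

On the sample both establishments are flagged `peer_initial_contact=True`: con2[15] came up right after our CREATE_CHILD_SA rekey (message ID 8) had to be retransmitted, and con2[17] three seconds after a local `terminate 'con2'`. Run it over the raw IPsec log or a copy of the GUI log view to see whether that pattern repeats at each drop.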
#13
Thanks for your help. At least you pointed me in the right direction. :)

Solution: "Manual SPD entries" in the IPsec Phase 2:

Register additional Security Policy Database entries
Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma-separated list. When configured, you can use network address translation to push packets through this tunnel from these networks.
e.g. 192.168.1.0/24, 192.168.2.0/24

Then the packet got passed to the enc0 interface and the outbound NAT rule was hit.


#14
Well, you are right. I changed it to IPsec.
However, the ping still leaves the WAN (igb1) interface.
(Therefore the outbound NAT rule on IPsec will not match?)
#15
I changed the interface to "OpenVPN".
I cleared the NAT table and ran the ICMP ping again.
The ping still leaves the WAN (igb1) interface. I would have expected it to jump into my enc0 VPN tunnel?!

What am I doing wrong?