Messages - dpatterson

#1
A couple of weeks ago I established a site-to-site IPsec VPN to a client's network.
I am running OPNsense V18.110.
He is running SonicOS Enhanced 5.8.1.8-57

The initial configuration went very nicely and everything came up as expected.
The next morning the VPN was down. Restarting both sides seemed to fix it. :-/

Now we can't get it to come up. We know of no changes that have been made to the settings on either side other than my upgrading to a newer version of OPNsense.

The IPsec log reports a socket error:
charon: 04[NET] error writing to socket: Permission denied

Here is a recent log after attempting to start the connection:
Date                Message
Jun 25 16:11:13    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:11:13    charon: 09[NET] sending packet: from my.pub.ip.adr[500] to his.pub.ip.adr[500] (464 bytes)
Jun 25 16:11:13    charon: 09[IKE] retransmit 3 of request with message ID 0
Jun 25 16:11:03    charon: 03[NET] received unsupported IKE version 14.12 from his.pub.ip.adr, sending INVALID_MAJOR_VERSION
Jun 25 16:11:03    charon: 03[NET] sending packet: from my.pub.ip.adr[500] to his.pub.ip.adr[4500] (36 bytes)
Jun 25 16:11:03    charon: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
Jun 25 16:11:00    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:11:00    charon: 09[NET] sending packet: from my.pub.ip.adr[500] to his.pub.ip.adr[500] (464 bytes)
Jun 25 16:11:00    charon: 09[IKE] retransmit 2 of request with message ID 0
Jun 25 16:10:53    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:10:53    charon: 09[NET] sending packet: from my.pub.ip.adr[500] to his.pub.ip.adr[500] (464 bytes)
Jun 25 16:10:53    charon: 09[IKE] retransmit 1 of request with message ID 0
Jun 25 16:10:49    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:10:49    charon: 09[NET] sending packet: from my.pub.ip.adr[500] to his.pub.ip.adr[500] (464 bytes)
Jun 25 16:10:49    charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 25 16:10:49    charon: 09[IKE] initiating IKE_SA con3[37320] to his.pub.ip.adr
Jun 25 16:10:49    charon: 09[IKE] initiating IKE_SA con3[37320] to his.pub.ip.adr
Jun 25 16:10:49    charon: 06[CFG] received stroke: initiate 'con3'

I've done lots of searching and come up with nothing so far.
Input appreciated.
TIA
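A small triage script for the charon excerpt above, added here as an example and not part of the original post: it parses the quoted lines, counts the socket errors and retransmits, notes that no IKE_SA_INIT response ever appears, and flags the invalid IKE version. The reading of EPERM in the comments is this example's interpretation of FreeBSD behaviour, not something the thread establishes.

```python
import re

# Sample lines taken from the log in the post above (placeholder addresses kept).
SAMPLE_LOG = """\
Jun 25 16:11:13    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:11:13    charon: 09[NET] sending packet: from my.pub.ip.adr[500] to his.pub.ip.adr[500] (464 bytes)
Jun 25 16:11:13    charon: 09[IKE] retransmit 3 of request with message ID 0
Jun 25 16:11:03    charon: 03[NET] received unsupported IKE version 14.12 from his.pub.ip.adr, sending INVALID_MAJOR_VERSION
Jun 25 16:11:00    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:11:00    charon: 09[IKE] retransmit 2 of request with message ID 0
Jun 25 16:10:49    charon: 04[NET] error writing to socket: Permission denied
Jun 25 16:10:49    charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
                     r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")

def parse(text):
    """Parse charon lines into dicts, oldest first (the forum lists newest first)."""
    entries = [m.groupdict() for line in text.splitlines()
               if (m := LINE_RE.match(line.strip()))]
    return entries[::-1]

def triage(text):
    """Count the symptoms that decide whether an IKEv2 initiation ever left the box."""
    f = {"socket_eperm": 0, "max_retransmit": 0, "init_sent": 0,
         "init_response_seen": False, "unsupported_versions": []}
    for e in parse(text):
        msg = e["msg"]
        if "error writing to socket: Permission denied" in msg:
            f["socket_eperm"] += 1            # sendto() refused by the OS
        elif (m := re.match(r"retransmit (\d+) of request", msg)):
            f["max_retransmit"] = max(f["max_retransmit"], int(m.group(1)))
        elif "generating IKE_SA_INIT request" in msg:
            f["init_sent"] += 1
        elif "parsed IKE_SA_INIT response" in msg:
            f["init_response_seen"] = True
        elif (m := re.search(r"unsupported IKE version (\S+) from (\S+),", msg)):
            f["unsupported_versions"].append((m.group(1), m.group(2)))
    return f

def hints(f):
    out = []
    if f["socket_eperm"] and not f["init_response_seen"]:
        # On FreeBSD, EPERM from sendto() commonly means the local packet filter dropped the outbound packet.
        out.append("outbound UDP/500 blocked locally: review firewall rules")
    if f["unsupported_versions"]:
        # Only IKE versions 1.0 and 2.0 exist; 14.12 is not a valid IKE header.
        out.append("non-IKE data arrived on UDP/500: capture what the peer sends")
    return out
```

Run `hints(triage(SAMPLE_LOG))` to get the two checks; point `triage` at a longer excerpt from the IPsec log to see whether an IKE_SA_INIT response ever arrives.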

#2
18.1 Legacy Series / Re: tshark on OPNsense?
June 19, 2018, 11:46:14 PM
So in the end I was able to update Wireshark on my Mac and was then able to properly interpret the tcpdump file from my OPNsense box.

Consider this question closed.

Thanks!
#3
18.1 Legacy Series / Re: tshark on OPNsense?
June 19, 2018, 09:31:44 PM
Packet Capture/Packet View isn't showing me enough detail.
I need to drill down into the results.

The issue: I have a site-to-site IPsec VPN to a customer site.
Connections to an application at that site no longer work since installing my OPNsense firewall and creating the new VPN.

Packet Capture shows traffic between the hosts in question, but I can't drill down into it to see what's really happening (SYNs, ACKs, etc.)

Exporting the file and opening it in Wireshark was of no use because every packet is just an ENC and I can't drill down into them.

I was hoping that with tshark I could do so with an SSH session to the firewall. Is this incorrect?

Thanks.
#4
18.1 Legacy Series / [SOLVED] tshark on OPNsense?
June 19, 2018, 09:06:13 PM
Is it possible to install tshark on an OPNsense host?
If so, where can I find documentation on how to do so?

TIA,
D.
#5
Franco,

Thanks for the additional information.
When I contacted Softlayer, they informed me that PPTP is being retired soon, anyway.

So, time to give up on the PPTP VPN connection and find a new rack host.

Thanks again.
D.
#6
(bump)

No takers on this? :(
#7
@Franco,

That's awesome. Thanks very much.

D.
#8
@franco,

I do not know of a lightweight emacs package for FreeBSD. But then OPNsense is my first real exposure to FreeBSD so that's not a surprise ;)

I took a look at joe and it has an "emacs mode" (started with the jmacs command), that seems reasonable. I think it will take care of the biggest problem that I have with nano and VI, that being about 30 years of emacs motor memory in my fingers. :)

Thanks.
#9
Is it possible to install emacs on OPNsense?
I've been unable to find a package for it.

TIA
#10
First, I am aware of the limitations of PPTP. Unfortunately, I currently have no choice.
I currently use Softlayer for my production servers.

They provide a private network without any data limits for managing servers.
You access the private network through a VPN. The choices are IPsec, PPTP, and SSL.
They charge $99USD/month for IPsec, which I can't justify.

I have been using PPTP for years with my previous firewall with great success.

I just upgraded to OPNsense and have been unable to figure out how to set up OPNsense as a PPTP client.

So, the question is how do I set up OPNsense as a PPTP VPN client?
I'll be very happy to get a link to instructions or instructions in a reply.
TIA