OPNsense
Messages - amichel

1
24.7 Production Series / Re: FIXED: After Applying 24.7.4_1 IPSec fails to initiate Phase 2
« on: September 16, 2024, 04:20:18 pm »
Fixed it by choosing an encryption protocol instead of leaving the encryption set to default.

2
24.7 Production Series / FIXED: After Applying 24.7.4_1 IPSec fails to initiate Phase 2
« on: September 16, 2024, 03:51:37 pm »
Hi,
after applying the hotfix 24.7.4_1 on my two OPNsense boxes, I see this error during the IPsec negotiation:
Code:
"parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]"
received NO_PROPOSAL_CHOSEN notify error

Any ideas if there is some connection to the update?

3
24.7 Production Series / Re: Can't install new certificate
« on: August 06, 2024, 11:18:50 pm »
I had exactly the same issue with a DigiCert certificate. When I imported it, it showed up as self-signed, although the DigiCert issuing CA is in my Authorities store.
After some trial and error, this is how I solved it:
  • Import the certificate; it will show up as self-signed.
  • Edit the certificate, make sure the action is set to "Reissue and Replace certificate" and make sure you select the correct CA.
  • Click Save --> you will get an error.
  • Change the Action to "Create a Certificate Signing Request" and Save. You should now see the certificate with the correct CA.
  • Click on edit and select "Import Certificate (Signed by CA)"; it should be the only option.
  • Save it.

After this you should see the certificate with the correct CA assigned.

4
24.1 Legacy Series / Re: WAN link going down, Firewall blocking all incoming traffic due to Default deny
« on: February 29, 2024, 04:05:17 pm »
I am of course just guessing, but based on what you shared, you see that traffic is reaching your WAN interface and is then dropped/blocked. So I personally do not think that the ISP is blocking you, as you might not be able to see anything in that case.
Are you sure that you are not behind some carrier-grade NAT and got an IP address in a private range on your WAN port, as this would then trigger the default rules?

5
Zenarmor (Sensei) / Re: Devices detecting the same devices over and over.
« on: February 20, 2024, 06:44:38 pm »
Not all of them.
Some are servers, some are mobiles. Some are VMs and some are physical.

6
24.1 Legacy Series / Re: Fixed: After upgrade Web GUI only available if I stop ha_proxy
« on: February 19, 2024, 06:52:23 pm »
Glad to hear that!

7
24.1 Legacy Series / Re: After upgrade Web GUI only available if I stop ha_proxy
« on: February 19, 2024, 01:45:08 pm »
I faced a similar issue, and it turned out that after the update to 24.1 HAProxy was simply listening on all IP addresses on port 443.
That is the only option for me, as I am getting a dynamic IP address on my WAN port, so I cannot bind HAProxy to a specific one and had to use 0.0.0.0:443.

So the first workaround was to move the admin website to a different port than 443.

Then I fixed it by implementing a VIP, where I used a port forward to redirect all traffic for 443 to a different port on that VIP and then used HAProxy to proxy that.

See:
https://github.com/opnsense/plugins/issues/722

The most important thing here was to redirect port 443 in the NAT to a different port on the VIP, for example 40443, and then bind HAProxy to that IP/port.


8
Zenarmor (Sensei) / Devices detecting the same devices over and over.
« on: February 02, 2024, 09:25:15 pm »
When I review my setup, I see the same devices being "discovered" as new devices over and over again, although the devices themselves remain the same. It might be that the IP address is changing, but in an environment with DHCP that should be expected.
Is there any intention to make this more reliable?
At the moment it is impossible to create a policy to block untrusted devices and assume all new devices are untrusted.

9
24.1 Legacy Series / Re: HAProxy - wrong ssl certificater after upgrade to 24.1
« on: January 31, 2024, 08:33:38 pm »
Hi,
maybe you face the issue described here:
https://forum.opnsense.org/index.php?topic=38435.0

10
24.1 Legacy Series / Re: Google Drive backups no longer function
« on: January 31, 2024, 07:56:17 pm »
Got that, franco, thank you for the clarification.

11
24.1 Legacy Series / Re: Google Drive backups no longer function
« on: January 31, 2024, 07:49:49 pm »
The info in the bugtracker to solve the issue did not work for me, but it pointed me in the right direction:
https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

I modified the /usr/local/openssl/openssl.cnf file:

Code:
[provider_sect]
default = default_sect
legacy = legacy_sect

and

Code:
[default_sect]
activate = 1
[legacy_sect]
activate = 1

Restarted the web GUI --> backup worked.
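As an added example (not OPNsense or OpenSSL code), the following checks an OpenSSL 3 config file for the provider setup the post above describes, using a small parser for the section/key=value subset of the openssl.cnf syntax. It follows `openssl_conf -> [openssl_init] providers -> [provider_sect] -> activate`, and also flags the trap the post's second snippet avoids: once any provider is activated explicitly, OpenSSL no longer loads the default provider implicitly, so activating only `legacy` removes every standard algorithm. The three config texts are constructed for this example; the real file on OPNsense is `/usr/local/openssl/openssl.cnf`.

```python
"""Added example, not OPNsense or OpenSSL code: parse an OpenSSL 3 config
and report whether the default and legacy providers are activated."""
import re
from typing import Dict, Set

Sections = Dict[str, Dict[str, str]]

# Values OpenSSL treats as "activated" for the activate key ("1" is the
# documented form; newer releases also accept yes/true/on).
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_openssl_cnf(text: str) -> Sections:
    """Parse [section] headers and key = value lines. Keys before the first
    header land in the "default" section (where openssl_conf lives).
    '#' comments and .include/.pragma directives are ignored, so this is
    the subset needed for the provider check, not a full openssl.cnf parser."""
    sections: Sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("."):
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def activated_providers(text: str) -> Set[str]:
    """Names of providers whose section has activate set, following the
    openssl_conf -> providers -> <name> = <section> chain."""
    s = parse_openssl_cnf(text)
    init = s.get(s["default"].get("openssl_conf", "openssl_init"), {})
    prov = s.get(init.get("providers", ""), {})
    return {
        name for name, sect in prov.items()
        if s.get(sect, {}).get("activate", "0").lower() in TRUE_VALUES
    }


def provider_status(text: str) -> Dict[str, bool]:
    act = activated_providers(text)
    return {"default": "default" in act, "legacy": "legacy" in act}


def default_available(text: str) -> bool:
    """The default provider is usable if activated explicitly, or if no
    provider at all is activated (OpenSSL then loads it implicitly).
    Activating only legacy therefore silently drops all default algorithms."""
    act = activated_providers(text)
    return "default" in act or not act


# Constructed configs (not copied from any real system).
STOCK = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
# legacy = legacy_sect
[default_sect]
# activate = 1
[legacy_sect]
# activate = 1
"""

FIXED = STOCK.replace("# legacy", "legacy").replace("# activate", "activate")

# Only legacy activated: the common mistake that breaks default algorithms.
HALF = STOCK.replace("# legacy", "legacy").replace(
    "[legacy_sect]\n# activate = 1", "[legacy_sect]\nactivate = 1")

if __name__ == "__main__":
    for name, cfg in ("stock", STOCK), ("fixed", FIXED), ("legacy only", HALF):
        print(name, provider_status(cfg), "default usable:", default_available(cfg))
```

Run it as a script to see the three verdicts; to check a real file, read it and pass the text to `provider_status` and `default_available`.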

12
24.1 Legacy Series / Re: Google Drive backups no longer function
« on: January 31, 2024, 11:46:17 am »
I can confirm the same behavior.

13
24.1 Legacy Series / Re: WORKAROUNDED: Certificate Admin website changes no Access possible
« on: January 30, 2024, 11:36:20 pm »
Finally fixed it by implementing the recommendation to forward all traffic to a dedicated VIP for HAProxy, as in
https://github.com/opnsense/plugins/issues/722

14
24.1 Legacy Series / Re: Certificate Admin website changes no Access possible
« on: January 30, 2024, 10:55:52 pm »
Workarounded:
After some digging I found a workaround so far.
Because I have a dynamic IP, I bound my HAProxy public service on 0.0.0.0:443, which is the same port the admin website is running on. The admin website is only listening on the LAN interface, and so far that configuration worked. Looks like there is a change/bug, as already discussed, that configures HAProxy to listen on all interfaces, blocking the configured port.
So the workaround so far is to reconfigure the admin interface to listen on another port.
This does not make me fully happy, but it works.
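The listener collision described in this post and in the earlier post on the HAProxy/web GUI conflict (posts 14 and 7 above), modelled as an added example that is not part of the forum thread or of OPNsense/HAProxy code. `conflicts` reports listeners that cannot coexist on one host (same port, and one address is a wildcard covering the other), and `resolve` shows how the VIP fix works: a NAT redirect sends WAN:443 to the VIP on 40443, where HAProxy is bound, while the GUI keeps LAN:443. All addresses and ports are made up; the WAN address is dynamic in the posts and is represented here by a fixed literal.

```python
"""Added example, not OPNsense or HAProxy code: why HAProxy on 0.0.0.0:443
collides with the web GUI on LAN:443, and how moving the GUI port or the
VIP + NAT redirect removes the collision."""
import ipaddress
from typing import List, Optional, Tuple

Bind = Tuple[str, str, int]        # (service, listen address, port)
Rdr = Tuple[str, int, str, int]    # (match addr, match port, to addr, to port)

WILDCARDS = {"0.0.0.0": 4, "::": 6}   # IPv4-any and IPv6-any


def _covers(listen: str, addr: str) -> bool:
    """True if a socket bound to `listen` receives traffic sent to `addr`:
    exact match, or a wildcard bind of the same address family."""
    if listen == addr:
        return True
    fam = WILDCARDS.get(listen)
    return fam is not None and ipaddress.ip_address(addr).version == fam


def conflicts(binds: List[Bind]) -> List[Tuple[str, str, int]]:
    """Pairs of listeners that cannot coexist: same port and one address
    covers the other. Whichever service starts second fails to bind; in
    the posts, HAProxy on 0.0.0.0:443 took the port from the GUI."""
    out = []
    for i, (sa, aa, pa) in enumerate(binds):
        for sb, ab, pb in binds[i + 1:]:
            if pa == pb and (_covers(aa, ab) or _covers(ab, aa)):
                out.append((sa, sb, pa))
    return out


def resolve(dst: Tuple[str, int], rdrs: List[Rdr], binds: List[Bind]) -> Optional[str]:
    """Which service answers a packet to `dst`: apply the first matching
    redirect (pf evaluates rdr rules first-match), then find the listener
    covering the resulting address and port."""
    addr, port = dst
    for m_addr, m_port, t_addr, t_port in rdrs:
        if m_addr == addr and m_port == port:
            addr, port = t_addr, t_port
            break
    for svc, baddr, bport in binds:
        if bport == port and _covers(baddr, addr):
            return svc
    return None


# Constructed scenarios: 192.168.1.1 is the LAN/GUI address, 203.0.113.10
# stands in for the dynamic WAN address, 192.168.1.250 is the VIP.
BROKEN = [("webgui", "192.168.1.1", 443), ("haproxy", "0.0.0.0", 443)]
GUI_MOVED = [("webgui", "192.168.1.1", 8443), ("haproxy", "0.0.0.0", 443)]
VIP_FIX = [("webgui", "192.168.1.1", 443), ("haproxy", "192.168.1.250", 40443)]
VIP_RDR = [("203.0.113.10", 443, "192.168.1.250", 40443)]

if __name__ == "__main__":
    print("broken:", conflicts(BROKEN))        # [('webgui', 'haproxy', 443)]
    print("gui moved:", conflicts(GUI_MOVED))  # []
    print("vip fix:", conflicts(VIP_FIX))      # []
    print("WAN:443 ->", resolve(("203.0.113.10", 443), VIP_RDR, VIP_FIX))  # haproxy
    print("LAN:443 ->", resolve(("192.168.1.1", 443), VIP_RDR, VIP_FIX))   # webgui
```

The model ignores SO_REUSEPORT and interface-scoped binds; it captures only the case in the posts, where a wildcard bind on the public port shadows the GUI's address-specific bind on the same port.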

15
24.1 Legacy Series / Re: Certificates Shuffled for Admin Website HSTS
« on: January 30, 2024, 08:53:18 pm »
The strange thing here is that after a reload of the services the admin website works for some time, and then suddenly the cert is exchanged and access is impossible due to the HSTS settings. The only option at the moment is to apply an older config through the shell; then for some minutes it works with the correct certificate before it starts again.
So far I have reverted back to 23.7 and hope for a solution.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved