Messages - Bagoline

#1
Tutorials and FAQs / IPSEC VTI with HA
April 23, 2019, 05:54:44 PM
Has anyone done the IPSEC VTI implementation in an HA cluster?

I've tried it and the cluster was broken almost immediately.

Any working configuration guide or approach I should be aware of?

Thank you
#2
Has anyone done an IPSEC VTI implementation with HA?

I went to do it and the universe fell apart: HA broke, I lost remote access.
I had to restore from backup....

From what I understood, logically it cannot work because the following conflict:
1. VTI interfaces, since they must exist on both for the config to synchronize,
2. The IPSEC VTIs, since they must be active on only one of the two.

Have I misunderstood something?
#3
19.1 Legacy Series / Re: Can't select HAProxy rule
March 13, 2019, 03:47:11 PM
You are correct with your assumption.

For sticky sessions, we always went with F5, Alteon load balancers for specific use-cases like shopping carts etc.
For the above use-cases, our environment would not allow non-officially supported solutions.

#4
19.1 Legacy Series / Re: Can't select HAProxy rule
March 08, 2019, 07:26:57 PM
Hi boardyuk

Just a clarification which I might have gotten wrong.
You use the HAPROXY as a reverse proxy, and not for load-balancing. Correct?

If that is the case, why not use NGINX with the respective reverse proxy config and security modules?

I have never seen HAPROXY deployed as a reverse proxy. The most common deployments are:
Firewall + Forward Proxy (SQUID) + AV (ClamAV) + Reverse Proxy (WAF)

To be honest I haven't deployed the NGINX in opnsense, but I believe it will be doable and forwarding paths should be more straightforward in NGINX.
#5
Tutorials and FAQs / Re: SNMP - Basic Config
March 04, 2019, 04:29:37 PM
The issue was rectified on the primary instance when LibreSSL was removed in favor of OpenSSL.

The standby still has the same issue for some reason.
Unfortunately, there is no available time to TS it.

Regarding the packets, they reach the firewall OK, the SNMP service for some reason does not respond.
#6
Right now I have no issues, since everything is working fine.
The policies work, NAT works fine, the IPSEC tunnels don't drop (although there will be a migration to GRE-over-IPSEC) to get rid of the phase-2 SAs.

Basically, any experience with firewalls helps, because at the end of the day they all do more or less the same things.

What do you work with, yourself?
#7
19.1 Legacy Series / Re: Can't select HAProxy rule
March 04, 2019, 04:22:39 PM
The steps which I took to configure the HA proxy rule were the following:
1. Create Real servers
2. Create the Health-Check
3. Create the Back-End pool
4. Create the Virtual service.
    For this step I created the virtual service to listen on IP 127.0.0.1 on the TCP port e.g. 12345
5. Create the NAT config with translation to the 127.0.0.1 on the TCP port.

That worked flawlessly.

However, the HA proxy service config needs some time to populate the options from the browser, and sometimes errors were produced by Firefox. I would recommend selecting HA proxy from the Services and leaving it for a few seconds for your browser to download all content.
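As an added illustration (not part of the post, and not the config the OPNsense HAProxy plugin generates), this is the haproxy.cfg equivalent of the five steps above; the backend name, server addresses, health-check path and port 12345 are assumed values:

```haproxy
# Constructed example: the haproxy.cfg equivalent of the OPNsense GUI steps
# above. Names, addresses and the health-check path are assumptions.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Step 4: the virtual service binds only to loopback. The OPNsense NAT port
# forward from step 5 translates the public destination to 127.0.0.1:12345,
# so the proxy itself is never bound on a WAN address and the firewall
# policy, not HAProxy, decides who may reach it.
frontend vs_web_12345
    bind 127.0.0.1:12345
    default_backend pool_web

# Steps 1-3: real servers, health check and back-end pool. A server that
# fails the check three times in a row is pulled from rotation.
backend pool_web
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    server web01 10.0.10.11:8080 check inter 5s fall 3 rise 2
    server web02 10.0.10.12:8080 check inter 5s fall 3 rise 2
```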
#8
Normally, you don't allow access to the firewall from all IP addresses because you will be locked out when the threshold is reached.

It's better if you access the firewall through an OpenVPN.

We have enabled a temp lockout mechanism but through the LDAP back-end authentication.

Again, not from the WAN interface but from a private least exposed firewall interface.
#9
Tutorials and FAQs / Re: SNMP - Basic Config
February 14, 2019, 01:05:22 PM
Simple log stating a permit from the OpenNMS system to the firewall interface IP address.

Are there any other logs I can check?
#10
Tutorials and FAQs / Re: SNMP - Basic Config
February 11, 2019, 09:58:56 AM
I saw that the interface/IP is listening to UDP port 161 and the loopback.
Output below:
root     snmpd      33879 8  udp4   192.168.121.161:161   *:*
root     snmpd      33879 9  udp4   127.0.0.1:161         *:*

In addition, firewall rules permit all traffic to the firewall from the source IP to all interfaces.
I can see the respective log in the live view.

An SNMP version 2c to the firewall returns a "Timeout: No response from 192.168.121.161"
An SNMP version 3 to the firewall returns a "snmpwal: Timeout"

We had the same issue with pfSense, which was the main reason we replaced them with opnsense.

Any other suggested steps?
#11
Good evening.

We have been using it for a few weeks now and it has been pretty fine so far.

How is your own experience?
#12
Tutorials and FAQs / Re: SNMP - Basic Config
February 08, 2019, 02:19:46 PM
Hi Mimugmail

I downgraded to SNMP v 2c and I can SNMPWALK the firewall through the loopback IP 127.0.0.1.

However, when trying the same with the interface IP, even though it is listed as a service IP within the net-snmp I get a time-out.

The logs are a bit strange since while doing the SNMPWALK locally on the device I get an IPSEC ACL permit match log.

Through the NMS I still get the log of permitting the traffic but with no response, hence the timeout again.
#13
Tutorials and FAQs / SNMP - Basic Config
February 06, 2019, 06:03:28 PM
Hi All

We just deployed our Data Center firewalls with two OPNSense VM firewalls.
The selection was between VyOS and PFSense.

Each one had its pros and cons.

One major issue that we face is that we cannot integrate the OPNSense firewall cluster to the SNMP monitoring service.

The firewall rules have been created and the flow is depicted as allowed in the firewall policies.

The NET-SNMP plugin has been configured with all needed information and the respective listening IP addresses, MGMT IP and loopback.

The service is reported as active in the service summary.

However, all SNMPWALK attempts fail with a time-out since no response is returned.
The same thing happens from within the OPNSense terminal.
    snmpwalk -v 3 -u [SNMPv3USER] -a SHA -A [SNMPv3AUTHKEY] -x AES -X [SNMPv3PRIVKEY] 127.0.0.1

Are we missing something?

All feedback will be greatly appreciated.

Thank you
Best Regards
Konstantinos