Messages - fog

#1
Thank you. The command is:
# swanctl --list-pools --leases
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
defaultv4            172.16.0.0                        7 / 0 / 65534
  172.16.0.1                     online   'UserA'
  172.16.0.2                     online   'UserB'
  172.16.0.3                     online   'UserC'
  172.16.0.4                     online   'UserD'


Now I can modify my script https://forum.opnsense.org/index.php?topic=24887.msg125557 which assigns A records in Unbound DNS:
Replace the line
ipsec leases | grep " 172.16" |sed "s/'//g" | while read line
with
swanctl --list-pools --leases 2>/dev/null | grep "172.16.*online" |sed "s/'//g" | while read line


#2
Hi,
In a script I use the command 'ipsec leases' to get all IPs of the mobile IPsec VPN.

After the update to 23.1.4, I now get this error message from the command 'ipsec leases':
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
no pools found

In the Dashboard, tile IPsec, tab Mobile, I see the connected users and IPs.

What happened with the command 'ipsec leases'? In version 22.7 the call 'ipsec leases' had the output:
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Leases in pool '172.16.0.0/16', usage: 2/65534, 2 online
       172.16.0.1   online   'gateway2'
       172.16.0.2   online   'gateway1'

Why is no pool found now?
In the GUI under VPN/IPsec/Lease Status I see the pool defaultv4.

But the command 'ipsec leases defaultv4' also brings the error:
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
pool 'defaultv4' not found


Regards,
fog
#3
I don't know what happened. But now I don't see any phase 2 entries again. And I click on a phase 1 row.

But...

The Paging Count dropdown control of phase 2 has the value -1 (see the image in the first post).
If I change it to a number (e.g. 7), the phase 2 row is visible.
If I later change Paging Count to 'ALL', no phase 2 entry is visible.
#4
Thank you. How could I have missed that?
#5
Any ideas are welcome on how I can show and edit the phase 2 entries again.
#6
Hi,
after the update to OPNsense 22.1, no IPsec phase 2 entries are shown in the GUI at /ui/ipsec/tunnels:
All is empty.

But they exist. The VPNs are working.

How can I show and edit the phase 2 entries?

Best regards,
fog


Versions:
OPNsense 22.1.2_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021

#7
21.7 Legacy Series / Re: Unbound DNS script
February 01, 2022, 07:21:29 PM
My script /root/ipsecdns.sh:


#!/bin/sh
#set -x

# Target file in Unbound's include directory; the new version is built in a
# scratch file first. mktemp creates it empty with an unpredictable name, so
# nothing else can pre-create the path and an empty lease list still gives a
# valid (empty) config instead of a missing file.
ipsecconf=/usr/local/etc/unbound.opnsense.d/ipsec.conf
tmpipsecconf=$(mktemp /tmp/ipsec.conf.XXXXXX) || exit 1

# Disable globbing and split fields only at spaces
set -f; IFS=' '

# Each lease line looks like:   172.16.0.1   online   'gateway2'
ipsec leases | grep " 172.16" | sed "s/'//g" | while read line
do
    set -- $line
    ip=$1; name=$3
    echo "local-data: \"${name}.ipsec.example.com A ${ip}\"" >>"$tmpipsecconf"
done
set +f; unset IFS

cat "$tmpipsecconf"
# Only replace the config and restart Unbound when something changed
if cmp -s "$ipsecconf" "$tmpipsecconf"; then
    printf 'The file "%s" is the same as "%s"\n' "$ipsecconf" "$tmpipsecconf"
    rm -f "$tmpipsecconf"
else
    printf 'The file "%s" is different from "%s"\n' "$ipsecconf" "$tmpipsecconf"
    mv -f "$tmpipsecconf" "$ipsecconf"
    configctl unbound restart
fi


Add /usr/local/opnsense/service/conf/actions.d/actions_ipsecdns.conf with:

[reload]
command:/root/ipsecdns.sh > /root/ipsecdns_out.txt 2>&1
parameter:
type:script
message:mobile IPSEC DNS update


Restart configd:
service configd restart

And add a cron job in the GUI: System > Settings > Cron
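As an added example (not the poster's script), the following parses the 'swanctl --list-pools --leases' listing from the newer post above, and equally the older 'ipsec leases' listing, since both print "ip online 'name'" per lease. It validates each field before it becomes an Unbound local-data record, because the identity string comes from the VPN peer and the sed in the script only strips single quotes. The zone name ipsec.example.com and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not the forum poster's script: turn the lease listing of
# 'swanctl --list-pools --leases' (OPNsense 23.1) into Unbound local-data
# records, accepting only well-formed fields. The zone name is an assumption.
ZONE="ipsec.example.com"

# Constructed sample of the swanctl output; the last identity contains a
# double quote and must never reach unbound's configuration file.
sample_leases() {
    cat <<'EOF'
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
defaultv4            172.16.0.0                        7 / 0 / 65534
  172.16.0.1                     online   'UserA'
  172.16.0.2                     online   'UserB'
  172.16.0.3                     offline  'UserC'
  172.16.0.4                     online   'bad"name'
EOF
}

# Reads lease lines on stdin, prints one local-data record per online lease.
# The pool header and the "no files found" line fail the field test;
# an identity is used only if it is a plain DNS label (letters, digits, '-').
leases_to_local_data() {
    awk -v zone="$ZONE" -v q="'" '
        NF == 3 && $2 == "online" {
            ip = $1; name = $3
            # strip the single quotes swanctl puts around the identity
            if (substr(name, 1, 1) == q) name = substr(name, 2)
            if (substr(name, length(name), 1) == q) name = substr(name, 1, length(name) - 1)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (name !~ /^[A-Za-z0-9][A-Za-z0-9-]*$/ || length(name) > 63) {
                print "skipping lease " ip ": identity is not a valid DNS label" > "/dev/stderr"
                next
            }
            printf "local-data: \"%s.%s A %s\"\n", name, zone, ip
        }'
}

# Demo: prints records for UserA and UserB and a warning for 172.16.0.4
sample_leases | leases_to_local_data
```

The two records it prints can be redirected into the scratch file used by the script above in place of the grep/sed/while pipeline.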
#8
21.7 Legacy Series / Re: Unbound DNS script
December 17, 2021, 10:45:40 AM
As described in https://docs.opnsense.org/manual/unbound.html#advanced-configurations
I created "/usr/local/etc/unbound.opnsense.d/ipsec.conf" with
local-data: "gateway1.example.com A 172.16.0.1"
local-data: "gateway1.example.com A 172.16.0.2"

and restarted unbound:
configctl unbound restart

I have to make a cron job to check changes to "ipsec leases" and then update ipsec.conf and restart unbound.
#9
21.7 Legacy Series / Unbound DNS script
September 24, 2021, 08:51:08 AM
Is it possible to add or modify Unbound DNS host overrides periodically with a crontab script?

I have to call 'ipsec leases', which gives:
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Leases in pool '172.16.0.0/16', usage: 2/65534, 2 online
       172.16.0.1   online   'gateway2'
       172.16.0.2   online   'gateway1'

Now I have to add or modify host overrides:
gateway2 example.com A 172.16.0.1
gateway1 example.com A 172.16.0.2

There doesn't seem to be a solution to add a static mapping https://forum.opnsense.org/index.php?topic=24667.0
#10
Hi,
I use a setup similar to https://docs.opnsense.org/manual/how-tos/ipsec-road.html to connect some Sierra Wireless Gateway RV 50 devices, but only with PSK.
I define users GWY001..GWY004, each with a unique IPsec Pre-Shared Key.

All is working, but the IP from the Virtual IPv4 Address Pool depends on the order of registration.
Now GWY004 has the first IP.

Is it possible to assign static IPs to the users?
Similar to Services: DHCPv4: [LAN]: DHCP Static Mappings for this interface.

If the service VPN: IPsec: Lease Status is restarted, all leases are gone and the IP addresses are reassigned in the order of registration.
Now I have to look in VPN: IPsec: Lease Status to get the IP for a specific gateway.

Or is it possible to add these IP leases to the DNS overrides of Unbound DNS?


Regards,
fog
#11
Hi,
an error occurs if the last digit of the Local Address in phase 2 of a routed IPsec VPN is greater than 32. The General Log shows an invalid subnet mask:
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'


It works with 10.36.238.2 .. 10.36.238.32.
See more errors in https://forum.opnsense.org/index.php?topic=22886.msg117655#msg117655

The Audit Health shows no problems:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.1 (amd64/OpenSSL) at Sat Aug 28 11:17:10 CEST 2021
>>> Check installed kernel version
Version 21.7.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***


Regards,
fog
#12
Hi,
The same problem exists with the current version 21.7.1.
I located the error in System: Log Files: General

opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'

I modified the Local Address and get an error if the last digit is >32:

opnsense[74322] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.33/-1' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.33/-1: bad value (width invalid)'
opnsense[80630] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.34/-2' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.34/-2: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.40/-8' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.40/-8: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.50/-18' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.50/-18: bad value (width invalid)'
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.2.100/-68' '10.36.2.1'' returned exit code '1', the output was 'ifconfig: 10.36.2.100/-68: bad value (width invalid)'
opnsense[68843] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.99/-67' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.99/-67: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.254/-222' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.254/-222: bad value (width invalid)'

Now I use 10.36.238.2 instead of 10.36.238.100 and no error occurs.
And the IP is also shown for the ipsec interface in the dashboard.

There must be a bug in vpn_ipsec.php which adds a negative subnet mask to the IP.
Regards,
fog
#13
Hi,
Does anyone have any idea why the line

inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff

is missing in ifconfig?
Best Regards,
fog
#14
The same problem also exists with the current version 21.1.8_1:

The following input errors were detected:
    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.


21.1.8_1 (error)

#ifconfig
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 116.***.***.*** --> 195.***.***.***
        inet6 fe80::250:56ff:fe00:2340%ipsec1 prefixlen 64 scopeid 0x8
        groups: ipsec
        reqid: 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


21.1.2 (ok)

#ifconfig
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 116.***.***.*** --> 195.***.***.***
        inet6 fe80::250:56ff:fe00:2340%ipsec1 prefixlen 64 scopeid 0x8
        inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff
        groups: ipsec
        reqid: 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


The line inet is missing for:
Local Address    10.36.238.100
Remote Address    10.36.238.1

In the log is an error:
2021-07-24T11:27:14   opnsense[58776]   /usr/local/etc/rc.routing_configure: The gw1 IPv4 gateway address is invalid, skipping.

gw1 is the far gateway to Remote Address    10.36.238.1

And now a revert is not working anymore:

# opnsense-revert -r 21.1.2 opnsense
Fetching opnsense.txz: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20210104... done
opnsense-21.1.8_1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: opnsense has a missing dependency: bsdinstaller
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        opnsense: 21.1.2

Number of packages to be installed: 1

The process will require 22 MiB more space.
[1/1] Installing opnsense-21.1.2...
Extracting opnsense-21.1.2: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=93561).
>>> Invoking update script 'refresh'
Keep version OPNsense\Monit\Monit (1.0.9)
Keep version OPNsense\Firewall\Alias (1.0.0)
Keep version OPNsense\Firewall\Category (1.0.0)
Keep version OPNsense\OpenVPN\Export (0.0.1)
Keep version OPNsense\CaptivePortal\CaptivePortal (1.0.0)
Keep version OPNsense\Core\Firmware (1.0.0)

Fatal error: Uncaught Error: Class 'Phalcon\Validation\Validator' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php:41
Stack trace:
#0 [internal function]: unknown()
#1 [internal function]: Phalcon\Loader->autoLoad('OPNsense\\Base\\V...')
#2 [internal function]: spl_autoload_call('OPNsense\\Base\\V...')
#3 /usr/local/opnsense/mvc/script/run_migrations.php(50): ReflectionClass->__construct('OPNsense\\Base\\V...')
#4 {main}
  thrown in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php on line 41
Writing firmware setting...done.
Writing trust files...done.
Configuring login behaviour...done.
Configuring system logging...done.
=====
Message from opnsense-21.1.2:


--
What are you looking at?


The web GUI is empty.

I restored the backup of the OPNsense VM.

The console now shows the IP for ipsec1:

*** fw*******: OPNsense 21.1.2 (amd64/OpenSSL) ***

LAN (vtnet1)    -> v4: 10.36.100.1/24
WAN (vtnet0)    -> v4: 116.***.***.***/26
ipsec (ipsec1) -> v4: 10.36.238.100/32
...

This was missing on 21.1.8.
#15
The error

The following input errors were detected:

    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

is not fixed in 21.1.6. I reverted to 21.1.2 again:

opnsense-revert -r 21.1.2 opnsense