Messages - HollinCH

#1
Correction, 8 devices have upgraded to 24.7.2.
#2
I can downgrade one of the other firewalls tonight from 24.7.2 to 24.7.1 while saving the conf files before and after. We have about 15 remaining OPNsense firewalls that I think are now running 24.7.2. They all have IPsec connections with our FortiGate. The others are not (yet) misbehaving.

Please let me know if you need other files before and after to compare.
#3
Hi Franco,

I haven't captured the 24.7.2 version of the file because terminal logging was off, but I compared it to one of the other firewalls still running 24.7.2. There may be slight differences in how the VPN is configured. The 02-strongswan.conf is from the firewall still running 24.7.2.

~ @ ctmac01(xxxxxxx): diff -u *strongswan.conf
--- 01-strongswan.conf   2024-08-23 15:24:40
+++ 02-strongswan.conf   2024-08-23 15:23:12
@@ -9,9 +9,27 @@
     init_limit_half_open = 1000
     ignore_acquire_ts = yes
     syslog {
-        identifier = charon
+        ike_name = yes
+        log_level = no
         daemon {
-            ike_name = yes
+            app = 1
+            asn = 1
+            cfg = 1
+            chd = 1
+            dmn = 1
+            enc = 1
+            esp = 1
+            ike = 1
+            imc = 1
+            imv = 1
+            job = 1
+            knl = 1
+            lib = 1
+            mgr = 1
+            net = 1
+            pts = 1
+            tls = 1
+            tnc = 1
         }
     }
     install_routes = no
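Review bot: on the `+` side of this hunk `ike_name = yes` and `log_level = no` sit directly under `syslog {`, whereas the `-` side had `ike_name = yes` inside the `daemon {` facility block; strongSwan looks these two options up per facility (charon.syslog.<facility>.ike_name / .log_level), so at the `syslog` level they are not applied and IKE names will not be prefixed in the 24.7.2 file's log lines. Suggest moving both lines inside `daemon { ... }` next to the subsystem levels, and confirming that the removal of `identifier = charon` is intentional rather than a template regression.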
@@ -19,4 +37,3 @@
     }
}

-include strongswan.opnsense.d/*.conf
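Review bot: this hunk drops `include strongswan.opnsense.d/*.conf` from the 02 file, so any drop-in overrides under that directory are no longer read on the 24.7.2 firewall; before attributing the IKEv2 failures to something else, check whether that directory holds settings negotiated with the FortiGate (lifetimes, DPD, proposals) on the working 24.7.1 box, and whether the 24.7.2 template intends to omit the include or the line was simply lost.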

Regards,
Jaap
#4
24.7, 24.10 Legacy Series / IPsec issues with 24.7.2
August 23, 2024, 02:28:54 PM
A couple of firewalls experienced site-to-site IPsec IKEv2 issues after upgrading to 24.7.2. We reverted to 24.7.1 and it seems to have returned to normal.

The IPsec connections terminate at a FortiGate, and the connections are either lost and recovered by rebooting the OPNsense, or lost completely (a reboot doesn't re-establish the connection).

Returning to 24.7.1 has corrected this.
#5
OK, found it: you can specify -S <source ip> in the ping command.

So for example:
root@vesenaz:~ # ping -S 192.168.74.1 192.168.73.10
PING 192.168.73.10 (192.168.73.10) from 192.168.74.1: 56 data bytes
64 bytes from 192.168.73.10: icmp_seq=0 ttl=127 time=5.848 ms
64 bytes from 192.168.73.10: icmp_seq=1 ttl=127 time=5.519 ms
64 bytes from 192.168.73.10: icmp_seq=2 ttl=127 time=5.290 ms
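As an added example (not code from this thread, from OPNsense or from strongSwan), the following sh script wraps the `ping -S` shown above with the check a practitioner usually wants first: with policy-based IPsec a packet is only encrypted when its source and destination match an installed Phase 2 policy, so ping's default source (the egress interface address) never enters the tunnel, while a LAN address inside the local selector does. The script refuses to send anything when the chosen source or destination falls outside the selectors and otherwise binds ping to the source address. The selectors 192.168.74.0/24 and 192.168.73.0/24, the function names and the Linux `-I` branch are assumptions of mine; the addresses reuse the ones in the post.

```sh
#!/bin/sh
# Added example, not code from the forum thread: ping across a policy-based
# IPsec tunnel from the firewall shell with an explicit source address, after
# checking that the source/destination pair actually matches the tunnel's
# Phase 2 traffic selectors (assumed here: 192.168.74.0/24 local and
# 192.168.73.0/24 remote). OPNsense is FreeBSD, whose ping takes -S for the
# source address; Linux iputils ping takes -I instead.

# ip4_to_int ADDR: dotted quad to a 32-bit integer (192.168.74.1 -> 3232254465).
ip4_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/BITS: succeed (exit 0) when ADDR lies inside NET/BITS.
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# vpn_ping SRC DST LOCAL_SELECTOR REMOTE_SELECTOR
# Returns 2 without sending anything if SRC or DST would not match the
# selectors (the ping would leave unencrypted or be dropped); otherwise runs
# ping bound to SRC and returns ping's own exit status.
vpn_ping() {
    src=$1; dst=$2; local_sel=$3; remote_sel=$4
    if ! in_cidr "$src" "$local_sel"; then
        echo "source $src is outside the local selector $local_sel" >&2
        return 2
    fi
    if ! in_cidr "$dst" "$remote_sel"; then
        echo "destination $dst is outside the remote selector $remote_sel" >&2
        return 2
    fi
    case $(uname -s) in
        FreeBSD) ping -c 3 -S "$src" "$dst" ;;   # OPNsense / FreeBSD syntax
        *)       ping -c 3 -I "$src" "$dst" ;;   # Linux iputils syntax
    esac
}

# Usage: sh vpn_ping.sh 192.168.74.1 192.168.73.10 192.168.74.0/24 192.168.73.0/24
if [ $# -eq 4 ]; then
    vpn_ping "$1" "$2" "$3" "$4"
fi
```

Take the two selectors from the Phase 2 entry of the tunnel you are testing; if the selector check fails, fix the source address (or the Phase 2 definition) rather than the ping, because the FortiGate side will never see a packet that does not match the policy.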
#6
Done, $250, thanks for the work!
#7
General Discussion / Ping from firewall across VPN
April 20, 2022, 02:42:20 PM
Hi there,

With FortiGate firewalls one can specify the IP address of an available LAN interface to use as the source address in order to ping an address reachable across a VPN, which comes in handy to check whether connectivity works.

Does OPNsense have a similar feature available?

Thanks, kind regards,
Jaap