"
I noticed this too, when you turn off strict matching the connection works. If strict matching is on, it states in the log that the certificate name doesn't match the username, but they are the same. I have tried to recreate the certificate multiple times, always the same result.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
24.7, 24.10 Legacy Series / Re: IPsec issues with 24.7.2
August 23, 2024, 04:21:44 PM
Correction, 8 devices have upgraded to 24.7.2.
#3
24.7, 24.10 Legacy Series / Re: IPsec issues with 24.7.2
August 23, 2024, 04:08:10 PM
I can downgrade one of the other firewalls tonight from 24.7.2 to 24.7.1 while saving the conf files before and after. We have about 15 remaining OPNsense that I think are now running 24.7.2. They all have IPsec connections with our Fortigate. The others are not (yet) misbehaving.
Please let me know if you need other files before and after to compare.
Please let me know if you need other files before and after to compare.
#4
24.7, 24.10 Legacy Series / Re: IPsec issues with 24.7.2
August 23, 2024, 03:34:53 PM
Hi Franco,
I haven't captured the 24.7.2 version of the file because terminal logging was off, but I compared it to one of the other firewalls still running 24.7.2. There may be slight differences in how the VPN is configured. The 02-strongswan.conf is still running 24.7.2.
~ @ ctmac01(xxxxxxx): diff -u *strongswan.conf
--- 01-strongswan.conf 2024-08-23 15:24:40
+++ 02-strongswan.conf 2024-08-23 15:23:12
@@ -9,9 +9,27 @@
init_limit_half_open = 1000
ignore_acquire_ts = yes
syslog {
- identifier = charon
+ ike_name = yes
+ log_level = no
daemon {
- ike_name = yes
+ app = 1
+ asn = 1
+ cfg = 1
+ chd = 1
+ dmn = 1
+ enc = 1
+ esp = 1
+ ike = 1
+ imc = 1
+ imv = 1
+ job = 1
+ knl = 1
+ lib = 1
+ mgr = 1
+ net = 1
+ pts = 1
+ tls = 1
+ tnc = 1
}
}
install_routes = no
@@ -19,4 +37,3 @@
}
}
-include strongswan.opnsense.d/*.conf
Regards,
Jaap
I haven't captured the 24.7.2 version of the file because terminal logging was off, but I compared it to one of the other firewalls still running 24.7.2. There may be slight differences in how the VPN is configured. The 02-strongswan.conf is still running 24.7.2.
~ @ ctmac01(xxxxxxx): diff -u *strongswan.conf
--- 01-strongswan.conf 2024-08-23 15:24:40
+++ 02-strongswan.conf 2024-08-23 15:23:12
@@ -9,9 +9,27 @@
init_limit_half_open = 1000
ignore_acquire_ts = yes
syslog {
- identifier = charon
+ ike_name = yes
+ log_level = no
daemon {
- ike_name = yes
+ app = 1
+ asn = 1
+ cfg = 1
+ chd = 1
+ dmn = 1
+ enc = 1
+ esp = 1
+ ike = 1
+ imc = 1
+ imv = 1
+ job = 1
+ knl = 1
+ lib = 1
+ mgr = 1
+ net = 1
+ pts = 1
+ tls = 1
+ tnc = 1
}
}
install_routes = no
@@ -19,4 +37,3 @@
}
}
-include strongswan.opnsense.d/*.conf
Regards,
Jaap
#5
24.7, 24.10 Legacy Series / IPsec issues with 24.7.2
August 23, 2024, 02:28:54 PM
A couple of firewalls experienced site-to-site IPsec IKEv2 issues after upgrading to 24.7.2. We reverted back to 24.7.1 and it seems to return to normal.
The IPsec connections terminate at a FortiGate, and the connections are either lost and recovered by rebooting the OpnSense, or the connection is lost completely (a reboot doesn't reestablish the connection).
Returning to 24.7.1 has corrected this.
The IPsec connections terminate at a FortiGate, and the connections are either lost and recovered by rebooting the OpnSense, or the connection is lost completely (a reboot doesn't reestablish the connection).
Returning to 24.7.1 has corrected this.
#6
General Discussion / Re: Ping from firewall across VPN
April 20, 2022, 02:48:54 PM
OK found it, you can specify -S <source ip> in the ping command.
So for example:
root@vesenaz:~ # ping -S 192.168.74.1 192.168.73.10
PING 192.168.73.10 (192.168.73.10) from 192.168.74.1: 56 data bytes
64 bytes from 192.168.73.10: icmp_seq=0 ttl=127 time=5.848 ms
64 bytes from 192.168.73.10: icmp_seq=1 ttl=127 time=5.519 ms
64 bytes from 192.168.73.10: icmp_seq=2 ttl=127 time=5.290 ms
So for example:
root@vesenaz:~ # ping -S 192.168.74.1 192.168.73.10
PING 192.168.73.10 (192.168.73.10) from 192.168.74.1: 56 data bytes
64 bytes from 192.168.73.10: icmp_seq=0 ttl=127 time=5.848 ms
64 bytes from 192.168.73.10: icmp_seq=1 ttl=127 time=5.519 ms
64 bytes from 192.168.73.10: icmp_seq=2 ttl=127 time=5.290 ms
#7
General Discussion / Re: Please Make a Donation to OPNsense
April 20, 2022, 02:45:45 PM
Done, $250, thanks for the work!
#8
General Discussion / Ping from firewall across VPN
April 20, 2022, 02:42:20 PM
Hi there,
With Fortigate firewalls one can specify the IP address of an available LAN interface to use as source address in order to ping an address reachable across a VPN, which comes in handy to check if connectivity works.
Does OpnSense have a similar feature available?
Thanks, kind regards,
Jaap
With Fortigate firewalls one can specify the IP address of an available LAN interface to use as source address in order to ping an address reachable across a VPN, which comes in handy to check if connectivity works.
Does OpnSense have a similar feature available?
Thanks, kind regards,
Jaap
Pages1
