Messages - knroftz23

#1
That is not the case. All three IP networks are entered as "Tunnel IPv4".

But that still wouldn't explain why I don't see any IP packets from the remote side in tcpdump, would it?
#3
I should adjust my diagram once more:

            |
        LAN | 172.19.2.0 / 172.19.29.0
            |
      .-----+------.
      |    FW01    |
      '-----+------'
            |
        LAN | 192.168.50.0
            |
      .-----+------.
      |   Lancom   | LTE towards the Internet
      '-----+------'
            | 80.xxx.xxx.xxx
        WAN / Internet
            | 193.xxx.xxx.xxx
      .-----+------.
      |  OPNsense  |
      '-----+------'
            |
        LAN | 10.19.215.0
            |

This is what I get with:
tcpdump -i re0 -n -s0 -vv host 80.xxx.xxx.xxx

21:27:17.567771 IP (tos 0x0, ttl 64, id 37833, offset 0, flags [none], proto UDP (17), length 164)
    193.xxx.xxx.xxx.4500 > 80.xxx.xxx.xxx.4500: [no cksum] UDP-encap: ESP(spi=0xebc008ae,seq=0xbc), length 136
21:27:18.572762 IP (tos 0x0, ttl 64, id 59131, offset 0, flags [none], proto UDP (17), length 164)
    193.xxx.xxx.xxx.4500 > 80.xxx.xxx.xxx.4500: [no cksum] UDP-encap: ESP(spi=0xebc008ae,seq=0xbd), length 136
21:27:19.573161 IP (tos 0x0, ttl 64, id 56015, offset 0, flags [none], proto UDP (17), length 164)
    193.xxx.xxx.xxx.4500 > 80.xxx.xxx.xxx.4500: [no cksum] UDP-encap: ESP(spi=0xebc008ae,seq=0xbe), length 136
21:27:23.727564 IP (tos 0x0, ttl 64, id 7628, offset 0, flags [none], proto UDP (17), length 29)
    193.xxx.xxx.xxx.4500 > 80.xxx.xxx.xxx.4500: [udp sum ok] isakmp-nat-keep-alive

I have the impression that my packets disappear on the way between the Lancom router and the OPNsense. Could be due to the LTE link.

Does anyone have experience with this, or can someone confirm my impression? That would be nice. Thanks.
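The capture above shows ESP leaving 193.xxx (the OPNsense) for 80.xxx but no ESP coming back. This added Python script, not from the thread, counts ESP packets per direction and SPI in tcpdump text and says whether the tunnel is one-way from the capturing host's point of view; the sample uses constructed RFC 5737 addresses in place of the masked ones.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the thread's tcpdump output.
# 203.0.113.10 stands in for the OPNsense WAN, 198.51.100.20 for the Lancom.
SAMPLE = """\
21:27:17.567771 IP (tos 0x0, ttl 64, id 37833, offset 0, flags [none], proto UDP (17), length 164)
    203.0.113.10.4500 > 198.51.100.20.4500: [no cksum] UDP-encap: ESP(spi=0xebc008ae,seq=0xbc), length 136
21:27:18.572762 IP (tos 0x0, ttl 64, id 59131, offset 0, flags [none], proto UDP (17), length 164)
    203.0.113.10.4500 > 198.51.100.20.4500: [no cksum] UDP-encap: ESP(spi=0xebc008ae,seq=0xbd), length 136
21:27:23.727564 IP (tos 0x0, ttl 64, id 7628, offset 0, flags [none], proto UDP (17), length 29)
    203.0.113.10.4500 > 198.51.100.20.4500: [udp sum ok] isakmp-nat-keep-alive
"""

# Matches the second line of each tcpdump record when it carries UDP-encapsulated ESP.
ESP_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): .*?"
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)"
)


def esp_flows(dump_text):
    """Count ESP packets per (src, dst, spi) and remember the last sequence number seen."""
    flows = Counter()
    last_seq = {}
    for line in dump_text.splitlines():
        m = ESP_RE.match(line)
        if not m:
            continue  # IP header lines and NAT keep-alives carry no ESP
        key = (m["src"], m["dst"], m["spi"])
        flows[key] += 1
        last_seq[key] = int(m["seq"], 16)
    return flows, last_seq


def tunnel_verdict(flows, local_ip):
    """Classify the ESP traffic as seen from the host with address local_ip."""
    out = sum(n for (src, _, _), n in flows.items() if src == local_ip)
    inb = sum(n for (_, dst, _), n in flows.items() if dst == local_ip)
    if out and not inb:
        return "one-way: ESP leaves but nothing returns"
    if inb and not out:
        return "one-way: ESP arrives but nothing is sent"
    if out and inb:
        return "bidirectional"
    return "no ESP seen"


if __name__ == "__main__":
    flows, last_seq = esp_flows(SAMPLE)
    for key, n in flows.items():
        print(key, n, "packets, last seq", hex(last_seq[key]))
    print(tunnel_verdict(flows, "203.0.113.10"))
```

Run it against a real `tcpdump -i re0 -n host <peer>` capture saved to a file; a verdict of "one-way" with rising sequence numbers means the local side is encrypting, and the missing return direction has to be traced on the peer or the path in between.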
#4
You mean the "Richtlinie installieren" (Install policy) checkbox (my language setting is German)? It is ticked.
#5
ipsec status con1

no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Routed Connections:
        con1{1}:  ROUTED, TUNNEL, reqid 1
        con1{1}:   10.19.215.0/24 === 172.19.2.0/24 172.19.29.0/24 192.168.50.0/24
Security Associations (0 up, 0 connecting):
  no match


or rather:

no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Routed Connections:
        con1{1}:  ROUTED, TUNNEL, reqid 1
        con1{1}:   10.19.215.0/24 === 172.19.2.0/24 172.19.29.0/24 192.168.50.0/24
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 3 seconds ago, 193.xxx.xxx.xxx[max@muster.de]...80.xxx.xxx.xxx[max@muster.de]
        con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cee852e5_i 1a8fd65b_o
        con1{2}:   10.19.215.0/24 === 192.168.50.0/24

Looks fine to me at first glance.

Actually my network looks like this:

            |
        LAN | 172.19.2.0 / 172.19.29.0
            |
      .-----+------.
      |    FW01    |
      '-----+------'
            |
        LAN | 192.168.50.0
            |
      .-----+------.
      |   Lancom   |
      '-----+------'
            |
        WAN / Internet
            |
      .-----+------.
      |  OPNsense  |
      '-----+------'
            |
        LAN | 10.19.215.0
            |
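The second status block above lists three routed remote subnets for con1{1} but only one installed selector pair for con1{2} (10.19.215.0/24 === 192.168.50.0/24). This added Python script, not from the thread or from OPNsense, parses `ipsec status` text (the output above embedded as its sample input) and reports routed selector pairs that have no installed CHILD_SA, which is the first thing to check when traffic for some subnets never gets encrypted.

```python
import re

# The poster's second `ipsec status con1` output, used here as sample input.
STATUS = """\
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Routed Connections:
        con1{1}:  ROUTED, TUNNEL, reqid 1
        con1{1}:   10.19.215.0/24 === 172.19.2.0/24 172.19.29.0/24 192.168.50.0/24
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 3 seconds ago, 193.xxx.xxx.xxx[max@muster.de]...80.xxx.xxx.xxx[max@muster.de]
        con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cee852e5_i 1a8fd65b_o
        con1{2}:   10.19.215.0/24 === 192.168.50.0/24
"""

# "con1{1}:  ROUTED, ..." / "con1{2}:  INSTALLED, ..." state lines for CHILD_SA entries.
STATE_RE = re.compile(r"^\s*(?P<name>\S+\{\d+\}):\s+(?P<state>ROUTED|INSTALLED)\b")
# "con1{1}:   <local selectors> === <remote selectors>" traffic-selector lines.
TS_RE = re.compile(r"^\s*(?P<name>\S+\{\d+\}):\s+(?P<local>[\d./ ]+?) === (?P<remote>[\d./ ]+)$")


def selector_pairs(status_text):
    """Return {state: set of (local, remote) selector pairs} parsed from `ipsec status`."""
    pairs = {"ROUTED": set(), "INSTALLED": set()}
    state_of = {}  # child entry name -> ROUTED / INSTALLED
    for line in status_text.splitlines():
        line = line.rstrip()
        m = STATE_RE.match(line)
        if m:
            state_of[m["name"]] = m["state"]
            continue
        m = TS_RE.match(line)
        if m and state_of.get(m["name"]) in pairs:
            # A selector line may list several subnets on each side; expand every combination.
            for loc in m["local"].split():
                for rem in m["remote"].split():
                    pairs[state_of[m["name"]]].add((loc, rem))
    return pairs


def missing_child_sas(status_text):
    """Routed selector pairs for which no CHILD_SA is currently installed."""
    p = selector_pairs(status_text)
    return sorted(p["ROUTED"] - p["INSTALLED"])


if __name__ == "__main__":
    for loc, rem in missing_child_sas(STATUS):
        print(f"routed but no installed SA: {loc} === {rem}")
```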
#6
      ------+------... (Clients/Servers)
            |
      .-----+------.
      |   LANcom   |
      '-----+------'
            |
            |
            |
      .-----+------.
      |  OPNsense  |
      '-----+------'
            |
    ...-----+------... (Clients/Servers)

#7
Hello,

I have built an IPsec tunnel between an OPNsense and a Lancom router. The IPsec connection comes up.

When I send a ping from a PC behind the OPNsense, the ICMP packet arrives at the LAN interface and is sent out via the IPsec interface. The packet then arrives at the target system. The reply gets as far as the Lancom router and disappears on the stretch between the Lancom router and the OPNsense.

I followed the guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html).

Under VPN > IPsec > Status Overview I see outgoing bytes but no incoming ones. What I am wondering now is whether I have to create an IPsec interface manually. I only see it in the log, but it is not created anywhere. I have the impression that I need an IPsec interface to terminate the traffic. Am I wrong about this? I could use a tip.

Regards,
Thomas
#8
20.7 Legacy Series / Re: enable BGP Routing
June 25, 2021, 01:19:42 PM
bgpd[43001]: can't connect to 192.168.254.1 fd 19 : Permission denied

What does this error message mean? I would have expected a connection refused error.
#9
20.7 Legacy Series / Re: enable BGP Routing
June 25, 2021, 12:10:04 PM
In the firewall log I see packets from the neighbor, and I see packets coming from my WAN interface (port 179).
#10
20.7 Legacy Series / enable BGP Routing
June 25, 2021, 11:11:32 AM
Hello,

I would like to use BGP routing, but my BGP router does not send or receive any packets. What irritates me most is that my router is not sending any packets to its neighbor.

I'm doing something fundamentally wrong. I no longer have any idea what I'm doing wrong.

Current configuration:
!
frr version 7.4
frr defaults traditional
hostname fw01.test.local
log syslog notifications
!
router bgp 6500
bgp router-id 192.168.254.2
no bgp ebgp-requires-policy
neighbor 192.168.254.1 remote-as 6501
neighbor 192.168.254.1 ebgp-multihop 255
neighbor 192.168.254.1 update-source bge1
!
address-family ipv4 unicast
  network 192.168.10.0/24
  neighbor 192.168.254.1 next-hop-self
exit-address-family
!
line vty
!
end


sh ip bgp neighbors
BGP neighbor is 192.168.254.1, remote AS 6501, local AS 6500, external link
  BGP version 4, remote router ID 0.0.0.0, local router ID 192.168.254.2
  BGP state = Active
  Last read 00:20:53, Last write never
  Hold time is 180, keepalive interval is 60 seconds
  Graceful restart information:
    Local GR Mode: Helper*
    Remote GR Mode: NotApplicable
    R bit: False
    Timers:
      Configured Restart Time(sec): 120
      Received Restart Time(sec): 0
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
    Route Refresh:          0          0
    Capability:             0          0
    Total:                  0          0
  Minimum time between advertisement runs is 0 seconds
  Update source is bge1

For address family: IPv4 Unicast
  Not part of any update group
  NEXT_HOP is always this router
  Community attribute sent to this neighbor(all)
  0 accepted prefixes

  Connections established 0; dropped 0
  Last reset 00:20:53,  Waiting for peer OPEN
  External BGP neighbor may be up to 255 hops away.
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 113 seconds
Read thread: off  Write thread: off  FD used: -1

sh bgp summary

IPv4 Unicast Summary:
BGP router identifier 192.168.254.2, local AS number 6500 vrf-id 0
BGP table version 1
RIB entries 1, using 192 bytes of memory
Peers 1, using 14 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
192.168.254.2   4        6501         0         0        0    0    0    never       Active        0

Total number of neighbors 1