Messages - indigosi

#1
Hey peeps,

I really didn't know where to put this, so I hope this is ok.

I have one big problem that has been nagging me for some months now. We have our own VPC in AWS, where we are running multiple VMs with AWS EC2.

The OPNsense is our main VPN gateway, which enables us to reach everything inside that VPN of ours.

Here are some data regarding the OPNSense:

- v. 21.7.8
- instance type: t2.small (CPU: Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz (1 cores), 2GB RAM)
- 10GB hard drive (ssd, gp2).
- services: VPN, ha-proxy, fw - nothing special

Of course, my wish would be to be on the latest version, but every time I try to update this OPNsense to 22.1 (doesn't matter whether GUI or CLI, I tried everything) the upgrade goes ok, then the VM reboots and does not boot anymore.

I can't find the cause for this. My only explanation would be that the FreeBSD 13 upgrade has something to do with the type of the instance? Has anybody had such issues?

I don't know what to do except make a new instance and then manually import the config and so on... but that would be a lot of work.

Thanks for your feedback!
#2
Also, some additional output from the CLI:

REMINDER: The network for the Mikrotik has changed from 10.101.11.0/24 to 10.101.12.0/24 ... so don't wonder why these logs are showing another network.

ipsec statusall


Listening IP addresses:
10.99.1.10
10.99.0.253
10.99.0.252
10.99.2.253
10.98.0.1
10.98.16.1

Connections:
con1: 10.99.1.10...xx.xxx.xx.xx IKEv2 -> xxx is our public IP
con1: local: [vpn.nasadomena.com] uses pre-shared key authentication
con1: remote: [xx.xxx.xx.xx] uses pre-shared key authentication
con1: child: 10.99.3.0/24 === 10.101.12.0/24 TUNNEL
con1-001: child: 10.99.0.0/24 === 10.101.12.0/24 TUNNEL
con1-002: child: 10.99.0.0/24 === 10.101.10.0/24 TUNNEL
con1-003: child: 10.99.0.0/24 === 10.101.11.0/24 TUNNEL
con1-004: child: 10.99.0.0/24 === 10.113.12.0/24 TUNNEL
con1-005: child: 10.98.0.0/24 === 10.101.11.0/24 TUNNEL

Routed Connections:
con1-005{29}: ROUTED, TUNNEL, reqid 5
con1-005{29}: 10.98.0.0/24 === 10.101.11.0/24
con1-004{28}: ROUTED, TUNNEL, reqid 4
con1-004{28}: 10.99.0.0/24 === 10.113.12.0/24
con1-003{27}: ROUTED, TUNNEL, reqid 3
con1-003{27}: 10.99.0.0/24 === 10.101.11.0/24
con1-002{26}: ROUTED, TUNNEL, reqid 2
con1-002{26}: 10.99.0.0/24 === 10.101.10.0/24
con1-001{25}: ROUTED, TUNNEL, reqid 1
con1-001{25}: 10.99.0.0/24 === 10.101.12.0/24
con1{24}: ROUTED, TUNNEL, reqid 7
con1{24}: 10.99.3.0/24 === 10.101.12.0/24

Security Associations (1 up, 0 connecting):
con1[46]: ESTABLISHED 6 minutes ago, 10.99.1.10[vpn.nasadomena.com]...xx.xx.xx.xx[xx.xx.xx.xx]
con1[46]: IKEv2 SPIs: 3b2c3caf12c2ab2b_i* 924ee645628a06d8_r, pre-shared key reauthentication in 7 hours
con1[46]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1-005{141}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c1e77d0d_i 0e5d311f_o
con1-005{141}: AES_CBC_256/HMAC_SHA2_256_128, 1471 bytes_i (2 pkts, 1s ago), 346480 bytes_o (2720 pkts, 1s ago), rekeying in 36 minutes
con1-005{141}: 10.98.0.0/24 === 10.101.11.0/24
con1-003{142}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: ca1f9729_i 07391316_o
con1-003{142}: AES_CBC_256/HMAC_SHA2_256_128, 1608 bytes_i (2 pkts, 132s ago), 1416 bytes_o (6 pkts, 121s ago), rekeying in 38 minutes
con1-003{142}: 10.99.0.0/24 === 10.101.11.0/24
con1-004{143}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: ce70238c_i 0f721d42_o
con1-004{143}: AES_CBC_256/HMAC_SHA2_256_128, 3068964 bytes_i (4684 pkts, 0s ago), 2472976 bytes_o (4944 pkts, 0s ago), rekeying in 43 minutes
con1-004{143}: 10.99.0.0/24 === 10.113.12.0/24
con1-001{144}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6722e19_i 0fadf2ff_o
con1-001{144}: AES_CBC_256/HMAC_SHA2_256_128, 462192 bytes_i (605 pkts, 184s ago), 0 bytes_o (0 pkts, 171s ago), rekeying in 44 minutes
con1-001{144}: 10.99.0.0/24 === 10.101.12.0/24
con1-002{145}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c90d0896_i 0f443b19_o
con1-002{145}: AES_CBC_256/HMAC_SHA2_256_128, 2747596 bytes_i (3486 pkts, 152s ago), 1524 bytes_o (11 pkts, 14s ago), rekeying in 45 minutes
con1-002{145}: 10.99.0.0/24 === 10.101.10.0/24


As you can see, the "ROUTED, TUNNEL" entry is set up, but under "INSTALLED, TUNNEL" it is nowhere present.

If I then do an ipsec up con1, this route also shows up as INSTALLED, TUNNEL, but it disappears when the rekey takes place. I really don't understand this behaviour.



Matt
#3
Hello!

I have a problem that I alone am unable to solve, and with high hopes that with your help I can find the solution, I came here to this community.

Topology:
Point A: OPNsense 21.7.2_1-amd64 as a virtual machine in AWS EC2
Point B: Mikrotik RB2011UiAS with RouterOS 6.48.1

Between those two points I have a single IPsec IKEv2 tunnel with multiple phase 2 entries. All the phase 2 entries are working without any problems, but I had to add a new one, because I got a new subnet in AWS EC2 that I need to reach from Point B.

So what I did was simply copy one of the existing entries and just change the networks that I need. Here is a screenshot of how this looks:



The new entry is the one that has the local subnet defined as 10.99.3.0/24 and goes to the remote network 10.101.11.0/24.

The same is of course configured on Point B on the Mikrotik:



After I confirm the changes on OPNsense and on the Mikrotik, I get some debug messages on both sides.



OPNSense:
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  policy 10.101.11.0/24 === 10.99.3.0/24 in already exists, increasing refcount
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:31:18 charon 62079 14 KNL   con1 6  updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:18 charon 62079 14 KNL   con1 6  deleting policy 10.101.11.0/24 === 10.99.3.0/24 in



On the Mikrotik I only get the info that there is no phase 2 present for this network. Also on OPNsense, when I go under Status Overview for IPsec, I can't see this route being added.

I really have no clue what I am doing wrong. I hope I provided enough information so that you can help me out, for which I thank you in advance!

Kind regards,
Matjaz
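The two symptoms in posts #2 and #3 can be checked mechanically from the ipsec statusall output: post #2 shows a child entry (10.99.3.0/24 === 10.101.12.0/24) that appears under "Routed Connections" but has no "INSTALLED" security association, and post #3's charon log says "no local address found in traffic selector 10.99.3.0/24", while none of the listening addresses in post #2 lies inside 10.99.3.0/24. The script below is an added example, not code from the posts or from OPNsense/strongSwan. It parses a constructed, trimmed copy of the posted statusall output (peer IPs were already masked by the poster) and reports (a) trap policies, ROUTED in strongSwan terms, that have no installed CHILD_SA, and (b) local traffic selectors that contain none of charon's listening addresses. Treating (b) as the condition that produces the "no local address found" message is an assumption stated in the code; the page does not establish that it is the reason the child SA is not installed.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the `ipsec statusall` output posted
# in #2. Peer public IPs were already masked by the poster; only the child
# SAs needed to show the problem are kept.
SAMPLE_STATUSALL = """\
Listening IP addresses:
  10.99.1.10
  10.99.0.253
  10.99.0.252
  10.99.2.253
  10.98.0.1
  10.98.16.1
Connections:
       con1:  10.99.1.10...xx.xxx.xx.xx  IKEv2
       con1:   child:  10.99.3.0/24 === 10.101.12.0/24 TUNNEL
   con1-001:   child:  10.99.0.0/24 === 10.101.12.0/24 TUNNEL
   con1-005:   child:  10.98.0.0/24 === 10.101.11.0/24 TUNNEL
Routed Connections:
   con1-005{29}:  ROUTED, TUNNEL, reqid 5
   con1-005{29}:   10.98.0.0/24 === 10.101.11.0/24
   con1-001{25}:  ROUTED, TUNNEL, reqid 1
   con1-001{25}:   10.99.0.0/24 === 10.101.12.0/24
       con1{24}:  ROUTED, TUNNEL, reqid 7
       con1{24}:   10.99.3.0/24 === 10.101.12.0/24
Security Associations (1 up, 0 connecting):
       con1[46]: ESTABLISHED 6 minutes ago, 10.99.1.10[vpn.nasadomena.com]...xx.xx.xx.xx[xx.xx.xx.xx]
   con1-005{141}:  INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c1e77d0d_i 0e5d311f_o
   con1-005{141}:   10.98.0.0/24 === 10.101.11.0/24
   con1-001{144}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6722e19_i 0fadf2ff_o
   con1-001{144}:   10.99.0.0/24 === 10.101.12.0/24
"""

# Section headers of `ipsec statusall`; the SA header carries "(1 up, ...)".
SECTION_RE = re.compile(
    r"^(Listening IP addresses|Connections|Routed Connections|Security Associations).*:$"
)
# "   con1{24}:   10.99.3.0/24 === 10.101.12.0/24" -> name, local TS, remote TS
TS_RE = re.compile(r"^\s*([\w-]+)\{\d+\}:\s+(\S+)\s+===\s+(\S+)")


def parse_statusall(text):
    """Return the listening addresses plus the (name, local, remote) child
    traffic selectors listed as ROUTED (trap policies) and as INSTALLED SAs."""
    listening, routed, installed = [], [], []
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Listening IP addresses" and line.strip():
            listening.append(ipaddress.ip_address(line.strip()))
        elif section in ("Routed Connections", "Security Associations"):
            m = TS_RE.match(line)
            if m:
                entry = (m.group(1), m.group(2), m.group(3))
                (routed if section == "Routed Connections" else installed).append(entry)
    return {"listening": listening, "routed": routed, "installed": installed}


def routed_not_installed(parsed):
    """Trap policies whose traffic selectors match no installed CHILD_SA:
    configured tunnels that are currently not negotiated."""
    up = {(loc, rem) for _, loc, rem in parsed["installed"]}
    return [e for e in parsed["routed"] if (e[1], e[2]) not in up]


def local_ts_without_address(parsed):
    """Local traffic selectors containing none of charon's listening addresses.
    Assumption (not stated on the page): this is the condition under which
    charon logs 'no local address found in traffic selector X' while
    installing the route for that policy."""
    flagged = []
    for name, loc, rem in parsed["routed"]:
        net = ipaddress.ip_network(loc, strict=False)
        if not any(ip in net for ip in parsed["listening"]):
            flagged.append((name, loc, rem))
    return flagged


if __name__ == "__main__":
    parsed = parse_statusall(SAMPLE_STATUSALL)
    for name, loc, rem in routed_not_installed(parsed):
        print(f"{name}: {loc} === {rem} is ROUTED but has no INSTALLED SA")
    for name, loc, rem in local_ts_without_address(parsed):
        print(f"{name}: no listening address inside local TS {loc}")
```

On the live box the same checks run against the real output by replacing SAMPLE_STATUSALL with the result of ipsec statusall; a child listed by the first function only when traffic is idle is normal for a trap policy, so compare while traffic for that subnet is flowing.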