Messages - Moonshine

#1
Just to say I've seen issues with the traffic reporting as well.  Basically host traffic is being shown/reported at 1/2 the actual rate. I have an issue opened at Github here https://github.com/opnsense/core/issues/7421

It seems odd there aren't more reports -- assuming I'm not missing something. :)   I guess it's just not used much. ¯\(ツ)/¯
#2
I was looking for this also.  Personally I'm waiting (hoping?) for it to be added, as the Kea integration seems pretty raw currently.  (Also doesn't seem to integrate reservation hostnames with DNS forward/reverse lookup?)

Anyway, if you're more ambitious there was info here for options in Kea:

https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#custom-dhcpv4-options

And the config files in OPNsense seem to be in /usr/local/etc/kea, although I'm not sure if edits would persist through changes via the UI.
#3
Thanks everyone..  No chance of getting them to update, but in the end their firewall was misconfigured which was the issue.  I have to use the OPNsense IPsec legacy config for their older options, but hopefully we should be able to toss this VPN after a few weeks of development. 
#4
Yep, this is a little brutal if you need to re-configure wg0.   Seems like a new validation rule needs tweaking.  Hope it gets in the next update... soon. :'(

EDIT:  Looks like a fix is coming.  https://github.com/opnsense/core/commit/ca04a7943fdf4c87f1c73990f0447796410de457
#5
Lost mine also..


    <gateway_item>
      <interface>wan</interface>
      <gateway>x.x.x.x</gateway>
      <name>WAN_GW</name>
      <priority/>
      <weight/>
      <ipprotocol>inet</ipprotocol>
      <interval/>
      <descr>Spectrum Cable Gateway</descr>
      <defaultgw>1</defaultgw>
    </gateway_item>
#6
Funny.. I was actually looking at that Cisco page for clues until I saw it was using deprecated SS configuration files.  :-X.

Still it didn't seem far off from the configuration I *think* I'm working against, other than the example seemed to show "group 5" being used (1536 bits) instead of 2.

#7
Thank you both for the info and hints! 

Not connected yet, but it's definitely helped me track things further. 

Using the old legacy UI and trial and error it seems they are using SHA1 (at least Phase 1 only connects with aes256-sha1-modp1024).

However for Phase 2 using aes256-sha1-modp1024 I still get the same error logged.  So I'm not sure what to think. I guess I'm making other assumptions like the mode set to "tunnel", etc, not knowing IPsec.

It seems it's time to call them and discuss options.  This is just to access a "development/testing VPN" of a company we need to do some integration work with -- which will be easier than the VPN config. :)  They are using a Cisco ASA 5505 which seems to be a little dated from what I can tell.
#8
Hello,

I'm trying to establish an IPsec VPN with a remote Cisco ASA.  I use OpenVPN and WireGuard regularly, but unfortunately this is my first IPsec attempt. 

I'm running OPNsense 23.7.11 and using the "newer" connections UI for IPsec configuration.  So far I seem to have the "Phase 1" portion working, as I see connected in the "Status Overview" and the following logged:


...
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> maximum IKE_SA lifetime 14550s
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> scheduling rekeying in 13110s
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> IKE_SA 0fa995fb-0f0c-4e64-af3c-481ea320004f[1] established between a.a.a.a[a.a.a.a]...b.b.b.b[b.b.b.b]
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> authentication of 'b.b.b.b' with pre-shared key successful
...


However then it logs:

2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> failed to establish CHILD_SA, keeping IKE_SA
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built


Which from Googling seems to mean some issue/mismatch with the ESP proposal in the children of the connection (?).  Currently I have the ESP proposals set to "default" and have the following from the VPN peer (see attachment).  In looking through the list for ESP proposal the only thing I saw that seemed like it might match is "aes256-sha512-modp1024 [DH2]" just going off the DH2 primarily (Diffie-Hellman #2?) But choosing that doesn't seem to help.

Anyway, looking for any suggestions at this point as I feel like I've jumped into the deep end with IPsec vs WG and OpenVPN.

Thanks!
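The two log lines in this post (and the Phase 2 puzzle in post #7) turn on one distinction: a NO_PROPOSAL_CHOSEN notify that arrives after "IKE_SA ... established" was sent by the peer in the CREATE_CHILD_SA / IKE_AUTH exchange and rejects the ESP proposals, while the same notify before any IKE_SA line rejects the IKE proposals. Below is an added example, not from this post or from OPNsense, that classifies a charon log excerpt on that basis. The first sample is the post's own lines; the phase-1 failure sample and the connection name are constructed. One caveat worth knowing for Phase 2: in strongSwan an ESP proposal that names a DH group (for example aes256-sha1-modp1024) means PFS with that group, so it only matches a peer that also has PFS with group 2 configured; a peer without PFS needs the proposal without a group.

```shell
#!/bin/sh
# Added example (not from the forum post or OPNsense): classify a charon
# (strongSwan) log excerpt by how far the IKEv2 negotiation got.
# The same NO_PROPOSAL_CHOSEN notify means different things depending on
# whether an IKE_SA had already been established when it arrived.

# Sample lines taken from the post above (a working tunnel would also log a
# "CHILD_SA ... established with SPIs" line, which is absent here).
SAMPLE_LOG="2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> IKE_SA 0fa995fb-0f0c-4e64-af3c-481ea320004f[1] established between a.a.a.a[a.a.a.a]...b.b.b.b[b.b.b.b]
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> failed to establish CHILD_SA, keeping IKE_SA
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"

# Constructed sample of a Phase 1 failure: the peer rejects the IKE proposal,
# so no IKE_SA line is ever logged (connection name "con" is made up).
SAMPLE_PHASE1_FAIL="2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <con|1> received NO_PROPOSAL_CHOSEN notify error"

# Read log lines on stdin, print one label describing where negotiation stopped.
classify_ike_log() {
    awk '
        /IKE_SA [^ ]+ established between/     { ike = 1 }
        /CHILD_SA [^ ]+ established with SPIs/ { child = 1 }
        /received NO_PROPOSAL_CHOSEN notify/   { npc = 1 }
        /received TS_UNACCEPTABLE notify/      { ts = 1 }
        END {
            if (child)           print "established"
            else if (ts)         print "phase2-selectors"
            else if (ike && npc) print "phase2-proposal"
            else if (npc)        print "phase1-proposal"
            else                 print "unknown"
        }'
}

# Map a label to the thing to compare against the peer's configuration.
explain_label() {
    case "$1" in
        established)      echo "IKE_SA and CHILD_SA both up" ;;
        phase2-proposal)  echo "IKE_SA up; peer rejected every ESP proposal: compare cipher/integrity and, if a DH group is listed (PFS), that group with the peer's IPsec transform set" ;;
        phase2-selectors) echo "IKE_SA up; peer rejected the traffic selectors (local/remote networks)" ;;
        phase1-proposal)  echo "peer rejected every IKE (Phase 1) proposal before authentication" ;;
        *)                echo "no proposal verdict found in this excerpt" ;;
    esac
}

# Stand-alone run over the post's excerpt.
label=$(printf '%s\n' "$SAMPLE_LOG" | classify_ike_log)
echo "$label: $(explain_label "$label")"
```

On a live OPNsense box the same function can be fed the IPsec log excerpt (for example the output of `grep charon` over the exported log) instead of the embedded sample; it only looks at the three message texts above, so unrelated lines are ignored.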
#9
23.1 Legacy Series / Re: Unbound logging/cpu usage
February 14, 2023, 04:34:13 PM
FWIW, I ran into rising CPU with Unbound stats enabled as well.  They eventually leveled out, but I ended up turning them off since it was substantial.  Not sure if the patch mentioned is worth testing or not?



#10
Is it me or are the download mirrors on https://opnsense.org/download/ missing files?   I tried the DVD and VGA images on about 6 and got 404s.  Maybe a file naming issue?
#11
Just some notes and answers for anyone heading down this same path, or future me. :)

If you do a single drive ZFS install of OPNsense, the drive is actually added to the pool by GPT label (gpt/zfs0) rather than partition name (e.g. ada0p3).  So you'll have to take that into account in the zpool attach command.  (Curiously if a mirror is configured during install the drives seem to be added by partition name)

In the end I ran into trouble with the adapter I was going to use to add the second drive.  To the point where I actually re-installed because of all the write errors I saw.  :-\  So to answer my question above about swap, when OPNsense does a ZFS mirrored install it appears to add a separate swap partition on each drive and includes both in fstab.

All good now, but was hoping to avoid the re-install and config fire drill.  Glad to see re-applying the backup config works well though! :)
#12
22.1 Legacy Series / Re: Insight delayed reporting?
January 19, 2022, 05:12:50 PM
I guess I'm thinking the same thing, but what seems odd is that the "yet to be calculated" tail end isn't void of data for the interfaces -- it's just showing some portion of it, it seems.  Obviously not the end of the world, but tricky to know where the valid end of the graph displayed is :)
#13
Thanks!  I'm going to give it a shot tonight.

I hadn't considered the swap partition, but it seems like that would be safest in case ada0 has a complete meltdown.

I am a little curious if OPNsense would normally create a GEOM mirror for swap when choosing ZFS mirroring during install though -- as I generally like to keep as close to "stock" under the hood as possible. :)

In any case I took a stab at what I feel might be the procedure, but people feel free to pick it apart if I'm way off!


swapoff -a
dd if=/dev/zero of=/dev/ada0p3
dd if=/dev/zero of=/dev/ada1p3
gmirror label -v -b round-robin swap /dev/ada0p3 /dev/ada1p3

# Check if there is a mirror now?
gmirror status
ls /dev/mirror/swap

# If so edit /etc/fstab to ..
/dev/mirror/swap none swap sw 0 0

swapon -a


Thanks again,

-James
#14
I have an existing (single drive) ZFS based install which I'd like to add an (identical) mirror drive to -- ideally without a re-install and config reload.

I feel the following should do it, but considering my experience with BSD and ZFS are limited, perhaps someone could confirm? :)

Output from "gpart show":


=>        40  1000215136  ada0  GPT  (477G)
          40      532480     1  efi  (260M)
      532520        1024     2  freebsd-boot  (512K)
      533544         984        - free -  (492K)
      534528    16777216     3  freebsd-swap  (8.0G)
    17311744   982902784     4  freebsd-zfs  (469G)
  1000214528         648        - free -  (324K)


Thinking this should do it?


gpart backup ada0 | gpart restore -F ada1
dd if=/dev/ada0p1 of=/dev/ada1p1
dd if=/dev/ada0p2 of=/dev/ada1p2
zpool attach zroot ada0p4 ada1p4


Thanks!

-James
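The step that bites in this plan is the last one: `zpool attach` needs the existing member named exactly as `zpool status` reports it, and post #11 above found that a single-disk install adds it by GPT label (gpt/zfs0), not as ada0p4. The following added example, which is not from these posts or from OPNsense, derives the attach command from `zpool status` and `gpart show` output instead of typing the vdev name by hand, and refuses to proceed when the pool is already a mirror. The two command outputs are constructed samples (the gpart layout is copied from this thread, the status output is made up to match post #11) so the script runs without gpart/zpool present; pool name zroot and disks ada0/ada1 follow the post.

```shell
#!/bin/sh
# Added example (not from the forum posts or OPNsense): plan the "attach a
# mirror disk" step without assuming the existing vdev is called ada0p4.
# zpool attach wants the existing member named the way `zpool status` shows
# it; a single-disk OPNsense ZFS install adds it by GPT label (gpt/zfs0),
# so `zpool attach zroot ada0p4 ada1p4` would not find the member.

# Constructed `zpool status zroot` for a single-disk install (label vdev).
SAMPLE_ZPOOL_STATUS='  pool: zroot
 state: ONLINE
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          gpt/zfs0  ONLINE       0     0     0

errors: No known data errors'

# `gpart show ada0` as posted in the thread.
SAMPLE_GPART_SHOW='=>        40  1000215136  ada0  GPT  (477G)
          40      532480     1  efi  (260M)
      532520        1024     2  freebsd-boot  (512K)
      533544         984        - free -  (492K)
      534528    16777216     3  freebsd-swap  (8.0G)
    17311744   982902784     4  freebsd-zfs  (469G)
  1000214528         648        - free -  (324K)'

# Print the first vdev listed under the pool line of `zpool status` (stdin).
# On a single-disk pool that is the member itself (gpt/zfs0 or ada0p4); on a
# mirrored pool it is "mirror-0", which the planner treats as an error.
pool_leaf_vdev() {
    awk -v pool="$1" '
        $1 == pool && NF >= 2 { inpool = 1; next }
        inpool && NF >= 2     { print $1; exit }
    '
}

# Print the index of the freebsd-zfs partition from `gpart show` output (stdin).
zfs_partition_index() {
    awk '$4 == "freebsd-zfs" { print $3; exit }'
}

# plan_attach POOL NEWDISK ZPOOL_STATUS_TEXT GPART_SHOW_TEXT
# Echoes the zpool attach command; returns 1 when the pool is not the
# single-vdev case this plan is written for.
plan_attach() {
    pool=$1 newdisk=$2
    leaf=$(printf '%s\n' "$3" | pool_leaf_vdev "$pool")
    idx=$(printf '%s\n' "$4" | zfs_partition_index)
    case "$leaf" in
        "")       echo "error: pool $pool not found in status output" >&2; return 1 ;;
        mirror-*) echo "error: $pool already contains $leaf" >&2; return 1 ;;
    esac
    [ -n "$idx" ] || { echo "error: no freebsd-zfs partition in gpart output" >&2; return 1; }
    # Existing member by its pool name, new member by partition on the new disk.
    echo "zpool attach $pool $leaf ${newdisk}p${idx}"
}

# Stand-alone run: the thread's step list, with the attach line derived.
echo "gpart backup ada0 | gpart restore -F ada1"
echo "dd if=/dev/ada0p1 of=/dev/ada1p1"
echo "dd if=/dev/ada0p2 of=/dev/ada1p2"
plan_attach zroot ada1 "$SAMPLE_ZPOOL_STATUS" "$SAMPLE_GPART_SHOW"
```

The script only prints the commands; on a real system replace the two sample variables with `zpool status zroot` and `gpart show ada0` output, check the printed attach line against `zpool status`, and run it by hand. After the attach, `zpool status` should show a mirror-0 containing both members and a resilver in progress.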
#15
22.1 Legacy Series / Insight delayed reporting?
January 16, 2022, 07:37:05 PM
Hello... 

Noticed something odd with Insight reporting.  Sorry if it's not specific to 22.1-rc1 (that I'm running) as this is my first/only OPNsense install.  (Needed 22.1 for my hardware with Intel I225-V interfaces)

Basically it seems like the most recent data (up to 20+ minutes) doesn't really contain complete stats/totals -- which are then updated later (periodically?). 

Hard to explain, but here is an example with a running 7Mbps video stream.  The stream was running continuously when both shots were taken.  On this first shot you'll see the stream "seems" to have dropped off at maybe 20 minutes ago (10:40) -- although it's still running:



Re-loading Insights 11 minutes later, we see the previous stream data has now filled in:



Seems odd.  If complete/tabulated data is only available periodically, I guess I would assume the graphs would only show to that point. But maybe not?

Things have been solid for me (so far) with 22.1-rc1 and the I225-V interfaces though! :)

-James