Messages - Lokutos

#1
I currently have an unstable IPsec site-to-site VPN which drops the connection multiple times a day...
(Only if I use the new Connections tab; the legacy one works ...)

OPNsense 24.7.5_3-amd64


2024-11-08T07:06:58 Informational charon 09[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed INFORMATIONAL_V1 request 777691194 [ HASH N(DPD) ]
2024-11-08T07:06:58 Informational charon 09[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (108 bytes)
2024-11-08T07:05:56 Informational charon 14[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (108 bytes)
2024-11-08T07:05:56 Informational charon 14[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating INFORMATIONAL_V1 request 2195210381 [ HASH N(DPD_ACK) ]
2024-11-08T07:05:56 Informational charon 14[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed INFORMATIONAL_V1 request 4103523366 [ HASH N(DPD) ]
2024-11-08T07:05:56 Informational charon 14[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (108 bytes)
2024-11-08T07:04:52 Informational charon 13[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|69> received NO_PROPOSAL_CHOSEN error notify
2024-11-08T07:04:52 Informational charon 13[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|69> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
2024-11-08T07:04:52 Informational charon 13[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|69> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (92 bytes)
2024-11-08T07:04:52 Informational charon 13[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (204 bytes)
2024-11-08T07:04:52 Informational charon 13[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating ID_PROT request 0 [ SA V V V V V ]
2024-11-08T07:04:52 Informational charon 13[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> initiating Main Mode IKE_SA xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2[69] to 1.2.3.4
2024-11-08T06:54:12 Informational charon 10[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA not found, ignored
2024-11-08T06:54:12 Informational charon 10[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI c9d78007
2024-11-08T06:54:12 Informational charon 10[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> closing CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{349} with SPIs c9d78007_i (64089423 bytes) 22e87b7c_o (0 bytes) and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T06:54:12 Informational charon 10[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI 22e87b7c
2024-11-08T06:54:12 Informational charon 10[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed INFORMATIONAL_V1 request 2650178932 [ HASH D ]
2024-11-08T06:54:12 Informational charon 10[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (92 bytes)
2024-11-08T06:54:02 Informational charon 13[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (76 bytes)
2024-11-08T06:54:02 Informational charon 13[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 3395778535 [ HASH ]
2024-11-08T06:54:02 Informational charon 13[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{354} established with SPIs cfe6ef46_i 4c087b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T06:54:02 Informational charon 13[CFG] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2024-11-08T06:54:02 Informational charon 13[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed QUICK_MODE response 3395778535 [ HASH SA No KE ID ID N((24576)) ]
2024-11-08T06:54:02 Informational charon 13[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (460 bytes)
2024-11-08T06:54:01 Informational charon 13[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (460 bytes)
2024-11-08T06:54:01 Informational charon 13[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 3395778535 [ HASH SA No KE ID ID ]
2024-11-08T05:56:16 Informational charon 07[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA not found, ignored
2024-11-08T05:56:16 Informational charon 07[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI c74bc301
2024-11-08T05:56:16 Informational charon 07[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> closing CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{344} with SPIs c74bc301_i (493871 bytes) 87507b7c_o (0 bytes) and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T05:56:16 Informational charon 07[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI 87507b7c
2024-11-08T05:56:16 Informational charon 07[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed INFORMATIONAL_V1 request 2517905844 [ HASH D ]
2024-11-08T05:56:16 Informational charon 07[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (92 bytes)
2024-11-08T05:56:05 Informational charon 07[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (76 bytes)
2024-11-08T05:56:05 Informational charon 07[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 1167366992 [ HASH ]
2024-11-08T05:56:05 Informational charon 07[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{349} established with SPIs c9d78007_i 22e87b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T05:56:05 Informational charon 07[CFG] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2024-11-08T05:56:05 Informational charon 07[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed QUICK_MODE response 1167366992 [ HASH SA No KE ID ID N((24576)) ]
2024-11-08T05:56:05 Informational charon 07[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (460 bytes)
2024-11-08T05:56:05 Informational charon 07[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (460 bytes)
2024-11-08T05:56:05 Informational charon 07[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 1167366992 [ HASH SA No KE ID ID ]
2024-11-08T05:00:49 Informational charon 09[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA not found, ignored
2024-11-08T05:00:49 Informational charon 09[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI c83dcbc4
2024-11-08T05:00:49 Informational charon 09[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> closing CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{341} with SPIs c83dcbc4_i (519342 bytes) 9d287b7c_o (0 bytes) and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T05:00:49 Informational charon 09[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI 9d287b7c
2024-11-08T05:00:49 Informational charon 09[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed INFORMATIONAL_V1 request 922369621 [ HASH D ]
2024-11-08T05:00:49 Informational charon 09[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (92 bytes)
2024-11-08T05:00:38 Informational charon 09[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (76 bytes)
2024-11-08T05:00:38 Informational charon 09[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 2849869096 [ HASH ]
2024-11-08T05:00:38 Informational charon 09[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{344} established with SPIs c74bc301_i 87507b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T05:00:38 Informational charon 09[CFG] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2024-11-08T05:00:38 Informational charon 09[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed QUICK_MODE response 2849869096 [ HASH SA No KE ID ID N((24576)) ]
2024-11-08T05:00:38 Informational charon 09[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (460 bytes)
2024-11-08T05:00:38 Informational charon 09[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (460 bytes)
2024-11-08T05:00:38 Informational charon 09[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 2849869096 [ HASH SA No KE ID ID ]
2024-11-08T04:05:06 Informational charon 04[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA not found, ignored
2024-11-08T04:05:06 Informational charon 04[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI cfcad067
2024-11-08T04:05:06 Informational charon 04[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> closing CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{338} with SPIs cfcad067_i (496398 bytes) 32f87b7c_o (0 bytes) and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T04:05:06 Informational charon 04[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received DELETE for ESP CHILD_SA with SPI 32f87b7c
2024-11-08T04:05:06 Informational charon 04[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed INFORMATIONAL_V1 request 2509887601 [ HASH D ]
2024-11-08T04:05:06 Informational charon 04[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (92 bytes)
2024-11-08T04:04:55 Informational charon 08[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (76 bytes)
2024-11-08T04:04:55 Informational charon 08[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 2009410859 [ HASH ]
2024-11-08T04:04:55 Informational charon 08[IKE] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> CHILD_SA 1e40b98e-f586-4c02-9783-f132a3c5fd2b{341} established with SPIs c83dcbc4_i 9d287b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T04:04:55 Informational charon 08[CFG] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2024-11-08T04:04:55 Informational charon 08[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> parsed QUICK_MODE response 2009410859 [ HASH SA No KE ID ID N((24576)) ]
2024-11-08T04:04:55 Informational charon 08[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> received packet: from 1.2.3.4[500] to 9.8.7.6[500] (460 bytes)
2024-11-08T04:04:55 Informational charon 08[NET] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> sending packet: from 9.8.7.6[500] to 1.2.3.4[500] (460 bytes)
2024-11-08T04:04:55 Informational charon 08[ENC] <xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx3a2|67> generating QUICK_MODE request 2009410859 [ HASH SA No KE ID ID ]


Does anyone have a hint for me?
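An added example (not part of the original post, and not OPNsense or strongSwan code) that turns a charon log like the one above into the per-CHILD_SA facts worth having before guessing at a cause: how long each CHILD_SA lived, whether a DELETE from the peer ended it, whether its byte counters show traffic in one direction only, whether the close came within a minute of a replacement CHILD_SA being established (rekey cleanup rather than an outage), and where the peer answered NO_PROPOSAL_CHOSEN. The sample lines are a chronological subset of the post's own log with the connection UUID shortened to "conn"; the 60-second rekey window is an assumption.

```python
"""Reconstruct CHILD_SA lifetimes from strongSwan (charon) IKEv1 log lines and flag
peer-initiated DELETEs, one-directional byte counters and NO_PROPOSAL_CHOSEN notifies.
Added example for this thread; not OPNsense or strongSwan code."""
import re
from datetime import datetime

# Constructed sample: a chronological subset of the lines in the post above, with the
# connection UUID shortened to "conn" (the real log prints the full UUID in both places).
SAMPLE_LOG = """\
2024-11-08T05:00:38 Informational charon 09[IKE] <conn|67> CHILD_SA conn{344} established with SPIs c74bc301_i 87507b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T05:56:05 Informational charon 07[IKE] <conn|67> CHILD_SA conn{349} established with SPIs c9d78007_i 22e87b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T05:56:16 Informational charon 07[IKE] <conn|67> received DELETE for ESP CHILD_SA with SPI 87507b7c
2024-11-08T05:56:16 Informational charon 07[IKE] <conn|67> closing CHILD_SA conn{344} with SPIs c74bc301_i (493871 bytes) 87507b7c_o (0 bytes) and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T06:54:02 Informational charon 13[IKE] <conn|67> CHILD_SA conn{354} established with SPIs cfe6ef46_i 4c087b7c_o and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T06:54:12 Informational charon 10[IKE] <conn|67> received DELETE for ESP CHILD_SA with SPI 22e87b7c
2024-11-08T06:54:12 Informational charon 10[IKE] <conn|67> closing CHILD_SA conn{349} with SPIs c9d78007_i (64089423 bytes) 22e87b7c_o (0 bytes) and TS 10.0.0.0/15 === 192.168.0.0/24
2024-11-08T07:04:52 Informational charon 13[IKE] <conn|67> initiating Main Mode IKE_SA conn[69] to 1.2.3.4
2024-11-08T07:04:52 Informational charon 13[IKE] <conn|69> received NO_PROPOSAL_CHOSEN error notify
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ charon \d+\[[A-Z]+\] <[^|>]+\|(?P<ike>\d+)> (?P<msg>.*)$")
EST_RE = re.compile(r"CHILD_SA \S+\{(?P<id>\d+)\} established with SPIs (?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")
CLOSE_RE = re.compile(r"closing CHILD_SA \S+\{(?P<id>\d+)\} with SPIs (?P<spi_i>[0-9a-f]+)_i \((?P<bytes_i>\d+) bytes\) "
                      r"(?P<spi_o>[0-9a-f]+)_o \((?P<bytes_o>\d+) bytes\)")
DEL_RE = re.compile(r"received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")

REKEY_WINDOW_S = 60  # assumption: a close this soon after a replacement CHILD_SA came up is rekey cleanup


def parse_events(text, newest_first=False):
    """(timestamp, ike_sa_number, message) tuples in chronological order.
    The OPNsense log viewer lists the newest line first; pass newest_first=True for such a paste."""
    lines = text.splitlines()
    if newest_first:
        lines.reverse()
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ike"], m["msg"]))
    events.sort(key=lambda e: e[0])  # stable sort: same-second lines keep their file order
    return events


def summarise(text, newest_first=False):
    child_sas = {}        # child id -> lifecycle record
    peer_deletes = set()  # SPIs named in DELETE payloads the peer sent us
    no_proposal = []      # (timestamp, ike_sa_number) where the peer rejected our proposal
    for ts, ike, msg in parse_events(text, newest_first):
        if m := EST_RE.search(msg):
            child_sas[m["id"]] = {"up": ts, "down": None, "spi_i": m["spi_i"], "spi_o": m["spi_o"]}
        elif m := DEL_RE.search(msg):
            peer_deletes.add(m["spi"])
        elif m := CLOSE_RE.search(msg):
            sa = child_sas.setdefault(m["id"], {"up": None, "down": None,
                                                 "spi_i": m["spi_i"], "spi_o": m["spi_o"]})
            sa["down"] = ts
            sa["bytes_i"], sa["bytes_o"] = int(m["bytes_i"]), int(m["bytes_o"])
            sa["lifetime_s"] = int((ts - sa["up"]).total_seconds()) if sa["up"] else None
            # the close was triggered by the peer if a DELETE named one of this SA's SPIs
            sa["peer_deleted"] = bool({m["spi_i"], m["spi_o"]} & peer_deletes)
            # bytes on only one SPI: traffic flowed in one direction only on this SA
            sa["one_way"] = (sa["bytes_i"] == 0) != (sa["bytes_o"] == 0)
            # a different CHILD_SA established shortly before this close: rekey cleanup, not an outage
            sa["rekey_cleanup"] = any(
                other is not sa and other["up"] is not None
                and 0 <= (ts - other["up"]).total_seconds() <= REKEY_WINDOW_S
                for other in child_sas.values())
        elif "NO_PROPOSAL_CHOSEN" in msg:
            no_proposal.append((ts, ike))
    return {"child_sas": child_sas, "no_proposal": no_proposal}


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for cid, sa in sorted(result["child_sas"].items(), key=lambda kv: int(kv[0])):
        print(f"CHILD_SA {{{cid}}}: up={sa['up']} down={sa['down']} lifetime={sa.get('lifetime_s')}s "
              f"peer_deleted={sa.get('peer_deleted')} one_way={sa.get('one_way')} "
              f"rekey_cleanup={sa.get('rekey_cleanup')}")
    for ts, ike in result["no_proposal"]:
        print(f"{ts}: IKE_SA [{ike}] got NO_PROPOSAL_CHOSEN from the peer")
```

On the sample, both closed CHILD_SAs lived roughly 55 to 58 minutes, were deleted by the peer about ten seconds after a replacement CHILD_SA had been established, and carried bytes on one SPI only. The NO_PROPOSAL_CHOSEN at 07:04:52 answers the Main Mode (ID_PROT) request of the new IKE_SA [69] in the post's log, so the Phase 1 proposals on both ends are worth comparing before the Phase 2 ones. A paste from the OPNsense log viewer is newest-first and needs newest_first=True.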
#2
23.1 Legacy Series / Re: New IPSEC guides?
March 20, 2023, 02:02:22 AM
What do you need?

First answer: yes, the log file is used... (switching to debug gives the most errors if something does not work)


If you give me your info on what kind of VPN you want to create, I can give you a guide on how to set it up.

VTI or policy-based?
(I recommend VTI / routed)
#3
Virtual private networks / VTI FQDN [new] Config
March 20, 2023, 01:34:16 AM
I am migrating my VTI route-based VPNs from the old config style to the new "Connection" style.

Currently I use FQDNs everywhere, but now I'm struggling.

In the menus VPN -> IPsec -> Virtual Tunnel Interface
I have to create an interface, but I'm unable to enter an FQDN for the other or my local address.
I have to use the WAN IPs,
but if I want to connect a firewall with a DNS name, it shows me an error (Not valid IP Address).

If I create it with an IP and only use an FQDN in the Connection, there is no traffic ...

Is it not possible to use FQDNs with the new config style?


#4
Virtual private networks / Wireguard and OSPF
January 15, 2023, 03:36:23 PM
Just searching for agreement or a better solution ;-)

I have

Site A / Site B / Site C (and many others)
Now I want to switch from IPsec to WireGuard.

The current config is:
every firewall has one site-to-site IPsec VPN with a route-based Phase 2;
for this site-to-site, I have configured an interface with no IP config.

This results in the end in

Site A        Site B       Site C
10.0.0.1     10.0.0.2    10.0.0.3

and IPsec tunnels from
Site A 10.0.0.1 <-> Site B 10.0.0.2
Site B 10.0.0.2 <-> Site C 10.0.0.3
Site C 10.0.0.3 <-> Site A 10.0.0.1

And over all of it, OSPF is working...


Now I want to switch to WireGuard.

So in my understanding I have to create one tunnel per connection, like with IPsec before,
but I have to assign the IP in the interface, which results in it not being possible because an IP can only be assigned to one interface.

The other way, where I just use one WireGuard setting and add all endpoints/other sites to it, it's not possible to add 0.0.0.0/0 (or the required 224.0.0.0/24) to all endpoints.

So is it right that I have to use one WireGuard tunnel per connection
and have to use a different local IP for each connection?

This results in
tunnels from
Site A 10.0.0.1 <-> Site B 10.0.0.2
Site B 10.0.0.3 <-> Site C 10.0.0.4
Site C 10.0.0.5 <-> Site A 10.0.0.6

And it gets way more complicated for more than 3 sites.
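On the AllowedIPs point above: WireGuard's cryptokey routing lets each destination prefix belong to only one peer per interface, so 0.0.0.0/0 or 224.0.0.0/24 cannot be listed on every peer of a single multi-peer interface. The following script is an added example, not the poster's configuration and not OPNsense or WireGuard project code: it checks a constructed single-interface config for Site A for exactly that overlap, then lays out one /31 per site pair for an N-site full mesh, generalising the per-tunnel-interface addressing the post ends with. Site names, keys, endpoints and the 10.0.0.0/24 pool are assumptions.

```python
"""WireGuard cryptokey-routing overlap check and per-link /31 layout for a site mesh.
Added example for this thread; not OPNsense or WireGuard project code."""
import ipaddress
from itertools import combinations

# Constructed Site A config with ONE interface and one [Peer] per remote site, each
# claiming the OSPF multicast range.  Keys and endpoints are placeholders, not real values.
SITE_A_SINGLE_INTERFACE = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <site-a-private-key>

[Peer]
# Site B
PublicKey = <site-b-public-key>
Endpoint = siteb.example.invalid:51820
AllowedIPs = 10.0.0.2/32, 224.0.0.0/24

[Peer]
# Site C
PublicKey = <site-c-public-key>
Endpoint = sitec.example.invalid:51820
AllowedIPs = 10.0.0.3/32, 224.0.0.0/24
"""


def parse_peers(conf):
    """[(label, [ip_network, ...]), ...] for each [Peer]; label is the first comment after it."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line == "[Peer]":
            current = {"label": None, "allowed": []}
            peers.append(current)
        elif line.startswith("["):
            current = None                  # [Interface] or any other section
        elif current is None:
            continue
        elif line.startswith("#"):
            current["label"] = current["label"] or line.lstrip("# ").strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "AllowedIPs":
                current["allowed"] += [ipaddress.ip_network(v.strip(), strict=False)
                                       for v in value.split(",") if v.strip()]
    return [(p["label"] or f"peer{i}", p["allowed"]) for i, p in enumerate(peers, 1)]


def overlapping_allowed_ips(conf):
    """Peer pairs whose AllowedIPs overlap.  Inside one interface each destination prefix
    can belong to only one peer; wg(8) moves an overlapping prefix to the peer added last
    and removes it from the other, so every pair returned here is a misconfiguration."""
    conflicts = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(parse_peers(conf), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    conflicts.append((name_a, name_b, str(na), str(nb)))
    return conflicts


def mesh_links(sites, pool="10.0.0.0/24"):
    """One /31 per site pair (RFC 3021 point-to-point), so each per-tunnel interface gets
    its own address and its single peer can carry AllowedIPs = 0.0.0.0/0 without conflicts.
    Generalises the per-tunnel addressing at the end of the post to any number of sites."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=31)
    links = {}
    for a, b in combinations(sites, 2):
        net = next(subnets)      # raises StopIteration if the pool is too small for the mesh
        lo, hi = list(net)       # both addresses of a /31 are usable
        links[(a, b)] = {a: f"{lo}/31", b: f"{hi}/31"}
    return links


if __name__ == "__main__":
    for a, b, na, nb in overlapping_allowed_ips(SITE_A_SINGLE_INTERFACE):
        print(f"conflict: {a} ({na}) overlaps {b} ({nb}) on the same interface")
    for (a, b), addrs in mesh_links(["A", "B", "C", "D"]).items():
        print(f"tunnel {a}-{b}: {addrs}")
```

With one interface per tunnel each interface has a single peer, so that peer can carry AllowedIPs = 0.0.0.0/0 (and with it the OSPF multicast addresses) without colliding with anything; mesh_links produces the address plan for those interfaces. For N sites that is N*(N-1)/2 tunnels, which is exactly the growth the post complains about; the script only makes the bookkeeping mechanical, it does not remove it.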
#5
22.1 Legacy Series / Re: Slow boot IPSec VTI
September 28, 2022, 10:38:43 AM
Report is already done...
https://github.com/opnsense/core/issues/6052

Not using it possibly solves the issue, but for me it results in wrong resolution of the overrides for local domains...
#6
22.1 Legacy Series / Re: Slow boot IPSec VTI
September 28, 2022, 10:23:21 AM
If I check my log:

2022-09-28T10:13:26   Error   php   /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'ipsec5' 'inet' tunnel '136.243.195.58' 'fqdn.off.otherfirewall' up' returned exit code '1', the output was 'ifconfig: error in parsing address string: Name does not resolve'   
2022-09-28T10:11:56   Error   php   /usr/local/etc/rc.bootup: Device ipsec5 required for ipsec5, configuring now

So it sounds to me like the issue is that DNS is not working in this state ...

After changing it to an IP (temporarily, because it's not a solution for me)
(changing the IPsec tunnel setting VPN gateway),
it boots fast ...
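The failing command in the log above is ifconfig being handed a hostname before the resolver is usable at boot. What follows is an added example, not OPNsense's rc.bootup code, of the check a practitioner would put in front of that call: resolve the peer name first, with retries, and only pass the resulting IP to ifconfig. The interface name and addresses in the usage line are assumptions; the resolver and sleep functions are injectable so the retry path can be exercised without a network.

```python
"""Resolve a tunnel peer's FQDN first, with retries, and only then build the ifconfig
command, so ifconfig never has to resolve a name itself.  Added example for this thread;
it illustrates the check and is not OPNsense's rc.bootup code."""
import socket
import time


def resolve_ipv4(name, resolver=socket.getaddrinfo):
    """First IPv4 address for `name` (a literal IP passes through), or None if it does not resolve."""
    try:
        infos = resolver(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:          # socket.gaierror is a subclass: "Name does not resolve"
        return None
    return infos[0][4][0] if infos else None


def wait_for_resolution(name, attempts=5, delay=2.0, resolver=socket.getaddrinfo, sleep=time.sleep):
    """Retry until `name` resolves; returns (ip, attempts_used) or (None, attempts).
    resolver/sleep are injectable so the retry logic can be tested without a network."""
    for attempt in range(1, attempts + 1):
        ip = resolve_ipv4(name, resolver)
        if ip is not None:
            return ip, attempt
        if attempt < attempts:
            sleep(delay)
    return None, attempts


def ifconfig_tunnel_cmd(iface, local_ip, peer, **resolve_kwargs):
    """argv for the call seen in the boot log above, with the peer passed as an IP.
    Raises instead of handing an unresolved name to ifconfig."""
    ip, used = wait_for_resolution(peer, **resolve_kwargs)
    if ip is None:
        raise RuntimeError(f"{peer} did not resolve after {used} attempts; not configuring {iface}")
    return ["/sbin/ifconfig", iface, "inet", "tunnel", local_ip, ip, "up"]


if __name__ == "__main__":
    import sys
    # Usage (assumed values): python3 resolve_then_ifconfig.py ipsec5 192.0.2.1 fw.example.invalid
    if len(sys.argv) != 4:
        sys.exit("usage: <iface> <local_ip> <peer_fqdn_or_ip>")
    cmd = ifconfig_tunnel_cmd(sys.argv[1], sys.argv[2], sys.argv[3])
    print("would run:", " ".join(cmd))   # on the firewall: subprocess.run(cmd, check=True) as root
```

The returned list is the original command line with only the peer replaced by its resolved address; a literal IP passes straight through, so the same helper covers both the temporary IP workaround and the FQDN case.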
#7
22.1 Legacy Series / Re: Slow boot IPSec VTI
September 28, 2022, 10:09:17 AM
Still exists in 22.7 and I can't find a solution ... anyone?
#8
22.1 Legacy Series / Re: Slow boot IPSec VTI
July 20, 2022, 02:52:10 PM
Sorry, but unfortunately I can't offer or find a solution myself
#9
22.1 Legacy Series / Slow boot IPSec VTI
July 03, 2022, 03:21:17 PM
Hi, I have set up 2 IPsec VTI tunnels; since then I have issues with the boot time.

In the console, it stays at the interface log line for around 2 minutes...

The IPsec connections work fast if I restart the service or just stop and start the connection in VPN: IPsec: Status Overview.

Is there any hint?
#10
I think I get the same issue...

I added a rule that says source "OpenVPN net", all others are *, on the OpenVPN interface.

But I'm unable to get any traffic passed.
If I change the source to a self-created alias, it works.