Messages - jke

#1
Do you know if there is a way to set a "default value" for this?
I want to have a HAProxy on Site B to reverse proxy servers on Site A.

Edit: This post solved my problem: https://forum.opnsense.org/index.php?topic=21553.0
#2
Ahh, thanks for your help.
I tried it via the WebUI in the Interface->Diagnostics->Ping menu.
When I do it directly from the console (with the -S flag), it seems to work fine.
#3
Hi everyone,

I have an IPsec tunnel between my two OPNsense appliances.
It seems to be up and running.
My problem is, from hosts on Site A, I can ping the OPNsense appliance (on the LAN interface) on Site B and vice versa, but from the OPNsenses themselves I can't ping any host (also not the LAN IP of the OPNsenses) on the other side of the tunnel.
I followed the official tutorial for Policy based public key setup.

Does anyone know how to solve the issue?
#4
German - Deutsch / Re: IPsec problems
January 03, 2025, 02:36:38 PM
Quote from: Patrick M. Hausen on January 03, 2025, 08:49:52 AM
Use tcpdump to observe if packets from the peer arrive at all and if they have the peer IP address you think they should.

What would be your approach for filtering? The IPv6 of the other appliance or ports 500/4500?
Or is there any other identifier for the connection?
#5
German - Deutsch / Re: IPsec problems
January 03, 2025, 02:31:09 PM
Quote from: newsense on January 03, 2025, 01:18:06 AM
The IPs may have changed. I would recommend using dynamic dns entries on both ends so that no matter when the IP changes on either side you're only 5 minutes away max from the tunnel(s) coming back online.

I've read that IPsec also has problems with the change of the IP address; that's why I used the static IPv6 of the FritzBox/OPNsense appliance, but I will try it nonetheless, thanks.

Forget what I said. This is my error. I always thought the IPv6 was static. I now figured out it isn't.
#6
German - Deutsch / Re: IPsec problems
January 03, 2025, 12:32:58 AM
Update: Forgot to paste the tutorial link.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html
#7
German - Deutsch / [Solved] IPsec problems
January 02, 2025, 04:27:32 PM
I have two OPNsense appliances. One in Hetzner with a dedicated IPv4 and IPv6 address.

The other one is in my homelab, behind a FritzBox. The FritzBox has dynamic IPv4, so I use IPv6.

I opened the ports UDP/500 and UDP/4500 on the FritzBox and port-forward them to the OPNsense on IPv6.

I do the same for the ESP protocol.

The OPNsense at Hetzner has all ports for all protocols opened, and I manage the firewall rules via the OPNsense itself.

Both of them allow traffic for all protocols on all ports for the IPv6 of the other appliance.

So here's my problem:

The tunnel already worked a few days ago, then I did nothing on both sites for some days, and when I looked back at the firewalls, I noticed that the tunnel is no longer working.

I can't figure out where the problem is. In the logs I can't find any entries helping me, even in debug mode. The only thing I can see is the following:

14[IKE] <f30738ad-7548-43d0-839a-c0972585c1f3|3> establishing IKE_SA failed, peer not responding

14[IKE] <f30738ad-7548-43d0-839a-c0972585c1f3|3> giving up after 5 retransmits

These entries appear on both sides. For setting up the tunnel I used this tutorial.

The only thing I changed was the Start action in the Children. Instead of "Trap" I use "Trap+start". But even after I changed it to only trap, it does not work.

Can anyone point me in the right direction, or does anyone have the same problem?