Messages - jke

#1
Quote from: Mks on March 01, 2025, 07:45:32 PM
Hi,

I've analyzed the issue today and it was not related to OPNsense.

The NTP daemon on my Admin Workstation stopped for whatever reason and due to that the time was out of sync.

br

Hi Mks,
in my case, this isn't the problem.
But I just figured out it may be the "daylight savings time", which seemingly isn't handled correctly by OPNsense.
In the logs I can see the timestamp of current actions with my time -1 hour.
Do you know if that could be the problem for the faulty OTP token?

Also, if this is really the problem, can someone explain why it only happens with version >=25.1?
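To see why the clock-skew hypothesis in this post would break the OTP login: TOTP codes are derived from the current 30-second time step, so a one-hour offset between the verifier's clock and the authenticator's clock is 120 steps away, far outside any tolerance window. The following Python is an added example, not code from the thread or from OPNsense; it implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library and uses the RFC 6238 test-vector seed as constructed input.

```python
"""Added example: why a one-hour clock skew breaks TOTP (RFC 6238).
The seed is the RFC 6238 SHA-1 test-vector seed, a constructed input,
not a real OPNsense OTP seed."""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6
SEED = b"12345678901234567890"   # RFC 6238 test-vector seed (constructed)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step)


def verify_totp(seed: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches the current step or one of the
    +-window neighbouring steps (the usual tolerance for small drift)."""
    counter = server_time // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def dst_skew_demo(server_time: int, skew_seconds: int = 3600):
    """Authenticator clock correct, verifier clock behind by skew_seconds
    (a DST-sized offset).  Returns (accepted_in_sync, accepted_with_skew,
    steps_off): 3600 s is 120 steps, so the skewed check fails."""
    client_code = totp(SEED, server_time)
    ok_sync = verify_totp(SEED, client_code, server_time)
    ok_skew = verify_totp(SEED, client_code, server_time - skew_seconds)
    return ok_sync, ok_skew, skew_seconds // STEP


if __name__ == "__main__":
    print(totp(SEED, 59))                # RFC 6238 test vector -> 287082
    print(dst_skew_demo(1_740_000_000))  # -> (True, False, 120)
```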
#2
Quote from: Mks on February 28, 2025, 11:55:29 PM
Hi,
I've discovered the same issue today.

Will look at it tomorrow and provide an update.

br

Hi Mks,
thank you very much!
As further info: I updated yesterday to version 25.1.2 and the issue persists.
#3
Quote from: cookiemonster on February 28, 2025, 02:01:55 PM
Wild guess. Have you changed the root user's login shell? What is it set to?

Hi cookiemonster,
I didn't change the login shell, it's still the default "opnsense-shell" or whatever it is called.
But nevertheless thank you!
#4
25.1 Production Series / Re: 2FA broken since the update
February 28, 2025, 01:57:00 PM
Hi, thank you for your answers.
The problem is not the connection via SSH. I already set it up and can connect to the appliance via SSH.
My problem is that after rebooting, the root login is broken.

When I reboot the appliance, I can't log in with the user root, either with only the password or with password + 2FA.
I need to reset it (password and login method) via the CLI.
After resetting it to Local Database only, I can log in again.
Then I enable 2FA for the login again, and the login with 2FA also works again.
But after rebooting, the "loop" begins again.
#5
25.1 Production Series / 2FA broken since the update
February 27, 2025, 01:06:17 PM
Hi,

I have 2FA enabled for the WebGUI login. After updating to 25.1 I couldn't log in with the 2FA and also not without it (only using the password).

I needed to connect to the machine via SSH and reset the root login and login method.
After that I needed to regenerate the OTP seed.
When this is done it works again.

Now, when the appliance is rebooted, I have the same problem.
The issue also persists after upgrading to 25.1.1.

Does anyone else have the same problem or know how I can resolve it?

Thank you in advance!
#6
Do you know if there is a way to set a "default value" for this?
I want to have a HAProxy on Site B to reverse proxy servers on Site A.

Edit: This post solved my problem: https://forum.opnsense.org/index.php?topic=21553.0
#7
Ahh, thanks for your help.
I tried it via the WebUI in the Interface->Diagnostics->Ping menu.
When I do it directly from the console (with the -S flag) it seems to work fine.
#8
Hi everyone,

I have an IPsec tunnel between my two OPNsense appliances.
It seems to be up and running.
My problem is: from hosts on Site A, I can ping the OPNsense appliance (on the LAN interface) on Site B and vice versa, but from the OPNsenses themselves I can't ping any host (also not the LAN IP of the OPNsenses) on the other side of the tunnel.
I followed the official tutorial for the policy-based public key setup.

Does anyone know how to solve the issue?
#9
German - Deutsch / Re: IPsec problems
January 03, 2025, 02:36:38 PM
Quote from: Patrick M. Hausen on January 03, 2025, 08:49:52 AM
Use tcpdump to observe if packets from the peer arrive at all and if they have the peer IP address you think they should.

What would be your approach for filtering? The IPv6 of the other appliance or ports 500/4500?
Or is there any other identifier for the connection?
#10
German - Deutsch / Re: IPsec problems
January 03, 2025, 02:31:09 PM
Quote from: newsense on January 03, 2025, 01:18:06 AM
The IPs may have changed. I would recommend using dynamic DNS entries on both ends so that no matter when the IP changes on either side you're only 5 minutes away max from the tunnel(s) coming back online.

I've read that IPsec also has problems with the change of the IP address, that's why I used the static IPv6 of the FritzBox/OPNsense appliance, but I will try it nonetheless, thanks.

Forget what I said. This is my error. I always thought the IPv6 was static. I now figured out it isn't.
#11
German - Deutsch / Re: IPsec problems
January 03, 2025, 12:32:58 AM
Update: Forgot to paste the tutorial link.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html
#12
German - Deutsch / [Solved] IPsec problems
January 02, 2025, 04:27:32 PM
I have two OPNsense appliances. One in Hetzner with a dedicated IPv4 and IPv6 address.

The other one is in my homelab, behind a FritzBox. The FritzBox has a dynamic IPv4, so I use IPv6.

I opened the ports UDP/500 and UDP/4500 on the FritzBox and port forward them to the OPNsense on IPv6.

I do the same for the ESP protocol.

The OPNsense at Hetzner has all ports for all protocols opened, and I manage the firewall rules via the OPNsense itself.

Both of them allow traffic for all protocols on all ports for the IPv6 of the other appliance.

So here's my problem:

The tunnel already worked a few days ago, then I did nothing on both sites for some days, and when I looked back at the firewalls, I noticed that the tunnel is no longer working.

I can't figure out where the problem is. In the logs I can't find any entries helping me, even in debug mode. The only thing I can see is the following:

14[IKE] <f30738ad-7548-43d0-839a-c0972585c1f3|3> establishing IKE_SA failed, peer not responding

14[IKE] <f30738ad-7548-43d0-839a-c0972585c1f3|3> giving up after 5 retransmits

These entries appear on both sides. For setting up the tunnel I used this tutorial.

The only thing I changed was the Start action in the Children. Instead of "Trap" I use "Trap+start". But even after I changed it back to only "Trap", it does not work.

Can anyone hint me in the right direction or has the same problem?