Messages - tomas.morales

#1
16.7 Legacy Series / Re: TFTP blocked
August 17, 2016, 12:09:00 PM
Thanks for the advice. We actually did that as a workaround.
#2
It seems we fixed it.

We have to allow ESP (IP 50) and UDP (isakmp) traffic sent to the firewall itself.
#3
16.7 Legacy Series / TFTP blocked
August 15, 2016, 03:15:14 PM
Hi

I need TFTP for building servers and downloading software internally in our network. Although we have rules that allow UDP/TCP on port 69, the file transfer is blocked:


Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48


I haven't been able to find any reference to TFTP in the OPNsense docs. In pfSense there is a reference that I need a TFTP proxy....
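An added example, not part of the thread: a small Python script that parses filterlog lines like the ones quoted above and flags the pattern they show, a passed request to UDP/69 followed by a blocked reply coming back from a different server port to the client's request port. The field names and column order are assumed from the standard filterlog record layout for IPv4 UDP/TCP entries, and the sample log is constructed from the lines in the post.

```python
# Added example (not from the forum post): parse OPNsense filterlog lines and
# flag TFTP data replies that a stateful firewall drops because the server
# answers from an ephemeral source port, so the reply never matches the
# state created for the request to port 69.
import re

# Assumed field order of an IPv4 UDP/TCP filterlog record (rule ... datalen).
FIELDS = ("rulenr subrulenr anchor tracker iface reason action dir ipver tos ecn "
          "ttl id offset flags protoid proto length src dst sport dport datalen").split()

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48
"""

def parse_filterlog(line):
    """Return the CSV payload of one filterlog line as a dict, or None if it
    is not an IPv4 UDP/TCP record."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    parts = m.group(1).split(",")
    if len(parts) < len(FIELDS) or parts[8] != "4" or parts[16] not in ("udp", "tcp"):
        return None
    return dict(zip(FIELDS, parts))

def find_blocked_tftp_replies(log_text):
    """Correlate passed TFTP requests with later blocked packets that are the
    server's reply from a fresh port back to the client's request port."""
    requests = {}  # (client, server, client_port) -> passed request record
    findings = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if rec["action"] == "pass" and rec["proto"] == "udp" and rec["dport"] == "69":
            requests[(rec["src"], rec["dst"], rec["sport"])] = rec
        elif rec["action"] == "block":
            key = (rec["dst"], rec["src"], rec["dport"])  # reversed direction
            if key in requests and rec["sport"] != "69":
                findings.append({"client": rec["dst"], "server": rec["src"],
                                 "server_port": rec["sport"],
                                 "client_port": rec["dport"], "rule": rec["rulenr"]})
    return findings
```

Each finding names the blocking rule and the server-side port the reply used, which is the state a plain "allow UDP/69" rule cannot match.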
#4
We have more VPNs in the Cisco ASA and they work fine.
#5
Hi all

We are trying to introduce OPNsense in our network, so we are quite new to it.

We have managed to establish an IPsec VPN between OPNsense 16.7-amd64 and a Cisco ASA5545 running asa912-smp-k8.bin.

Our problem is the traffic is not crossing the VPN while it is established.

For example, trying to ping a machine at the other end takes more than 1 minute to respond, but the IPsec is fully established:


$ ping 10.132.43.117
PING 10.132.43.117 (10.132.43.117) 56(84) bytes of data.
....
64 bytes from 10.132.43.117: icmp_seq=1 ttl=63 time=68.2 ms


From the Cisco we sometimes see the below:

Total IKE SA: 5
....
4   IKE Peer: 104.255.200.142
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 104.255.200.142
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3


From OPNsense, it doesn't report any problem, as far as I can see. We have increased the logging for "SA Manager", "IKE SA", "IKE Child SA" and still the logs don't show anything noticeable.


Any advice for troubleshooting this problem?

Thanks
tomas