"
Thanks for the advice. We actually did that as a workaround.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
16.7 Legacy Series / Re: Intermittent traffic flow between OPnsense and Cisco ASA VPN
August 17, 2016, 12:07:49 PM
It seems we fixed it.
We have to allow ESP (IP 50) and UDP (isakmp) traffic sent to the firewall itself.
We have to allow ESP (IP 50) and UDP (isakmp) traffic sent to the firewall itself.
#3
16.7 Legacy Series / TFTP blocked
August 15, 2016, 03:15:14 PM
Hi
I need TFTP for building servers and downloading software internally in our network. Although we have rules that allow UDP/TCP on port 69, the file transfer is blocked:
Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48
I haven't able to find any reference to TFTP in opnsense doc. In pfsense there is a reference that I need a TFTP proxy....
I need TFTP for building servers and downloading software internally in our network. Although we have rules that allow UDP/TCP on port 69, the file transfer is blocked:
Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48
I haven't able to find any reference to TFTP in opnsense doc. In pfsense there is a reference that I need a TFTP proxy....
#4
16.7 Legacy Series / Re: Intermittent traffic flow between OPnsense and Cisco ASA VPN
August 12, 2016, 02:50:40 PM
we have more VPNs in the cisco ASA and they work fine.
#5
16.7 Legacy Series / Intermittent traffic flow between OPnsense and Cisco ASA VPN
August 12, 2016, 02:48:41 PM
Hi all
We are trying to introduce OPNsense in our network so we are quite newbie.
We have managed to establish an IPSec VPN between OPNsense 16.7-amd64 and a cisco ASA5545 running asa912-smp-k8.bin.
Our problem is the traffic is not crossing the VPN while it is established.
For example, trying to ping a machine in the other end, takes more than 1 minute to respond, but the Ipsec is fully established:
$ ping 10.132.43.117
PING 10.132.43.117 (10.132.43.117) 56(84) bytes of data.
....
64 bytes from 10.132.43.117: icmp_seq=1 ttl=63 time=68.2 ms
From the cisco we see sometimes the below:
Total IKE SA: 5
....
4 IKE Peer: 104.255.200.142
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
5 IKE Peer: 104.255.200.142
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
From opsense, it doesnt report any problem, as far as I can see. We have increased the logging for "SA Manager", "IKE SA", "IKE Child SA" and still the logs dont show anything noticeable.
Any advice for troubleshooting this problem?
Thanks
tomas
We are trying to introduce OPNsense in our network so we are quite newbie.
We have managed to establish an IPSec VPN between OPNsense 16.7-amd64 and a cisco ASA5545 running asa912-smp-k8.bin.
Our problem is the traffic is not crossing the VPN while it is established.
For example, trying to ping a machine in the other end, takes more than 1 minute to respond, but the Ipsec is fully established:
$ ping 10.132.43.117
PING 10.132.43.117 (10.132.43.117) 56(84) bytes of data.
....
64 bytes from 10.132.43.117: icmp_seq=1 ttl=63 time=68.2 ms
From the cisco we see sometimes the below:
Total IKE SA: 5
....
4 IKE Peer: 104.255.200.142
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
5 IKE Peer: 104.255.200.142
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
From opsense, it doesnt report any problem, as far as I can see. We have increased the logging for "SA Manager", "IKE SA", "IKE Child SA" and still the logs dont show anything noticeable.
Any advice for troubleshooting this problem?
Thanks
tomas
Pages1
