Messages - space-hunter

#1
Hi, thanks for this info!

I ran into the same error. I tried to configure a site-to-site VPN with IExplorer. After a few hours and reading this post, I know why :-)
After saving the setting with IE, this error shows up in the VPN log file:

Jan 30 09:33:09 charon: 10[NET] <con1-000|8> sending packet: from 192.168.20.40[500] to 192.168.22.132[500] (84 bytes)
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> generating INFORMATIONAL_V1 request 4075737163 [ HASH D ]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> sending DELETE for IKE_SA con1-000[8]
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> deleting IKE_SA con1-000[8] between 192.168.20.40[C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense]...192.168.22.132[192.168.22.132]
Jan 30 09:33:09 charon: 10[CFG] <con1-000|8> constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=xx, O=xx, E=xx@xx, CN=CA_xx'
Jan 30 09:33:09 charon: 10[IKE] <con1-000|8> received DPD vendor ID
Jan 30 09:33:09 charon: 10[ENC] <con1-000|8> parsed ID_PROT response 0 [ ID HASH V ]
Jan 30 09:33:09 charon: 10[NET] <con1-000|8> received packet: from 192.168.22.132[500] to 192.168.20.40[500] (84 bytes)

And this is the main part of the file /usr/local/etc/ipsec.conf:
  ike = 3des-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
  rightid = 192.168.22.132
  rightsubnet = 192.168.22.192/28
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1-modp1024,3des-sha1-modp1024!


After saving the setting with Chrome, everything works as expected.

With IExplorer, the 'My Certificate' and 'My Certificate Authority' fields are showing up, and I cannot remove this setting.
With Chrome, these fields are not showing up.

OPNsense 18.7.9-amd64
IE 11.1563.15063.0
Chrome 71.0.3578.98
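
Added example, not part of the original post and not OPNsense code: a small Python check that reads ipsec.conf-style text and reports connections where a side authenticates with PSK but certificate-only options are still present, which is the combination shown in the post above. The sample input is constructed from the excerpt in the post; the conn names `con1` and `clean`, the function names and the list of certificate-only keys are assumptions of this example.

```python
import re

# Options that only apply to certificate authentication (list chosen for this example).
CERT_ONLY = {"left": ("leftcert", "leftca"), "right": ("rightcert", "rightca")}

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
        else:
            current = None                        # "config setup", "ca" sections
    return conns

def find_psk_cert_conflicts(text):
    """List (conn, option, value) where a PSK side still carries cert options."""
    findings = []
    for name, opts in parse_conns(text).items():
        for side, keys in CERT_ONLY.items():
            # authby is the older option that selects the method for both sides
            auth = opts.get(side + "auth", opts.get("authby", ""))
            if auth.lower() not in ("psk", "secret"):
                continue
            findings += [(name, k, opts[k]) for k in keys if k in opts]
    return findings

# Constructed sample: con1 mirrors the excerpt in the post, clean is a plain PSK conn.
SAMPLE = """\
conn con1
  leftauth = psk
  rightauth = psk
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  rightca = "/C=DE/ST=xxx/L=xxx/O=xxx /emailAddress=xxx/CN=xxx/"
  rightid = 192.168.22.132

conn clean
  leftauth = psk
  rightauth = psk
"""

if __name__ == "__main__":
    for conn, key, value in find_psk_cert_conflicts(SAMPLE):
        print(f"{conn}: PSK auth but {key} is set ({value})")
```

A `rightca` finding corresponds to the "constraint check failed: peer not authenticated by CA" line in the log above; `leftcert` is reported as a leftover of the same saved form.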

#2
I got the same problem. After 'setenv HTTP_PROXY http://proxy:8080' some errors were fixed.
But some were not. IDS Download & Update Rules do not work. It still uses no proxy.

Fix for me:
   edit /usr/local/opnsense/service/conf/configd.conf and add the proxy export in [environment]

#/usr/local/opnsense/service/conf/configd.conf
[main]
socket_filename:/var/run/configd.socket
pid_filename:/var/run/configd.pid

[environment]
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
HOME=/
HTTP_PROXY=http://proxy:8080
HTTPS_PROXY=http://proxy:8080
http_proxy=http://proxy:8080
https_proxy=http://proxy:8080
FTP_PROXY=http://proxy:8080
ftp_proxy=http://proxy:8080