OPNsense

Topics - 8191

1
22.1 Production Series / Certificate verification on devel stream
« on: June 25, 2022, 10:07:30 pm »
I've started up one of my devel machines after a longer time being offline. I faced the issue of not being able to update due to server certificate validation issues with the Let's Encrypt upstream. After some recommendations in other threads I removed all Let's Encrypt roots and intermediates from the certificate trust, then I switched to an HTTP mirror and managed to update.
Now I'm facing the situation that when trying to change to the devel stream (mirror type 'Development') I get verification errors, but on the community stream updating is possible via the same mirror even using HTTPS (default mirror - pkg.opnsense.org).

Code:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.9 (amd64/OpenSSL) at Sat Jun 25 22:00:51 CEST 2022
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:

How is server certificate verification related to the chosen release type? I'm out of ideas what to try (curl https://pkg.opnsense.org actually works without issues).

2
22.1 Production Series / Dual-stack IPsec route-based tunnel
« on: January 30, 2022, 05:40:07 pm »
Hi,
Has anyone already accomplished a dual-stack IPv4 and IPv6 route-based IPsec tunnel? I want to use IPv4 and IPv6 (in Phase 2) in a single tunnel; is this possible?
Whenever I add the IPv6 Phase 2, the tunnel loses the IPv4 network endpoints:

Before (IPv4 only):
Code:
ipsec2000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec2000 prefixlen 64 scopeid 0x9
        inet 172.16.0.4 --> 172.16.0.8 netmask 0xffffffff
        groups: ipsec
        reqid: 2000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

After (IPv4 and IPv6 added on P2):
Code:
ipsec4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec4 prefixlen 64 scopeid 0x9
        inet6 fdfa:8191:4040:2000::4 --> fdfa:8191:4040:2000::8 prefixlen 128
        groups: ipsec
        reqid: 4
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Any ideas?

3
22.1 Production Series / Cannot establish IPsec tunnel with 22.1
« on: January 04, 2022, 01:53:09 pm »
I've been struggling for a few days to establish a simple IPsec tunnel between two 22.1 systems or a 21.7 and a 22.1 system. Finally I've tried precisely the same configuration between two 21.7 systems and it works.
The error on the 22.1 side is
Code:
15[KNL] <con1|3> unable to add SAD entry with SPI c6651939: Invalid argument (22)

I could not find many useful details on this error, except that some specific situation might not be supported by the kernel. But my example is really simple and I've even tried very many other scenarios.

One suspicious thing I saw during startup of charon is:
Code:
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)

Any ideas?

Attached the complete log from charon startup incl. one session initiation cycle. P1 succeeds, only the SAD of P2 cannot be written.

4
Development and Code Review / Removal of mail/fetchmail
« on: December 12, 2021, 09:11:21 am »
Hi,

I just noticed that mail/fetchmail was removed (6673bb86). I could not find the reason for this (neither here nor on Github)... Any background information to share here?

5
20.7 Legacy Series / OpenVPN Client Specific Overrides
« on: December 23, 2020, 10:48:01 am »
Hi,
I'm facing a problem with OpenVPN's Client Specific Overrides: even though overrides are configured, no entry is generated in /var/etc/openvpn-csc/<serverid>.

What is the trigger to generate these entries?

Thanks

6
20.7 Legacy Series / Why using stunnel via NAT only?
« on: August 02, 2020, 09:24:11 am »
Hi,

the stunnel documentation as well as the GUI help on the plugin's configuration mention that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand, the online help for NAT mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel

7
20.7 Legacy Series / Routed IPsec loses static routes
« on: August 01, 2020, 12:18:54 pm »
Hi,

there was already an issue reported for 20.1, but this still seems not to be resolved in 20.7: static routes which target a routed IPsec interface (e.g. ipsec2000) keep disappearing. I can observe this on several OPNsense instances and did not really find a workaround other than manually pressing the "Apply" button in the routing configuration.

How to troubleshoot this? Which service is responsible for applying static routes?

Thanks and BR
Manuel

8
17.1 Legacy Series / OpenVPN and Intermediate Root CA
« on: March 19, 2017, 09:32:52 pm »
Hi,

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:

Code:
Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern

All CAs are installed into OPNsense. As a "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but its ancestor.

When trying to connect to this OpenVPN server I receive the error VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why should its root be validated? :-\

Anyway, the solution to this is simply adding the "Root CA" to OpenVPN's certificate file (/var/etc/openvpn/server1.ca), but my question is whether it is valid and intended behaviour that OpenVPN questions my configured peer certificate authority.

9
16.7 Legacy Series / DNS override with source IP "hides" DNS server from LAN
« on: August 15, 2016, 01:37:04 pm »
Hey,

I've discovered a weird problem with the DNS forwarder's override feature when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override using the "Source IP" as a gateway (i.e. itself). This allows the DNS forwarder to reach the DNS server using the "Source IP", but also has a weird implication for all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense is sending an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel

10
16.1 Legacy Series / [SOLVED] Update from OPNsense 15.7.25-amd64 fails
« on: March 12, 2016, 06:43:42 pm »
Hi,

just wanted to update an OPNsense 15.7.25-amd64 box to 16.1, but the update always fails at the same point:

Code:
root@detroid:~ # opnsense-update
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (70 candidates): 100%
Processing candidates (70 candidates): 100%
Checking integrity... done (3 conflicting)
Checking integrity... done (0 conflicting)
The following 63 package(s) will be affected (of 0 checked):

...

[6/63] Extracting ca_root_nss-3.22.2: 100%
[7/63] Deinstalling isc-dhcp42-relay-4.2.8...
[7/63] Deleting files for isc-dhcp42-relay-4.2.8:   0%/usr/local/lib/libpkg.so.3: Undefined symbol "openat"

BR,
Manuel

11
15.7 Legacy Series / Identifiers of IPsec with RSA authentication
« on: January 06, 2016, 09:54:18 am »
Hi,

I'd like to configure an IPsec tunnel with RSA authentication. As identifiers (local and peer) I'd like to use the DN of the used X.509 certificates. What do I need to configure for the My identifier and Peer identifier fields to accomplish that?

I've tried with "ASN.1 distinguished Name" with and without a value in the corresponding text field, but I always receive the error charon: 13[IKE] <con2|8> no private key found for '<detroid.lan.xxx.net>'. My cert has a DN like CN=detroid.lan.xxx.net,emailAddress=detroid@lan.xxx.net,O=xxx,L=Vienna,ST=Vienna,C=AT.

Has anyone already accomplished an IPsec RSA tunnel without explicitly configuring the certificate DNs?

I just noticed that ipsec did not even load my certificate... Calling ipsec listall only lists CA certificates, no end entity certificates. Also the configured certificate is not listed in ipsec.secrets. Shouldn't it be there?

Thanks,
Manuel

12
15.7 Legacy Series / 100% CPU load
« on: January 05, 2016, 09:51:43 am »
Hi,

one of my OPNsense boxes has had almost constant 100% CPU load for a few days. Interestingly the top command of FreeBSD does not work as I expected, i.e. the sum of the CPU column does not match the total CPU load (see also e.g. this thread on unix.SE).

How can I find out what's causing the high CPU load?

Here is some command output:

Code:
root@detroid:~ # vmstat 5
 procs      memory      page                    disks     faults         cpu
 r b w     avm    fre   flt  re  pi  po    fr  sr ad0 da0   in   sy   cs us sy id
 2 0 0   1876M  3094M   108   0   0   0   185  10   0   0  781  868  875 70 19 11
 2 0 0   1866M  3102M 22626   0   0   0 24790  21   7   0 2445 12832  909 78 22  0
 2 0 0   1822M  3105M 22811   0   0   0 24790  21   7   0 2359 12778  697 79 21  0
 2 0 0   1690M  3100M 22781   0   0   0 24228  21   7   0 2374 12581  736 78 22  0
 2 0 0   1880M  3090M 22707   0   0   0 23975  21   9   0 2372 24626  759 79 21  0
 3 0 0   1876M  3092M 22881   0   0   0 24790  21   7   0 2423 12801  823 76 24  0
 2 0 0   1872M  3096M 22802   0   0   0 24817  20  14   0 2450 12769  908 79 21  0
 2 0 0   1760M  3101M 22705   0   0   0 24739  22   7   0 2430 12682  846 78 22  0
 2 0 0   1884M  3091M 22942   0   0   0 24172  21   7   0 2406 12734  805 80 20  0
 2 0 0   1879M  3092M 22943   0   0   0 24790  20   7   0 2376 12788  737 78 22  0
 2 0 0   1872M  3097M 23947   0   0   0 26480  21   7   0 2367 14015  799 76 24  0

Code:
last pid: 96282;  load averages:  2.10,  2.15,  2.11                                                       up 32+22:38:05  09:47:15
81 processes:  4 running, 76 sleeping, 1 waiting
CPU: 62.5% user,  0.0% nice, 37.5% system,  0.0% interrupt,  0.0% idle
Mem: 47M Active, 270M Inact, 499M Wired, 412M Buf, 3100M Free
Swap:
 Not displaying idle processes.
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          2 155 ki31     0K    32K RUN     1 177.9H   1.07% idle
   12 root         16 -72    -     0K   256K WAIT    1 568:38   0.39% intr
14978 root          1  52    0 16972K  2456K wait    1 184:12   0.20% sh
65062 root          1  52    0 16972K  2456K wait    0 207:45   0.10% sh
59697 root          1  20    0 21824K  2964K CPU0    0   0:00   0.10% top
95634 root          1  72    0   113M 22216K RUN     0   0:00   0.00% php
96282 root          1  72    0   109M 20504K CPU1    1   0:00   0.00% php

The system has a AMD G-T40E processor with 2 cores.

Thanks,
Manuel

13
15.7 Legacy Series / Interface configuration IPv6: None
« on: December 31, 2015, 09:32:18 am »
Hi,

currently, when configuring an interface to IPv6: None, the interface still gets a link-local IP if IPv6 is globally enabled. Is that intended?

Manuel

14
15.7 Legacy Series / [SOLVED] Firewall rule group interfaces
« on: December 31, 2015, 09:07:37 am »
Hi,

am I doing something wrong, or is it a bug that I am not able to create firewall rules for "Group" interfaces?

In my understanding the idea of group interfaces is, that a single created firewall rule will be applied to several interfaces at the same time (similar to "floating rules"). So I've created a group interface, assigned two interfaces and I can see the corresponding tab in the "Firewall: Rules" view. Nevertheless, when clicking the add button, I am not able to select the group interface from the interface list...

Thanks,
Manuel

15
15.7 Legacy Series / [SOLVED] Web UI HTTPS Intermediate Certificates
« on: December 28, 2015, 07:28:43 pm »
Hi,
is it possible to configure lighttpd to also send the intermediate certificates of the configured web UI certificate chain?

Thanks,
Manuel
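
Three of the topics above (the pkg.opnsense.org "certificate verify failed" after removing the Let's Encrypt roots, the OpenVPN "depth=1, error=unable to get issuer certificate: Client Sub-CA" error, and the lighttpd intermediate-certificate question) come down to the same OpenSSL chain-building rule: by default a chain is only trusted if it can be extended from the presented certificate to a self-signed root in the trust store, so an intermediate alone is not a trust anchor unless partial-chain mode is enabled, and a server that omits its intermediate leaves the client unable to reach that root. The script below is an added example, not code from any of the posts or from the OPNsense project. It assumes the openssl CLI is available, uses a hypothetical Root CA -> Client Sub-CA -> user1 hierarchy generated on the fly (all names are made up), and reads the error text from openssl's own "error N at D depth lookup:" lines, which OpenVPN and pkg surface in their own wording.

```shell
#!/bin/sh
# Added example, not code from the OPNsense forum posts or the OPNsense project.
# Builds a hypothetical three-level chain (Root CA -> Client Sub-CA -> user1)
# with the openssl CLI, then runs "openssl verify" against differently filled
# trust stores to show which store contents produce which verification error.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

ROOT="$WORK/root.pem";      ROOT_KEY="$WORK/root.key"
SUBCA="$WORK/subca.pem";    SUBCA_KEY="$WORK/subca.key"
USER_CERT="$WORK/user.pem"; USER_KEY="$WORK/user.key"
OTHER="$WORK/other.pem";    OTHER_KEY="$WORK/other.key"

# Minimal extension sets for the signed certificates (hypothetical values).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# Self-signed root (the "external" root of the OpenVPN post) plus an unrelated
# root that stands in for a trust store from which the right anchor was removed.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Hypothetical Root CA" \
  -keyout "$ROOT_KEY" -out "$ROOT" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated Root CA" \
  -keyout "$OTHER_KEY" -out "$OTHER" >/dev/null 2>&1

# Client Sub-CA, signed by the root and marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Client Sub-CA" \
  -keyout "$SUBCA_KEY" -out "$WORK/subca.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/subca.csr" -CA "$ROOT" -CAkey "$ROOT_KEY" -CAcreateserial \
  -days 365 -extfile "$WORK/ca.ext" -out "$SUBCA" >/dev/null 2>&1

# End-entity certificate, signed by the Sub-CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user1" \
  -keyout "$USER_KEY" -out "$WORK/user.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/user.csr" -CA "$SUBCA" -CAkey "$SUBCA_KEY" -CAcreateserial \
  -days 365 -extfile "$WORK/leaf.ext" -out "$USER_CERT" >/dev/null 2>&1

# verify_case: runs "openssl verify" with the given options and certificate.
# Prints "ok" on success, otherwise the reason text from the first
# "error N at D depth lookup: ..." line. Never aborts the script.
verify_case() {
  if out="$(openssl verify "$@" 2>&1)"; then
    echo ok
  else
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

# 1. Only the Sub-CA is trusted: OpenSSL still wants to reach a self-signed
#    root, so it fails at depth 1 with the message from the OpenVPN post.
verify_case -CAfile "$SUBCA" "$USER_CERT"
# 2. Same store, but the intermediate is explicitly accepted as an anchor.
verify_case -partial_chain -CAfile "$SUBCA" "$USER_CERT"
# 3. Only the root is trusted and the peer supplies the intermediate
#    (a web server sending its full chain, or the OpenVPN ca file fix).
verify_case -CAfile "$ROOT" -untrusted "$SUBCA" "$USER_CERT"
# 4. Only the root is trusted and the peer omits the intermediate: the
#    client cannot even find the leaf's issuer.
verify_case -CAfile "$ROOT" "$USER_CERT"
# 5. The matching root was removed from the store: the full chain is
#    presented but cannot be anchored anywhere.
verify_case -CAfile "$OTHER" -untrusted "$SUBCA" "$USER_CERT"
```

Run it as-is; it prints one result line per case. Case 1 reproduces the OpenVPN error without any OpenVPN involved, case 2 is what a verifier would need to accept an intermediate as the sole anchor, cases 3 and 4 show why a web server must send its intermediates, and case 5 is the pkg situation: once the matching root is gone from the store, no amount of server-supplied chain fixes verification.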

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved