Topics - greY

#1
Hi,
I'm running OPNsense Business Edition 25.10.1_2 and noticed that the Community Edition already ships os-acme-client 4.11, which includes additional DNS providers (Hetzner Cloud).

On Business, the plugin is still on an older version and the provider is therefore not available.

My question:
Is there any supported way to pull os-acme-client 4.11 into the current Business release (25.10.1_2), or is this strictly tied to the Business plugin freeze and only possible with a future Business update?
#2
Hello,

I am running OPNsense 25.10.1_2 (Business) as a virtual machine (KVM/Proxmox) and am experiencing a reproducible issue with Suricata IPS in combination with Insight (flowd_aggregate).

Setup (simplified)

  • OPNsense running as a VM in Proxmox (9.1)
  • Multiple WAN interfaces (Multi-WAN setup)
  • Suricata enabled (for WAN interfaces only)
  • Insight / Traffic graphs enabled

Observed behavior

  • With Suricata disabled → Insight and traffic graphs work normally.
  • With IPS enabled + Promiscuous mode OFF → Insight works.
  • With IPS enabled + Promiscuous mode ON →
          Traffic graphs stop updating after ~1 minute
          Insight data disappears
          flowd_aggregate fails to start

I see that the flowd_aggregate service does not start, with:
"WARNING: failed to start flowd_aggregate
Unable to lock on the pidfile"

Is this a known limitation of Suricata IPS + Promiscuous mode on Multi-WAN, especially in virtualized environments?

Is there an official recommendation or roadmap regarding Insight compatibility with netmap/IPS in such setups?

Thanks in advance for any clarification or confirmation.


*update*
Looks like it has something to do with the queues setting on the configured VM interfaces in Proxmox. Still investigating...


#3
Hi

There is a difference between the documentation and the implementation of the trigger levels in gateway groups.
Maybe somebody can confirm how it is implemented; I'm talking here about the Packet Loss or High Latency trigger.

The documentation says there is an OR, but in the current UI there is an AND. I did some tests and it seems to be an AND operator in the way it is implemented.

*added related screenshots

#4
24.7, 24.10 Legacy Series / Suricata stops after failover
February 09, 2025, 10:41:35 AM
hey

I'm currently running OPNsense on my Proxmox cluster and have encountered an issue where the Suricata service stops after a failover. While I can restart the service manually without any problems, I'd like to fix it - or at least to automate this. I believe that Monit could do that.

I've attempted to set up Monit to monitor the Suricata service, but I'm not certain about the correct configuration parameters, especially regarding the PID file and the appropriate start/stop commands.

Does anyone have ideas how to fix it, or has anyone successfully configured Monit to monitor and automatically restart the Suricata service in OPNsense?

thx
#5
hey

I see some packets being blocked coming from a S2S WireGuard tunnel to the OPNsense. On the other side (also OPNsense) I don't see any device that is talking on that port.

Does anybody have an idea how to investigate that?

Topology is:
OPNSENSE1 <---S2S WG-->OPNSENSE2

thx
#6
Hi

Is there a general difference between using static route configuration and configuring routes using FW rules that point to the right gateway?

I did some tests and both work; I see more flexibility in using FW rules. I would like to ask if there is a general case when static routes should be used?

thx
#7
Hi

The service stopped working after updating to the 22.10 business edition. This is what I can see in the logs; I tried to activate it on different interfaces, all with the same issue.
Any ideas?


2022-10-31T11:39:31 Error suricata [107141] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix0/R failed: Cannot allocate memory
2022-10-31T11:39:02 Error suricata [107014] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb5^ failed: Cannot allocate memory
2022-10-31T11:38:35 Error suricata [106896] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb5^ failed: Cannot allocate memory
2022-10-31T11:38:08 Error suricata [106796] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb5^ failed: Cannot allocate memory
2022-10-31T11:12:50 Error suricata [101682] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb6^ failed: Cannot allocate memory
2022-10-31T11:10:00 Error suricata [100664] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb6^ failed: Cannot allocate memory


greY
#8
Hi,
Looks like adding the trunk interface to the protected interfaces breaks the routing between VLANs.
Can anybody confirm?

Adding single VLANs seems to be OK, but then not able to protect the LAN...

Deployment mode: Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver
Engine Version: 1.11.5
UI Version: 22.9.22
Database Version: 1.11.22092202
OPNsense 22.7.6-amd64

HW offload is default/disabled


greY
#9
22.7 Legacy Series / Activation issue
October 14, 2022, 12:26:25 PM
Hi
Trying to activate the business edition from the community edition (22.7.5).
It seems to have an issue getting the right packages.

I attached a few screenshots of the configuration, any ideas how to fix it?
Would like to avoid a fresh install of BE if possible.

greY
#10
Zenarmor (Sensei) / VLAN DHCP not working
March 12, 2021, 09:58:35 PM
Hi

my setup is:
- LAN with 3 VLANS (10, 11 and 1010)
- DHCP relay, forwarding to an MS DHCP service
- Sensei 1.8

If sensei is configured for the parent LAN interface, all VLANs will not get IPs over DHCP. If sensei is configured for all VLANS (but LAN), DHCP for all interfaces is working as expected.

Does anybody have an idea what is going on there?

br
greY
#11
General Discussion / Firewall Rule
February 15, 2021, 10:36:23 PM
Hi

Hope somebody can help me understand or fix a FW rule issue between LAN and a VLAN.
I have a screenshot attached, with a blocked packet due to a "default deny rule".
At the same time there is a "Default allow LAN to any rule" ;) ...

Any ideas what the issue could be? I'm on OPNsense 21.1.1-amd64

thx
greY


#12
Hi
I have users connected over an IPsec site-to-site VPN. They cannot access web sites behind haproxy (reverse proxy).

I see passing connections in the firewall logs but nothing in the haproxy logs (only local requests). It seems like a kind of issue with routing from requests coming over IPSEC...

Any ideas how to fix / check this?
#13
Hi guys,
has anybody here configured multiple servers behind haproxy (reverse proxy)?
I have the issue that only the last configured rule is being applied, but to all host names. It is also overwriting all requests.
#14
Hi guys
does anybody here have haproxy with let's encrypt up and running with more than one backend?

I have the issue that only the last configured destination is working, all others will get the wrong certificate (that one from the last configured backend)...

also opened on github: https://github.com/opnsense/plugins/issues/1124
#15
Hello,

I have an IPsec S2S VPN between a Unifi USG (WAN yy.yy.yy.yy) and OPNsense 18.7.9 (WAN xx.xx.xx.xx). The connection is established initially and works as expected so far.

The problem seems to be that re-authentication does not work. Does anyone have something comparable running, or have a hint?

LOG - OPNSense
Dec 27 18:22:14 charon: 14[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Dec 27 18:22:14 charon: 14[ENC] <con1|1> generating CREATE_CHILD_SA response 1 [ N(NO_PROP) ]
Dec 27 18:22:14 charon: 14[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:22:14 charon: 14[IKE] <con1|1> no acceptable proposal found
Dec 27 18:22:14 charon: 14[CFG] <con1|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Dec 27 18:22:14 charon: 14[CFG] <con1|1> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 27 18:22:14 charon: 14[ENC] <con1|1> parsed CREATE_CHILD_SA request 1 [ SA No TSi TSr ]
Dec 27 18:22:14 charon: 14[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (236 bytes)
Dec 27 18:22:14 charon: 14[JOB] CHILD_SA ESP/0xca7a7672/xx.xx.xx.xx not found for rekey
Dec 27 18:22:13 charon: 14[JOB] CHILD_SA ESP/0xca7a7672/xx.xx.xx.xx not found for rekey
Dec 27 18:22:02 charon: 12[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:22:02 charon: 12[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 18:22:02 charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA response 225 [ N(NO_PROP) ]
Dec 27 18:22:02 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:22:02 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (588 bytes)
Dec 27 18:22:02 charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA request 225 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Dec 27 18:22:02 charon: 12[IKE] <con1|1> establishing CHILD_SA con1{223}
Dec 27 18:22:02 charon: 12[ENC] <con1|1> parsed INFORMATIONAL response 224 [ ]
Dec 27 18:22:02 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[ENC] <con1|1> generating INFORMATIONAL request 224 [ ]
Dec 27 18:22:01 charon: 12[KNL] <con1|1> unable to delete SAD entry with SPI c62702d8: No such process (3)
Dec 27 18:22:01 charon: 12[KNL] <con1|1> unable to delete SAD entry with SPI ca7a7672: No such process (3)
Dec 27 18:22:01 charon: 12[IKE] <con1|1> CHILD_SA closed
Dec 27 18:22:01 charon: 12[IKE] <con1|1> received DELETE for ESP CHILD_SA with SPI c62702d8
Dec 27 18:22:01 charon: 12[ENC] <con1|1> parsed INFORMATIONAL response 223 [ D ]
Dec 27 18:22:01 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[KNL] creating delete job for CHILD_SA ESP/0xc62702d8/yy.yy.yy.yy
Dec 27 18:22:01 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Dec 27 18:22:01 charon: 12[ENC] <con1|1> generating INFORMATIONAL request 223 [ D ]
Dec 27 18:22:01 charon: 12[IKE] <con1|1> scheduling CHILD_SA recreate after hard expire
Dec 27 18:22:01 charon: 12[IKE] <con1|1> sending DELETE for ESP CHILD_SA with SPI ca7a7672
Dec 27 18:22:01 charon: 12[IKE] <con1|1> closing expired CHILD_SA con1{1} with SPIs ca7a7672_i c62702d8_o and TS 10.0.0.0/24 === 10.0.10.0/24
Dec 27 18:22:01 charon: 07[KNL] creating delete job for CHILD_SA ESP/0xca7a7672/xx.xx.xx.xx
Dec 27 18:22:00 charon: 07[IKE] <con1|1> CHILD_SA rekeying failed, trying again in 14 seconds
Dec 27 18:22:00 charon: 07[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:22:00 charon: 07[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 18:22:00 charon: 07[ENC] <con1|1> parsed CREATE_CHILD_SA response 222 [ N(NO_PROP) ]
Dec 27 18:22:00 charon: 07[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:21:59 charon: 07[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (604 bytes)
Dec 27 18:21:59 charon: 07[ENC] <con1|1> generating CREATE_CHILD_SA request 222 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Dec 27 18:21:59 charon: 07[IKE] <con1|1> establishing CHILD_SA con1{222} reqid 1
Dec 27 18:21:58 charon: 12[IKE] <con1|1> CHILD_SA rekeying failed, trying again in 15 seconds
Dec 27 18:21:58 charon: 12[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 18:21:58 charon: 12[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 18:21:58 charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA response 221 [ N(NO_PROP) ]
Dec 27 18:21:58 charon: 12[NET] <con1|1> received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Dec 27 18:21:58 charon: 12[NET] <con1|1> sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (604 bytes)
Dec 27 18:21:58 charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA request 221 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Dec 27 18:21:58 charon: 12[IKE] <con1|1> establishing CHILD_SA con1{221} reqid 1


LOG USG:
Dec 27 18:01:17 04[KNL] creating delete job for ESP CHILD_SA with SPI c2691399 and reqid {9}
Dec 27 18:01:18 14[KNL] creating acquire job for policy 10.0.10.248/32[udp/53190] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:01:18 09[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:04:03 03[KNL] creating delete job for ESP CHILD_SA with SPI c54b5f4e and reqid {9}
Dec 27 18:04:07 07[KNL] creating acquire job for policy 10.0.10.248/32[udp/53190] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:04:07 06[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:06:52 06[KNL] creating delete job for ESP CHILD_SA with SPI c7b48a1a and reqid {9}
Dec 27 18:06:58 13[KNL] creating acquire job for policy 10.0.10.35/32[udp/57351] === 10.0.0.2/32[udp/ldap] with reqid {9}
Dec 27 18:06:58 05[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:09:43 16[KNL] creating delete job for ESP CHILD_SA with SPI ca2da94e and reqid {9}
Dec 27 18:09:46 14[KNL] creating acquire job for policy 10.0.10.247/32[udp/43198] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:09:46 03[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:12:31 03[KNL] creating delete job for ESP CHILD_SA with SPI c17c60b9 and reqid {9}
Dec 27 18:12:34 01[KNL] creating acquire job for policy 10.0.10.10/32[udp/ntp] === 10.0.0.2/32[udp/ntp] with reqid {9}
Dec 27 18:12:34 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:15:19 04[KNL] creating delete job for ESP CHILD_SA with SPI c18b1a25 and reqid {9}
Dec 27 18:15:21 09[KNL] creating acquire job for policy 10.0.10.10/32[tcp/53470] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:15:21 14[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:18:06 14[KNL] creating delete job for ESP CHILD_SA with SPI cf80d564 and reqid {9}
Dec 27 18:18:06 03[KNL] creating acquire job for policy 10.0.10.36/32[udp/65109] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:18:06 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:20:51 06[KNL] creating delete job for ESP CHILD_SA with SPI caf65c20 and reqid {9}
Dec 27 18:20:57 13[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63902] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:20:57 05[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:23:42 16[KNL] creating delete job for ESP CHILD_SA with SPI cb037b0d and reqid {9}
Dec 27 18:23:43 14[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63918] === 10.0.0.2/32[tcp/ldap] with reqid {9}
Dec 27 18:23:43 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:26:28 14[KNL] creating delete job for ESP CHILD_SA with SPI c752c11f and reqid {9}
Dec 27 18:26:30 07[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63932] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:26:30 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:29:15 13[KNL] creating delete job for ESP CHILD_SA with SPI c322f689 and reqid {9}
Dec 27 18:29:17 16[KNL] creating acquire job for policy 10.0.10.35/32[udp/61295] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:29:17 16[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:32:02 04[KNL] creating delete job for ESP CHILD_SA with SPI cf7ba97e and reqid {9}
Dec 27 18:32:04 09[KNL] creating acquire job for policy 10.0.10.249/32[udp/42332] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:32:04 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:34:49 16[KNL] creating delete job for ESP CHILD_SA with SPI c17d055c and reqid {9}
Dec 27 18:34:55 14[KNL] creating acquire job for policy 10.0.10.36/32[udp/62771] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:34:55 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:37:40 05[KNL] creating delete job for ESP CHILD_SA with SPI c7f33e28 and reqid {9}
Dec 27 18:37:42 09[KNL] creating acquire job for policy 10.0.10.2/32[tcp/63971] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:37:42 13[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:40:27 13[KNL] creating delete job for ESP CHILD_SA with SPI c005197d and reqid {9}
Dec 27 18:40:28 11[KNL] creating acquire job for policy 10.0.10.35/32[udp/50850] === 10.0.0.4/32[udp/domain] with reqid {9}
Dec 27 18:40:28 03[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:43:13 01[KNL] creating delete job for ESP CHILD_SA with SPI c5d2257e and reqid {9}
Dec 27 18:43:13 15[KNL] creating acquire job for policy 10.0.10.10/32[tcp/44374] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:43:13 06[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:45:58 14[KNL] creating delete job for ESP CHILD_SA with SPI cf48c9d0 and reqid {9}
Dec 27 18:46:10 05[KNL] creating acquire job for policy 10.0.10.10/32[tcp/45756] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:46:10 13[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:48:55 14[KNL] creating delete job for ESP CHILD_SA with SPI c03f73ae and reqid {9}
Dec 27 18:48:56 04[KNL] creating acquire job for policy 10.0.10.2/32[tcp/64015] === 10.0.0.2/32[tcp/loc-srv] with reqid {9}
Dec 27 18:48:56 05[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:51:41 16[KNL] creating delete job for ESP CHILD_SA with SPI c512e977 and reqid {9}
Dec 27 18:52:19 07[KNL] creating acquire job for policy 10.0.10.247/32[udp/43198] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 18:52:19 06[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:55:04 15[KNL] creating delete job for ESP CHILD_SA with SPI c70209a6 and reqid {9}
Dec 27 18:55:07 05[KNL] creating acquire job for policy 10.0.10.10/32[tcp/52598] === 10.0.0.10/32[tcp/webmin] with reqid {9}
Dec 27 18:55:07 09[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 18:55:40 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> deleting IKE_SA peer-xx.xx.xx.xx-tunnel-0[3] between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 18:55:40 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|3> IKE_SA deleted
Dec 27 18:55:42 06[IKE] <4> xx.xx.xx.xx is initiating an IKE_SA
Dec 27 18:55:42 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> IKE_SA peer-xx.xx.xx.xx-tunnel-0[4] established between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 18:55:42 07[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9} established with SPIs c62702d8_i ca7a7672_o and TS 10.0.10.0/24 === 10.0.0.0/24
Dec 27 18:57:52 03[KNL] creating delete job for ESP CHILD_SA with SPI cf4db89e and reqid {9}
Dec 27 19:25:44 16[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> closing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9} with SPIs c62702d8_i (649276 bytes) ca7a7672_o (10290589 bytes) and TS 10.0.10.0/24 === 10.0.0.0/24
Dec 27 19:25:56 04[KNL] creating acquire job for policy 10.0.10.249/32[udp/42332] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 19:25:56 09[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 19:28:41 13[KNL] creating delete job for ESP CHILD_SA with SPI c83837e9 and reqid {9}
Dec 27 19:28:55 05[KNL] creating acquire job for policy 10.0.10.247/32[udp/43198] === 10.0.0.1/32[udp/domain] with reqid {9}
Dec 27 19:28:55 01[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> establishing CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9}
Dec 27 19:28:59 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> deleting IKE_SA peer-xx.xx.xx.xx-tunnel-0[4] between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 19:28:59 11[IKE] <peer-xx.xx.xx.xx-tunnel-0|4> IKE_SA deleted
Dec 27 19:29:01 06[IKE] <5> xx.xx.xx.xx is initiating an IKE_SA
Dec 27 19:29:01 14[IKE] <peer-xx.xx.xx.xx-tunnel-0|5> IKE_SA peer-xx.xx.xx.xx-tunnel-0[5] established between yy.yy.yy.yy[yy.yy.yy.yy]...xx.xx.xx.xx[xx.xx.xx.xx]
Dec 27 19:29:01 14[IKE] <peer-xx.xx.xx.xx-tunnel-0|5> CHILD_SA peer-xx.xx.xx.xx-tunnel-2{9} established with SPIs c5c0811a_i c0da16a2_o and TS 10.0.10.0/24 === 10.0.0.0/24


The connection works again for a few minutes when the VPN server on the OPNsense is restarted.

Best regards
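The two CFG lines in the OPNsense log above show the mismatch directly: every configured ESP proposal carries MODP_1024 as its DH group, while the received proposal offers none (the peer's CREATE_CHILD_SA request `[ SA No TSi TSr ]` also has no KE payload). As an added example, not part of the post and not strongSwan code, the following Python script parses such `configured proposals:` / `received proposals:` lines and reports which transform types keep every configured proposal from matching the received one. The transform-name prefixes it classifies by are an assumption based on strongSwan's naming and cover the common ESP transforms only; the sample lines are copied from the post.

```python
"""Diagnose NO_PROPOSAL_CHOSEN on CHILD_SA rekey from charon log lines.

Added example (not from the forum post, not strongSwan code). It parses
the 'configured proposals:' / 'received proposals:' lines charon logs
and reports which transform types keep every configured proposal from
matching the received one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: strongSwan transform names follow these prefixes. Enough
# for the common IKEv2 ESP transforms; extend as needed.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")
INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC")
ESN_TOKENS = {"NO_EXT_SEQ", "EXT_SEQ"}

PROPOSAL_RE = re.compile(r"\b(configured|received) proposals: (.*)$")

# Constructed sample: the two CFG lines from the OPNsense log in the post.
SAMPLE_LOG = [
    "Dec 27 18:22:14 charon: 14[CFG] <con1|1> configured proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, "
    "ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, "
    "ESP:BLOWFISH_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, "
    "ESP:BLOWFISH_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, "
    "ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "Dec 27 18:22:14 charon: 14[CFG] <con1|1> received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ",
]


@dataclass(frozen=True)
class Proposal:
    protocol: str            # "ESP", "AH" or "IKE"
    encr: Optional[str]      # cipher, e.g. AES_CBC_256
    integ: Optional[str]     # integrity, e.g. HMAC_SHA1_96 (None for AEAD)
    dh: Optional[str]        # DH group; None means no PFS group offered
    esn: Optional[str]       # NO_EXT_SEQ / EXT_SEQ

    @classmethod
    def parse(cls, text: str) -> "Proposal":
        """Parse 'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ'."""
        proto, _, transforms = text.partition(":")
        encr = integ = dh = esn = None
        for tok in transforms.split("/"):
            if tok in ESN_TOKENS:
                esn = tok
            elif tok.startswith(DH_PREFIXES):
                dh = tok
            elif tok.startswith(INTEG_PREFIXES):
                integ = tok
            else:                # anything else is treated as the cipher
                encr = tok
        return cls(proto, encr, integ, dh, esn)


def parse_log(lines) -> Tuple[List[Proposal], List[Proposal]]:
    """Collect (configured, received) proposals from charon log lines."""
    configured: List[Proposal] = []
    received: List[Proposal] = []
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        props = [Proposal.parse(p.strip()) for p in m.group(2).split(",")]
        (configured if m.group(1) == "configured" else received).extend(props)
    return configured, received


FIELDS = ("protocol", "encr", "integ", "dh", "esn")


def diagnose(configured, received) -> Optional[List[str]]:
    """None if any configured proposal matches a received one, otherwise
    the distinct rejection reasons, one per (configured, received) pair.

    strongSwan requires every transform type present on either side to
    agree, so a configured proposal with a DH group never matches a
    received proposal that offers none.
    """
    reasons = set()
    for r in received:
        for c in configured:
            diffs = [f for f in FIELDS if getattr(c, f) != getattr(r, f)]
            if not diffs:
                return None
            reasons.add("; ".join(
                f"{f}: configured {getattr(c, f)} vs received {getattr(r, f)}"
                for f in diffs))
    return sorted(reasons)


def pfs_mismatch(configured, received) -> bool:
    """True when all configured proposals demand a DH group (PFS) but no
    received proposal offers one. The first CHILD_SA is negotiated inside
    IKE_AUTH without a KE payload, so the tunnel comes up; only the later
    CREATE_CHILD_SA rekey fails with NO_PROPOSAL_CHOSEN."""
    return (bool(configured) and bool(received)
            and all(c.dh for c in configured)
            and not any(r.dh for r in received))


if __name__ == "__main__":
    cfg, rcv = parse_log(SAMPLE_LOG)
    for reason in diagnose(cfg, rcv) or ["proposals match"]:
        print(reason)
    print("PFS mismatch:", pfs_mismatch(cfg, rcv))
```

Feed it the side of the log where charon prints both lists (here the OPNsense side). When `pfs_mismatch` reports true, the fix is to make both peers agree on the phase 2 DH group: either configure the same PFS group on the USG, or clear the PFS group on the OPNsense phase 2, so rekeys offer the same group (or none) in both directions.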
#16
Hi guys!
After the upgrade from 17.1.11 to 17.7 no internet connection is possible.

-WAN interface is online and gets an IP over DHCP
-WAN DHCP gateway is also shown as online

But still no connection is possible (no ping, no dns lookup possible)

Do you have any ideas where to check for the issue?

Alex
#17
Hi folks,
I have a site-to-site VPN between two OPNsense boxes. The connection itself is up and running. My issue is that I cannot access each site from the other.

The firewall configured on the server side looks like this:


The firewall monitoring (server) is still showing some blocks


I don't understand this behaviour. What's wrong here?

br,Alex

--> fixed it by disabling IPV6 and allowing "Dynamic IPs" on Server
#18
16.1 Legacy Series / One Time Password issue (?)
June 12, 2016, 07:58:23 PM
I'm following this guide to configure a two-factor authentication
https://docs.opnsense.org/manual/how-tos/two_factor.html

After it I'm going to System >> Access >> Tester and always get an "Authentication failed." message.

Can anybody confirm that two factor authentication is working? I'm using this app https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

#19
16.1 Legacy Series / [SOLVED] No DNS Resolution
March 29, 2016, 03:19:40 PM
Hi
I'm on OPNsense 16.1.8. Before this issue I tried to switch between the DNS Forwarder and DNS Resolver.
DNS lookup is now only working from the OPNsense box itself. From the connected PCs I'm able to ping IP addresses on the Internet but unable to open any sites.
I already tried the factory reset as well ... with no success.

Thx for any hints to fix/troubleshoot this.