Topics

1

17.1 Legacy Series / 17.1.1 ipsec reneg delays

« on: February 22, 2017, 01:44:53 pm »

I have configured site to site ipsec from one opnsense to another and clients have intermittent connection issues through the connection. At some point the tunnel drops and renegotiation is not successful for several minutes.

Going through the log, i stumbled upon this:
peer A:
Feb 22 14:30:02 peerA charon: 06[IKE] sending cert request for -----cert information deleted as this is a public forum----
Feb 22 14:30:02 peerA charon: 06[IKE] sending cert request for -----cert information deleted as this is a public forum----

peer B:
Feb 22 14:30:02 peerB charon: 12[IKE] received 2 cert requests for an unknown ca
 


Ipsec negotiation succeeds 2 minutes(!) later.

The strange thing is that ipsec is configured to use Mutual PSK, not certificates. The certificates in question are used for OpenVPN clients on peer A.


Why does ipsec use these certificates at all?
Am I right to suspect that this is the cause for the delay that one peer tries to authenticate using these CAs?

2

16.7 Legacy Series / OpenVPN certificate CRL automation

« on: January 05, 2017, 05:19:58 pm »

We are signing our VPN user certificates outside OPNsense box.

Where does OPNsense save the CRL that is imported through the web gui?

Can I upload the CRL to OPNSense box without importing it through the web GUI? For instance with scp. Or have OPNsense pull the CRL from another server at an interval?

3

16.7 Legacy Series / LAN goes down even on minor configuration changes

« on: September 07, 2016, 10:09:05 am »

Hi,

i'm testing the opnsense for the first time. I noticed the LAN goes down (no ping, etc) even on the most minute changes.
For instance when creating a new DNS Forwarder host override and applying settings results in the router being offline for ~20 seconds. Same when adding a static DHCP mapping.

Is this normal for opnsense? Does it always take the interface down in addition to restarting dnsmasq on those changes.