Topics

[(Update) notes on AWS]

Hi all, I want to use opnSense to connect to open a site-2-site IPsec VPN with a partner. That does not work.

I configured a policy-based IPsec VPN using the "new" connection-based interface, and in the logs I get this error: "error writing to socket: Can't assign requested address". Naturally, it doesn't work.

As for the setup:

• I am using the AMI image from AWS, it boots and seems to be working just fine
• opnSense is deployed in a VPN, and naturally thinks it's own IP address is something out of a 10.x.x.x network (external elastic IPs can't be seen by EC2 hosts anyway, also we're using an elastic IP for continuity)
• I configured the VPN connection (see images below) according to the documentation: https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections
• Result: it does not work

(Update) notes on AWS

There is only one network interface attached: This instance should basically be a bridge between Road Warriors and the partner's network. (Our road warriors connect to opnSense using a to-be-set-up VPN connection, opnSense enables access to the partner's network via the site-2-site VPN). I am already failing at the site-2-site VPN now.

Could someone please help? Screenshots and log excerpts below. My initial idea is that opnSense has issues with the elastic IP, which is "invisible" to it, usually. But that's just a wild hunch and might be utterly and totally wrong.

Tunnel settings



Tunnel local auth config



Tunnel remote auth config



Tunnel child settings



PSK overview



PSK detail



Log file

Code Select Expand


2024-05-10T16:19:55 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> establishing IKE_SA failed, peer not responding
2024-05-10T16:19:55 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> giving up after 5 retransmits
2024-05-10T16:18:39 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:18:39 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:18:39 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 5 of request with message ID 0
2024-05-10T16:17:57 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:57 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:57 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 4 of request with message ID 0
2024-05-10T16:17:34 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:34 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:34 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 3 of request with message ID 0
2024-05-10T16:17:21 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:21 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:21 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 2 of request with message ID 0
2024-05-10T16:17:14 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:14 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:14 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 1 of request with message ID 0
2024-05-10T16:17:10 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:10 Informational   charon  15[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:10 Informational   charon  15[ENC] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]


Hallo zusammen, ich möchte zwischen meinen "Standorten" eine VPN Verbindung einrichten. Die Verbindung an sich (!) scheint zu stehen, jedenfalls ist bei "Status overview" das grüne Symbol sichtbar (siehe erstes angehängtes Bild). Ab und zu (!) sehe ich allerdings kurz das rote "x" statt des grünen ">" (also "keine Verbindung).

Aber: Ich bekomme keine Verbindung, und ich sehe in den log files das unten stehende. Ebenfalls sehe ich unter "Interfaces" kein "ipsec" interface (siehe zweites angehängtes Bild).

Frage: Hat jemand eine Idee, was ich hier falsch mache, oder was der nächste Schritt im Debugging wäre?

Grüße & danke im Voraus!
Axel.

Code Select Expand


[...] 04[NET] error writing to socket: Can't assign requested address
[...] 05[NET] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> sending packet: from 7x.3x.11x.xx[500] to 8x.1xx.4x.8x[500] (972 bytes)
[...] 05[IKE] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> retransmit 5 of request with message ID 0
[...] 04[NET] error writing to socket: Can't assign requested address
[...] 05[NET] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> sending packet: from 7x.3x.11x.xx[500] to 8x.1xx.4x.8x[500] (972 bytes)
[...] 05[IKE] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> retransmit 4 of request with message ID 0
[...] 04[NET] error writing to socket: Can't assign requested address
[...] 11[NET] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> sending packet: from 7x.3x.11x.xx[500] to 8x.1xx.4x.8x[500] (972 bytes)
[...] 11[IKE] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> retransmit 3 of request with message ID 0
[...] 04[NET] error writing to socket: Can't assign requested address
[...] 11[NET] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> sending packet: from 7x.3x.11x.xx[500] to 8x.1xx.4x.8x[500] (972 bytes)
[...] 11[IKE] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> retransmit 2 of request with message ID 0
[...] 04[NET] error writing to socket: Can't assign requested address
[...] 11[NET] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> sending packet: from 7x.3x.11x.xx[500] to 8x.1xx.4x.8x[500] (972 bytes)
[...] 11[IKE] <15fca30b-a1b8-45e7-a5ee-e29b8d99d574|4> retransmit 1 of request with message ID 0
[...] 04[NET] error writing to socket: Can't assign requested address


hallo forum, ich brauche jemanden der mir mal opnsense grundzüge erklärt. hintergrund:

• ich möchte ein opnsense als ipsec-vpn-terminator für ein vpc in aws nutzen
• die nutzer sollen nicht gegenseitig aufeinander zugreifen können, und nur auf einen server im vpc
• das aufsetzen in AWS hat bisher IMMER dazu geführt dass ich mich selbst ausgeschlossen habe
• die jetzt funktionierende variante hat offenbar keine aktive firewall
• ich bin lost

dafür würden wir auch 2-3 stunden intro bezahlen, sofern am ende natürlich eine funktionierende variante rauskommt. das szenario ist allerdings konzeptionell in meinen augen so simpel dass wir hier erst einmal selbst wissen sammeln möchten (statt eines managed-service-modells).

gibt es jemanden der dafür bereit stünde? fragen / angebote / etc. gern direkt an mich per mail, ab@a3b3.de.

grüße & danke schon mal vorab! :)

hi forum, i have an opnsense host in an AWS VPC with two NICs in two subnets. it starts, i can get the passwords, i can ssh into it, all is fine.

when i then "sudo" into the main "menu" on the cli and assign the interfaces, the host goes black. no connection at all is possible, on both interfaces. ping does not work.

am i doing something wrong here? why is that happening, and is there - maybe - an easier way to set up opnsense as a VPN gateway, maybe with one interface only?

thanks in advance!