OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of mickbee »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - mickbee

Pages: [1]
1
17.1 Legacy Series / IPSEC fw rules don't trigger
« on: January 21, 2017, 11:46:05 pm »
Hi guys,

another odd issue i came across; the scenario is as follows:

APU2 running OPNsense 16.7.13-amd64 on FreeBSD 10.3-RELEASE-p14, connected via an IPSEC v2 LAN to LAN tunnel with a:
Soekris 5501-70 running OPNsense 17.1.r1-i386 on FreeBSD 11.0-RELEASE-p5

Tunnel seems to be up at the time when I'm making my tests - this is confirmed by seeing the traffic on the Soekris box in the fw log; both boxes' config has apropriate rules for allowing ICMP from a number of networks (using aliases) to networks TCP;ICMP;

The log confirms that pings arrived at the remote box and got blocked; clicking on the green arrow in the log entry creates an easy rule and even after filter reload, all ping attempts get blocked.

Note that the same applies to all (around 10) rules within the IPSEC tab - most rely on aliases for source/destination/dest.port but two are IP -> IP / any and those don't work either.

No other 17.1 boxes (have 2 more but diff hw/vm and on 10.3 instead) display the same behavior.

2
16.7 Legacy Series / IPSEC issues latest stable
« on: December 28, 2016, 03:09:30 pm »
Hi guys,

Thanks for all the great work you're doing, OPNsense is awesome! Saying that after I've been using PFSense for many many years on all sorts of platforms.

To the point, I migrated some PFSense boxes to OPNsense the other day whilst retaining my IPSEC mesh config (with around 9 boxes doing network to network as required). Most settings are as follows:

v2, default conn, IPv4, via the WAN interface (or a virtual IP on the WAN if), main, mutual PSK, IP addresses as identifiers, AES128/SHA1, DH2, default lifetime, no DPD or NAT-T;

Phase2 is LAN to LAN IPv4 tunnel, ESP, Blowfish128/MD5, PFS2 with default lifetime and ping set to target remote gateway internal IPs.

All worked fine on PFsense being super stable, now i'm getting tunnels dropping every few minutes or hours at random, being offline for a few minutes and then going back; some tunnels never go up anymore (always same ones) but examining their respective configs on both ends of that given link (dump xml and check what's in it) shows no inconsistencies.

Is there a known bug? (tried looking, nothing seems to be that) hence my question - unless there are any reasons why the above settings would yield poor results on OPNsense?

thanks and happy new year everyone!

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2020 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2