
Topics - 0xDEADC0DE

#1
What are these upgrade scripts and where can I find them?
#2
I have the same problem as this poster had 7 years ago.
https://forum.opnsense.org/Archive/17_1_Legacy_Series/17_1_images_will_not_boot

When I go into the boot options with 3, I can do

set kern.vty="vt"
boot

and it boots.
I've edited /boot/loader.conf
as described here: https://www.reddit.com/r/freebsd/comments/mdo0ma/following_a_tutorial/
The default with a new installation is sc.
When I change it to vt, will it survive upgrades? If not, I have to send back the new router and get another one.
Any suggestion on what else I can do? Yes, I could install with CSM and without UEFI, but that shouldn't be necessary.

Thanks
#3
25.1, 25.4 Legacy Series / SMART not working correctly?
February 10, 2025, 11:39:19 PM
I have the SMART status of my HDD on my dashboard.

It shows okay, but the disk has many errors. I only recognized it when I updated to 25.1 and it took around 1 hour to install and reboot.
Is it a bug in the SMART plugin?

Error 623 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  40 51 00 e0 f5 18 40  Error: UNC at LBA = 0x0018f5e0 = 1635808

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  60 08 48 e0 f5 18 0a 08   1d+02:41:17.786  READ FPDMA QUEUED
  60 08 48 e0 f5 18 0a 08   1d+02:41:17.785  READ FPDMA QUEUED
  60 40 38 e8 73 01 00 08   1d+02:41:17.785  READ FPDMA QUEUED
  61 40 30 e8 73 01 00 08   1d+02:41:17.785  WRITE FPDMA QUEUED
  61 40 28 a8 0b 00 00 08   1d+02:41:17.784  WRITE FPDMA QUEUED

Error 622 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  40 51 01 e0 f5 18 40  Error: UNC at LBA = 0x0018f5e0 = 1635808

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  60 08 40 e0 f5 18 0a 08   1d+02:40:41.447  READ FPDMA QUEUED
  60 08 38 c8 60 17 0a 08   1d+02:40:41.442  READ FPDMA QUEUED
  60 08 30 f8 04 1c 0a 08   1d+02:40:41.438  READ FPDMA QUEUED
  60 40 28 e8 be 16 0a 08   1d+02:40:41.433  READ FPDMA QUEUED
  60 08 20 e8 3b c3 0d 08   1d+02:40:41.423  READ FPDMA QUEUED

Error 621 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  40 51 01 5f e7 2f 4a  Error: UNC 1 sectors at LBA = 0x0a2fe75f = 170911583

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  c8 00 01 5f e7 2f 0a 08   1d+02:40:30.984  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:24.877  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:18.729  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:12.657  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:06.568  READ DMA

Error 620 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  40 51 01 5f e7 2f 4a  Error: UNC 1 sectors at LBA = 0x0a2fe75f = 170911583

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  c8 00 01 5f e7 2f 0a 08   1d+02:40:24.877  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:18.729  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:12.657  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:06.568  READ DMA
  c8 00 01 5e e7 2f 0a 08   1d+02:40:00.468  READ DMA

Error 619 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  40 51 01 5f e7 2f 4a  Error: UNC 1 sectors at LBA = 0x0a2fe75f = 170911583

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  c8 00 01 5f e7 2f 0a 08   1d+02:40:18.729  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:12.657  READ DMA
  c8 00 01 5f e7 2f 0a 08   1d+02:40:06.568  READ DMA
  c8 00 01 5e e7 2f 0a 08   1d+02:40:00.468  READ DMA
  c8 00 01 5e e7 2f 0a 08   1d+02:39:54.317  READ DMA
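The gap described above, a dashboard that reports the SMART status as okay while the error log records repeated UNC read errors, is one a log parser can close. As an added example that is not code from the post or from the OPNsense SMART plugin, here is a Python parser for the smartctl error-log format quoted above. The sample is a constructed excerpt of the entries in the post, trimmed to the header and register lines; the current power-on hour passed to summarize() is assumed to come from the disk's Power_On_Hours attribute.

```python
import re
from collections import Counter

# Constructed sample: the error entries quoted in the post above, trimmed to the
# header line and the register line that carries the LBA.
SAMPLE_LOG = """\
Error 623 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  ER ST SC SN CL CH DH
  40 51 00 e0 f5 18 40  Error: UNC at LBA = 0x0018f5e0 = 1635808

Error 622 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  ER ST SC SN CL CH DH
  40 51 01 e0 f5 18 40  Error: UNC at LBA = 0x0018f5e0 = 1635808

Error 621 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  ER ST SC SN CL CH DH
  40 51 01 5f e7 2f 4a  Error: UNC 1 sectors at LBA = 0x0a2fe75f = 170911583

Error 620 occurred at disk power-on lifetime: 23008 hours (958 days + 16 hours)
  ER ST SC SN CL CH DH
  40 51 01 5f e7 2f 4a  Error: UNC 1 sectors at LBA = 0x0a2fe75f = 170911583
"""

HEADER_RE = re.compile(r"^Error (\d+) occurred at disk power-on lifetime: (\d+) hours")
# Register line: first column is the ATA error register (ER), then the error text.
REGS_RE = re.compile(
    r"^\s*([0-9a-f]{2}) [0-9a-f]{2} .*?Error: (\w+)(?: (\d+) sectors)? at LBA = 0x([0-9a-f]+) = (\d+)"
)
ER_UNC = 0x40  # UNC bit of the ATA error register: uncorrectable data error


def parse_error_log(text):
    """Return one dict per 'Error N occurred ...' entry: number, power-on hour,
    error type, affected LBA and whether the ER register carries the UNC bit."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"num": int(m.group(1)), "hours": int(m.group(2))}
            entries.append(current)
            continue
        m = REGS_RE.match(line)
        if m and current is not None:
            er = int(m.group(1), 16)
            current.update(kind=m.group(2), lba=int(m.group(5)), unc=bool(er & ER_UNC))
    return entries


def summarize(text, lifetime_hours):
    """Aggregate the entries: error count, distinct LBAs, LBAs that repeat (a repeated
    UNC at one LBA is an unreadable sector, not a one-off glitch), and whether the
    newest error happened in the disk's current power-on hour."""
    entries = parse_error_log(text)
    per_lba = Counter(e["lba"] for e in entries if "lba" in e)
    newest = max(entries, key=lambda e: e["num"], default=None)
    return {
        "errors": len(entries),
        "unc_errors": sum(1 for e in entries if e.get("unc")),
        "distinct_lbas": len(per_lba),
        "repeated_lbas": sorted(lba for lba, n in per_lba.items() if n > 1),
        "recent": newest is not None and newest["hours"] == lifetime_hours,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, 23008))
```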
#4
Virtual private networks / Wireguard multiple WAN ports
January 28, 2023, 11:39:22 PM
I'm often in Dubai; VPN is legal but often filtered in hotels.
I have a Wireguard server running on OPNsense and it's working great, but sometimes in the hotels they start blocking this port. So as an alternative I wanted to add more ports I can use as fallbacks.

First try was to clone the whole Wireguard server with all assigned endpoints.
They get new interfaces wg1 to wg3 but don't appear in the interfaces overview.
Only when I create a new server and not clone one.
So I thought a new config makes more work and I tried to go to the firewall
and route all ports 51821 to 52825 to the same local port 51820 so Wireguard is working.
I could get it working, so any hints if this is even possible would be helpful.

#5
I installed the update from the Web UI and got some messages, but the update rebooted too fast.
When I do a health check, I get these missing dependencies. What should it do?
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
#6
I installed the 21.7.4 update yesterday and the OpenVPN clients with AD authentication cannot connect anymore.
I have installed the certificates under System -> Trust -> Authorities and they are still valid.
When I use the internal tester, I get this error.

The following input errors were detected:

    Authentication failed.
    error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
    ldap_error: Can't contact LDAP server

I have our internal CA, intermediate CA and the DC certificates installed.
How can I fix it?
#7
I have configured some real servers, backend pools, public services, conditions and rules.
If HAProxy is enabled, the "Save & Test syntax" is working.
If HAProxy is disabled, I get a lot of warnings.

HAProxy config contains critical errors
[NOTICE] 093/103813 (88702) : haproxy version is 2.2.11-c58c4e4
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:9]: unknown keyword 'uid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:10]: unknown keyword 'gid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:11]: unknown keyword 'chroot' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:12]: unknown keyword 'daemon' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:13]: unknown keyword 'stats' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:14]: unknown keyword 'nbproc' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:15]: unknown keyword 'nbthread' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:16]: unknown keyword 'tune.ssl.default-dh-param' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:17]: unknown keyword 'spread-checks' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:18]: unknown keyword 'tune.chksize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:19]: unknown keyword 'tune.bufsize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:20]: unknown keyword 'tune.lua.maxmem' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:21]: unknown keyword 'log' out of section.
[ALERT] 093/103813 (88702) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] 093/103813 (88702) : Fatal errors found in configuration.

This happens because the config is invalid when I disable HAProxy.

#
# NOTE: HAProxy is currently DISABLED
#global
    uid                         80
    gid                         80

You can see that just global is commented out.
Isn't there a better way to enable/disable HAProxy?
It doesn't sound like a good solution to have to enable HAProxy to test the syntax.
#8
On the OpenVPN server settings, I can select ONE encryption algorithm.
Some years ago, I selected AES-256-CBC, but the current client logs a warning that this algorithm will be deprecated in the future.
Now I want to migrate slowly to a better algorithm AES-256-GCM as suggested by OpenVPN but I have a lot of users I cannot change immediately.
My idea is to select the new and the old algorithm so new and old configs can connect and in 6 months, I can turn off the old algorithm.
Since OpenVPN 2.4, this is possible, but I cannot do it in the GUI. Can you change that?
Is it possible to configure it on the command line?
#9
I've tried all the possible solutions I could find and nothing worked until I created one certificate per domain controller with the IP address in the common name.
Before, I had one certificate for all domain controllers with the different names in the subject alt name section.
Is this not supported?
Before I changed to a single certificate per DC, I always got this error in the logs.

opnsense: LDAP bind error [TLS: hostname does not match CN in peer certificate,Can't contact LDAP server]
#10
General Discussion / Question about haproxy
October 22, 2018, 12:16:21 PM
Currently we have different services running behind our OPNsense box like
otrs, mattermost, svn, website and so on.
Only one website is currently running on port 443; all other sites use different
ports. Now I want to change all websites to use the standard port 443.
I cannot do Let's Encrypt on OPNsense with haproxy as some sites use client
certificates and they have different requirements for TLS.
Is there a possibility to only inspect the SNI and forward the "raw" TCP to the correct server?
I know that I cannot use ESNI with TLS 1.3 then but I don't care about that.
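The SNI-based routing asked about in the post above, as an added example that is not from the post or the OPNsense HAProxy plugin: a parser that reads the server_name out of the first TLS record of a connection and maps it to a backend, without decrypting anything, which is what HAProxy's `req.ssl_sni` fetch does in a TCP-mode frontend behind a `tcp-request inspect-delay`. The ClientHello builder, hostnames and backend addresses are constructed for the demonstration.

```python
def build_client_hello(hostname):
    """Constructed test input: a minimal ClientHello with an SNI extension, preceded
    by an unrelated extension so the parser has to walk the extension list."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type 0 = host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    exts = (b"\x00\x2b\x00\x03\x02\x03\x04"                          # supported_versions ext
            + b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list)  # server_name ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record type 0x16


def extract_sni(data):
    """Return the host_name a TLS ClientHello asks for, lowercased; None when the bytes
    are not a complete ClientHello (not TLS, or more bytes still needed) or carry no SNI."""
    pos = 0

    def take(n):                       # consume n bytes or signal a truncated record
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def u(n):
        return int.from_bytes(take(n), "big")

    try:
        if u(1) != 0x16:               # TLS record type must be handshake
            return None
        take(2)                        # record version
        if 5 + u(2) > len(data):       # record length: whole ClientHello not received yet
            return None
        if u(1) != 0x01:               # handshake type must be ClientHello
            return None
        take(3 + 2 + 32)               # handshake length, client_version, random
        take(u(1))                     # session_id
        take(u(2))                     # cipher_suites
        take(u(1))                     # compression_methods
        end = pos + u(2)               # extensions block
        while pos + 4 <= end:
            etype, elen = u(2), u(2)
            body = take(elen)
            if etype != 0:             # not server_name, skip it
                continue
            p, list_end = 2, 2 + int.from_bytes(body[:2], "big")
            while p + 3 <= list_end:   # entries: name_type(1) length(2) name
                nlen = int.from_bytes(body[p + 1:p + 3], "big")
                name = body[p + 3:p + 3 + nlen]
                if body[p] == 0 and len(name) == nlen:
                    return name.decode("ascii").lower()
                p += 3 + nlen
            return None
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    return None


# Constructed routing table: placeholder hostnames and addresses, not from the post.
ROUTES = {
    "otrs.example.com": ("192.0.2.11", 443),
    "mattermost.example.com": ("192.0.2.12", 8443),
    "svn.example.com": ("192.0.2.13", 443),
}


def choose_backend(first_bytes, routes=ROUTES):
    """Pick the backend from a connection's first bytes; None means no route matched
    (HAProxy would then use its default_backend or reject the connection)."""
    return routes.get(extract_sni(first_bytes))
```

Because the name is read from the unencrypted ClientHello, the TLS session itself, including any client-certificate requirement, is still terminated by the backend.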
#11
18.7 Legacy Series / haproxy port 443 questions
September 30, 2018, 01:35:52 PM
I have some difficulties setting up haproxy in this configuration:

WAN access on port 443 (https), distributing to different backend servers depending on the domain name, is working.
LAN access on port 443 for the OPNsense GUI doesn't work.
I can access it when I change it to e.g. port 9999.
How can I configure this setup? Is it even possible?
#12
When I connect with OpenVPN I get this warning:

WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.

pfSense fixed it already. Perhaps you can include the code.
https://forum.pfsense.org/index.php?topic=129676.0

I get many requests from my users about this warning. Currently I fixed it by manually
editing the config file.
#13
Everything was running fine for 2 weeks. Last night, the WAN link state changed to DOWN and UP very often.
In the morning we had no internet access.
I've rebooted our OPNsense box and everything was up again.
I don't know what the problem was. Here is the log from where it started until the reboot.
Can you tell me if this is a bug?

Sep 13 02:40:03 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:40:03 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns5'
Sep 13 02:40:02 configd.py: [63403cdd-e6d7-4007-b78b-4014c07edeb8] rc.newwanip starting ovpns5
Sep 13 02:40:02 kernel: ovpns5: link state changed to UP
Sep 13 02:40:02 configd.py: [e0cfefb7-5a7d-42ae-a54d-701a599ac0e7] Reloading filter
Sep 13 02:39:41 configd.py: [d2b1f58b-3b49-4b14-9bdd-9c06ae7a95ce] Reloading filter
Sep 13 02:39:41 kernel: ovpns5: link state changed to DOWN
Sep 13 02:39:19 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:39:19 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Sep 13 02:39:19 configd.py: [cd83e9ad-8a4c-4ed8-a9f7-24e2da789d76] rc.newwanip starting ovpns1
Sep 13 02:39:19 kernel: ovpns1: link state changed to UP
Sep 13 02:39:19 configd.py: [249d32c0-65af-4bb4-81bc-edbfc399dc96] Reloading filter
Sep 13 02:38:57 configd.py: [dab74afd-ced8-45e1-9dbf-d72399c19407] Reloading filter
Sep 13 02:38:57 kernel: ovpns1: link state changed to DOWN
Sep 13 02:38:36 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:38:35 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns2'
Sep 13 02:38:35 configd.py: [27ab7445-31cb-4b51-98c9-87420e82856d] rc.newwanip starting ovpns2
Sep 13 02:38:35 kernel: ovpns2: link state changed to UP
Sep 13 02:38:35 configd.py: [2f5732e1-db7d-43b8-9f2e-c05775d483bd] Reloading filter
Sep 13 02:38:14 configd.py: [467fc001-9fcc-48ca-86b6-7b22f35ae2e0] Reloading filter
Sep 13 02:38:14 kernel: ovpns2: link state changed to DOWN
Sep 13 02:38:14 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Sep 13 02:37:52 configd.py: unable to sendback response [OK ] for [interface][linkup][['start', 'em1']] {a54bba41-7551-40c7-a3dc-16fe8fa6acac}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall('%s\n' % result) File "/usr/local/lib/python2.7/socket.py", line 228, in meth return getattr(self._sock,name)(*args) error: [Errno 32] Broken pipe
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route delete -inet '192.168.10.0/24'' returned exit code '1', the output was 'route: route has not been found delete net 192.168.10.0 fib 0: not in table'
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em1 > /tmp/em1_output 2> /tmp/em1_error_output' returned exit code '1', the output was ''
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Sep 13 02:37:49 configd.py: [724674ff-a5c8-4bd7-809f-702114f51e5f] Linkup starting em1
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 192.168.177.1.
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Sep 13 02:37:49 configd.py: [b6c0122c-38cf-4580-8ce8-171c42dbcf13] Linkup stopping em1
Sep 13 02:37:49 configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 192.168.177.1
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.177.55) (interface: WAN[wan]) (real interface: em1).
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
Sep 13 02:37:18 kernel: em1: link state changed to UP
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route delete -inet '192.168.10.0/24'' returned exit code '1', the output was 'route: route has not been found delete net 192.168.10.0 fib 0: not in table'
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route add -'inet' default '192.168.177.1'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add net default: gateway 192.168.177.1 fib 0: Network is unreachable'
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to 192.168.177.1
Sep 13 02:36:23 kernel: em1: link state changed to DOWN
Sep 13 02:35:49 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Sep 13 02:35:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Sep 13 02:35:49 configd.py: [a54bba41-7551-40c7-a3dc-16fe8fa6acac] Linkup starting em1
Sep 13 02:35:49 kernel: em1: link state changed to UP
Sep 13 02:35:44 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 192.168.177.1.
Sep 13 02:35:44 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Sep 13 02:35:44 configd.py: [bf9e83d3-05a9-44a5-82c3-f3800368d9ad] Linkup stopping em1
Sep 13 02:35:44 kernel: em1: link state changed to DOWN
#14
Out of nowhere, 8 IPsec tunnels went offline and cannot be started anymore.
After some lengthy debugging I found the following in the logs.

Aug 29 00:42:09    charon: 16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ
Aug 29 00:42:09    charon: 16[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_1536/NO_EXT_SEQ

But I did not configure MODP_2048, I configured MODP_1536.
I looked at Phase 2. No matter what I set under PFS, when I run

cat /usr/local/etc/ipsec.conf
it ALWAYS says
esp = aes256-sha512-modp2048!
I can change AES and change SHA etc. But -modp2048 ALWAYS stays behind every esp setting and for every IPsec connection. Where does that suddenly come from?
Even deleting and recreating the Phase 2 entries changes nothing.

Oh, and in the GUI everything I configured is correct.
Whatever PFS setting I choose, it is there. Only the entry in ipsec.conf is ALWAYS wrong.
#15
With site-to-site tunnels I have no problem at all with the firewall rules.
Source set to network A/B/C and I can define different rules depending on the
site-to-site VPN.
But how do I create different road warrior VPN rules?
On our previous ZyWALL I could simply define different "VPN zones"
and in the firewall rules I could then select the VPN there and configure the firewall that way.
How do I now distinguish a road warrior admin from a road warrior user?
The admin has access to everything, the user only to individual servers and services.

In this context: how can one define different Phase 1/2 for different users (admin/user)?
#16
Why can't I use a network alias in the tunnel settings for the remote network?
I can enter an address manually or a network. But the alias would be much easier and better.
Is there a reason for it? Could you improve it?

Btw: Thanks for a great product
#17
Since v5.0.0 strongSwan supports aggressive mode with PSK and right=%any.
And with aggressive mode it is possible to use different PSKs and IDs for different Phase 1s.
How can I configure this, as I need different Phase 1 settings for different PSKs with different
access rights?

#18
I have my main office with address: 192.168.0.x/24
Office 2 with 192.168.10.x/24
Office 3 with 192.168.10.x/24
and one road warrior IPSec VPN.
How can I configure the road warrior VPN to have full access to the main office
and Office 2 and Office 3 only access to specific hosts and ports?
With ZyWALL I could configure different Zones for every VPN and assign different rules.
Here I have configured the rules based on the IP range for now, but with road warrior VPN, I don't know the IPs.

I couldn't find any good documentation or I missed it.

Thanks for your help.
#19
17.1 Legacy Series / [SOLVED] Username length limit 16
February 25, 2017, 10:03:05 PM
OPNsense has a limit of 16 characters when creating users.
FreeBSD changed it to 32.
There was a post in pfSense forum how to change the php file and it worked.
https://forum.pfsense.org/index.php?topic=109508.0
Perhaps you can include this fix.

Thanks.