Topics - mts

1
Virtual private networks / IPSEC site2site (new connection mode) extremely slow
« on: March 12, 2024, 09:16:02 am »
Hello guys,

I have a policy-based IPSEC tunnel between two networks which is extremely slow.
Site A) has a 100/100Mbit sync fiber-line
Site B) has a 400/50Mbit async line

I'm currently reaching 4!!! Mbit via my VPN-tunnel.
It is only related to IPSEC-VPN. When I use an OpenVPN roadwarrior connection everything is fine.
The log files do not show any errors or warnings.

My settings are quite basic:
Settings:
Proposals: aes256-sha512-ecp521 [DH21, NIST EC]
Version: IKEv2
MOBIKE: enabled
DPD delay: 10s
Pools: nothing

Authentication: Public key

Children:
Mode: Tunnel
Policies: enabled
Start action: Start
Stop action: Start
DPD action: Start
ESP-proposals: default
Rekey time: 36600


I also tried to enable IPsec normalization with max MSS of 1350 (as I read this on several forums).
The CPU is more or less non-stop idle.

Statistic IPsec-Interface (enc0):
mtu: 1536
received-errors: 0
dropped-packets: 0
send-errors: 0
collisions: 0

Actually I have no idea why it is that slow.

2
General Discussion / NAT portforward for complete subnet
« on: September 26, 2023, 07:22:23 pm »
Hey guys,

I want to redirect a port for a complete subnet.
e.g.
10.10.0.4:1234->10.10.0.4:44444
10.10.0.8:1234->10.10.0.8:44444
10.10.0.10:1234->10.10.0.10:44444
...
So destination and target are always the same. Only the port is changed.
Is there a way to prevent many manual entries?

CU
mts

3
General Discussion / Let's Encrypt Problem with multiple public IPs
« on: July 02, 2019, 01:17:10 pm »
Hello guys,

I have the problem that Let's Encrypt is not working with multiple public IPs.
I'm using HAProxy on our external server IP (xxx.xxx.xxx.68) but let's encr. is calling out with xxx.xxx.xxx.66

How can I force let's encr. to use another external IP to make the requests?
Code:
"detail": "Unable to update challenge :: authorization must be pending",
[Sat Jun 29 21:03:10 CEST 2019] response='{
"detail": "Unable to update challenge :: authorization must be pending",
[Sat Jun 29 21:03:10 CEST 2019] original='{
[Sat Jun 29 21:03:10 CEST 2019] code='400'
Date: Sat, 29 Jun 2019 19:03:10 GMT
Expires: Sat, 29 Jun 2019 19:03:10 GMT
Expires: Sat, 29 Jun 2019 19:03:10 GMT
[Sat Jun 29 21:03:10 CEST 2019] responseHeaders='HTTP/1.1 100 Continue
[Sat Jun 29 21:03:10 CEST 2019] _ret='0'
[Sat Jun 29 21:03:09 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Sat Jun 29 21:03:09 CEST 2019] Http already initialized.
[Sat Jun 29 21:03:09 CEST 2019] _postContentType='application/jose+json'

4
General Discussion / ipsec Net2Net to ipfire
« on: September 28, 2017, 09:25:37 pm »
Hi guys,

I would like to connect an opnsense to ipfire by ipsec RSA.
Is there someone who maybe has a step-by-step instruction on what to take care of?

How can I import the CA from ipfire (pem-format) ?
How can I export the cert from opnSense so I can import it to ipfire?

THX
mts

5
German - Deutsch / ipsec Net2Net to ipfire
« on: September 28, 2017, 09:21:02 pm »
Hello everyone,

I am currently trying to set up an ipsec tunnel to an ipfire (RSA).
Does anyone happen to have instructions on what to watch out for?

How do I import, for example, the CA from ipfire?
How do I export the opnSense certificate to ipfire?

Thanks
mts
