Topics - mliebherr

#1
Hello,

we run OPNsense 24.1.6 and we have to manually export the User-Certs with -legacy:
/usr/local/bin/openssl pkcs12 -export -legacy -in user.crt -inkey user.key -out User_legacy.p12

In order to be able to create a Mobileconfig with a Mac and import it with iOS.

Is there a GUI workaround for this?
Would it be possible to add a legacy p12 export button?

It's kind of related to:  https://github.com/opnsense/core/issues/7251

Thanks,
Michael
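The usual reason the -legacy switch is needed is that OpenSSL 3 defaults to PBES2 with AES-256-CBC and a SHA-256 MAC for PKCS#12, which older Apple profile importers do not read, while -legacy falls back to the old RC2-40/3DES bags that need the legacy provider. The script below is an added example (not from the post and not OPNsense code): it produces a bundle with 3DES/SHA-1 bags, which Apple accepts and which needs no legacy provider, and reads back which key-bag algorithm a bundle uses so the two forms can be told apart. It assumes an OpenSSL 3.x (or 1.1.1) binary on PATH; the key/cert pair is a throwaway self-signed identity generated here as a stand-in for user.key and user.crt.

```shell
#!/bin/sh
# Added example (not from the forum post and not OPNsense code): export a
# PKCS#12 bundle with PBES1/3DES/SHA-1 bags, which Apple's profile importers
# accept, without loading OpenSSL's legacy provider. Assumes an OpenSSL 3.x
# (or 1.1.1) binary on PATH; the key/cert pair is generated on the fly as a
# stand-in for user.key / user.crt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed identity for the demo.
make_demo_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-user" \
        -keyout "$WORK/user.key" -out "$WORK/user.crt" >/dev/null 2>&1
}

# Compatible export: 3DES for both key and cert bags, SHA-1 MAC. These
# algorithms live in the default provider, so no -legacy is needed.
export_compat_p12() {   # cert key out password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# OpenSSL 3 default export (PBES2 / AES-256-CBC / SHA-256 MAC) for comparison.
export_default_p12() {  # cert key out password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Print the key-bag PBE a bundle uses ("pbeWithSHA1And3-KeyTripleDES-CBC"
# for the compatible form, "PBES2" for the OpenSSL 3 default). -info writes
# its report to stderr, hence the redirection order.
p12_key_pbe() {         # bundle password
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -nokeys -nocerts 2>&1 >/dev/null \
        | sed -n 's/.*Shrouded Keybag: \([^,]*\),.*/\1/p' | head -n 1
}

# Stand-alone run: build both variants and show what each contains.
main() {
    make_demo_identity
    export_compat_p12  "$WORK/user.crt" "$WORK/user.key" "$WORK/compat.p12"  secret
    export_default_p12 "$WORK/user.crt" "$WORK/user.key" "$WORK/default.p12" secret
    echo "compat:  $(p12_key_pbe "$WORK/compat.p12"  secret)"
    echo "default: $(p12_key_pbe "$WORK/default.p12" secret)"
}
main "$@"
```

Run it as-is to see the two algorithm names side by side; for real use, point export_compat_p12 at the certificate and key exported from System: Trust. The p12_key_pbe check is also a quick way to confirm what a bundle produced by the GUI actually contains before trying it on a device.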
#2
Hello,

a customer's remote site wants to have 0.0.0.0 as remote net in IPsec.
However, if we set this, the CARP traffic will follow that route, too.

Therefore my HA setup breaks because the HA nodes do not reach each other any more.

How do you set up IPsec with a remote net 0.0.0.0 without breaking the local CARP address?

Thanks,
Michael
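A 0.0.0.0/0 traffic selector matches the CARP advertisements (sent from the interface address to 224.0.0.18) and the pfsync traffic between the two nodes, so both get pulled into the tunnel. strongSwan's answer is a shunt policy: a child with mode pass that explicitly bypasses that traffic. The fragment below is an added example in swanctl.conf form, not from the post and not OPNsense-generated config; OPNsense's Connections UI exposes the same knob as the child's Mode field. All addresses are placeholders: 10.10.0.0/16 stands for the LAN that carries the CARP VIP, 192.0.2.0/24 for the pfsync interface subnet, 203.0.113.1 for the peer.

```conf
# Added example, not from the post and not OPNsense-generated config.
# Addresses are placeholders (see the lead-in above).
connections {
    remote-site {
        remote_addrs = 203.0.113.1
        # ... proposals and local/remote auth omitted ...
        children {
            all-traffic {
                local_ts  = 10.10.0.0/16      # LAN with the CARP VIP
                remote_ts = 0.0.0.0/0
            }
        }
    }
    # Shunt connection: no peer, no auth. "pass" installs a bypass policy,
    # "trap" installs it immediately rather than on first matching packet.
    ha-bypass {
        children {
            carp-pfsync {
                local_ts  = 10.10.0.0/16, 192.0.2.0/24
                remote_ts = 224.0.0.18/32, 10.10.0.0/16, 192.0.2.0/24
                mode = pass
                start_action = trap
            }
        }
    }
}
```

Verify on both nodes that the bypass is actually installed before relying on it: `swanctl --list-pols` lists the pass policies alongside the tunnel policy, and `setkey -DP` shows the kernel SPD. If the CARP multicast or the pfsync peer is not covered by a pass entry, failover will still break the moment the tunnel comes up.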
#3
22.7 Legacy Series / IPSec Port-Forward does not work
September 29, 2022, 11:08:55 AM
Hello,

I have a site-to-site IPsec tunnel and would like to provide access to an internal web server via HAProxy.

I have set up a rule now:
Interface: IPSec
DST: 192.168.150.68:443
Redirect to: 127.0.0.1:8080

On 127.0.0.1:8080 I have my HAProxy running.

The NAT rule automatically created the matching IPsec firewall rule.

When I look at the traffic with:
  tcpdump -i enc0 -n host 192.168.150.68

it seems "stuck":
10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382737 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50859 > 192.168.150.68.443: Flags [S], seq 209436792, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0


I can't see any blocks either:
grep 192.168.150.68 /var/log/filter/latest.log | grep block

If i set up that NAT rule on another interface, it seems to work.

Any hints?
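The capture above shows SYNs arriving on enc0 for 192.168.150.68:443 and no SYN-ACK ever going back, with port 50861 retransmitting. The checker below is an added example, not from the post: it groups tcpdump text by client > server tuple and flags flows that only ever show SYNs. The first four sample lines are the ones quoted in the post; the last two are constructed here (a healthy flow that does get a SYN-ACK) for contrast.

```shell
#!/bin/sh
# Added example, not from the forum post: find TCP flows in a tcpdump text
# capture that show SYN (re)transmissions but never a SYN-ACK back. That is
# the signature of a redirect whose rdr rule or return path is broken.
# Assumes tcpdump's default text output (as on enc0 in the post).

# Reads tcpdump lines on stdin; prints one line per client > server flow:
#   <client> > <server> syn=<count> <UNANSWERED|answered>
syn_report() {
    awk '
    /Flags \[S\]/ || /Flags \[S\.\]/ {
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF) next
        src = $(i+1); dst = $(i+3); sub(/:$/, "", dst); fl = $(i+5)
        if (fl ~ /^\[S\]/) {              # plain SYN: client -> server
            key = src " > " dst; syn[key]++
        } else {                          # SYN-ACK: server -> client
            key = dst " > " src; answered[key] = 1
        }
    }
    END {
        for (k in syn)
            printf "%s syn=%d %s\n", k, syn[k], (k in answered) ? "answered" : "UNANSWERED"
    }' | sort
}

# Sample input: the four SYNs quoted in the post plus one constructed
# healthy flow (last two lines) that does get a SYN-ACK.
SAMPLE='10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382737 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50859 > 192.168.150.68.443: Flags [S], seq 209436792, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:59:01.000000 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50870 > 192.168.150.10.22: Flags [S], seq 1, win 64240, length 0
10:59:01.000400 (authentic,confidential): SPI 0xc7352ac4: IP 192.168.150.10.22 > 172.25.11.44.50870: Flags [S.], seq 2, ack 2, win 65535, length 0'

# Number of flows that never received a SYN-ACK (what the post's capture shows).
count_unanswered() {
    printf '%s\n' "$SAMPLE" | syn_report | grep -c UNANSWERED
}

printf '%s\n' "$SAMPLE" | syn_report
```

Feed it a live capture with `tcpdump -ni enc0 -l host 192.168.150.68 | syn_report` (press Ctrl-C to get the report). When the report shows only UNANSWERED flows, the next things to check on the firewall are `pfctl -sn | grep 192.168.150.68` (is the rdr rule really attached to enc0?), `pfctl -ss | grep 192.168.150.68` (does a state get created for the SYN?) and `tcpdump -ni lo0 port 8080` (does the redirected SYN reach the proxy at all?).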

#4
22.7 Legacy Series / Port Forwards
August 19, 2022, 10:48:58 AM
Hello,

Why does a port forward from WAN to DMZ work, even if I don't have that DST IP assigned to my OPNsense box?

The ARP lookup shows the DST IP I forward has the MAC 0000.5e00.0108

I cannot find that MAC address on my OPNsense box.

Is this something special?

Cheers,
Michael
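00:00:5e:00:01:xx is the IANA-assigned virtual-router MAC range (RFC 5798: 00-00-5E-00-01-{VRID} for IPv4, 00-00-5E-00-02-{VRID} for IPv6). FreeBSD CARP, and therefore OPNsense, answers ARP for a CARP VIP with 00:00:5e:00:01:<vhid>, so the address belongs to a virtual IP and never shows up as a NIC's ether address. The decoder below is an added example, not from the post: it normalises Cisco dotted, colon and dash notation and reports the family and vhid, and runs over a small constructed ARP-table sample.

```shell
#!/bin/sh
# Added example, not from the forum post: decode a MAC from the IANA VRRP
# range. RFC 5798 assigns 00-00-5E-00-01-{VRID} to IPv4 and
# 00-00-5E-00-02-{VRID} to IPv6 virtual routers; FreeBSD CARP (and thus
# OPNsense) answers ARP for a CARP VIP with 00:00:5e:00:01:<vhid>.
# Accepts Cisco dotted, colon and dash notations.

carp_vhid() {   # MAC address -> "ipv4 vhid N" / "ipv6 vhid N", or return 1
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    case "$mac" in
        00005e0001[0-9a-f][0-9a-f]) fam=ipv4 ;;
        00005e0002[0-9a-f][0-9a-f]) fam=ipv6 ;;
        *) printf 'not a VRRP/CARP virtual MAC: %s\n' "$1" >&2; return 1 ;;
    esac
    vhid=$((0x${mac#??????????}))        # last octet is the VRID/vhid
    printf '%s vhid %d\n' "$fam" "$vhid"
}

# Constructed ARP-table sample (Cisco "show ip arp" style, as in the post):
# one entry is the MAC the post asks about, one a second vhid, one a real NIC.
ARP_SAMPLE='192.168.10.1   0000.5e00.0108
192.168.10.5   0000.5e00.0101
192.168.10.20  3c5a.b4aa.bbcc'

# Prints "<ip> <family> vhid <n>" for each virtual-router entry in the sample.
virtual_router_entries() {
    printf '%s\n' "$ARP_SAMPLE" | while read -r ip mac; do
        if dec=$(carp_vhid "$mac" 2>/dev/null); then
            printf '%s %s\n' "$ip" "$dec"
        fi
    done
}

virtual_router_entries
```

On the firewall itself, `ifconfig | grep 'carp:'` shows which interface carries that vhid; the port forward works because the destination IP is a CARP VIP the box answers for, not because of any static assignment.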
#5
Hello,

I have a firewall with two ISPs.

I would like to access the firewall at any time on both WAN interfaces.
Right now WAN2 is the default route, and if I ssh to the WAN1 IP it will route back via the default GW on WAN2 like this:

How can I make OPNsense reply on the interface the SYN came in from?

Cheers,
Michael
#6
Hello,

from time to time I get flooded with this in my logs:


2022-04-14T07:28:28 Error openvpn Authenticate/Decrypt packet error:
bad packet ID (may be a replay): [ #93625413 / time = (1649776931)
2022-04-12 17:22:11 ] -- see the man page entry for --no-replay and
--replay-window for more info or silence this warning with
--mute-replay-warnings

Does that mean, that at Log time "2022-04-14T07:28:28" it received a
packet with a timestamp from "2022-04-12 17:22:11"?

I already set the same time server on both hosts.

I tried optimizing it with MTU and MSSFIX but when reading the error
closely a time diff would make more sense?

Cheers,
Michael
#7
Hello,

after adding OTP to our OpenVPN Server we get errors like:
  TLS Error: local/remote TLS keys are out of sync

and the VPN stops/disconnects after 1h. This happens just for a few but not all users.
I already checked the Time on the OPNSense and Client system.  I also set "reneg-sec 0" on the Server.

Any other ideas why OTP would cause this problem?

Cheers,
Mario
#8
22.1 Legacy Series / ipsec INVALID_MAJOR_VERSION
March 17, 2022, 01:57:03 PM
Hello,

since about yesterday I get these errors in my logs:


charon 53061 - [meta sequenceId="4143"] 03[NET] received unsupported IKE version 11.9 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4148"] 03[NET] received unsupported IKE version 3.5 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4152"] 03[NET] received unsupported IKE version 0.13 from 212.185.79.66, sending INVALID_MAJOR_VERSION


And the traffic of the tunnel seems to stop.

Any idea how i can fix that? The Remote Side has a Sophos UTM and claims not to have/see any errors.

My last update was done more than one day ago (I guess last week).

Any hints on this?

I also wonder why I get two subnet tunnels here. One installed, and one rekeying:



Cheers,
Mario
#9
21.7 Legacy Series / MutiWAN and Reset States
December 01, 2021, 02:35:24 PM
Hello,

we are using MultiWAN with 2 Uplinks with:
- Gateway switching (Allow default gateway switching => enabled)
- Kill States (  Disable State Killing on Gateway Failure  => not ticked)
- Sticky Connections ( Use sticky connections => not ticked)

On top of that I run an OpenVPN client connection (TCP).

When I produce the active gateway failure, the gateway switching jumps in, the OpenVPN tunnel times out and the takeover is fine. It also seems to do a TCP state reset since my SSH tunnel/access dies.

HOWEVER: If I switch the gateway back on, the active gateway switches back to the main one again, BUT the TCP states do not get killed.

The SSH session is still active. No state reset seems to happen.
If I kill the ESTABLISHED connection in the "States Dump" GUI then it will start to connect via the active/correct gateway.

So I wonder if:
- I set up something wrong?
- the state reset just happens by design on the 1st failover
- the state reset function is a bug and should be triggered when jumping back to the primary interface





Thanks,
Michael
#10
Hardware and Performance / Scope7 Hardware
October 28, 2021, 03:38:07 PM
Hello,

is anyone here using hardware from https://www.scope7.de/ and happy with it?

Cheers,
Michael
#11
21.7 Legacy Series / OpenVPN bridge
July 28, 2021, 05:08:41 PM
Hello,

I would like to set up a bridged OpenVPN tunnel.

1.) I created a bridge (LAN + OpenVPN interface).
2.) I set the OpenVPN tunnel to tap
3.) "Bridge Interface" is my LAN port

However, the ARP/broadcast traffic does not seem to reach the VPN interface.
I can see it on the LAN and bridge though.

Any ideas why it won't slip into the tunnel?

Cheers,
Mario
#12
Hello,

I use HAProxy and it returns a 503 page.
I enabled " Detailed Logging " in the Public Services.

All i can see are those start logs:

2021-06-23T15:55:08   haproxy[12619]   Proxy load_balancing_portal_foo_net_Port_443 started.   
2021-06-23T15:55:08   haproxy[12619]   Proxy portal.foo.net_ht-access_8443 started.

Why won't it log my requests/errors?

I also disabled the service, which gave me a timeout, so I guess I actually access/use/hit the HAProxy service.

Cheers,
Michael
#13
Hello,

my tunnel to a remote site (Cisco I think) is unstable. Here are some tcpdump snippets:

22:20:48.323405 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc5), length 152
22:20:48.323421 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc6), length 152
22:20:48.323437 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc7), length 152
22:20:48.323470 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc8), length 152
22:20:48.323487 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc9), length 152
22:20:48.833110 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cca), length 104
22:20:50.682362 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccb), length 88
22:20:51.127368 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:51.833354 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccc), length 104
22:20:53.689542 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccd), length 104
22:20:54.134106 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:54.802874 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cce), length 104
22:20:56.688672 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccf), length 104
22:20:56.716580 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd0), length 104
22:20:57.803060 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd1), length 104
22:20:57.834224 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd2), length 104

On my site the tunnel seems to be up; looking at the tcpdump, the remote side seems to reconnect?

The Lifetimes/Timeouts match on each side.
I already changed the "Connection method" to respond only.

Here are the settings:



Here are the logs:

2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'MySite' (myself) with pre-shared key   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'RemoteSite' with pre-shared key successful   
2021-04-26T22:22:14   charon[40039]   15[CFG] <con2|17> selected peer config 'con2'   
2021-04-26T22:22:11   charon[40039]   15[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (80 bytes)   
2021-04-26T22:22:11   charon[40039]   15[ENC] <con2|15> generating INFORMATIONAL request 0 [ D ]   
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> sending DELETE for IKE_SA con2[15]   
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> deleting IKE_SA con2[15] between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T22:22:11   charon[40039]   09[CFG] received stroke: terminate 'con2'   
2021-04-26T20:49:19   charon[40039]   05[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (240 bytes)   
2021-04-26T20:49:19   charon[40039]   05[ENC] <con2|15> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21   
2021-04-26T20:49:19   charon[40039]   05[CFG] <con2|15> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> maximum IKE_SA lifetime 86020s   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> scheduling reauthentication in 85480s   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'MySite' (myself) with pre-shared key   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'RemoteSite' with pre-shared key successful   
2021-04-26T20:49:19   charon[40039]   05[CFG] <con2|15> selected peer config 'con2'   
2021-04-26T20:49:14   charon[40039]   05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)   
2021-04-26T20:49:14   charon[40039]   05[IKE] <con2|1> retransmit 1 of request with message ID 8   
2021-04-26T20:49:10   charon[40039]   05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)   
2021-04-26T20:49:10   charon[40039]   05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]   
2021-04-26T20:49:10   charon[40039]   05[IKE] <con2|1> establishing CHILD_SA con2{20} reqid 2   
2021-04-26T19:06:37   charon[40039]   10[IKE] <con2|1> CHILD_SA closed
#14
Hello,

I have two sites.

Site A with OpenVPN, connected to Site B with IPsec that I don't manage.

Now i would like to route the OpenVPN Traffic into the remote IPSec Site.

I am not able to add a 2nd Phase2 Net, since this is already being used.
I want to NAT (one way) in the OPNSense which is in between.

My Setup Looks like this:



I can see an ICMP request coming in at the OpenVPN tunnel interface:

~ # tcpdump -i ovpns10 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns10, link-type NULL (BSD loopback), capture size 262144 bytes
16:41:42.359229 IP 10.242.19.6 > 10.228.22.210: ICMP echo request, id 1, seq 17849, length 998

But it then leaves my WAN Interface (Default route):

~ # tcpdump -i igb1 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:24.983414 IP 212.87.134.194 > 10.228.22.210: ICMP echo request, id 26116, seq 17850, length 998

And it seems not to be NATed. Why did the rule here not match?
I expected it to change it to 172.18.161.254 > 10.228.22.210

Cheers,
Michael
#15
20.1 Legacy Series / IPSec Logs spammed by DPD
July 13, 2020, 08:30:35 AM
Hello,

in my IPsec logs I see tons of DPD entries:

2020-07-13T08:27:09   charon: 05[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 1868979696 [ HASH N(DPD_ACK) ]
2020-07-13T08:27:09   charon: 05[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:27:09   charon: 05[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:27:09   charon: 05[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 754577938 [ HASH N(DPD) ]
2020-07-13T08:27:09   charon: 05[IKE] <con3-000|199> sending DPD request
2020-07-13T08:26:59   charon: 11[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 4129560268 [ HASH N(DPD_ACK) ]
2020-07-13T08:26:59   charon: 11[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:26:59   charon: 11[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:26:59   charon: 11[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 3506761780 [ HASH N(DPD) ]
2020-07-13T08:26:59   charon: 11[IKE] <con3-000|199> sending DPD request
2020-07-13T08:26:49   charon: 11[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 645149682 [ HASH N(DPD_ACK) ]
2020-07-13T08:26:49   charon: 11[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:26:49   charon: 11[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:26:49   charon: 11[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 178883678 [ HASH N(DPD) ]
2020-07-13T08:26:49   charon: 11[IKE] <con3-000|199> sending DPD request
2020-07-13T08:26:39   charon: 11[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 4084736993 [ HASH N(DPD_ACK) ]
2020-07-13T08:26:39   charon: 11[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:26:39   charon: 11[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:26:39   charon: 11[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 611242534 [ HASH N(DPD) ]
2020-07-13T08:26:39   charon: 11[IKE] <con3-000|199> sending DPD request
2020-07-13T08:26:29   charon: 05[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 2305290029 [ HASH N(DPD_ACK) ]
2020-07-13T08:26:29   charon: 05[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:26:29   charon: 05[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:26:29   charon: 05[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 2173662243 [ HASH N(DPD) ]
2020-07-13T08:26:29   charon: 05[IKE] <con3-000|199> sending DPD request
2020-07-13T08:26:19   charon: 05[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 1597707906 [ HASH N(DPD_ACK) ]
2020-07-13T08:26:19   charon: 05[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:26:19   charon: 05[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:26:19   charon: 05[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 2626876554 [ HASH N(DPD) ]
2020-07-13T08:26:19   charon: 05[IKE] <con3-000|199> sending DPD request
2020-07-13T08:26:09   charon: 11[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 568638514 [ HASH N(DPD_ACK) ]
2020-07-13T08:26:09   charon: 11[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:26:09   charon: 15[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:26:09   charon: 15[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 4215212232 [ HASH N(DPD) ]
2020-07-13T08:26:09   charon: 15[IKE] <con3-000|199> sending DPD request
2020-07-13T08:25:59   charon: 15[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 2770676844 [ HASH N(DPD_ACK) ]
2020-07-13T08:25:59   charon: 15[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:25:59   charon: 15[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:25:59   charon: 15[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 1988059217 [ HASH N(DPD) ]

How can I trim the logs down to the useful stuff? Those DPD infos are not very useful.

Cheers,
Michael
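Three of the IPsec posts on this page are really the same triage problem: DPD keepalives drown the log (this post), INVALID_MAJOR_VERSION responses need to be tied to a source address (the 22.1 post), and a flapping tunnel shows up as "destroying duplicate IKE_SA ... received INITIAL_CONTACT" (the Cisco post), which per RFC 7296 means the peer started a fresh IKE_SA claiming to have no state with us, so charon tears down the old one. The script below is an added example covering all three; it is not from any of the posts. It drops the DPD chatter and the per-packet [NET] lines, counts unsupported-version senders, and lists IKE_SA lifecycle events in order. The sample input is assembled from the log lines quoted in those posts.

```shell
#!/bin/sh
# Added example, not from any of the posts: triage a slice of charon log
# output. (1) drop DPD keepalive chatter and per-packet [NET] lines,
# (2) count INVALID_MAJOR_VERSION responses per source address,
# (3) list IKE_SA lifecycle events (established / duplicate destroyed /
# deleted) so a flapping tunnel is visible at a glance.
# Input is plain text as shown by the OPNsense log viewer.

# Remove DPD exchanges and packet send/receive lines; everything else passes.
strip_noise() {
    awk '
    /N\(DPD\)|N\(DPD_ACK\)|sending DPD request/ { next }
    /\[NET\] .*(sending|received) packet:/       { next }
    { print }'
}

# Summarise what remains.
charon_summary() {
    strip_noise | awk '
    function sa_id(   i) {            # the <conn|n> token, if any
        for (i = 1; i <= NF; i++) if ($i ~ /^<.*>$/) return $i
        return "-"
    }
    /received unsupported IKE version/ {
        for (i = 1; i <= NF; i++)
            if ($i == "from") { ip = $(i+1); sub(/,$/, "", ip); bad[ip]++ }
    }
    /IKE_SA [^ ]+ established/    { ev[++n] = $1 " " sa_id() " established" }
    /destroying duplicate IKE_SA/ { ev[++n] = $1 " " sa_id() " duplicate-destroyed" }
    /deleting IKE_SA/             { ev[++n] = $1 " " sa_id() " deleted" }
    END {
        for (ip in bad) printf "invalid_major_version from=%s count=%d\n", ip, bad[ip]
        for (i = 1; i <= n; i++) print ev[i]
    }'
}

# Sample assembled from the log lines quoted in the posts on this page.
SAMPLE=$(cat <<'EOF'
charon 53061 - [meta sequenceId="4143"] 03[NET] received unsupported IKE version 11.9 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4148"] 03[NET] received unsupported IKE version 3.5 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4152"] 03[NET] received unsupported IKE version 0.13 from 212.185.79.66, sending INVALID_MAJOR_VERSION
2020-07-13T08:27:09   charon: 05[ENC] <con3-000|199> parsed INFORMATIONAL_V1 request 1868979696 [ HASH N(DPD_ACK) ]
2020-07-13T08:27:09   charon: 05[NET] <con3-000|199> received packet: from 195.123.123.132[500] to 212.123.123.132[500] (108 bytes)
2020-07-13T08:27:09   charon: 05[NET] <con3-000|199> sending packet: from 212.123.123.132[500] to 195.123.123.132[500] (108 bytes)
2020-07-13T08:27:09   charon: 05[ENC] <con3-000|199> generating INFORMATIONAL_V1 request 754577938 [ HASH N(DPD) ]
2020-07-13T08:27:09   charon: 05[IKE] <con3-000|199> sending DPD request
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T22:22:11   charon[40039]   15[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (80 bytes)
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> deleting IKE_SA con2[15] between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
EOF
)

printf '%s\n' "$SAMPLE" | charon_summary
```

Filtering after the fact is a stopgap; the DPD lines are logged at strongSwan level 1 on the ike, enc and net subsystems, so the durable fix is to lower those subsystems to level 0 (OPNsense exposes per-subsystem log levels in the IPsec advanced settings) and keep level 1 only while debugging. A burst of invalid_major_version counts from the peer's own address, as in the sample, says the peer is sending something on UDP/500 that is not IKE at all; the same counts from unrelated addresses is just scanner noise.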
#16
Hello,

my goal is to set up a reverse proxy to allow https access to my exchange server only with signed certs.

Here is my setup: https://image.ibb.co/hrpUMU/opnsense_HA_Proxy.jpg

There is an option called "Verify SSL Certificate" in the Real Servers tab.

I guess this is for the communication between HA_Proxy and the Real Backend Server.

Can i enable this "Verify SSL Certificate" for the public side, too?

For my test scenario I used HTTP as a backend to make sure I don't have some SSL mistakes here.

In a nutshell: Where can i enable "Verify SSL Certificate" on the WAN/Public side?

Thanks, Mario
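"Verify SSL Certificate" on a real server checks the backend's certificate; client-certificate verification on the public side is a property of the frontend bind line. The fragment below is an added example in raw HAProxy syntax, not the OPNsense plugin's generated config: verify required makes the TLS handshake fail unless the client presents a certificate that chains to client-ca.pem and is not on the CRL. File paths and the backend address are placeholders; on OPNsense, compare against the bind line in the plugin's generated file (assumed here to be /usr/local/etc/haproxy.conf) to see what the GUI options actually emit.

```haproxy
# Added example, not the OPNsense plugin's generated config.
# Paths and addresses are placeholders.
frontend exchange_public
    bind :443 ssl crt /usr/local/etc/haproxy/portal.pem \
        ca-file /usr/local/etc/haproxy/client-ca.pem \
        crl-file /usr/local/etc/haproxy/client-ca.crl \
        verify required
    # Belt and braces, and what keeps you safe during a staged rollout with
    # "verify optional": refuse anything that did not present a valid cert.
    http-request deny deny_status 403 unless { ssl_c_used } { ssl_c_verify 0 }
    # Hand the verified subject DN to the backend and the logs. set-header
    # (not add-header) so a client cannot smuggle its own X-Client-DN in.
    http-request set-header X-Client-DN %[ssl_c_s_dn]
    default_backend exchange_owa

backend exchange_owa
    server exch01 10.0.0.25:80
```

Test it from outside with `openssl s_client -connect host:443` without a client certificate (the handshake must fail) and again with `-cert user.crt -key user.key` (it must succeed), then check that the backend sees X-Client-DN only on the second request.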
#17
17.7 Legacy Series / Virtual PPPoE IP Alias
December 22, 2017, 01:33:58 PM
Hello!

I am trying to set up a VIP on my PPPoE interface.
If I do that in the GUI the system does a:

/sbin/ifconfig pppoe1 inet xxx.xxx.149.33/29 alias
It returns: ifconfig: ioctl (SIOCAIFADDR): Destination address required

I think it should be:
/sbin/ifconfig pppoe1 inet xxx.xxx.149.33/29 alias ppoe-isp-gw-ip
  => Because that works and makes my vip available to the world.

Am I wrong?
Am I using OPNsense wrong?
Or is it a bug?

Thanks.