Topics - ric91

#1
Hi there
After upgrading from 23.1.5_4 to 23.1.7_3 I installed Zabbix agent 6.2. The plugin automatically deinstalled my old Zabbix agent 5.4. The log shows:

2023-05-18T20:41:27+02:00 apu2.domain.tld pkg-static 61663 - [meta sequenceId="1"] opnsense upgraded: 23.1.5_4 -> 23.1.7_3
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="1"] os-zabbix54-agent-1.12 deinstalled
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="2"] zabbix54-agent-5.4.12 deinstalled
2023-05-18T20:48:22+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="3"] zabbix62-agent-6.2.9 installed
2023-05-18T20:48:32+02:00 apu2.domain.tld pkg 66853 - [meta sequenceId="1"] os-zabbix62-agent-1.13_2 installed


Days later I noticed an error message at the plugin list:

os-zabbix54-agent (missing) N/A N/A N/A N/A

Info says: Sorry, plugin details are currently not available.

Additionally, I noticed that the Zabbix agent log ends at the time I installed Zabbix agent 6.2 and does not even show an entry for stopping the agent.

# tail /var/log/zabbix/zabbix_agentd.log
63551:20230518:204556.714 IPv6 support:          YES
63551:20230518:204556.714 TLS support:           YES
63551:20230518:204556.714 **************************
63551:20230518:204556.714 using configuration file: /usr/local/etc/zabbix_agentd.conf
63551:20230518:204556.715 agent #0 started [main process]
64096:20230518:204556.728 agent #3 started [listener #2]
63877:20230518:204556.730 agent #1 started [collector]
64177:20230518:204556.730 agent #4 started [listener #3]
63988:20230518:204556.732 agent #2 started [listener #1]
64208:20230518:204556.732 agent #5 started [active checks #1]


Fun fact: the Zabbix server says the Zabbix agent is still running there in version 5.4, and so does the process list on OPNsense.

So I restarted the OPNsense device and now I see both agents installed but missing:

os-zabbix6-agent (missing) 1.13_2 50.0KiB OPNsense Zabbix monitoring agent
os-zabbix54-agent (missing) N/A N/A N/A N/A


It seems I messed some things up. Is there any way to get rid of Zabbix agent 5.4 and do a clean install of Zabbix agent 6.2?

Thanks in advance for any hint, Ric.
#2
I updated to OPNsense 23.1_6-amd64 last week. After that I noticed errors when trying to fetch new updates:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1_6 at Mon Feb 27 08:49:43 CET 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...


I have done a lot of testing, switched mirrors, slept on it for two nights and found out it might be something like https://forum.opnsense.org/index.php?topic=29992: all traffic from an unspecified interface left my OPNsense with IP 0.0.0.0 (Wireshark screenshot attached).

There are no manually added entries in the NAT section; outbound NAT is set to Hybrid.
All traffic is working fine. The only remarkable thing is the stuck update function.

It would be very nice if someone could help me find a solution for this. Please let me know what I can do to assist.

Thanks in advance, Ric.
#3
Hi all

We have been using OPNsense for a few years now with OpenVPN clients.

For a new customer we tried to set up IPsec access; they only use Mac clients, so no additional client software should be necessary.
The client is a MacBook Pro with macOS 10.13.6 installed.

So we set up a new appliance (APU2) with OPNsense 18.7.4 and added IPsec as described in

https://wiki.opnsense.org/manual/how-tos/ipsec-road.html.

Despite the missing field "Peer identifier", which has been explained here:
https://forum.opnsense.org/index.php?topic=3814.msg13466#msg13466
the whole setup has been done and checked twice.

But the tunnel will not come up.

The logfile looks like:


root@firewall:/ # cat /var/log/ipsec.log
Oct 15 13:42:45 firewall charon: 08[IKE] <con1|20> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:42:45 firewall charon: 08[NET] <con1|20> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:42:47 firewall charon: 08[NET] <21> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:47 firewall charon: 08[ENC] <21> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received FRAGMENTATION vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received XAuth vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received Cisco Unity vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> received DPD vendor ID
Oct 15 13:42:47 firewall charon: 08[IKE] <21> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
Oct 15 13:42:47 firewall charon: 08[ENC] <21> generating INFORMATIONAL_V1 request 176295956 [ N(NO_PROP) ]
Oct 15 13:42:47 firewall charon: 08[NET] <21> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[NET] <22> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:50 firewall charon: 07[ENC] <22> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received FRAGMENTATION vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received XAuth vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received Cisco Unity vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> received DPD vendor ID
Oct 15 13:42:50 firewall charon: 07[IKE] <22> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:50 firewall charon: 07[CFG] <22> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:50 firewall charon: 07[CFG] <22> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:50 firewall charon: 07[IKE] <22> no proposal found
Oct 15 13:42:50 firewall charon: 07[ENC] <22> generating INFORMATIONAL_V1 request 1006362778 [ N(NO_PROP) ]
Oct 15 13:42:50 firewall charon: 07[NET] <22> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:50 firewall charon: 07[JOB] <con1|20> deleting half open IKE_SA with 213.196.002.002 after timeout
Oct 15 13:42:53 firewall charon: 07[NET] <23> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:53 firewall charon: 07[ENC] <23> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received FRAGMENTATION vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received XAuth vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received Cisco Unity vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> received DPD vendor ID
Oct 15 13:42:53 firewall charon: 07[IKE] <23> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:53 firewall charon: 07[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:53 firewall charon: 07[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:53 firewall charon: 07[IKE] <23> no proposal found
Oct 15 13:42:53 firewall charon: 07[ENC] <23> generating INFORMATIONAL_V1 request 1019161556 [ N(NO_PROP) ]
Oct 15 13:42:53 firewall charon: 07[NET] <23> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <24> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <24> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <24> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <24> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Oct 15 13:42:57 firewall charon: 07[CFG] <24> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:57 firewall charon: 07[IKE] <24> no proposal found
Oct 15 13:42:57 firewall charon: 07[ENC] <24> generating INFORMATIONAL_V1 request 2026880497 [ N(NO_PROP) ]
Oct 15 13:42:57 firewall charon: 07[NET] <24> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (56 bytes)
Oct 15 13:42:57 firewall charon: 07[NET] <25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:42:57 firewall charon: 07[ENC] <25> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received FRAGMENTATION vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received NAT-T (RFC 3947) vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received XAuth vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received Cisco Unity vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> received DPD vendor ID
Oct 15 13:42:57 firewall charon: 07[IKE] <25> 213.196.002.002 is initiating a Aggressive Mode IKE_SA
Oct 15 13:42:57 firewall charon: 07[CFG] <25> looking for XAuthInitPSK peer configs matching 213.196.001.001...213.196.002.002[expert]
Oct 15 13:42:57 firewall charon: 07[CFG] <25> selected peer config "con1"
Oct 15 13:42:57 firewall charon: 07[ENC] <con1|25> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Oct 15 13:42:57 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:00 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:00 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:01 firewall charon: 07[IKE] <con1|25> sending retransmit 1 of response message ID 0, seq 1
Oct 15 13:43:01 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:03 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:03 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> received packet: from 213.196.002.002[500] to 213.196.001.001[500] (762 bytes)
Oct 15 13:43:06 firewall charon: 07[IKE] <con1|25> received retransmit of request with ID 0, retransmitting response
Oct 15 13:43:06 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:08 firewall charon: 07[IKE] <con1|25> sending retransmit 2 of response message ID 0, seq 1
Oct 15 13:43:08 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.002.002[500] (412 bytes)
Oct 15 13:43:21 firewall charon: 07[IKE] <con1|25> sending retransmit 3 of response message ID 0, seq 1
Oct 15 13:43:21 firewall charon: 07[NET] <con1|25> sending packet: from 213.196.001.001[500] to 213.196.184.130[500] (412 bytes)
Oct 15 13:43:27 firewall charon: 06[JOB] <con1|25> deleting half open IKE_SA with 213.196.002.002 after timeout


The config file looks like:

cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 213.196.001.001
  right = %any
  leftid = 213.196.001.001
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 10.8.4.0/24
  ike = aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-generic
  leftsubnet = 192.168.7.0/24
  esp = aes256-sha1!
  auto = add


Is there any way to get IPsec working in 18.7.4?

Thanks a lot for your help.
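An added illustration, not part of the original post or of OPNsense/strongSwan: the charon lines above pair a "received proposals" line (what the Mac offers) with a "configured proposals" line (what the `ike =` setting produces) for each IKE_SA, and the "no proposal found" that follows is the negotiation failing. The script below reads such lines, compares the two proposal lists and names the component with no overlap at all; on the constructed sample (IKE_SA id and proposal strings are placeholders modelled on the log above) it is the DH group, since the client offers only MODP_2048 while the configuration accepts only MODP_1024.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the charon log format seen in the post; the IKE_SA id
# and the proposals are placeholders, not data from a real peer.
SAMPLE_LOG = """\
Oct 15 13:42:47 firewall charon: 08[CFG] <21> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 15 13:42:47 firewall charon: 08[CFG] <21> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 13:42:47 firewall charon: 08[IKE] <21> no proposal found
"""

COMPONENTS = ("enc", "integ", "prf", "dh")   # order inside ENC/INTEG/PRF/DH
LINE_RE = re.compile(r"<(?P<sa>[^>]+)> (?P<kind>received|configured) proposals: (?P<props>.+)$")


def parse_proposals(field: str) -> List[Tuple[str, ...]]:
    """Turn 'IKE:ENC/INTEG/PRF/DH, IKE:...' into (enc, integ, prf, dh) tuples."""
    out = []
    for item in field.split(","):
        parts = tuple(item.strip().split(":", 1)[-1].split("/"))  # drop 'IKE:' prefix
        if len(parts) == len(COMPONENTS):      # skip anything not in the 4-part IKE form
            out.append(parts)
    return out


def analyse(log: str) -> Dict[str, dict]:
    """Per IKE_SA id: does any configured proposal equal one the peer sent, and
    if not, which components have no overlap at all (so can never agree)?"""
    seen: Dict[str, Dict[str, list]] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            sa = seen.setdefault(m["sa"], {"received": [], "configured": []})
            sa[m["kind"]].extend(parse_proposals(m["props"]))
    report: Dict[str, dict] = {}
    for sa_id, sa in seen.items():
        received, configured = set(sa["received"]), set(sa["configured"])
        peer_offers: Dict[str, Set[str]] = {}
        mismatch: List[str] = []
        for i, name in enumerate(COMPONENTS):
            peer_offers[name] = {p[i] for p in received}
            local = {p[i] for p in configured}
            if received and configured and not (peer_offers[name] & local):
                mismatch.append(name)
        report[sa_id] = {"match": bool(received & configured),
                         "mismatch": mismatch,        # components with zero overlap
                         "peer_offers": peer_offers}  # what the client would accept
    return report


if __name__ == "__main__":
    for sa_id, r in analyse(SAMPLE_LOG).items():
        print(sa_id, "match" if r["match"] else f"no match, disjoint: {r['mismatch']}")
```

Running it against a real /var/log/ipsec.log shows, per failed IKE_SA, which part of the local `ike =` proposal the client can never accept, which is the check to do before touching any other IPsec setting.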