Topics - Mantis314

#1
21.7 Legacy Series / 21.7 GUI issue
August 14, 2021, 06:51:24 AM
I have an IPsec tunnel between two OPNsense firewalls.
I upgraded both of them today to 21.7.
If I go to VPN/IPsec/Tunnel Settings, both local and remote subnets are /24.
If I then click on the edit icon (Pencil), the next page shows both subnets as /32.
Please see attached snips.
I didn't notice this when I edited the description field and crashed my tunnel upon saving the configuration.
It was easy to fix, once I spotted the problem.
Subsequent testing shows that it does this every time, and it behaves the same way at both ends.
This looks like a bug to me.
If it's intentional, I'm not a fan.

Mantis314
#2
I have two sites both running Protectli appliances with OpnSense 21.1.9 installed.
I have Wireguard site to site VPN configured and working.
The VPN refuses to stay up for long though. It will only stay up for a couple of hours.
I have Keep Alive configured on both ends and set to 25.
The VPN-Wireguard-List Configuration and Handshakes tabs are blank on the remote end.
To get it working again I need to visit the Endpoints tab (on the remote firewall) and click Apply. It will come right back up and work for a couple more hours. Also at this point, the List Configuration and Handshakes tabs are populated again.
What do I need to do to keep the tunnel up?

Thanks in advance for any suggestions.

Mantis314
#3
I'm new to OpnSense.
I have OpnSense 21.1.6 on a Protectli appliance.
I have configured OpenVPN following the RoadWarrior documentation.
LAN subnet = 192.168.13.0/24
OpenVPN subnet/pool = 192.168.16.0/24
I am able to connect successfully and obtain an IP from the OpenVPN pool.
I can access the web interface for my OpnSense firewall.
If I run an Angry IP Scan of my LAN subnet, I can see all the devices on my LAN.
However, I am not able to access anything (other than my firewall) on my LAN via any service I have tried.
I have devices on 22, 80, 443, 3389 etc.
The Angry IP scan shows these ports open on the appropriate devices.
The OpnSense Firewall is 192.168.13.253 and is my default gateway for everything on the LAN.
From a PC on the LAN, when I run a tracert to my laptop, which is connected via OpenVPN, the trace shows OpnSense sending the traffic back to the OpenVPN client.

C:\Users\Admin>tracert 192.168.16.6

Tracing route to BW-WS1 [192.168.16.6]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.13.253
  2    51 ms    43 ms    45 ms  BW-WS1 [192.168.16.6]

Trace complete.

Here is a live log view of an attempt to access the web interface on an access point at 192.168.13.251 from a VPN client on 192.168.16.6 showing the traffic is allowed.

srcport,dstport=443src,dst=192.168.13.251

Interface   Time              Source                Destination           Proto   Label
LAN         Jun 3 21:04:05    192.168.16.6:59481    192.168.13.251:443    tcp     let out anything from firewall host itself
LAN         Jun 3 21:04:05    192.168.16.6:59480    192.168.13.251:443    tcp     let out anything from firewall host itself
LAN         Jun 3 21:03:33    192.168.16.6:59459    192.168.13.251:443    tcp     let out anything from firewall host itself
LAN         Jun 3 21:03:33    192.168.16.6:59458    192.168.13.251:443    tcp     let out anything from firewall host itself

Why am I able to ping and scan but not do anything else?

BTW all this used to work with my old Sonicwall.
The only thing that has changed is the introduction of the OpnSense firewall.

Any thoughts on what I might be missing?

Thanks,

Bill
#4
Please excuse me if this is covered elsewhere in this forum.
I am new to OpnSense, but not new to firewalls and networking.
I am replacing a pair of old Sonicwalls with a pair of Protectli appliances loaded with the latest version of OpnSense, OPNsense 21.1.6-amd64.
I am trying to create a routed site to site IPsec VPN between my home and my cabin.
I am following the documentation and am running aground when I attempt to create the intermediate network.

(From the documentation)
***********
Gateway Site-A

Name          VPNGW        Set a name for your gateway
Interface     IPSEC1000    Choose the IPsec interface
IP Address    10.111.1.2   Set the peer IP address
Far Gateway   Checked      This has to be checked as it is a point-to-point connection
************

The problem is that IPSEC is not an option when choosing the interface.
Looking in the main menu under Interfaces, IPSEC is not present there either.

I have exactly the same issue on both ends of the tunnel.
I have searched the documentation, this forum, and elsewhere on the Internet.
I found another topic on this forum "Gateway not working anymore in routed IPsec (Azure)" which seems similar.
I was having the same issue with clean installations of 21.1.5 so I thought I would try the new 21.1.6 but the problem remained.
So far I have not found a solution.
I really don't want to plug my old Sonicwalls back in. It's also a 400 mile round trip to do so.
Any advice please?