Topics - Aergan

#1
Hi there,

I've found that Azure Virtual Network Gateway configured as Basic SKU / Gateway 1 is incompatible with any of the options present in the new method of IKE proposals:

Azure Basic Gateway 1 (Gw1) / Generation 1
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

OPNsense default internal
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

Annoyingly, custom IKE policies to find parity for OPNsense are only supported by Gateway 2 (Gw2) / Generation 2 and higher in Azure. The cost difference for me for my own use is approx. £28 a month for Gw1 and £68 for 4 days on Gw2 (which quickly exhausted my spending limits).

I can revert to using Legacy for now but I'm concerned that this will be deprecated / removed at some point.
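As an added example (not part of the original post, and not code from OPNsense, strongSwan or Azure), the script below parses the two charon-style proposal lists quoted above and computes their overlap, first per transform type and then as concrete (encryption, integrity, PRF, DH group) combinations. The proposal strings are copied from the post; the mapping from charon algorithm names to strongSwan `ike=` keywords is an assumption added for illustration and covers only the algorithms Azure Basic offers.

```python
"""Check IKE proposal overlap between two charon-style proposal lists.

charon prints proposals as "IKE:alg/alg/...", one block per proposal, blocks
separated by ", ". Each block lists every algorithm it offers; a peer accepts
it only if one choice per transform type (encryption, integrity, PRF, DH)
matches on both sides. A match on three types and none on the fourth still
means no tunnel, which is exactly the Basic SKU vs. OPNsense default case.
"""
from itertools import product

# Constructed input: the Azure Basic Gateway 1 proposals quoted in the post.
AZURE_BASIC = (
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"
)

# Constructed input: the OPNsense default internal proposals quoted in the post.
OPNSENSE_DEFAULT = (
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/"
    "CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/"
    "CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/"
    "HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/"
    "ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/"
    "MODP_6144/MODP_8192/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/"
    "AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/"
    "AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/"
    "AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/"
    "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/"
    "ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/"
    "MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048"
)

TRANSFORM_TYPES = ("enc", "integ", "prf", "dh")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")
INTEG_SPECIAL = {"AES_XCBC_96", "AES_CMAC_96"}  # integrity algs without an HMAC_ prefix


def classify(alg):
    """Map a charon algorithm name to its IKEv2 transform type."""
    if alg in INTEG_SPECIAL or alg.startswith("HMAC_"):
        return "integ"
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(DH_PREFIXES):
        return "dh"
    return "enc"  # CBC/CTR ciphers and AEADs (GCM, CCM, ChaCha20-Poly1305)


def parse_proposals(text):
    """Return one {transform_type: set(algs)} dict per 'IKE:' block."""
    proposals = []
    for block in text.split(","):
        block = block.strip()
        if block.startswith("IKE:"):
            block = block[len("IKE:"):]
        if not block:
            continue
        prop = {t: set() for t in TRANSFORM_TYPES}
        for alg in block.split("/"):
            prop[classify(alg)].add(alg)
        proposals.append(prop)
    return proposals


def expand(text):
    """All concrete (enc, integ, prf, dh) combinations the text would accept.
    AEAD-only blocks carry no integrity algorithm; that slot becomes None."""
    combos = set()
    for prop in parse_proposals(text):
        integ = prop["integ"] or {None}
        combos.update(product(prop["enc"], integ, prop["prf"], prop["dh"]))
    return combos


def common_proposals(a, b):
    """Concrete combinations both sides accept; empty means no tunnel."""
    return expand(a) & expand(b)


def per_type_overlap(a, b):
    """Algorithms both sides offer, per transform type. When
    common_proposals() is empty, the type with an empty set is the blocker."""
    overlap = {}
    for t in TRANSFORM_TYPES:
        side_a = set().union(*(p[t] for p in parse_proposals(a)))
        side_b = set().union(*(p[t] for p in parse_proposals(b)))
        overlap[t] = side_a & side_b
    return overlap


# Assumed mapping to strongSwan ike= keywords; covers only what Azure Basic offers.
STRONGSWAN_KEYWORDS = {
    "AES_CBC_128": "aes128", "AES_CBC_256": "aes256", "3DES_CBC": "3des",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "MODP_1024": "modp1024", "MODP_2048": "modp2048",
}


def to_strongswan(combo):
    """Render a combination as a strongSwan ike= proposal. strongSwan derives
    the PRF from the integrity algorithm, so the PRF element is dropped."""
    enc, integ, _prf, dh = combo
    parts = [STRONGSWAN_KEYWORDS.get(enc, enc.lower())]
    if integ is not None:
        parts.append(STRONGSWAN_KEYWORDS.get(integ, integ.lower()))
    parts.append(STRONGSWAN_KEYWORDS.get(dh, dh.lower()))
    return "-".join(parts)


def proposals_to_offer(peer_text):
    """Sorted ike= strings the local side could offer to match a fixed peer."""
    return sorted(to_strongswan(c) for c in expand(peer_text))


if __name__ == "__main__":
    print("common proposals:", common_proposals(AZURE_BASIC, OPNSENSE_DEFAULT) or "none")
    for t, algs in per_type_overlap(AZURE_BASIC, OPNSENSE_DEFAULT).items():
        print(f"{t:6s} overlap: {sorted(algs) or 'NONE'}")
    print("ike= values that would match Azure Basic:", proposals_to_offer(AZURE_BASIC))
```

Run as-is, the script reports that encryption, integrity and PRF all overlap and that the DH group is the only empty set: Azure Basic offers nothing but MODP_1024 and the OPNsense default starts at MODP_2048. Any of the six `ike=` strings it prints (for example `aes256-sha256-modp1024`) would negotiate, with the caveat that 1024-bit MODP and SHA-1 are well below current guidance, so this is a compatibility workaround for the Basic SKU rather than a recommended policy.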
#2
18.1 Legacy Series / IPSec Azure Issue 18.1.4
March 12, 2018, 04:52:36 PM
Hi there,

I upgraded from 18.1.2 through to 18.1.4 and now my IPsec site-to-site tunnel to Azure will no longer work correctly after 15~20 minutes, then results in the following:

charon: 07[IKE] establishing IKE_SA failed, peer not responding
Mar 12 15:45:27    charon: 07[IKE] giving up after 5 retransmits
Mar 12 15:45:18    charon: 13[CFG] ignoring acquire, connection attempt pending
Mar 12 15:45:18    charon: 14[KNL] creating acquire job for policy x.x.x.x/32 === y.y.y.y/32 with reqid {6}

And connection down.

To get it to reconnect I either have to reboot OPNsense or delete and recreate the connection on Microsoft Azure. Restarting IPsec / disable & reenable does not solve it.

Previously this has been working fine in 17.7 through to 18.1.2.
Connection type is IKEv2.
I've tried both with "Prefer older SA's" enabled and disabled and it seems to have no effect. In an older release of OPNsense I needed to have it enabled but haven't for a long time.
#3
Hi, I had this problem with the last few versions of 16.7 but it's still present in 17.1.1 in that suricata keeps exiting after 15~500 seconds.

Feb 13 09:10:00 kernel: pid 21502 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:09:18 configd.py: [dc6e5d2e-e377-4dbc-b00f-751ecaa3024c] get suricata daemon status
Feb 13 09:09:16 configd.py: [4ce7e5ed-731a-4bff-a945-98bcbab50da9] start suricata daemon
Feb 13 09:09:16 configd.py: [f3452e49-e5ec-44d8-93da-8dcc8c219cc5] install suricata rules
Feb 13 09:09:15 configd.py: [91bd5288-a8f7-4bb1-8733-25e0b207f888] get suricata daemon status
Feb 13 09:09:02 configd.py: [f4e9e1b0-5bc5-4257-ada1-c7c65a144be0] get suricata daemon status
Feb 13 09:08:34 kernel: pid 48719 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:07:33 configd.py: [c25d9c01-5880-426c-8a35-da259d2303b6] get suricata daemon status


All hardware acceleration options are turned off

OPNsense 17.1.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017
#4
Hi, I'm getting a lot of issues in the WebGUI since upgrading to 16.7.4-amd64. Random parts of the GUI are broken and logging seems to be busted too.

I've tried reverting to a previous config but no dice - any assistance please?
#5
15.7 Legacy Series / Traffic Shaper help
November 23, 2015, 11:28:52 AM
Could anyone help me out with some QoS style traffic rules using the new traffic shaper in OPNsense please?

My connection is 19.5Mbit down and 3.5Mbit up (PPPoE). I'd like to prioritise HTTPS traffic and lower traffic for port 1533. I'm not sure I'm applying the correct settings to do so and end up with non-working traffic.
#6
15.7 Legacy Series / [SOLVED] Status - IPSec
November 06, 2015, 09:30:45 AM
Hi there,

I've been seeing an issue with the IPsec status within: OPNsense 15.7.18_1-amd64

The widget on the homepage doesn't report the status correctly anymore (inactive tunnel, danger) and the status page itself now doesn't report the configuration properly or status.

The IPSec tunnel itself is actually working fine.
#7
Manually starting or restarting IPSec service results in:

Fatal error: Call to undefined function vpn_ipsec_force_reload() in /usr/local/www/status_services.php on line 99

OPNsense 15.7.5-amd64
FreeBSD 10.1-RELEASE-p15
OpenSSL 1.0.2d 9 Jul 2015

Submitted crash report.
#8
I've set up a HE.net tunnel following the related pfsense documentation:
https://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

Now, the configuration works but it seems to break the apinger service and cause WebGUI related issues.
When the OPT1 interface is enabled, the Gateway for the tunnel (Under System > Routing) cannot be edited, reports the connection is in IPv4 mode and ignores any changes made to rectify this.

apinger log:
Jul 24 09:58:06 apinger: No usable targets found, exiting
Jul 24 09:58:06 apinger: Starting Alarm Pinger, apinger(40909)
Jul 24 09:58:01 apinger: No usable targets found, exiting
Jul 24 09:58:01 apinger: Starting Alarm Pinger, apinger(36162)
Jul 24 09:47:01 apinger: No usable targets found, exiting
Jul 24 09:47:01 apinger: Starting Alarm Pinger, apinger(3095)
Jul 24 09:43:00 apinger: No usable targets found, exiting
Jul 24 09:43:00 apinger: Starting Alarm Pinger, apinger(18514)
Jul 24 09:40:37 apinger: No usable targets found, exiting
Jul 24 09:40:37 apinger: Starting Alarm Pinger, apinger(32390)
Jul 24 09:40:09 apinger: No usable targets found, exiting


Regardless of this, the tunnel itself actually does work though.
#9
Hi, having an issue viewing Status Queues on OPNsense 15.1.10.1-amd64

status_queues.php
XML error: QUEUE at line 8 cannot occur more than once

Tried a reboot, not resolving it. Doesn't seem to trigger an OPNsense error / crash alert.
Using Firefox 37.0.2 / Windows 8.1, Firefox 37.02 / OS X 10.10.3 and IE11 / Server 2012 R2
#10
Hi, I'm unable to access the GUI menu in "Services > UPnP & NAT-PMP"

System Information:
FreeBSD 10.1-RELEASE-p8 #0 2822f85(master): Sat Mar 21 03:09:56 CET 2015     root@sensey64:/usr/obj/usr/src/sys/SMP
OPNsense 15.1.8.4-4df19f1b1 (amd64)
OpenSSL 1.0.1m 19 Mar 2015

PHP Errors:
[08-Apr-2015 21:35:58 Europe/London] PHP Fatal error:  Cannot redeclare redirectHeader() (previously declared in /usr/local/www/pkg_edit.php:53) in /usr/local/etc/inc/functions.inc on line 63
[08-Apr-2015 21:36:00 Europe/London] PHP Fatal error:  Cannot redeclare redirectHeader() (previously declared in /usr/local/www/pkg_edit.php:53) in /usr/local/etc/inc/functions.inc on line 63

Tried to submit a report via Crash Reporter, but Yes is greyed out and un-selectable.

Errors persist after a reboot.

Edit:
Removed the "disabled=disabled" from:
<button disabled="disabled" name="Submit" type="submit" class="btn btn-primary" value="yes">Yes</button>

and submitted a report, hope that helps.