Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - cardins2u

Pages: [1] 2 3 4

19.7 Production Series / Re: IPSec - Issues

« on: July 19, 2019, 05:49:55 am »

I'm so stumpped.
Here's the log.

Logs Right after Reboot:
##############################################

Jul 18 20:46:12   charon: 07[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:12   charon: 07[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:12   charon: 07[ENC] <con1|3> parsed CREATE_CHILD_SA response 4 [ N(NO_PROP) ]
Jul 18 20:46:12   charon: 07[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:11   charon: 07[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:11   charon: 07[ENC] <con1|3> generating CREATE_CHILD_SA request 4 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:11   charon: 07[IKE] <con1|3> establishing CHILD_SA con1{14} reqid 1
Jul 18 20:46:11   charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:10   charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:10   charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:10   charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:10   charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:10   charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:10   charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:10   charon: 09[IKE] <con2|4> establishing CHILD_SA con2{13} reqid 2
Jul 18 20:46:10   charon: 07[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:09   charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09   charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09   charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
Jul 18 20:46:09   charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:09   charon: 11[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:09   charon: 11[ENC] <con1|3> generating CREATE_CHILD_SA request 3 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:09   charon: 11[IKE] <con1|3> establishing CHILD_SA con1{12} reqid 1
Jul 18 20:46:09   charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:09   charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09   charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09   charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 1 [ N(NO_PROP) ]
Jul 18 20:46:09   charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:08   charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:08   charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 1 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:08   charon: 09[IKE] <con2|4> establishing CHILD_SA con2{11} reqid 2
Jul 18 20:46:08   charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:06   charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:06   charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:06   charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:06   charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:06   charon: 09[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:06   charon: 09[ENC] <con1|3> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:06   charon: 09[IKE] <con1|3> establishing CHILD_SA con1{10} reqid 1
Jul 18 20:46:06   charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:05   charon: 11[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:05   charon: 11[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:05   charon: 11[ENC] <con2|4> parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Jul 18 20:46:05   charon: 11[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:05   charon: 11[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:05   charon: 11[ENC] <con2|4> generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:05   charon: 11[IKE] <con2|4> establishing CHILD_SA con2{9} reqid 2
Jul 18 20:46:05   charon: 08[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:05   charon: 08[IKE] <con2|2> IKE_SA deleted
Jul 18 20:46:05   charon: 08[ENC] <con2|2> parsed INFORMATIONAL response 3 [ ]

##############################################

Logs After Clicking Save - VPN -> IPSEC > Tunnel Settings:
ABSOLUTELY NO CHANGES AT ALL. JUST CLICK SAVE and it works.
##############################################

Jul 18 20:47:45   charon: 10[IKE] <con2|4> CHILD_SA con2{143} established with SPIs ceb2477e_i c9db3f63_o and TS 10.0.0.0/22 === 10.0.52.0/24
Jul 18 20:47:45   charon: 10[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45   charon: 10[ENC] <con2|4> parsed CREATE_CHILD_SA response 61 [ SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45   charon: 10[NET] <con2|4> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (828 bytes)
Jul 18 20:47:45   charon: 10[ENC] <con2|4> generating CREATE_CHILD_SA request 61 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[IKE] <con2|4> establishing CHILD_SA con2{143} reqid 4
Jul 18 20:47:45   charon: 09[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {4}
Jul 18 20:47:45   charon: 10[IKE] <con1|3> CHILD_SA con1{142} established with SPIs c3bd7173_i c9b412f6_o and TS 10.0.0.0/22 === 10.0.55.0/24
Jul 18 20:47:45   charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45   charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 68 [ SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45   charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (844 bytes)
Jul 18 20:47:45   charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 68 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[IKE] <con1|3> establishing CHILD_SA con1{142} reqid 3
Jul 18 20:47:45   charon: 10[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {3}
Jul 18 20:47:45   charon: 10[CFG] received stroke: route 'con2'
Jul 18 20:47:45   charon: 09[CFG] added configuration 'con2'
Jul 18 20:47:45   charon: 09[CFG] received stroke: add connection 'con2'
Jul 18 20:47:45   charon: 10[CFG] received stroke: route 'con1'
Jul 18 20:47:45   charon: 13[CFG] added configuration 'con1'
Jul 18 20:47:45   charon: 13[CFG] received stroke: add connection 'con1'
Jul 18 20:47:45   charon: 06[CFG] deleted connection 'con2'
Jul 18 20:47:45   charon: 06[CFG] received stroke: delete connection 'con2'
Jul 18 20:47:45   charon: 10[CFG] received stroke: unroute 'con2'
Jul 18 20:47:45   charon: 12[CFG] deleted connection 'con1'
Jul 18 20:47:45   charon: 12[CFG] received stroke: delete connection 'con1'
Jul 18 20:47:45   charon: 10[CFG] received stroke: unroute 'con1'
Jul 18 20:47:45   charon: 06[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Jul 18 20:47:45   charon: 06[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 18 20:47:45   charon: 06[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 18 20:47:45   charon: 06[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 18 20:47:45   charon: 06[CFG] loaded ca certificate "C=US, ST=WA, L=Olympia, O=IH Gateway, OU=InVinHost, CN=OPNSenseCA, E=" from '/usr/local/etc/ipsec.d/cacerts/cca9ae1f.0.crt'
Jul 18 20:47:45   charon: 06[CFG] loaded ca certificate "C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, N=VPN, E=VPN" from '/usr/local/etc/ipsec.d/cacerts/a72f8721.0.crt'
Jul 18 20:47:45   charon: 06[CFG] loaded ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA" from '/usr/local/etc/ipsec.d/cacerts/38ce789e.0.crt'
Jul 18 20:47:45   charon: 06[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 18 20:47:45   charon: 06[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
Jul 18 20:47:45   charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45   charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45   charon: 06[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 18 20:47:45   charon: 06[CFG] rereading secrets
Jul 18 20:47:44   charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:47:44   charon: 10[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:47:44   charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 67 [ N(NO_PROP) ]
Jul 18 20:47:44   charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:47:44   charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (364 bytes)
Jul 18 20:47:44   charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 67 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:44   charon: 10[IKE] <con1|3> establishing CHILD_SA con1{139} reqid 1
Jul 18 20:47:44   charon: 15[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {1}
Jul 18 20:47:44   charon: 15[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA

##############################################

19.7 Production Series / Re: IPSec - Issues

« on: July 18, 2019, 06:45:38 am »

doesnt make sense. the other side nothing changed. I reverted back to old snapshot of the opnsense virtual machine. It worked magically. Restarted OPNSense and IPsec connects comes up without doing anything. Did it a couple of times.

Started the upgrade again. Back on 19.7 and it behaves werid again.

19.7 Production Series / IPSec - Issues

« on: July 18, 2019, 03:00:08 am »

The upgrade to 19.7 went smooth. Everything looks good so far. its functional as is.

The only issues I see is. After reboot IPSec services show as green but no ping or connections. NO SMB connections to server server across the ipsec.

Here's how I fix it every OPNSense Reboot last 10 reboots:

Every Reboot - the IPSec connection doesnt come up. you would have to go to

VPN > IPSec > Tunnel Settings > select one of the tunnel, click save > apply changes

then tunnel works again. I can access SMB on other side again. THis is no changes. Just save and apply. IPSEC works again.

Anyone can produce this?

General Discussion / NordVPN Tutorials/Instructions?

« on: December 27, 2018, 05:45:36 pm »

Anyone got NordVPN working on OPNSense? I'm trying to get it to work following PFSense tutorial. It didnt work out.

pretty please anyone?

18.7 Legacy Series / Re: Traffic shaper: Pipe, Queues and Rules !

« on: August 18, 2018, 08:55:17 am »

YAY I got it working

@Franco !!!!

We should add Alias to Traffic Shaping too! SO we can have multiple sources nets.

18.7 Legacy Series / Re: Traffic shaper: Pipe, Queues and Rules !

« on: August 18, 2018, 08:08:28 am »

Heres what I have so far. I cannot find set direction like you stated.

18.7 Legacy Series / Re: Traffic shaper: Pipe, Queues and Rules !

« on: August 18, 2018, 07:56:09 am »

Quote from: mimugmail on August 18, 2018, 07:36:31 am

1. create a pipe for download, set to 50mbit
2. create a pipe for upload, set to 10mbit
3. create a rule for download, set interface GuestLAN, set direction out, set destination IP your GuestLAN
4. create a rule for upload, set interface GuestLAN, set direction in, set source IP your GuestLAN

Should be enough for this case

awesome! does this apply only traffic to WAN. or Does applies to local traffic as well?

18.7 Legacy Series / Re: Traffic shaper: Pipe, Queues and Rules !

« on: August 18, 2018, 07:07:14 am »

@Franco,

can you post up an example of how to create it? Documentations on the wiki is a bit confusiing. I'm trying to do this traffic shaking for guest vlan too and never been sucessful at it.

could you make a simple tutorial for like 50mb/10mb pipe for guest vlan ?

thanks

18.7 Legacy Series / Re: update cycle 18.7.r1 consantly

« on: July 19, 2018, 08:47:04 pm »

nevermind disregard. It was fairly stupid

upgrade and update are different hahah

18.7 Legacy Series / update cycle 18.7.r1 consantly

« on: July 19, 2018, 08:22:11 pm »

Franco,

I'm getting a upgrade loop.

Upgrade branch: Development

Package Name   Current Version   New Version   Required Action
opnsense   18.7.r1   N/A   obsolete
opnsense-devel   N/A   18.7.r_10   new

after clicking upgrade. It reboots and comes back with this upgrade again stating 18.7.r1 is obsolite and tries to upgrade to 18.7.r_10

18.7 Legacy Series / Re: default vLAn

« on: July 12, 2018, 09:22:59 am »

@Franco

this rule below fixed it

I set LAN net to 10.0.0.6 (DA Server)

then I Set 10.0.0.6 to Lan.Net

now it works fine. Its not fast like having a low grade router *linksys or UBNT usg pro*.

theres like 2-3 second delays but I can live this this.

thanks..
if you have anymore tips or anything flying by. let me know so I can test.

18.7 Legacy Series / Re: default vLAn

« on: July 12, 2018, 08:58:31 am »

nevermind, set to none works. FLushed state tables.

so for lan to lan traffic we should keep this stateful disable?

18.7 Legacy Series / Re: default vLAn

« on: July 12, 2018, 08:36:47 am »

this is the error :

18.7 Legacy Series / Re: default vLAn

« on: July 12, 2018, 08:32:13 am »

@franco

Attach is the firewall rules.

OPNSense in the way then Direct Access sometimes can contact 10.0.0.2 / 10.0.0.3 (domain controllers) - Direct access application on launch will sometimes shows Lost trust with domain controller.

If I take out the OPNSense and use the Unifi USG pro then that doesn't happen.

IPv4 * LAN net * * * * Default allow LAN to any rule

State Tracking -
- None -if I set this to none. It works just fine. 7 fail/10
- Sloppy -If I set this to sloppy 8 fails/10
- Keep - then direct access fail to refresh 8 fails /10 times

Note: Edited - after restart of direct acess server it happens again. took out the opnsense and just use linksys or usg pro from ubnt then it works fine . rebooted it still works......hmm

18.7 Legacy Series / Re: default vLAn

« on: July 11, 2018, 05:44:26 pm »

its all local.

vLAN 1 (default vlan) all local. No VPN
Direct Access server try to communicate with Domain Controllers and it cannot. Its a hit and miss. Sometimes it can and sometimes it cannot.

Without OPNSense in the way and using a regular linksys router it works just fine.

So was just wondering if I'm missing anything. Is all local traffic being filter at the firewall?

Pages: [1] 2 3 4