OPNsense
Messages - siegfried

Pages: [1] 2
1
Web Proxy Filtering and Caching / Allowing individual browsers or user-agents?
« on: August 16, 2019, 08:25:49 am »
Hi all,

Blocking browsers or user-agents using a regex is possible in the GUI, but I also want to allow individual user-agents to access the internet without authentication in the same way. The reason is that some applications are unable to authenticate at the proxy, and a URL exception is not an option in this case.

Thanks in advance,
Siegfried
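An added example, not from the thread and not the config OPNsense's GUI generates: in raw Squid syntax, the exemption the post asks for is a rule-ordering question in squid.conf. The `browser` ACL type matches the request's User-Agent header; an `http_access allow` for it placed before the `proxy_auth` rule lets those clients through without a 407 challenge. The ACL names, network and regexes below are hypothetical.

```squid
# Hypothetical squid.conf excerpt; ACL names, the source network and the
# user-agent regexes are illustrative, not taken from the thread.
acl localnet      src 192.0.2.0/24
acl unauth_agents browser -i ^SomeUpdater/ ^AnotherClient/
acl authed        proxy_auth REQUIRED

# Order matters: the user-agent allow must precede the proxy_auth check,
# otherwise Squid sends a 407 first and the non-authenticating app fails.
http_access allow localnet unauth_agents
http_access allow localnet authed
http_access deny  all
```

The User-Agent header is entirely client-controlled, so anything on the network can claim to be one of the exempted applications; tie the `browser` ACL to a source-address ACL (and, where possible, to a `dstdomain` ACL for the hosts those applications actually need) rather than allowing the user-agent alone.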

2
19.7 Production Series / Solved: Sensei blocks SNMP
« on: August 07, 2019, 03:26:48 pm »
It seems that the Sensei plugin blocks some SNMP queries via the LAN interface. At the monitoring host, SNMP checks (e.g. bandwidth usage checks for network interfaces) don't get answers from the firewall box. If I press "Enter Bypass mode" on the status page of the Sensei plugin in OPNsense, the checks work fine. But the strange thing is, another SNMP check (query for OID sysDescr.0) works all the time...
Running system is 19.7.2.
Any ideas/hints?

Update: I figured out that the checks work fine if SNMP v1 is used. The SNMP packet size for the check was the problem. After reducing the max packet size in the service check configuration, the checks are working again with SNMPv2.

3
German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr
« on: July 30, 2019, 03:16:34 pm »
After letting the topic rest for a while, a new attempt with 19.7.1 on one of the boxes. Unfortunately still the same behaviour. I have also deleted the entire IPsec config, reset the box, restored the config backup and reconfigured the VPN. Didn't help.

4
German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr
« on: May 28, 2019, 09:43:16 pm »
Just found: it seems there are two tickets on this.
https://github.com/opnsense/core/issues/2332
https://github.com/opnsense/core/issues/3443
So I'll have something to read in the office tomorrow morning ;-)

5
German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr
« on: May 28, 2019, 01:03:38 pm »
Unfortunately nothing that gets me any further. What I find there is partly several years old... :-(

6
German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr
« on: May 28, 2019, 08:14:19 am »
Hi minugmail,
ipsec.conf has reqid = 1000:

conn con1
    aggressive = no
    fragmentation = yes
    keyexchange = ikev2
    mobike = yes
    reauth = yes
    rekey = yes
    forceencaps = no
    # charon installs no kernel policies for this conn (VTI setup)
    installpolicy = no

    dpdaction = none
    left = x.x.x.x
    right = y.y.y.y

    leftid = xxx.yyy.de
    ikelifetime = 28800s
    lifetime = 28800s
    ike = aes256-sha512-ecp521!
    leftauth = pubkey
    rightauth = pubkey
    leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
    leftsendcert = always
    rightca = "meineCA"
    rightid = xxx.yyy.de
    reqid = 1000
    # 0.0.0.0/0 on both sides: route-based tunnel, routing decides what goes in
    rightsubnet = 0.0.0.0/0
    leftsubnet = 0.0.0.0/0
    esp = aes256-sha512-ecp521!
    # load the conn and start it on demand (trap policy) instead of immediately
    auto = route

7
German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr
« on: May 27, 2019, 11:08:59 pm »
Quote from: micneu on May 27, 2019, 08:49:04 pm
Sorry, just so I understand: what is "VTI"?


Sent from my iPad using Tapatalk Pro

VTI = virtual tunnel interface.
Here is a how-to on it: https://github.com/opnsense/docs/blob/master/source/manual/how-tos/ipsec-s2s-route.rst

8
German - Deutsch / IPsec mit VTI, kein automat. Start bei Datenverkehr
« on: May 27, 2019, 07:52:13 pm »
Good evening all,
I want to set up a site-to-site tunnel with VTI. If I bring the tunnel up manually or set the config to "start immediately", everything is fine (so I presumably haven't made any fundamental mistakes), but only until the tunnel is torn down at some point. The tunnel is not brought up automatically. Attached are the messages on this (chronological order from top to bottom):

charon: 15[KNL] received an SADB_ACQUIRE with policy id 2 but no matching policy found
charon: 15[KNL] creating acquire job for policy a.b.c.d/32 === w.x.y.z/32 with reqid {0}
charon: 16[CFG] trap not found, unable to acquire reqid 0

Both boxes run 19.1.8 and both show the same behaviour. On one it is the only tunnel; on the other there are also other, so far policy-based, tunnels.

Does anyone know the problem or have an idea where the error lies?
Thanks in advance,
Siegfried
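An added example (mine, not code from the thread or from OPNsense) that ties the conn block posted in the May 28 reply to the charon lines quoted in this post: it parses `ipsec.conf` conn sections, pulls the reqid out of the `SADB_ACQUIRE` / `trap not found` messages, and reports two things. The dynamic finding is simply that the kernel acquires for reqid 0 while the only loaded conn has reqid 1000. The static finding encodes my reading of strongSwan semantics, stated here as the check's assumption rather than as something the thread confirms: `auto = route` works through a trap policy that charon installs in the kernel, and `installpolicy = no` suppresses exactly that installation. The conn block and log lines are constructed from the posted values; the addresses are documentation ranges standing in for a.b.c.d / w.x.y.z.

```python
"""Cross-check a strongSwan ipsec.conf conn block against charon's acquire log lines."""
import re

# Constructed from the values quoted in the thread (reqid 1000, auto=route,
# installpolicy=no); 0.0.0.0/0 on both sides is the route-based VTI setup.
SAMPLE_CONF = """\
conn con1
    keyexchange = ikev2
    installpolicy = no
    reqid = 1000
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    auto = route
"""

# Constructed log lines in the shape charon logged in the thread.
SAMPLE_LOG = """\
charon: 15[KNL] received an SADB_ACQUIRE with policy id 2 but no matching policy found
charon: 15[KNL] creating acquire job for policy 192.0.2.1/32 === 198.51.100.1/32 with reqid {0}
charon: 16[CFG] trap not found, unable to acquire reqid 0
"""

ACQUIRE_RE = re.compile(r"creating acquire job for policy (\S+) === (\S+) with reqid \{(\d+)\}")
TRAP_RE = re.compile(r"trap not found, unable to acquire reqid (\d+)")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header: 'conn X', 'config setup', 'ca X'
            words = line.split()
            current = words[1] if words[0] == "conn" and len(words) > 1 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:                       # inside a non-conn section
            continue
        key, sep, value = line.partition("=")
        if sep:
            conns[current][key.strip()] = value.strip()
    return conns


def diagnose(conf_text, log_text):
    """Return sorted, de-duplicated findings on why on-demand start cannot work."""
    conns = parse_conns(conf_text)
    findings = set()

    # Static check (assumption about strongSwan semantics, see lead-in):
    # auto=route needs a kernel trap policy, installpolicy=no prevents it.
    for name, opts in conns.items():
        if opts.get("auto") == "route" and opts.get("installpolicy", "yes") == "no":
            findings.add(f"{name}: auto=route needs a trap policy, "
                         f"but installpolicy=no tells charon not to install one")

    # Dynamic check: the reqid the kernel acquires for must belong to a loaded conn.
    known = {opts["reqid"] for opts in conns.values() if "reqid" in opts}
    for line in log_text.splitlines():
        m = ACQUIRE_RE.search(line) or TRAP_RE.search(line)
        if not m:
            continue
        reqid = m.group(m.lastindex)              # last group is the reqid in both patterns
        if reqid not in known:
            findings.add(f"kernel acquire carries reqid {reqid}, which matches no "
                         f"configured conn (configured: {sorted(known)})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Run it against the real files with `diagnose(open("/usr/local/etc/ipsec.conf").read(), open("/var/log/ipsec.log").read())` (paths assumed); an empty list means neither symptom from the thread is present. The parser only understands the `conn` sections of the classic ipsec.conf format, not swanctl.conf.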

9
19.1 Legacy Series / Re: IPSEC Tunnel not working anymore
« on: March 21, 2019, 07:46:37 am »
Moin!
Patch solved the issue. Thanks!

10
19.1 Legacy Series / Re: IPSEC Tunnel not working anymore
« on: March 20, 2019, 03:52:07 pm »
Hi all,
Same problem here. Since 19.1.4 a tunnel to a Fortigate cluster (2x Fortigate 200E) doesn't work anymore. SAs are created, the counters for incoming traffic are >0, but there is no outgoing traffic to the Fortigate box.

I'll try the patch later this evening.
Edit: Fortigate firmware version: 5.6.3

11
19.1 Legacy Series / Re: Certificate check wrong result?
« on: March 18, 2019, 02:03:02 pm »
Solved: the cert has to have both keyUsage AND extendedKeyUsage set for OpenVPN. But in the past (pre 19.1.3) it was possible to use a server cert with just extendedKeyUsage and set the client options.

12
19.1 Legacy Series / [SOLVED] Certificate check wrong result?
« on: March 18, 2019, 12:37:41 pm »
Hello all,

I'm using certificates issued by our internal PKI; all the certs for the boxes are generated with extendedKeyUsage for serverAuth. In the past I was able to make changes to OpenVPN servers. But the GUI has been showing me (since the update to 19.1.4?) that the cert is not intended for server use, so I cannot make any changes to the OpenVPN configuration; the GUI tells me that the "certificate is not intended for server use".
Also a certificate issued by the internal CA is unusable for the OpenVPN server (same message)... what's wrong?

Thanks in advance for your help!
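An added example of the check the two posts in this thread describe, written by me for this page and not OPNsense's own validation code: it shells out to the `openssl` CLI, builds two throw-away self-signed certificates (one with only `extendedKeyUsage=serverAuth`, one with `keyUsage` as well, mirroring the "before" and "after" in the solved post), and reports whether each would pass a "keyUsage AND extendedKeyUsage" rule. Which keyUsage bits OPNsense actually requires is not stated in the thread; the check below insists on `digitalSignature` plus `serverAuth` as an assumption. The CN is hypothetical.

```python
"""Does a certificate carry both keyUsage and extendedKeyUsage=serverAuth?"""
import os
import subprocess
import tempfile


def _openssl(*args):
    """Run the openssl CLI and return its stdout (raises on non-zero exit)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_test_cert(directory, with_key_usage):
    """Write a throw-away self-signed cert (constructed; the CN is hypothetical).

    EKU serverAuth is always present; keyUsage only when requested, which
    reproduces the two cases from the thread (EKU-only vs. KU + EKU).
    """
    tag = "both" if with_key_usage else "eku-only"
    key = os.path.join(directory, f"{tag}.key")
    crt = os.path.join(directory, f"{tag}.crt")
    args = ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=vpn.example.test", "-keyout", key, "-out", crt,
            "-addext", "extendedKeyUsage=serverAuth"]
    if with_key_usage:
        args += ["-addext", "keyUsage=digitalSignature,keyEncipherment"]
    _openssl(*args)
    return crt


def cert_extensions(cert_path):
    """Parse keyUsage / extendedKeyUsage values out of 'openssl x509 -text'."""
    lines = _openssl("x509", "-in", cert_path, "-noout", "-text").splitlines()
    labels = {"X509v3 Key Usage": "keyUsage",
              "X509v3 Extended Key Usage": "extendedKeyUsage"}
    found = {}
    for i, line in enumerate(lines[:-1]):
        for label, name in labels.items():
            # the extension's values are printed on the line after its label
            if line.strip().startswith(label):
                found[name] = [v.strip() for v in lines[i + 1].split(",")]
    return found


def openvpn_server_cert_ok(cert_path):
    """(accepted, reason) under the rule 'keyUsage AND extendedKeyUsage=serverAuth'.

    The required keyUsage bit (digitalSignature) is an assumption of this
    example, not something the thread states.
    """
    ext = cert_extensions(cert_path)
    if "keyUsage" not in ext:
        return False, "no keyUsage extension (EKU alone is not enough)"
    if "Digital Signature" not in ext["keyUsage"]:
        return False, "keyUsage lacks digitalSignature"
    if "TLS Web Server Authentication" not in ext.get("extendedKeyUsage", []):
        return False, "extendedKeyUsage lacks serverAuth"
    return True, "ok"


def demo():
    """Build both test certs in a temp dir and return {case: accepted?}."""
    with tempfile.TemporaryDirectory() as d:
        return {tag: openvpn_server_cert_ok(make_test_cert(d, ku))[0]
                for tag, ku in (("both", True), ("eku-only", False))}


if __name__ == "__main__":
    print(demo())
```

For a certificate from the internal PKI, call `openvpn_server_cert_ok("/path/to/server.crt")` directly; a `False` with "no keyUsage extension" is the situation from the first post, and the fix is on the issuing CA's side (add keyUsage to the server profile), not in OPNsense.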

13
18.7 Legacy Series / Change OpenVPN kills IPSec tunnels
« on: August 09, 2018, 08:27:37 pm »
Hi again, I deleted and recreated the OpenVPN server: same behaviour. Clicking the "save" button in OpenVPN kills traffic through IPsec; I have to kill the tunnels manually. Any hints to avoid this?

14
18.7 Legacy Series / Change OpenVPN kills IPSec tunnels
« on: August 09, 2018, 08:15:27 am »
Hi everybody, every time I change something on the OpenVPN servers (or also activate/deactivate the server) there is no longer traffic through the IPsec tunnels on the same box. I have to kill the tunnels and then it's fine again (until the next change to OpenVPN). I've never seen this behaviour before, so I think it's possibly new since 18.7.

15
Development and Code Review / Re: Patching a commit into OPNsense
« on: May 14, 2018, 10:59:32 am »
patch installed, works fine again.
Thanks!

OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved