OPNsense Forum
Messages - nzkiwi68

106
22.1 Legacy Series / BUG: There were error(s) loading the rules: /tmp/rules.debug:806: sticky-address
« on: July 25, 2022, 03:23:08 am »
Code:
2022-07-23T18:51:24 Error opnsense /usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:806: sticky-address cannot be redefined - The line in question reads [806]: pass in quick on vlan01 route-to {( vlan02 202.202.202.202 )} sticky-address inet proto {tcp udp} from $groveseg to $Marshal_updates port $http_https keep state label "9e64a311a494a21cfdbefcba91dad3a5" # : Allow ServerSEG license check

As soon as I add WAN fail-over capability to rules, this breaks badly.
I can't seem to pin down exactly what is going on, my best guess is the WAN fail-over "WAN1_failover_WAN2" gateway group is just not working.
Often, I can get the issue to go away by moving the rule to the top of the interface rules, or to the end. But that doesn't always work either.

Troubleshooting steps I have tried:
  • Deleted the offending rule and made it again (doesn't always fix it)
  • Moving the rule around for rule order (also doesn't always fix it)
  • Rebooting OPNsense (definitely doesn't fix it)
  • Exported the config, looked over the config by hand (seems fine), re-imported the config and rebooted (doesn't fix it)
  • Also occurs when I take an existing rule and change the default gateway to the new WAN fail-over gateway


The WAN fail-over group looks perfect.

Any ideas anyone?
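
The error text in the log above is pf's own parser message: parse.y (the pool_opt rules) accepts each pool option such as sticky-address once per route-to/reply-to pool and aborts the load if it sees it again. The checker below, an added example and not OPNsense or FreeBSD code, reports that same condition over a rules.debug file without loading it. SAMPLE is constructed: line 1 is the poster's line 806 exactly as pasted, lines 2 and 3 are deliberately broken variants; the path string is only used for the report.

```python
"""Lint a pf ruleset for options pf refuses to accept twice in one rule."""
import re
import sys
from typing import List

# Pool type keywords: only one may appear per pool ("pool type cannot be redefined").
POOL_TYPES = ("bitmask", "random", "source-hash", "round-robin")
# Flags that may appear once per pool ("<flag> cannot be redefined").
SINGLE_OPTS = ("sticky-address", "static-port")

_WORD = r"(?<![\w-]){}(?![\w-])"  # keyword as a whole token, not part of an alias name


def _rule_body(line: str) -> str:
    """Drop quoted strings (labels) and the trailing '#' comment so they cannot inflate counts."""
    no_strings = re.sub(r'"[^"]*"', '""', line)
    return no_strings.split("#", 1)[0]


def _count(keyword: str, body: str) -> int:
    return len(re.findall(_WORD.format(re.escape(keyword)), body))


def redefinitions(line: str) -> List[str]:
    """pfctl-style messages for options repeated within one rule line (empty list if clean)."""
    body = _rule_body(line)
    msgs = [f"{opt} cannot be redefined" for opt in SINGLE_OPTS if _count(opt, body) > 1]
    if sum(_count(t, body) for t in POOL_TYPES) > 1:
        msgs.append("pool type cannot be redefined")
    return msgs


def lint_ruleset(text: str, path: str = "/tmp/rules.debug") -> List[str]:
    """One '<path>:<line>: <message>' entry per problem, in the format pfctl reports."""
    return [
        f"{path}:{lineno}: {msg}"
        for lineno, line in enumerate(text.splitlines(), start=1)
        for msg in redefinitions(line)
    ]


# Constructed sample: line 1 = the pasted line 806, lines 2 and 3 = broken variants.
SAMPLE = """\
pass in quick on vlan01 route-to {( vlan02 202.202.202.202 )} sticky-address inet proto {tcp udp} from $groveseg to $Marshal_updates port $http_https keep state label "9e64a311a494a21cfdbefcba91dad3a5" # : Allow ServerSEG license check
pass in quick on vlan01 route-to {( vlan02 202.202.202.202 ), ( vlan03 203.203.203.203 )} round-robin sticky-address sticky-address inet proto tcp from $groveseg to any keep state label "sticky-address in a label is harmless" # sticky-address in a comment too
pass in quick on vlan01 route-to {( vlan02 202.202.202.202 ), ( vlan03 203.203.203.203 )} round-robin random inet proto tcp from $groveseg to any keep state
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/rules.debug"
    text = open(path).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint_ruleset(text, path):
        print(finding)
```

Run it against a copy of /tmp/rules.debug taken right after the reload fails. Note that the pasted line 806 contains sticky-address only once and is not flagged, so the first thing to confirm is that the line in the file matches the one in the log; `pfctl -nf /tmp/rules.debug` parses the file without loading it and reports the same line number.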


107
Virtual private networks / BUG: Mobile IPsec using EAP-TLS fails incorrectly "no trusted certificate found"
« on: July 25, 2022, 03:11:21 am »
It appears that OPNsense incorrectly requires the client certificate to be installed inside OPNsense. This should NOT be required. If OPNsense has a server certificate issued from an external CA, and a copy of that external CA installed (just the public cert, no private key), then OPNsense should be able to correctly verify the authenticity of the client certificate presented by the remote Mobile IPsec client.

Instead, Mobile IPsec fails:
(IP addresses and FQDNs changed for privacy)

Code:
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> sending packet: from 202.202.202.202[4500] to 101.101.101.101[10673] (80 bytes)
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> generating IKE_AUTH response 9 [ EAP/FAIL ]
2022-07-21T23:37:23 Informational charon 14[IKE] <con9|38> EAP method EAP_TLS failed for peer GregsiPhone.domain.local
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> received packet: from 101.101.101.101[10673] to 202.202.202.202[4500] (112 bytes)
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> sending packet: from 202.202.202.202[4500] to 101.101.101.101[10673] (96 bytes)
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> generating IKE_AUTH response 8 [ EAP/REQ/TLS ]
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> sending fatal TLS alert 'certificate unknown'
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> no trusted certificate found for 'GregsiPhone.domain.local' to verify TLS peer
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> received TLS intermediate certificate 'DC=local, DC=domain, CN=domain-domainECA-CA'
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> received TLS peer certificate 'serialNumber=8714.21901, DC=local, DC=domain, CN=GregsiPhone'
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> received fragment #3 of 3, reassembled fragmented IKE message (1056 bytes)
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EF(3/3) ]
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> received packet: from 101.101.101.101[10673] to 202.202.202.202[4500] (132 bytes)

Consider this case:
  • Large installation, many hundreds of mobile phones
  • Mobile phones are managed using a Mobile Device Manager (MDM) system
  • Using that MDM, the phones obtain a client certificate without intervention using SCEP and the VPN configuration
  • VPN auth is EAP-TLS and auto starts for any traffic to "domain.local", requiring no user action

This works with pfSense, but on migration to OPNsense we see that OPNsense incorrectly appears to require the client certificate to be installed locally within OPNsense, which just cannot happen at scale.




108
22.1 Legacy Series / Re: Create new site to site IPsec tunnel fails until you reload fw rules
« on: June 29, 2022, 11:57:13 pm »
DEV any comments?

109
22.1 Legacy Series / Create new site to site IPsec tunnel fails until you reload fw rules
« on: June 28, 2022, 01:07:33 am »
I have noticed, that when you create a new site to site IPsec VPN tunnel, it simply will not become active.

I have done a reasonable amount of diagnostics and my finding is this:
If you create or modify a firewall rule or alias and save, thereby reloading the firewall rules, the site to site VPN tunnel will then come up.

What's going on?
I think when you press save on the new IPsec tunnel, OPNsense is not immediately updating the hidden IPsec allow rules on the WAN interface and/or not reloading the firewall rules, and therefore IPsec traffic is blocked until a firewall rules reload is manually done.



110
22.1 Legacy Series / Re: FRR and BGP or OSPF - can't get Route Maps to select more than 1 prefix list
« on: May 18, 2022, 09:50:24 pm »
Quote from: mimugmail on May 18, 2022, 01:11:17 pm
The correct way is to add multiple prefix lists with the same names but different priorities :)


Thanks!

That fixed it. No need for a route map at all, just make multiple prefix lists with the same name and use that prefix list name as a prefix list out for the BGP neighbor.

Then, I actually use a route map to set the local-preference to prefer WAN1 vs WAN2.
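
The arrangement described in this reply, written out as an added FRR configuration fragment (not the poster's running config). The two prefixes and the neighbor are taken from the posted configuration; the list name sitea-nets, the route-map name prefer-wan1, the local-preference value 200 and the choice to apply the route map inbound are assumptions:

```text
! One prefix-list name with several seq entries: FRR evaluates them in seq order
! and applies an implicit deny to anything that matches no entry.
ip prefix-list sitea-nets seq 10 permit 192.168.1.0/24
ip prefix-list sitea-nets seq 20 permit 10.1.55.0/24
!
! Assumed: routes learned over WAN1 get a local-preference above the default of 100,
! so they win path selection; a second route map for the WAN2 peer would set a lower value.
route-map prefer-wan1 permit 10
 set local-preference 200
!
router bgp 65521
 neighbor 172.27.4.2 remote-as 65524
 address-family ipv4 unicast
  neighbor 172.27.4.2 prefix-list sitea-nets out
  neighbor 172.27.4.2 route-map prefer-wan1 in
 exit-address-family
```

local-preference is a local decision attribute and is not carried across eBGP, which is why it belongs on the inbound side. With an outbound prefix list and an inbound route map on the peer, the `no bgp ebgp-requires-policy` line from the posted configuration is no longer needed, since both directions now carry an explicit policy.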

111
22.1 Legacy Series / Re: FRR and BGP or OSPF - can't get Route Maps to select more than 1 prefix list
« on: May 18, 2022, 11:21:10 am »
Code:
Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname ONAfw1.localdomain
log syslog notifications
!
router bgp 65521
 no bgp ebgp-requires-policy
 bgp graceful-restart
 neighbor 172.27.4.2 remote-as 65524
 neighbor 172.27.4.2 bfd
 neighbor 172.27.4.2 update-source ipsec2
 !
 address-family ipv4 unicast
  redistribute kernel
  redistribute connected
  redistribute static
  neighbor 172.27.4.2 next-hop-self
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute kernel
  redistribute connected
  redistribute static
 exit-address-family
!
ip prefix-list sitea-net1 seq 10 permit 192.168.1.0/24
ip prefix-list sitea-net2 seq 20 permit 10.1.55.0/24
!
route-map routemap-out permit 10
 match ip address prefix-list sitea-net1
!
line vty
!
bfd
 peer 172.27.4.2
 !
 peer 172.227.4.2
 !
!
end

112
22.1 Legacy Series / FRR and BGP or OSPF - can't get Route Maps to select more than 1 prefix list
« on: May 18, 2022, 11:18:35 am »
22.1.7_1
FRR version 7.5.1

I can get OSPF to talk to the neighbor, or BGP, just fine.
The issue is pruning routes.

What I want to do is prune the routes sent via OSPF or BGP from site A to site B, and back from site B to site A.
But, I need to send a series of routes.

Route Maps using multiple prefix lists seem to be the logical way to do this, but as soon as I try to save a Route Map with more than 1 Prefix List it will not save, stating:
"Related item not found"

What am I doing wrong?

How does anyone else prune OSPF or BGP routing between sites?



113
22.1 Legacy Series / Can we please have a forum topic dedicated to FRR and routing?
« on: May 18, 2022, 11:08:19 am »
Could be quite useful.

Thanks.

114
22.1 Legacy Series / Re: 22.1.7_1 OpenVPN with local user and TOTP cannot authenticate - FIXED
« on: May 17, 2022, 01:18:52 am »
Fixed.

I'd checked the time, but I rechecked again and noticed this time it was out by 40+ seconds. I looked at NTP and for some reason it wasn't updating.

So I chose new NTP pool servers for NZ, and now NTP is sync'd and the time is accurate.

The lesson to remember is that clock drift of more than 30 seconds is fatal for TOTP. Be very careful with time.
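
To make the relationship between clock drift and TOTP failures concrete, here is an RFC 6238 verifier (an added example, not OPNsense's authenticator code, which may use a different tolerance setting). The demo secret and the timestamps are constructed; the only real-world value is the RFC 6238 reference key used as a self-check. It shows that how much skew a server tolerates depends both on its verification window and on where within the 30-second step the client generated the code.

```python
"""TOTP (RFC 6238) verification and the effect of clock drift."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Iterable

STEP = 30  # RFC 6238 default time step, in seconds

# Constructed demo secret, in the base32 form a provisioning QR code carries.
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 0, step: int = STEP) -> bool:
    """Accept `code` if it matches the server's current step or one of the ±window neighbours.

    window=0 is strict; window=1 tolerates one step (30 s) of skew either way.
    compare_digest keeps the comparison constant-time.
    """
    counter = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, len(code)), code)
        for k in range(-window, window + 1)
    )


def drift_table(secret: bytes, client_time: int, drifts: Iterable[int], window: int = 0) -> Dict[int, bool]:
    """For each server clock offset (seconds, server minus client), does the client's code verify?"""
    code = totp(secret, client_time)
    return {d: verify(secret, code, client_time + d, window) for d in drifts}


if __name__ == "__main__":
    # 1_000_000 is 10 s into its 30 s step, so the client's code is already 10 s "old"
    # when the server checks it; with window=0 even 25 s of drift is enough to fail.
    for window in (0, 1):
        print(f"window={window}:", drift_table(SECRET, 1_000_000, [-40, 0, 15, 25, 40, 70], window))
```

With a strict window the server only accepts codes from its own current step, so a drift well under 30 seconds can already fail whenever the client is late in its step; a window of one step absorbs up to a full step of skew, and the 70-second case fails under either setting. Keeping NTP healthy on the firewall is the fix; widening the window only buys a little margin at the cost of accepting older codes.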


115
22.1 Legacy Series / Re: 22.1.7_1 OpenVPN with local user and TOTP cannot authenticate
« on: May 16, 2022, 09:44:53 pm »
What logs can I gather to check what's wrong?

I am thinking it is related to 22.1.7_1 upgrade.

116
22.1 Legacy Series / Re: 22.1.7_1 OpenVPN with local user and TOTP cannot authenticate
« on: May 16, 2022, 09:13:40 pm »
Thanks, I did think of that though.

The time is correct.

117
22.1 Legacy Series / 22.1.7_1 OpenVPN with local user and TOTP cannot authenticate - FIXED
« on: May 16, 2022, 07:45:10 am »
Since the upgrade from 22.1.6, all users cannot authenticate on OpenVPN using "Remote Access (SSL/TLS + User Auth)" where the backend for auth is local user and TOTP.

Nothing has changed but 22.1.6 upgrade to 22.1.7_1.

Tried:
  • Rebooting
  • Checking settings (but nothing has changed)
  • Reset local user passwords

Code:
2022-05-16T17:00:05 Error openvpn 101.100.xxx.xxx:55438 TLS Auth Error: Auth Username/Password verification failed for peer
2022-05-16T17:00:05 Warning openvpn 101.100.xxx.xxx:55438 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
2022-05-16T17:00:05 Warning openvpn user 'username' could not authenticate.

118
High availability / Re: Hardware fall-over after master gateway goes down - but WAN-interface stays up
« on: March 06, 2022, 07:12:23 pm »
I would replace that single switch with a switch stack.
Then, with careful plugging in across the switch stack, everything will be fully redundant.




119
22.1 Legacy Series / Re: shutdown not working after update from 21.7.8 to 22.1
« on: March 06, 2022, 06:57:05 pm »
I had a similar problem a while ago on older versions.

I fixed it by:
System > Settings > Miscellaneous

And then disable all of the periodic backups:
Periodic RRD Backup > DISABLED
Periodic DHCP Leases Backup > DISABLED
Periodic NetFlow Backup > DISABLED
Periodic Captive Portal Backup > DISABLED

Reboot, and then shutdown and reboot worked great.




120
21.7 Legacy Series / IPsec MSS clamping
« on: January 20, 2022, 03:16:59 am »
If you want to enable MSS clamping on all IPsec VPN tunnels, am I right that you set it here:

Firewall: Settings: Normalization

And under detailed settings, you can then make a specific rule to enable MSS clamping on the IPsec interface.

New "Firewall scrub rule"
Select Interface "IPSEC"
Max mss "1400"

See my screenshot.

Is that correct?
Is that all I need to do?



OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved