Messages - nzkiwi68

#181
I've recently converted from pfSense and am now running 20.1.7, connecting to a number of IPSEC traditional VPN tunnels.


  • The endpoints are a number of different pfSense firewalls, 2.4.4.p3, 2.4.5 and 2.4.5-p1.
  • If I restart IPSEC on OPNsense, all the tunnels P1/P2 connect and work.
  • After about 1 hour, some, consistently the same tunnels, lose their P2 in OPNsense.

What have I done?
* I have rebooted OPNsense
* Deleted the affected OPNsense tunnels and remade them on OPNsense again
* Minutely compared settings on OPNsense between tunnels that work and never drop and those that do (no differences detected)

See some IPSEC log entries from OPNsense:
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built


Have a look at this whilst in failure mode:
See the last one (con6) - no P2
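The two charon lines quoted above are the interesting signal: NO_PROPOSAL_CHOSEN means the remote gateway rejected the Phase 2 (CHILD_SA) proposal, so the first thing to check is that the Phase 2 algorithms, DH/PFS group and traffic selectors match on both ends. As an added example (not code from the post or from the OPNsense project), the following script parses strongSwan charon log lines in the format OPNsense writes to its IPsec log and reports, per connection, whether the most recent CHILD_SA event was a failure. The sample log is constructed for the example: it contains the two lines from the post plus invented entries for a tunnel that came up (con5) and another that failed (con6); connection names, SPIs and traffic selectors in those invented lines are assumptions.

```python
import re
from collections import defaultdict

# strongSwan charon line as seen in the OPNsense IPsec log:
#   <timestamp> charon: <thread>[<group>] <<conn>|<ike-sa-id>> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) charon: (?P<thread>\d+)\[(?P<group>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)

# Message fragments that mean a Phase 2 (CHILD_SA) negotiation failed.
CHILD_FAIL_MARKERS = ("failed to establish CHILD_SA", "NO_PROPOSAL_CHOSEN")
# Message shape charon logs when a CHILD_SA is successfully installed.
CHILD_OK_RE = re.compile(r"^CHILD_SA \S+ established")

# Constructed sample log (assumption): the two lines from the post, plus an
# invented successful CHILD_SA for con5 and an invented failure for con6.
SAMPLE_LOG = """\
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2020-06-11T06:55:52 charon: 09[IKE] <con5|22> CHILD_SA con5{7} established with SPIs c1a2b3d4_i e5f60718_o and TS 10.1.0.0/24 === 10.2.0.0/24
2020-06-11T06:55:53 charon: 11[IKE] <con6|23> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""


def parse_line(line):
    """Split one charon log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def child_sa_status(log_text):
    """Map each connection name to 'ok' or 'failed' based on its latest CHILD_SA event."""
    status = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if any(marker in msg for marker in CHILD_FAIL_MARKERS):
            status[rec["conn"]] = "failed"
        elif CHILD_OK_RE.match(msg):
            status[rec["conn"]] = "ok"
    return status


def failed_connections(log_text):
    """Sorted list of connections whose most recent CHILD_SA event was a failure."""
    return sorted(c for c, s in child_sa_status(log_text).items() if s == "failed")


def failure_counts(log_text):
    """Count NO_PROPOSAL_CHOSEN notifies per connection (repeat offenders stand out)."""
    counts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and "NO_PROPOSAL_CHOSEN" in rec["msg"]:
            counts[rec["conn"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for conn, state in sorted(child_sa_status(SAMPLE_LOG).items()):
        print(f"{conn}: {state}")
    print("tunnels without a Phase 2:", failed_connections(SAMPLE_LOG))
    print("NO_PROPOSAL_CHOSEN per tunnel:", failure_counts(SAMPLE_LOG))
```

Run it against a copy of the IPsec log (or a tail of it piped into `SAMPLE_LOG`) after the tunnels have been up for an hour; the connections it lists as failed are the ones whose Phase 2 proposals need to be compared with the pfSense side.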



#182
Thank you for your reply.

The VPNs could be a big issue though: for smaller sites it's no real problem to hand rebuild, but one site now has 170+ traditional IPSEC VPN tunnels.

*** Is there any chance of a tool to convert them?

I think that becomes a show stopper when a pfSense installation runs many VPN tunnels.
#183
Kind of an old topic, I know...

But I see SR-IOV is now supported on Hyper-V with FreeBSD
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/supported-freebsd-virtual-machines-on-hyper-v


Anyone got this working?
#184
And... one site has a larger number of traditional IPSEC VPN tunnels (over 140)


  • Is there an easy way to import VPN tunnels from pfSense to OPNsense?
#185
Hi,

Sorry if this has been asked and answered.

I'm a long-time pfSense user but, seeing how far OPNsense has come, I'm quite keen to look at migrating across a number of large customers with significant networks. I really am impressed with the OPNsense roadmap, speed of development and release cycle.

Are there any migration tools for pfSense to OPNsense?

Really, all I need is a method to import / migrate:

  • address objects
  • firewall rules

I can easily export firewall rules and address objects from pfSense. If I could easily import address objects and firewall rules that could be built against interfaces that had the same name in OPNSense, that would massively reduce the migration effort.

I'm quite happy to manually rebuild packages like FRR and HAPROXY and manually create all the right VLANs and interfaces inside OPNsense; it's just the loss of the large number of firewall rules and address objects.
If that bit of heavy lifting can be done, then migration from pfSense to OPNsense becomes a very real possibility and not the mammoth project it would be without this bit of importing rules and address objects.


#186
Hi.

First time post here, but I'm a very experienced network engineer with a particular bent on network security and firewalls. I come from a background of originally doing packet filters in routers, to a long time SonicWALL partner, then pfsense and now seriously looking at OPNsense.

What I desperately miss from SonicWALL days was their excellent IPsec failover.

I would change pfsense to OPNsense in a heartbeat if we can get a decent IPsec multi WAN failover solution that works. This is what all the expensive brand-name firewalls do well.

Consider this:
2 sites, siteMAIN and siteBRANCH
Both sites have dual WAN and clustered firewalls

With SonicWALL, it's possible to have the remote static IP address both loaded in phase1 for siteMAIN to siteBRANCH (WAN1 and WAN2) and vice versa. On WAN1 failing at either siteMAIN or siteBRANCH, IPsec rapidly heals and the tunnel continues working, I'm talking about losing only a few pings.
Also, just as critical, the state is NOT lost. I suspect SonicWALL (and others) cleverly do not drop nor reset state on a multi WAN IPsec tunnel.
Perhaps the mechanism is based around knowing the phase2 networks, state is not lost on phase2 local-remote networks.

I notice that using the current system of dynamic DNS to get around IPsec fail-over has some major shortcomings:
1. DDNS takes quite a while to detect and respond to fail-over, upwards of a minute
2. State is lost during the fail-over which wrecks telnet and SSH sessions and that causes network chaos

FreeBSD with pfsync, CARP and multi WAN is great. We just need a robust IPsec multi WAN fail-over.

Back to my example, and a bit more detail:

  • siteMAIN, WANm1 and WANm2
  • siteBRANCH, WANb1 and WANb2

WANm1 fails at siteMAIN:

  • Multi WAN at siteMAIN handles the transition from WANm1 to WANm2 no problem for the firewall itself
  • The issue is siteBRANCH WANb1 today doesn't accept traffic from WANm2
  • State is lost