Messages - schnipp

286
19.1 Legacy Series / Re: IPSEC Tunnel not working anymore
« on: March 14, 2019, 09:55:17 pm »
I have updated from 19.1.2 to 19.1.4 and my IPSec connections (1 x site2site, 2 x mobile) still work fine without installing the patch. Is the latter only needed in case of using VTI?


287
19.1 Legacy Series / Re: Problem with WAN - right setup with FritzBox router
« on: March 06, 2019, 02:39:24 pm »
You can use the Fritzbox in routing mode with additional PPPoE forwarding/passthrough (example with Fritzbox 7412 shown here).

288
19.1 Legacy Series / Re: Kernel panic after upgrade
« on: March 01, 2019, 07:05:06 pm »
I have migrated from 18.7.10_4 to 19.1.2. The migration process worked without any problems.

My system:
  • Board: Supermicro A2SDi-4C-HLN4F
  • RAM: 8 GB
  • Sys: 64 Bit

Many thanks to all the developers and contributors who made this version possible  :D

289
German - Deutsch / Re: Question about syncookies
« on: February 08, 2019, 07:39:43 pm »
Syncookies are enabled by default. They also only affect TCP connections that terminate on the OPNsense itself (i.e. any listening TCP ports of the running services).

So for most users this should be fairly irrelevant, unless they have exposed TCP services to the internet.

290
19.1 Legacy Series / Re: [isolated: see #91] PPPoE reconnect loop
« on: February 04, 2019, 10:14:02 pm »
Quote from: franco on January 30, 2019, 06:19:09 pm
Last ticket update on https://github.com/opnsense/core/issues/2267 on 26 Jun 2018. As stated elsewhere, please complain early *and* often.

My work queue that is based on 100% self-funding after my 40 hour day job entirely away from OPNsense is maxed out either way. I can only prioritise according to user feedback and progress.


Cheers,
Franco

I know how much time you and the other core members spend programming within this project; many thanks for that. I help to improve things by testing, investigating bugs, giving hints and so forth. Investigating and isolating the PPPoE bug took me a long time. This bug affects a lot of people, especially those using 1&1 as ISP.

I reported and described the bug on GitHub, so that everybody is able to comprehend what the real issue is. The bug is still open and will not solve itself. Currently, I use a workaround to make OPNsense work. But after a system update the workaround gets overwritten and I have to reapply the temporary patch, which is difficult because of the regularly occurring "state resets".

OK, do you need any additional input to proceed in solving this issue?

291
19.1 Legacy Series / [isolated: see #91] PPPoE reconnect loop
« on: January 30, 2019, 06:07:55 pm »
OPNsense 19.1 is about to be released. Thank you to all who made this happen. I was really happy that the problem with PPPoE reconnect loops was going to be solved in this version. Unfortunately, a bugfix has been postponed again.

Without a bugfix OPNsense stops working after every update, and it is difficult to patch the system by hand because every reconnect attempt triggers the state reset feature that cleans up the NAT tables. This was introduced to keep SIP communication working after an ISP-initiated IP address change.

The previous part of the whole thread began with OPNsense 18.1: see here.

Is there a chance to get the problem solved before release 19.7?

292
18.1 Legacy Series / Re: [isolated: see #91] PPPoE reconnect loop
« on: January 29, 2019, 06:16:25 pm »
OPNsense 19.1 is about to be released. Thank you to all who made this happen. I was really happy that the problem with PPPoE reconnect loops was going to be solved in this version. Unfortunately, a bugfix has been postponed again.

Without a bugfix OPNsense stops working after every update, and it is difficult to patch the system by hand because every reconnect attempt triggers the state reset feature that cleans up the NAT tables. This was introduced to keep SIP communication working after an ISP-initiated IP address change.

Is there a chance to get the problem solved before release 19.7?

[Edit]
The topic is still relevant for the upcoming release OPNsense 19.1, so further discussion will move to that forum (see here). Please answer there.

293
18.7 Legacy Series / Re: Kernel panic when unplugging WAN network interface
« on: January 09, 2019, 05:34:50 pm »
The error looks like a software bug in the NIC driver or kernel. Unplugging the interface (network cable) triggers a hardware interrupt (irq259 in the error message). The code behind that accesses a virtual memory address which is not mapped to a physical memory page.

To prevent undefined system behaviour, possibly trashing data, the kernel panics into fail-stop mode. In this case the NIC driver or kernel needs an update. Is the NIC driver installed separately or shipped with OPNsense? In the latter case the BSD kernel team needs a bug report.

294
18.7 Legacy Series / Re: Opnsense as a Gateway for IPSec Roadwarrior (NAT issue)
« on: January 08, 2019, 06:45:01 pm »
@lambrusco:
If incoming VPN packets on the IPsec interface get NATed on the WAN interface, everything should be fine. How did you notice that NATing works fine?

Could you please post the following details:

  • IPSec network address range
  • NAT rule

295
General Discussion / Re: IPSec VPN OPnsense --> Fritzbox (Site2Site)
« on: December 29, 2018, 02:43:52 pm »
Is none of the OPNsense users connecting to a Fritzbox via IPsec VPN?

I thought the Fritzbox is a widespread CPE on many DSL lines and that some users have a site-to-site VPN between OPNsense and this box. Maybe I am wrong?

296
18.7 Legacy Series / Re: WebGUI very slow on LAN
« on: December 29, 2018, 02:35:50 pm »
I noticed the same behaviour in the past, especially when loading the dashboard. Yes, I use the Firefox browser. But even if Konqueror works flawlessly, this does not necessarily mean that the Firefox browser is the problem.

I haven't yet tracked this down, because it was not so important for me.

@J. Lambrecht: You can try to do network profiling using the built-in debugger of Firefox. Or you can review the whole communication and latencies using Wireshark.

297
General Discussion / IPSec VPN OPnsense --> Fritzbox (Site2Site)
« on: December 20, 2018, 03:18:53 pm »
I am trying to establish a new IPsec VPN connection (site-to-site) between OPNsense and an AVM Fritzbox. I previously tested it with OPNsense 18.7.x and a Fritzbox 7412 (v.6.83) in a lab environment. It worked fine.

But now, for production usage, I tried to configure the VPN connection between OPNsense 18.7.9 and a Fritzbox 7490 (7560CA also tested; both with firmware v.7.01) again. The VPN connection does not come up. OPNsense sends an IKE packet to the Fritzbox, which does not respond.

Instead, the support log file of the Fritzbox shows the following error:

Code:
1970-01-01 01:11:23 avmike:<<<  identity protection mode[10.2.0.1] ???: V1.0 196 IC 571384ec2fd93cb2 RC 00000000 0000 SA flags=
1970-01-01 01:11:23 avmike:no phase1ss for cert users configured
1970-01-01 01:11:23 avmike:10.2.0.1:500: new_neighbour_template failed

If I understand correctly, the box assumes that OPNsense requests certificate-based authentication. Is that right? But OPNsense uses PSK.

The configuration in the Fritzbox looks like:

Code:
vpncfg {
        vpncfg_version = 1;
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "C-Test_neu12";
                boxuser_id = 0;
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "SECRET";
                }
                remoteid {
                        fqdn = "SECRET";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "SECRET";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.100.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes-sha/ah-all/comp-lzjh-no/pfs";
                accesslist =
                             "permit ip 192.168.10.0 255.255.255.0 10.100.0.0 255.255.255.0";
                app_id = 0;
        }
}

The IKE packet sent by OPNsense looks like:

Code:
Internet Security Association and Key Management Protocol
    Initiator SPI: b7ddbf282036d4cc
    Responder SPI: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
        0001 .... = MjVer: 0x1
        .... 0000 = MnVer: 0x0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
        .... ...0 = Encryption: Not encrypted
        .... ..0. = Commit: No commit
        .... .0.. = Authentication: No authentication
    Message ID: 0x00000000
    Length: 196
    Payload: Security Association (1)
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 52
        Domain of interpretation: IPSEC (1)
        Situation: 00000001
            .... .... .... .... .... .... .... ...1 = Identity Only: True
            .... .... .... .... .... .... .... ..0. = Secrecy: False
            .... .... .... .... .... .... .... .0.. = Integrity: False
        Payload: Proposal (2) # 0
            Next payload: NONE / No Next Payload  (0)
            Reserved: 00
            Payload length: 40
            Proposal number: 0
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 1
            Payload: Transform (3) # 1
                Next payload: NONE / No Next Payload  (0)
                Reserved: 00
                Payload length: 32
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Reserved: 0000
                IKE Attribute (t=1,l=2): Encryption-Algorithm: 3DES-CBC
                IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
                IKE Attribute (t=4,l=2): Group-Description: 2048 bit MODP group
                IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
                IKE Attribute (t=11,l=2): Life-Type: Seconds
                IKE Attribute (t=12,l=2): Life-Duration: 3600
    Payload: Vendor ID (13) : XAUTH
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 12
        Vendor ID: 09002689dfd6b712
        Vendor ID: XAUTH
    Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 20
        Vendor ID: afcad71368a1f1c96b8696fc77570100
        Vendor ID: RFC 3706 DPD (Dead Peer Detection)
    Payload: Vendor ID (13) : CISCO-UNITY 1.0
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 20
        Vendor ID: 12f5f28c457168a9702d9fe274cc0100
        Vendor ID: CISCO-UNITY
        CISCO-UNITY Major version: 1
        CISCO-UNITY Minor version: 0
    Payload: Vendor ID (13) : Cisco Fragmentation
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 24
        Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
        Vendor ID: Cisco Fragmentation
    Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
        Next payload: Vendor ID (13)
        Reserved: 00
        Payload length: 20
        Vendor ID: 4a131c81070358455c5728f20e95452f
        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
        Next payload: NONE / No Next Payload  (0)
        Reserved: 00
        Payload length: 20
        Vendor ID: 90cb80913ebb696e086381b5ec427b1f
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n

Does anybody have a working site-2-site configuration?
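To check what the initiator really proposes rather than trusting the peer's log message, the following added example (not from the post or from OPNsense) parses an IKEv1 Main Mode packet: the ISAKMP header, the generic payload chain, and the Phase 1 transform attributes. The sample packet is constructed here and mirrors the dump above (3DES/SHA/group 14/PSK, one Vendor ID payload) with the same initiator SPI; only the attribute and authentication-method codes from RFC 2409 are assumed.

```python
import struct

# IKEv1 Phase 1 attribute names and the PSK authentication method (RFC 2409 Appendix A)
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
              4: "Group-Description", 11: "Life-Type", 12: "Life-Duration"}
PRE_SHARED_KEY = 1  # Authentication-Method value for PSK; 3 would be RSA signatures

def parse_isakmp(pkt: bytes) -> dict:
    """Parse the ISAKMP header and the Phase 1 SA payload of an IKEv1 Main Mode packet."""
    ispi, _rspi, np, _ver, xtype, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    info = {"initiator_spi": ispi.hex(), "exchange_type": xtype, "payloads": [], "attributes": {}}
    off = 28
    while np != 0:  # walk the generic payload chain: next-payload, reserved, length
        nxt, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        info["payloads"].append(np)
        if np == 1:  # Security Association payload: DOI, Situation, one Proposal, one Transform
            body = pkt[off + 4:off + plen]
            tlen = struct.unpack("!H", body[18:20])[0]  # transform payload length
            attrs, i = body[24:16 + tlen], 0           # attributes follow the 8-byte transform header
            while i < len(attrs):
                atype, aval = struct.unpack("!HH", attrs[i:i + 4])
                if atype & 0x8000:  # TV format: 2-byte value inside the same 4 bytes
                    info["attributes"][ATTR_NAMES.get(atype & 0x7FFF, atype & 0x7FFF)] = aval
                    i += 4
                else:               # TLV format: aval is the length of the value that follows
                    info["attributes"][ATTR_NAMES.get(atype, atype)] = attrs[i + 4:i + 4 + aval]
                    i += 4 + aval
        off, np = off + plen, nxt
    return info

def proposes_psk(pkt: bytes) -> bool:
    """True if the initiator's Phase 1 proposal asks for pre-shared key authentication."""
    return parse_isakmp(pkt)["attributes"].get("Authentication-Method") == PRE_SHARED_KEY

def build_sample() -> bytes:
    """Constructed packet mirroring the post's dump: Main Mode SA (3DES/SHA/group 14/PSK) plus one Vendor ID."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (4, 14), (3, 1), (11, 1), (12, 3600)))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs             # 32 bytes
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 0, 1, 0, 1) + transform  # 40 bytes
    sa = struct.pack("!BBHII", 13, 0, 12 + len(proposal), 1, 1) + proposal                # 52 bytes, next = Vendor ID
    vid = struct.pack("!BBH", 0, 0, 20) + bytes.fromhex("afcad71368a1f1c96b8696fc77570100")  # DPD, last payload
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("b7ddbf282036d4cc"), bytes(8),
                      1, 0x10, 2, 0, 0, 28 + len(sa) + len(vid))
    return hdr + sa + vid

if __name__ == "__main__":
    print(parse_isakmp(build_sample()))
```

Feeding the raw bytes of the captured packet (e.g. exported from Wireshark) to parse_isakmp() shows whether Authentication-Method is 1 (PSK) or 3 (RSA signatures), which is the first thing to confirm when a peer complains about certificate users.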

298
18.7 Legacy Series / Re: [SOLVED] 18.7.7: Opnsense errors after update
« on: December 11, 2018, 09:55:17 pm »
Quote:
It's why the project is still alive. ;)

Hopefully, this is not the main intention that this project is still alive  ;) ;)

299
18.7 Legacy Series / Re: [SOLVED] 18.7.7: Opnsense errors after update
« on: December 06, 2018, 05:53:52 pm »
I checked the file system again in single user mode (in this mode the root partition is mounted read-only). The file system was clean. So, maybe there is a software bug in flow aggregate!?

300
18.7 Legacy Series / Re: [SOLVED] 18.7.7: Opnsense errors after update
« on: December 03, 2018, 08:08:17 pm »
The database is broken again. Maybe it's a bug in some piece of the software, because there are three existing issues on GitHub (all closed without a solution):

  • #1696
  • #1017
  • #999

All SMART attributes of my SSD look good. But the file system is not clean. I want to give it a try. How can I force a file system check at startup (e.g. by creating a file "/force_fsck")?

Thanks

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved