Messages - Cerberus

#31
Hi,

Did you find a solution for this issue? I hope this is not really an issue with 22.1; I use dual-stack IKEv2 road warrior in production and plan to hop on 22.1 on the next minor update.

#32
I checked it on my side and tried to add a phase 2 to a mobile P1.

In 21.10 (= 21.7), if I create a P2 for a mobile P1 I get a screen without "remote network", which is what I expect, but in 22.1 you get the "normal" P2 window with a remote network. That does not make any sense for a mobile IPsec; I think it's a bug.
#33
22.1 Legacy Series / Re: Ipsec throughput poor
February 10, 2022, 05:03:57 PM
It may be an issue with MTU and MSS size; there are some posts in this forum about performance issues and IPsec, worth a try.
#34
Hi,

I updated one of my OPNsense machines to 21.7.6 a few days ago and today I rebooted this machine. I got complaints that some services are no longer available; after checking I found that NGiNX no longer starts up because of a sudden port conflict between lighttpd and NGiNX. I checked the config history and no changes were made, just updating and rebooting.

I can see that lighttpd listens on a high port (that I configured) with SSL and for some reason also on port 80, which is the port that NGiNX wants to bind to. I have no idea what's broken here, lighttpd or NGiNX or maybe Let's Encrypt? I see two lighttpd processes, one with lighty-webConfigurator.conf and another one with lighttpd-acme-challange.

I did two reboots, no success.


#35
Hi,

Yes, I noticed that for some weeks: sometimes IPsec tunnels are down and the IPsec status shows that phase 1 is up but all phase 2s are missing. I have to press restart on OPNsense to get it fixed; triggering a restart from the peer does not bring the phase 2 back.
#36
Hi,

You need to blacklist the OpenVPN network; you need these custom parameters in ZeroTier, for example:

"physical": {
   "192.168.0.0/24": {
      "blacklist": true
   }
}
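A small check that goes with the post above: it parses the "physical" section of a ZeroTier local.conf and verifies that the VPN subnet you want to keep ZeroTier off is actually inside a blacklisted prefix. This is an added example, not code from the post or from ZeroTier; the sample configuration, the subnet values and the function names are constructed for illustration. The point it demonstrates is that the blacklist is a prefix match, so a /24 entry does not cover a neighbouring /24 of the same VPN.

```python
import ipaddress
import json

# Constructed sample local.conf "physical" section, modelled on the snippet
# in the post above. Not taken from a real deployment.
SAMPLE_LOCAL_CONF = """
{
  "physical": {
    "192.168.0.0/24": { "blacklist": true },
    "10.8.0.0/16":    { "blacklist": false }
  }
}
"""


def blacklisted_networks(local_conf_text):
    """Return the CIDR networks marked "blacklist": true in the "physical"
    section. A key that is not valid CIDR notation raises ValueError, so a
    typo in the prefix fails loudly instead of silently disabling the rule."""
    conf = json.loads(local_conf_text)
    result = []
    for cidr, rule in conf.get("physical", {}).items():
        net = ipaddress.ip_network(cidr, strict=True)  # raises on bad input
        if rule.get("blacklist") is True:
            result.append(net)
    return result


def is_covered(local_conf_text, vpn_network):
    """True if every address of vpn_network lies inside some blacklisted
    physical prefix. False means ZeroTier may still try to reach peers
    over that VPN subnet."""
    target = ipaddress.ip_network(vpn_network, strict=True)
    return any(
        target.version == net.version and target.subnet_of(net)
        for net in blacklisted_networks(local_conf_text)
    )


if __name__ == "__main__":
    # Check the sample config against a few constructed VPN subnets.
    for subnet in ("192.168.0.0/24", "192.168.0.128/25", "192.168.1.0/24", "10.8.0.0/24"):
        print(subnet, "covered" if is_covered(SAMPLE_LOCAL_CONF, subnet) else "NOT covered")
```

Run it against your own local.conf by reading the file into `is_covered` together with the subnet your OpenVPN server hands out; a "NOT covered" result for an adjacent subnet is the usual reason the blacklist appears not to work.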
#37
Any ad blockers? I had massive issues connecting to OneDrive (Business) after having stuff like Pi-hole, blocklists etc. running. This only affected setting up OneDrive (login/relogin), never the usage.
#38
Hi,

Just some feedback from my update experience yesterday. Two OPNsense systems in a CARP cluster with:

5x IKEv1
2x IKEv2
35 currently active Mobile IKEv2 clients.

Most of them AES-GCM and some AES-CBC, all of them with SHA256. No issues to report; all tunnel and client connections are working well after the update. But I had one little issue today: we got a power outage and after reboot two tunnels stopped working with authentication failure. The only thing that helped was to open phase 1 and press apply/save again; then the authentication errors stopped. Just restarting the connection wasn't enough.

#39
21.1 Legacy Series / Re: Update Problems
May 14, 2021, 12:50:40 PM
Maybe broken IPv6? If IPv6 is configured but broken, you get these timeouts because pkg does not fall back to IPv4 for some reason.
#40
We use OPNsense with Windows 10 clients and IKEv2, and a Windows RADIUS server with certificate authentication.

No issues with 21.1.4 > 21.1.5
No issues with Windows 10 Clients (20H2,21H1) with or without May patch.

Is your OPNsense behind another firewall? The "some clients work, some don't" reminds me of MTU issues.
#41
Disable AES-NI Acceleration in system settings and try again, fastest way to find out if acceleration is the issue.
#42
Instead of Basic Auth you can also use certificates. If you have a Windows network, you could roll out certificates automatically and do the authentication with them; that works, and in my tests the browsers even remember which certificate you selected and use it automatically from then on.

Regarding Exchange, don't get your hopes up; with pre-auth that won't work. I think you could only manage that with ADFS and WAP.
#43
I just put a HA setup in production two weeks ago.

The firewall itself uses its own IP; internal IPv4 traffic behind the firewall should use outbound NAT and the CARP address, and the same goes for IPsec and other things that you want in HA.
#44
21.1 Legacy Series / Re: update oddities
March 24, 2021, 08:05:32 PM
If you have IPv6, check if connectivity is okay. Some of the mirrors support IPv6 connectivity; if you have broken IPv6 then you get timeouts because the updater is not falling back to IPv4.
#45
I found something in the pfSense forums about issues with AES-NI and SHA256 hardware acceleration. Their workarounds for now are using QAT (which OPNsense doesn't have and which requires certain hardware), disabling AES-NI, not using the SHA-256 hash, or switching to AES-GCM, which needs no separate hash. Any of the last three solutions solved the issue for me.