
Topics - Yordan Yordanov

#1
I have the following router purchased from Applianceshop.eu about a year ago. Since we are using it in production it shows an odd behaviour that I am not able to track - the router just freezes randomly. All of its functions are dead when this happens, however I can still ping its IP addresses. I regularly update the OPNsense version but this has no effect. I actually don't think that the problem is in OPNsense, but rather in the hardware appliance. I have used OPNsense with other devices without any similar issues. The problem is that I am not sure who is actually supposed to support this device. Currently it is running 16.1.3. It usually happens at least once a month but when it happens, it can reoccur within a couple of minutes after this. I didn't see anything suspicious in the logs, but I would be grateful if someone could help me diagnose the problem somehow. Attached is the dmesg.boot if it helps.
#2
15.7 Legacy Series / IPsec Status Overview Empty
January 27, 2016, 06:00:40 PM
I have 9 configured and running IPsec tunnels on 15.7.24. However nothing is shown on the page VPN - IPsec - Status Overview - the page is empty, only the columns show. I didn't have this problem on 15.1. I have had this problem since the new interface was introduced. Tested with Internet Explorer, Firefox and Chrome - no difference.
#3
Last night there was a prolonged power outage and the router was rebooted after power was restored. It's all connected to a UPS, but the outage lasted 4 hours. After the router booted up, most of its services wouldn't start. I collected some screenshots:

Clicking the START button displays the message "dhcpd has been started", however the button does not change to STARTED and the service doesn't start. Same with ipsec, dnsmasq and apinger:

This output is from the Status -> System Logs menu about the dhcpd service:

Logs for the IPsec daemon:

And here for dnsmasq:

Another error that I think is related to the issue:

I think OPNsense is somehow broken and can't find some of its users. Restoring factory defaults or backed up configuration does not help. Can someone advise how to fix this? I had a very unpleasant morning replacing the router with an older one since DHCP and IPsec are critical services to us. :/
#4
I need to configure my DNS forwarder with two domain overrides in order to send DNS queries to different DNS servers depending on the domain in the query (conditional forwarding). Each of these DNS servers is in a separate intranet which is connected to the OPNsense router using 2 VPN tunnels - one is OpenVPN and one is IPsec. The forwarding for the DNS names in the intranet connected via OpenVPN works great - the names are resolved as expected. However this is not the case with the names for the other (IPsec-based) connection.

The problem is that the router itself can send traffic into the OpenVPN tunnel but cannot send into the IPsec tunnel (devices behind the router can communicate with both intranets without problems). I verified this using PING from the router. No firewall rules are configured to prevent this. I suppose this may be caused by the fact that the OpenVPN tunnel is a Point-to-Point tunnel and in the routing table the remote subnet is routed via the OpenVPN interface (ovpns1). No such entry exists for the IPsec subnet - it is routed via the WAN which is kind of awkward but works for devices behind the router. Is there a way to enable the router itself to send packets into the IPsec tunnel like with OpenVPN? Maybe it's a BSD issue, not OPNsense, but anyway. Actually, OpenVPN is so much easier and flawless than IPsec, I'd always prefer to use it, but unfortunately it all depends on the other endpoint...
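Editor's note, added example (not part of the post above and not OPNsense or FreeBSD code): the behaviour described in this post is the difference between a route-based tunnel (OpenVPN: the remote subnet has a route via ovpns1, so any packet, including one the router originates, follows it) and a policy-based one (IPsec: packets are matched against the SPD traffic selectors, and a packet that matches no selector simply follows the routing table, i.e. it leaves the WAN in the clear or is dropped by the peer). A packet the router generates itself is sourced from the address of the interface the route selects, which for the IPsec subnet is the WAN address, and the usual single phase 2 "LAN net <-> remote net" does not cover that source. The model below is a deliberately small simulation of that logic; the addresses, interface names and the two workarounds it models (an extra selector for the router's own address, or a static route for the remote network via a LAN-side gateway so the packet is sourced from the LAN address) are assumptions for illustration, and whether a peer accepts an extra selector depends on its configuration.

```python
import ipaddress

IPNet, IPAddr = ipaddress.ip_network, ipaddress.ip_address

# Constructed addressing (RFC 1918/5737 placeholders, not taken from the post).
LAN_NET      = IPNet("192.168.10.0/24")
LAN_IP       = IPAddr("192.168.10.1")    # router's LAN address
WAN_IP       = IPAddr("203.0.113.5")     # router's WAN address
OVPN_LOCAL   = IPAddr("10.8.0.1")        # router's address on ovpns1
IPSEC_REMOTE = IPNet("10.20.0.0/16")     # intranet behind the IPsec peer
OVPN_REMOTE  = IPNet("10.30.0.0/16")     # intranet behind the OpenVPN peer

IFACE_ADDR = {"wan": WAN_IP, "lan": LAN_IP, "ovpns1": OVPN_LOCAL}


class Router:
    """Minimal model of forwarding with a routing table plus a policy-based IPsec SPD."""

    def __init__(self, routes, spd):
        self.routes = dict(routes)  # {destination network: outgoing interface}
        self.spd = list(spd)        # [(local selector, remote selector)]

    def route_iface(self, dst):
        # Longest-prefix match, as the kernel routing table does.
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def spd_match(self, src, dst):
        return any(src in loc and dst in rem for loc, rem in self.spd)

    def forward(self, src, dst):
        # The SPD is consulted before the route: a matching packet is
        # ESP-encapsulated no matter which interface the route points at.
        if self.spd_match(src, dst):
            return "ipsec"
        return self.route_iface(dst)

    def local_packet(self, dst):
        # A packet the router itself originates (a forwarder's DNS query, a
        # ping from the console) is sourced from the address of the interface
        # the route selects, and only then checked against the SPD.
        src = IFACE_ADDR[self.route_iface(dst)]
        return src, self.forward(src, dst)


BASE_ROUTES = {IPNet("0.0.0.0/0"): "wan", LAN_NET: "lan", OVPN_REMOTE: "ovpns1"}
BASE_SPD = [(LAN_NET, IPSEC_REMOTE)]  # the usual single phase 2: LAN net <-> remote net


def baseline():
    return Router(BASE_ROUTES, BASE_SPD)


def with_selector_for_router():
    # Workaround A (assumption: the peer is configured to accept this extra
    # selector): a second phase 2 whose local side is the router's own source address.
    return Router(BASE_ROUTES, BASE_SPD + [(IPNet(f"{WAN_IP}/32"), IPSEC_REMOTE)])


def with_lan_side_route():
    # Workaround B: a static route for the remote network via a LAN-side gateway
    # makes the kernel source the packet from the LAN address, which the
    # existing selector already covers.
    return Router({**BASE_ROUTES, IPSEC_REMOTE: "lan"}, BASE_SPD)


if __name__ == "__main__":
    dns_ipsec, dns_ovpn = IPAddr("10.20.0.53"), IPAddr("10.30.0.53")
    lan_host = IPAddr("192.168.10.50")
    r = baseline()
    print("LAN host -> IPsec intranet :", r.forward(lan_host, dns_ipsec))   # ipsec
    print("router   -> OpenVPN intranet:", r.local_packet(dns_ovpn))        # via ovpns1
    print("router   -> IPsec intranet :", r.local_packet(dns_ipsec))        # leaves WAN unencrypted
    print("workaround A               :", with_selector_for_router().local_packet(dns_ipsec))
    print("workaround B               :", with_lan_side_route().local_packet(dns_ipsec))
```

The practical check on a real box is the same one the model makes explicit: look at which source address a `ping` or a forwarder query to the remote subnet is using, and compare it with the local side of the phase 2 selectors. If the two do not overlap, the packet was never a candidate for encapsulation, and a default-route egress of unencrypted traffic destined for a private intranet is the failure mode to watch for.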
#5
15.1 Legacy Series / [SOLVED] IPsec and TCP flows
April 05, 2015, 04:44:34 PM
The system is running version 15.1.8.3-c6240d38f (amd64). I have configured three interfaces - 1 LAN and two ISP lines. Currently a rule is sending all the traffic into the first line only which has a public static IPv4 address. Outbound NAT is set to automatic mode.

It seems to work okay until I tried to set up several IPsec tunnels. Most of them were connected although the interface shows that they are disconnected, but this is a known issue. The problem is that all the VPN connections are very unstable. When pinging remote hosts, there are no lost packets at all. However, when I log on using Remote Desktop the connection is lost every 30-35 seconds and it takes about 20 seconds to reconnect itself. The tunnel itself does not get disconnected - after my Remote Desktop session stops responding, I continue to receive ICMP echo replies. I have not tested with UDP traffic as I don't have an application that uses UDP. Additionally, RDP connections to the Internet directly work OK. This is what I have tested so far:

1. Changing IKE version - tunnels do not connect. Only one tunnel connects, but the other side is running pfSense which supports IKEv2. However the issue persists with IKEv2 too.
2. Disabling ISP balancing (I had previously configured ISP balancing but disabled it to troubleshoot the issue), enabling only ISP Failover to alternate line. The issue persists.
3. Setting Prefer older IPSec SAs. The issue persists.
4. Setting Do not install LAN SPD - unchecks itself automatically after Save and reloading the page. The issue persists.
5. Setting Enable TCP MSS clamping on VPN traffic - tried with 1200 and 1400 bytes, the issue still persists.

I also did a tcpdump for one of the tunnels during which I just typed some text in Notepad on the remote computer which looks like this:


16:49:37.542263 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa2d), length 84
16:49:37.554964 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa92), length 92
16:49:37.575476 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa2e), length 84
16:49:37.586123 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa93), length 92
16:49:37.607720 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa2f), length 84
16:49:37.617368 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa94), length 92
16:49:37.641175 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa30), length 84
16:49:37.648702 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa95), length 92
16:49:37.674312 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa31), length 84
16:49:37.680109 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa96), length 92
16:49:37.707601 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa32), length 84
16:49:37.711110 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa97), length 92
16:49:37.739768 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa33), length 84
16:49:37.742396 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa98), length 92
16:49:37.773296 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa34), length 84
16:49:37.789533 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa99), length 156
16:49:37.806428 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa35), length 84
16:49:37.820509 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9a), length 132
16:49:37.839801 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa36), length 84
16:49:37.851763 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9b), length 100
16:49:37.872443 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa37), length 84
16:49:37.883013 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9c), length 92
16:49:37.905261 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa38), length 84
16:49:37.914280 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9d), length 92
16:49:37.938347 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa39), length 84
16:49:37.945486 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9e), length 92
16:49:37.971371 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3a), length 84


When the RDP session stopped responding, this is what I captured:


16:49:37.976871 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9f), length 92
16:49:38.101861 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa0), length 92
16:49:38.195728 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa1), length 116
16:49:38.852116 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa2), length 116
16:49:39.133557 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa3), length 372
16:49:39.289521 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa4), length 84
16:49:40.055345 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa5), length 412
16:49:40.133263 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa6), length 100
16:49:41.133313 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa7), length 92
16:49:41.398770 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3b), length 84
16:49:41.399912 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa8), length 76


So my side stops responding for a period, but I don't know why. The line quality is excellent, when plugging it into another router, there are no issues, the VPN connections are established successfully and operate normally. However I have to replace the old router with OPNsense.

I am very frustrated by this issue as I have been trying to work it out for weeks, but no result. Could someone help me with this, maybe I am missing something?
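Editor's note, added example (not part of the post above): the two captures are worth reading quantitatively before changing any more tunnel settings. Parsed per direction, they show that ESP sequence numbers on both SPIs stay contiguous across the stall (nothing was lost on the wire), while my.side sends nothing for about 3.4 seconds during which their.side keeps emitting packets, i.e. the outage is local transmit-side silence, not loss or a rekey. The script below does that analysis over the ESP lines copied from the post (the sample is the tail of the first excerpt followed by the second excerpt); the stall threshold and the output format are my choices.

```python
import re
from collections import defaultdict

# Sample input: ESP lines copied from the tcpdump excerpts in the post above
# (end of the first excerpt, then the second excerpt, in capture order).
SAMPLE = """\
16:49:37.905261 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa38), length 84
16:49:37.914280 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9d), length 92
16:49:37.938347 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa39), length 84
16:49:37.945486 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9e), length 92
16:49:37.971371 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3a), length 84
16:49:37.976871 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9f), length 92
16:49:38.101861 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa0), length 92
16:49:38.195728 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa1), length 116
16:49:38.852116 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa2), length 116
16:49:39.133557 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa3), length 372
16:49:39.289521 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa4), length 84
16:49:40.055345 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa5), length 412
16:49:40.133263 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa6), length 100
16:49:41.133313 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa7), length 92
16:49:41.398770 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3b), length 84
16:49:41.399912 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa8), length 76
"""

# Matches tcpdump's default one-line ESP summary: timestamp, endpoints, SPI, sequence, length.
ESP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<len>\d+)$"
)


def parse_ts(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (captures here do not cross midnight)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_esp(lines):
    pkts = []
    for line in lines:
        m = ESP_LINE.match(line.strip())
        if not m:          # skip non-ESP lines (ISAKMP, ARP, blank lines)
            continue
        pkts.append({
            "ts": parse_ts(m["ts"]),
            "dir": f"{m['src']} > {m['dst']}",
            "spi": int(m["spi"], 16),
            "seq": int(m["seq"], 16),
            "len": int(m["len"]),
        })
    return pkts


def find_stalls(pkts, threshold=2.0):
    """Per direction, report gaps between consecutive packets longer than
    `threshold` seconds, and how many packets the other side sent meanwhile."""
    last = {}  # direction -> index of the last packet seen in that direction
    stalls = []
    for i, p in enumerate(pkts):
        d = p["dir"]
        if d in last:
            j = last[d]
            gap = p["ts"] - pkts[j]["ts"]
            if gap > threshold:
                meanwhile = sum(1 for q in pkts[j + 1:i] if q["dir"] != d)
                stalls.append({
                    "dir": d,
                    "gap": round(gap, 3),
                    "from_seq": pkts[j]["seq"],
                    "to_seq": p["seq"],
                    "peer_packets_meanwhile": meanwhile,
                })
        last[d] = i
    return stalls


def seq_gaps(pkts):
    """Per SPI, list (expected, seen) pairs where the ESP sequence number skipped.
    A skip means the peer emitted packets that never reached this capture point."""
    last = {}
    gaps = defaultdict(list)
    for p in pkts:
        spi = p["spi"]
        if spi in last and p["seq"] != last[spi] + 1:
            gaps[spi].append((last[spi] + 1, p["seq"]))
        last[spi] = p["seq"]
    return dict(gaps)


def report(lines, threshold=2.0):
    pkts = parse_esp(lines)
    return {"packets": len(pkts), "stalls": find_stalls(pkts, threshold), "seq_gaps": seq_gaps(pkts)}


if __name__ == "__main__":
    for k, v in report(SAMPLE.splitlines()).items():
        print(f"{k}: {v}")
```

Running it on the sample reports one stall, in the `my.side > their.side` direction, of 3.427 s between seq 0xa3a and 0xa3b with 9 peer packets arriving unanswered in between, and no sequence-number gaps on either SPI. A stall with contiguous sequence numbers points at the local sender (host, driver, queueing, SA state) rather than the line; had `seq_gaps` shown skips on the inbound SPI, the line or the peer's path would be the first suspect instead.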