Quote from: onnieoneone on February 23, 2026, 02:41:18 PM[...]The SSH outbound fails because it disappears into the IPsec SPD _before_ it hits enc0, and so gets tracked from lagg0_vlan1018, so the returning traffic that _does_ appear on enc0 has no matching state and gets dropped unless I put some funky firewall rules in place.[...]
Quote from: viragomann on February 25, 2026, 05:35:49 PM
I've read a recommendation to disable the default and specify a certain proposal instead.

I doubt the proposals are the problem, because as you can see in the log a cipher is already negotiated.

Quote from: viragomann on February 25, 2026, 05:35:49 PM
Maybe it is complaining about the remote site's id. Possibly it's different from the IP address?

As you can see (or can't see, because I redacted the rest of the IP), the remote IP and remote ID are identical.
2026-02-26T07:52:41 Informational charon 10[ENC] <421129> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2026-02-26T07:52:41 Informational charon 10[CFG] <421129> no matching peer config found
2026-02-26T07:52:41 Informational charon 10[CFG] <421129> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]
2026-02-26T07:52:41 Informational charon 10[ENC] <421129> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
2026-02-26T07:52:41 Informational charon 10[NET] <421129> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (480 bytes)
2026-02-26T07:52:41 Informational charon 10[NET] <421129> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (456 bytes)
2026-02-26T07:52:41 Informational charon 10[ENC] <421129> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2026-02-26T07:52:41 Informational charon 10[CFG] <421129> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2026-02-26T07:52:41 Informational charon 10[IKE] <421129> IKE_SA (unnamed)[421129] state change: CREATED => CONNECTING
2026-02-26T07:52:41 Informational charon 10[IKE] <421129> 195.yyy.yyy.yyy is initiating an IKE_SA
2026-02-26T07:52:41 Informational charon 10[IKE] <421129> remote endpoint changed from 0.0.0.0 to 195.yyy.yyy.yyy[500]
2026-02-26T07:52:41 Informational charon 10[IKE] <421129> local endpoint changed from 0.0.0.0[500] to 185.xxx.xx.xx[500]
2026-02-26T07:52:41 Informational charon 10[ENC] <421129> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2026-02-26T07:52:41 Informational charon 10[NET] <421129> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (672 bytes)
2026-02-26T07:52:40 Informational charon 10[IKE] <421128> IKE_SA (unnamed)[421128] state change: CONNECTING => DESTROYING
2026-02-26T07:52:40 Informational charon 10[NET] <421128> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (80 bytes)

(By the way, when did the logs change direction from down to up? I saw old posts where the log goes from up to down. :) )

2026-02-26T08:18:01 Informational charon 15[CFG] <422831> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

Quote from: Lip90 on February 23, 2026, 10:24:01 PM
No, unless you have turned on some kind of "Don't allow Clients that don't have a Static DHCP Mapping configured" setting which some DHCP Servers have ??
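Returning to the charon log posted earlier in this thread: read bottom-up, the responder selected a proposal at IKE_SA_INIT and only failed at IKE_AUTH with "no matching peer config found", and the "looking for peer configs matching" line names the local address[identity]...remote address[identity] pair it tried to match. The IKE_AUTH request carries IDi but no IDr, which is why the local identity shows as %any. The script below is an added example, not code from the thread or from OPNsense/strongSwan: it takes charon lines in the newest-first order the OPNsense log viewer shows, restores the order charon wrote them in, groups them per IKE_SA number, and derives a verdict from those lines alone. The embedded sample lines are constructed from the format above, with RFC 5737 documentation addresses in place of the redacted ones.

```python
import re
from collections import defaultdict

# Constructed sample, newest line first as the OPNsense log viewer lists it.
# Addresses are RFC 5737 documentation addresses, not the thread's redacted ones.
SAMPLE_LOG = """\
2026-02-26T07:52:41 Informational charon 10[ENC] <421129> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2026-02-26T07:52:41 Informational charon 10[CFG] <421129> no matching peer config found
2026-02-26T07:52:41 Informational charon 10[CFG] <421129> looking for peer configs matching 192.0.2.10[%any]...198.51.100.20[198.51.100.20]
2026-02-26T07:52:41 Informational charon 10[ENC] <421129> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
2026-02-26T07:52:41 Informational charon 10[CFG] <421129> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2026-02-26T07:52:41 Informational charon 10[IKE] <421129> 198.51.100.20 is initiating an IKE_SA
2026-02-26T07:52:40 Informational charon 10[IKE] <421128> IKE_SA (unnamed)[421128] state change: CONNECTING => DESTROYING
"""

# One charon line: "<timestamp> <level> charon <thread>[<subsystem>] <<sa-number>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[(?P<subsys>[A-Z]+)\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
# strongSwan's peer-config lookup: "<local addr>[<local id>]...<remote addr>[<remote id>]"
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_addr>[^\[\s]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote_addr>[^\[\s]+)\[(?P<remote_id>[^\]]*)\]"
)
PROPOSAL_RE = re.compile(r"selected proposal: (?P<proposal>\S+)")
AUTH_REQ_RE = re.compile(r"parsed IKE_AUTH request \d+ \[ (?P<payloads>[^\]]*) \]")


def parse_line(line):
    """Return the fields of one charon log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise_sa(entries):
    """Reduce one IKE_SA's chronologically ordered lines to the facts that matter."""
    s = {"proposal": None, "lookup": None, "idr_sent": None,
         "peer_config_missing": False, "auth_failed": False}
    for e in entries:
        msg = e["msg"]
        if m := PROPOSAL_RE.search(msg):
            s["proposal"] = m.group("proposal")
        elif m := LOOKUP_RE.search(msg):
            s["lookup"] = m.groupdict()
        elif m := AUTH_REQ_RE.search(msg):
            # No IDr in the initiator's IKE_AUTH means the responder's own
            # identity is matched as %any in the lookup line.
            s["idr_sent"] = "IDr" in m.group("payloads").split()
        elif "no matching peer config found" in msg:
            s["peer_config_missing"] = True
        elif "N(AUTH_FAILED)" in msg:
            s["auth_failed"] = True
    s["verdict"] = verdict(s)
    return s


def verdict(s):
    """Human-readable diagnosis derived only from the flags collected above."""
    if s["peer_config_missing"] and s["lookup"]:
        lk = s["lookup"]
        prop = s["proposal"] or "an unrecorded proposal"
        return (
            f"IKE_SA_INIT succeeded with {prop}, so the proposal list is not the problem; "
            f"IKE_AUTH failed because no phase 1 entry matches local "
            f"{lk['local_addr']}[{lk['local_id']}] and remote {lk['remote_addr']}[{lk['remote_id']}]. "
            f"Compare the entry's local address and remote/peer identifier against exactly these values."
        )
    if s["auth_failed"]:
        return "IKE_AUTH failed for another reason; inspect the lines preceding AUTH_FAILED."
    return "no authentication failure seen for this IKE_SA"


def analyse(log_text):
    """Parse viewer output (newest first), restore daemon order, summarise per IKE_SA."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.reverse()  # the viewer shows newest first; charon wrote oldest first
    by_sa = defaultdict(list)
    for e in entries:
        by_sa[e["sa"]].append(e)
    return {sa: summarise_sa(lines) for sa, lines in by_sa.items()}


if __name__ == "__main__":
    for sa, s in analyse(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}: {s['verdict']}")
```

Paste the viewer output into SAMPLE_LOG (or read it from a file) and run it; the point of the per-SA grouping is that the viewer interleaves several SAs at the same second, and the line that explains the AUTH_FAILED notify is the CFG lookup line of the same SA number, not whatever sits next to it on screen.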
/usr/local/etc/rc.sshd restart

That's a pure FreeBSD command used "before the service era", so if that worked too then the good old FreeBSD Handbook was all you needed ;)

Quote from: allebone on February 25, 2026, 10:04:57 PM
If I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples
And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General
Must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?

Please read: https://docs.opnsense.org/manual/radvd.html :)
Quote from: OPNenthu on February 25, 2026, 07:46:02 PM

Was a quick reply so did not check everything, but you were on the right track for sure and that's what matters ;)

Quote from: nero355 on February 25, 2026, 07:01:03 PM
This document explains all the options and seems to match your experience: https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html

Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode. Per this document:
"Also, the address is stable when the network interface hardware is replaced."