[SOLVED] IPsec and TCP flows

Started by Yordan Yordanov, April 05, 2015, 04:44:34 PM

So, finally, I was able to produce the video. Now you can watch the entire process - initial configuration of OPNsense, then IPsec and two tests - with Remote Desktop connection and SSH (10 minutes in total):

https://www.youtube.com/watch?v=1l4IJ60CTpw (Switch to HD for a clearer video. Part of the GUI is not in English but that should not be a problem).

Before I did that I changed the network port to one of the unused ones, as you suggested, and there was no change; the issue persists. However, I was not able to install the x64 edition on my test computer as the CPU is not 64-bit capable.

Have a look at it when you have time, and there's no problem scheduling a tunnel test with my side when you're available. Thanks again.

I've looked at the video, but I don't see the issue either. The only thing I noticed was the difference in ping times: when the connection was just enabled you had approx. 25 msec; when you had the RDP session running they seemed to have dropped to 3 msec...

I would really like to set up a similar box from my end to test. If you like we could do that on Monday or Tuesday; just send me an email so we can arrange that.
We must be missing something, but without the issue at hand it's very difficult to solve.


I think there is some convergence time after the tunnel is established until the times reach the normal values of 3-4ms. This was the case with both machines I tested (the hardware appliance and the box I installed OPNsense on).

I'll send you an e-mail today to schedule a test with you tomorrow.

Yesterday we were able to reproduce the issue, and it seems to be related to the non-standard kernel patches we've inherited.
At the moment we're re-evaluating the need for those patches and performing cleanups; as soon as we're done it shouldn't happen again  :) .... for now there's a temporary fix by installing a custom kernel and base available at our server.


Yes, thank you very much for the time you spent to troubleshoot this.

I'd just like to add that today I installed OPNsense x64 as a Hyper-V virtual machine and set up some VPN tunnels. The issue did not occur and everything works as expected. So it remains unknown why it is only present on the hardware appliance.

Hi Yordan,

If you have the time, could you please test again with our new kernel? It will be released on Monday, but if you want to try it before Monday you could upgrade using:

opnsense-update -r 15.1.10 && reboot


Thanks,

Hi Ad,

I'll try it out today. Since the device is already in production, how do I revert to the previous kernel if it doesn't work? I think it is 15.1.9.1 with NoPatches.

Hi Yordan,

I think the base/kernel images have already been removed from our server, but I do have the same build configuration in GitHub (clean_kernel branch) so I can build it again for you.
As soon as the old test base/kernel are back on-line I will drop you a note, so you have a way to revert to the current config.

Cheers,

Ad

May 03, 2015, 02:26:47 PM #23 Last Edit: May 03, 2015, 02:30:18 PM by Yordan Yordanov
Hi Ad,

I upgraded to build 15.1.10 and the issue is not present which is great news! My dashboard still shows 15.1.9, maybe because I upgraded manually. I checked for updates after it and it showed me that the package manager pkg requires updating. I updated and then it showed that 29 updates are available.


I'm not clicking Upgrade here to avoid reverting to the previous version which will probably have the issue.

This means I won't be needing the custom build for now. Thanks again for everything you did about this. By the way, is it possible that the upgrade was not done? The console shows:

Enter an option:

*** Welcome to OPNsense 15.1.9.1-44b610abb (amd64) on gateway ***


However the OS version is from 30.04 which looks quite new:

FreeBSD 10.1-RELEASE-p9 (SMP) #0 b717d68(master): Thu Apr 30 08:38:44 CEST 2015

No error was shown during the manual upgrade, it ended with "Please reboot".

Hi Yordan,

Great to hear your issue is fixed in our latest version. About the updates it shows: these are the non-base/kernel updates provided by pkg (like core and all software packages). You could update now or wait a day; tomorrow there will be a new version containing the latest versions.

Looking at the kernel build date and branch, you're using the correct version and the update was performed nicely.
(....(master): Thu Apr 30 08:38:44 CEST 2015)

Thanks for testing!

Cheers,

Ad

Yordan, you should not see any real update beyond 15.1.9.2. It's safe to upgrade from the GUI. The console upgrade will reinstall an older kernel.

And don't confuse the kernel+system update with the GUI+packages update. Tomorrow you'll be able to bring the GUI up to date with 15.1.10. ;)

Great, thanks for the info and the cleaner kernel. :)