Regarding SNMP Issues and TUNNEL-MIB Queries

Started by hsing, October 25, 2023, 08:43:31 AM

Hello Everyone,

I have recently been exploring SNMP-related functionalities on firewalls. Currently, I am using Net-SNMP on the firewall and have encountered some questions. For example, I can run the command snmpwalk -v 2c -c public localhost without any issues and can retrieve some pre-configured data. Similarly, when using SNMPv3 with snmpwalk -v3 -u test -l authPriv -a SHA -A 123456789 -x AES -X 987654321 localhost, I am also able to fetch data.

I have also tried to fetch the existing data first using the following command:
root@OPNsense:~ # snmpget -v3 -u test -l authPriv -a SHA -A 123456789 -x AES -X 987654321 localhost SNMPv2-MIB::sysName.0
SNMPv2-MIB::sysName.0 = STRING: OPNsense.localdomain


Then, I went on to modify it and verified the change as well:
root@OPNsense:~ # snmpset -v3 -u test -l authPriv -a SHA -A 123456789 -x AES -X 987654321 localhost SNMPv2-MIB::sysName.0 s "123456"
SNMPv2-MIB::sysName.0 = STRING: 123456


However, I found that I am unable to modify certain data fields. For example:
root@OPNsense:~ # snmpset -v3 -u test -l authPriv -a SHA -A 123456789 -x AES -X 987654321 localhost SNMPv2-MIB::sysLocation.0 s "123456"
Error in packet.
Reason: notWritable (That object does not support modification)
Failed object: SNMPv2-MIB::sysLocation.0


I have looked into the content of this MIB file, and it should normally be editable. However, I am not sure what is preventing it from being modified.
sysLocation OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "The physical location of this node (e.g., 'telephone
            closet, 3rd floor').  If the location is unknown, the
            value is the zero-length string."
    ::= { system 6 }


My second question is regarding IPsec VPN. The connection has been correctly configured and is working well.

(Here, I posted IPsec status, which appears to be fine)
root@OPNsense:~ # ipsec statusall
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Status of IKE charon daemon (strongSwan 5.9.11, FreeBSD 13.2-RELEASE-p3, amd64):
  uptime: 11 minutes, since Oct 25 06:18:41 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.11.192
  10.2.2.10
  10.3.2.254
Connections:
4e8dca36-8537-4b30-8362-755355e84b39:  10.2.2.10...10.2.1.10  IKEv1/2
4e8dca36-8537-4b30-8362-755355e84b39:   local:  [10.2.2.10] uses public key authentication
4e8dca36-8537-4b30-8362-755355e84b39:   remote: [10.2.1.10] uses public key authentication
a13e50d3-5a37-4cda-832b-d08c78af5004:   child:  10.3.2.0/24 === 10.3.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
4e8dca36-8537-4b30-8362-755355e84b39[4]: ESTABLISHED 10 minutes ago, 10.2.2.10[10.2.2.10]...10.2.1.10[10.2.1.10]
4e8dca36-8537-4b30-8362-755355e84b39[4]: IKEv2 SPIs: ac2ed858124d0096_i 57721f5670c951e4_r*, rekeying in 3 hours
4e8dca36-8537-4b30-8362-755355e84b39[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
a13e50d3-5a37-4cda-832b-d08c78af5004{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5b4a38f_i c6968b34_o
a13e50d3-5a37-4cda-832b-d08c78af5004{3}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
a13e50d3-5a37-4cda-832b-d08c78af5004{3}:   10.3.2.0/24 === 10.3.1.0/24


However, when I attempt to check the VPN status via SNMP, I am unable to find the relevant data:
root@OPNsense:~ # snmpget -v3 -u test -l authPriv -a SHA -A 123456789 -x AES -X 987654321 localhost TUNNEL-MIB::tunnelIfTable
TUNNEL-MIB::tunnelIfTable = No Such Object available on this agent at this OID


Those are my questions, thank you all.
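The notWritable error on sysLocation.0 usually comes from the Net-SNMP agent configuration rather than the MIB: sysLocation.0, sysContact.0 and sysName.0 stay writable over SNMP only while they are not set in snmpd.conf, and once a syslocation/syscontact/sysname token (or the sysLocation/sysContact/sysName form) pins one of them, snmpd rejects snmpset on it with notWritable. The script below is an added example, not code from the original post or from the OPNsense project; it parses a constructed sample snmpd.conf (not the poster's real file) and reports which of the three objects are pinned read-only and which read-write principals (rwuser/rwcommunity) could change the remaining ones.

```shell
#!/bin/sh
# Diagnose Net-SNMP "notWritable" for the system group: an object is
# read-only over SNMP when its value is pinned in snmpd.conf.

# Map a config token (case-insensitive) to the MIB object it pins.
object_for_token() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        syslocation) printf 'SNMPv2-MIB::sysLocation.0\n' ;;
        syscontact)  printf 'SNMPv2-MIB::sysContact.0\n' ;;
        sysname)     printf 'SNMPv2-MIB::sysName.0\n' ;;
        *) return 1 ;;
    esac
}

# Print each system-group object that the given snmpd.conf makes read-only.
pinned_system_objects() {
    # drop comment lines, keep the first word of every remaining line
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' | while read -r tok; do
        object_for_token "$tok" || true
    done | sort -u
}

# Print the read-write principals (SNMPv3 users and v1/v2c communities);
# only these credentials can change the objects that are not pinned.
rw_principals() {
    grep -v '^[[:space:]]*#' "$1" |
        awk 'tolower($1) == "rwuser" || tolower($1) == "rwcommunity" { print $1, $2 }'
}

# Constructed sample config (hypothetical, not from any real firewall):
# location and contact are pinned, name is not, one rw user exists.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# sample snmpd.conf
rocommunity public 127.0.0.1
rwuser test authpriv
sysLocation  Server room (pinned here, so notWritable over SNMP)
syscontact   admin@example.invalid
sysservices  76
EOF

pinned_system_objects "$SAMPLE_CONF"   # sysContact.0 and sysLocation.0; sysName.0 stays writable
rw_principals "$SAMPLE_CONF"           # rwuser test
```

Run it against the snmpd.conf the running agent actually loads; if sysLocation.0 is listed, remove that token from the config (or accept that it is managed there) and restart snmpd.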