Gateway not working anymore in routed IPsec (Azure)

Started by alh, April 30, 2021, 07:08:26 PM

The latest working version is
opnsense-revert -r 21.1.5 strongswan
opnsense-revert -r 21.1.2 opnsense

The error with the Gateway comes with
opnsense-revert -r 21.1.3 opnsense


The error

The following input errors were detected:

    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

is not fixed in 21.1.6. I reverted to 21.1.2 again:

opnsense-revert -r 21.1.2 opnsense



June 18, 2021, 11:52:24 AM #18 Last Edit: June 18, 2021, 11:53:59 AM by franco
To be frank, ifconfig output on the relevant IPsec interface with the broken and working state would be a start...


Cheers,
Franco

The same problem also occurs with the current version 21.1.8_1:

The following input errors were detected:
    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.


21.1.8_1 (error)

#ifconfig
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 116.***.***.*** --> 195.***.***.***
        inet6 fe80::250:56ff:fe00:2340%ipsec1 prefixlen 64 scopeid 0x8
        groups: ipsec
        reqid: 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


21.1.2 (ok)

#ifconfig
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 116.***.***.*** --> 195.***.***.***
        inet6 fe80::250:56ff:fe00:2340%ipsec1 prefixlen 64 scopeid 0x8
        inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff
        groups: ipsec
        reqid: 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


The line inet is missing for:
Local Address    10.36.238.100
Remote Address    10.36.238.1

The log shows an error:
2021-07-24T11:27:14   opnsense[58776]   /usr/local/etc/rc.routing_configure: The gw1 IPv4 gateway address is invalid, skipping.

gw1 is the far gateway to Remote Address    10.36.238.1

And now a revert is not working anymore:

# opnsense-revert -r 21.1.2 opnsense
Fetching opnsense.txz: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20210104... done
opnsense-21.1.8_1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: opnsense has a missing dependency: bsdinstaller
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        opnsense: 21.1.2

Number of packages to be installed: 1

The process will require 22 MiB more space.
[1/1] Installing opnsense-21.1.2...
Extracting opnsense-21.1.2: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=93561).
>>> Invoking update script 'refresh'
Keep version OPNsense\Monit\Monit (1.0.9)
Keep version OPNsense\Firewall\Alias (1.0.0)
Keep version OPNsense\Firewall\Category (1.0.0)
Keep version OPNsense\OpenVPN\Export (0.0.1)
Keep version OPNsense\CaptivePortal\CaptivePortal (1.0.0)
Keep version OPNsense\Core\Firmware (1.0.0)

Fatal error: Uncaught Error: Class 'Phalcon\Validation\Validator' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php:41
Stack trace:
#0 [internal function]: unknown()
#1 [internal function]: Phalcon\Loader->autoLoad('OPNsense\\Base\\V...')
#2 [internal function]: spl_autoload_call('OPNsense\\Base\\V...')
#3 /usr/local/opnsense/mvc/script/run_migrations.php(50): ReflectionClass->__construct('OPNsense\\Base\\V...')
#4 {main}
  thrown in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php on line 41
Writing firmware setting...done.
Writing trust files...done.
Configuring login behaviour...done.
Configuring system logging...done.
=====
Message from opnsense-21.1.2:


--
What are you looking at?


The web GUI is empty.

I restored the backup of the OPNsense VM.

The console now shows the IP for ipsec1:

*** fw*******: OPNsense 21.1.2 (amd64/OpenSSL) ***

LAN (vtnet1)    -> v4: 10.36.100.1/24
WAN (vtnet0)    -> v4: 116.***.***.***/26
ipsec (ipsec1) -> v4: 10.36.238.100/32
...

This was missing on 21.1.8

Hi,
Does anyone have any idea why the line

inet 10.36.238.100 --> 10.36.238.1 netmask 0xffffffff

is missing in ifconfig?
Best Regards,
fog

Hi,
The same problem occurs with the current version 21.7.1.
I located the error in System: Log Files: General

opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'

I modified the Local Address and get an error if the last digit is >32:

opnsense[74322] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.33/-1' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.33/-1: bad value (width invalid)'
opnsense[80630] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.34/-2' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.34/-2: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.40/-8' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.40/-8: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.50/-18' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.50/-18: bad value (width invalid)'
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.2.100/-68' '10.36.2.1'' returned exit code '1', the output was 'ifconfig: 10.36.2.100/-68: bad value (width invalid)'
opnsense[68843] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.99/-67' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.99/-67: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.254/-222' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.254/-222: bad value (width invalid)'

Now I use 10.36.238.2 instead of 10.36.238.100 and no error occurs.
The dashboard also shows the IP for the ipsec interface.

There must be a bug in vpn_ipsec.php which adds a negative subnet to the IP.
Regards,
fog
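
Added example (not part of the original posts and not OPNsense code): a Python check that extracts the address/prefix argument from log lines like those quoted above, flags prefix lengths outside 0..32, and tests whether each failing prefix equals 32 minus the last octet of the local address. The function names and the regex are assumptions made for this example; the sample lines are copied from the post above.

```python
import ipaddress
import re

# Log lines copied from the post above.
SAMPLE_LOG = """\
opnsense[74322] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.33/-1' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.33/-1: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.50/-18' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.50/-18: bad value (width invalid)'
opnsense[59451] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.100/-68' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.100/-68: bad value (width invalid)'
opnsense[5480] /vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec1' 'inet' '10.36.238.254/-222' '10.36.238.1'' returned exit code '1', the output was 'ifconfig: 10.36.238.254/-222: bad value (width invalid)'
"""

# Matches: /sbin/ifconfig '<ifname>' 'inet' '<local>/<prefix>' '<remote>'
CMD_RE = re.compile(
    r"/sbin/ifconfig '(?P<ifname>[^']+)' 'inet' "
    r"'(?P<local>[0-9.]+)/(?P<prefix>-?\d+)' '(?P<remote>[0-9.]+)'"
)


def parse_ifconfig_calls(log_text):
    """Return one dict per logged 'ifconfig <if> inet' call."""
    calls = []
    for m in CMD_RE.finditer(log_text):
        calls.append({
            "ifname": m.group("ifname"),
            "local": ipaddress.IPv4Address(m.group("local")),
            "remote": ipaddress.IPv4Address(m.group("remote")),
            "prefix": int(m.group("prefix")),
        })
    return calls


def prefix_is_valid(prefix):
    """An IPv4 prefix length must lie in 0..32."""
    return 0 <= prefix <= 32


def observed_pattern(local):
    """Pattern seen in this thread's logs only: 32 minus the last octet."""
    return 32 - ipaddress.IPv4Address(local).packed[-1]


if __name__ == "__main__":
    for c in parse_ifconfig_calls(SAMPLE_LOG):
        print(c["ifname"], c["local"], c["prefix"],
              "valid" if prefix_is_valid(c["prefix"]) else "INVALID",
              "matches 32-last_octet:", c["prefix"] == observed_pattern(c["local"]))
```

Every sample line matches the pattern. By the same arithmetic 10.36.238.2 would give a prefix of 30, which ifconfig accepts; that is an inference from these log lines, not something confirmed from the vpn_ipsec.php source.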

Wow, thanks a lot for your persistence in this matter. I hope they fix it soon!