but I'd have to do that individually for all IPSEC connections on all WAN interfaces.
Quote from: franco on August 23, 2024, 03:12:29 pm
Can you share the difference of /usr/local/etc/strongswan.conf between version 24.7.1 and 24.7.2? (diff -u)
Privately is fine too: franco@opnsense.org

Quote from: franco on August 23, 2024, 04:02:19 pm
Does anyone use strongswan.opnsense.d/*.conf overrides affected here?

Cheers,
Franco
# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        identifier = charon
        daemon {
            ike_name = yes
        }
    }
    install_routes = no
    plugins {
    }
}
include strongswan.opnsense.d/*.conf

# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        ike_name = yes
        log_level = no
        daemon {
            app = 1
            asn = 1
            cfg = 1
            chd = 1
            dmn = 1
            enc = 1
            esp = 1
            ike = 1
            imc = 1
            imv = 1
            job = 1
            knl = 1
            lib = 1
            mgr = 1
            net = 1
            pts = 1
            tls = 1
            tnc = 1
        }
    }
    install_routes = no
    plugins {
    }
}
include strongswan.opnsense.d/*.conf
There is no need to add the same rules twice. That said, I'd recommend to set up proper firewall rules manually and untick that "magic" checkbox. Avoid all similar disruption in the future.
I don't see "magic" rules except for the Tunnel Settings (legacy) site to sites.
Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPSEC tunnels dropping. I am terminating between a Sonicwall 2650 and OPNSense, prior to 24.7.2 no issues, now having issues w/ P2 dropping. Below is the issue I think and I have validated that proposals match:

2024-08-28T10:25:58-05:00 Informational charon 06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00 Informational charon 06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00 Informational charon 06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2024-08-28T10:25:58-05:00 Informational charon 06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]
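
Added example, not part of the post above and not OPNsense or strongSwan code: a small script that reads charon "configured proposals" / "received proposals" lines like the ones quoted and lists, per pair, the transforms that appear on one side only. It is a plain set comparison, not strongSwan's own proposal selection; the function names are hypothetical and the sample input is the quoted lines re-typed as constructed data.

```python
import re
from collections import defaultdict

# Constructed input: the charon lines quoted in the post above, one per line.
SAMPLE_LOG = """\
2024-08-28T10:25:58-05:00 Informational charon 06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00 Informational charon 06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00 Informational charon 06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2024-08-28T10:25:58-05:00 Informational charon 06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]
"""

# Captures: timestamp, charon thread number, side, comma-separated proposals.
PROPOSAL_LINE = re.compile(
    r"^(\S+) .*?charon (\d+)\[CFG\] (configured|received) proposals: (.+)$")

def parse_proposals(log_text):
    """Group proposals by (timestamp, thread) so log line order does not matter."""
    events = defaultdict(lambda: {"configured": [], "received": []})
    for line in log_text.splitlines():
        m = PROPOSAL_LINE.match(line.strip())
        if m:
            stamp, thread, side, plist = m.groups()
            events[(stamp, thread)][side] += [p.strip() for p in plist.split(",")]
    return dict(events)

def transforms(proposal):
    """Split 'ESP:A/B/C' into its protocol and the set of transform names."""
    proto, _, rest = proposal.partition(":")
    return proto, set(rest.split("/"))

def diff_proposals(log_text):
    """For each received/configured pair, list transforms present on one side only."""
    report = []
    for event in parse_proposals(log_text).values():
        for received in event["received"]:
            r_proto, r_set = transforms(received)
            for configured in event["configured"]:
                c_proto, c_set = transforms(configured)
                if r_proto == c_proto:
                    report.append({"received": received, "configured": configured,
                                   "only_configured": sorted(c_set - r_set),
                                   "only_received": sorted(r_set - c_set)})
    return report

if __name__ == "__main__":
    for row in diff_proposals(SAMPLE_LOG):
        print(row["configured"], "->", row["only_configured"], row["only_received"])
```

On the quoted lines, the closest pair differs in one transform: MODP_2048 is listed in the configured proposal and absent from the received one.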