[MERGED INTO 17.1.4] SafeStack base and IPsec IPv4 TCP connection aborts

Started by franco, March 16, 2017, 09:00:49 PM

opnsense-update wasn't updated so it's still on 17.1.3 and since you installed the test kernel which is 17.1.3-next it tried to reapply the known good one.

It's not unfixable, yet I think something changed in FreeBSD with the python setup tools package that is causing this.

First step is to identify the extra packages you installed:

# pkg query -e '%a = 0' %o

Next step would be to remove the offending packages, then the update should be fixed. Last step is putting your extra packages back based on the latest ports code (we may have to add them to our mirror packages to make sure future upgrades work ok for you).

OK, here is the output:

# pkg query -e '%a = 0' %o


devel/git
www/lightsquid
editors/nano
opnsense/opnsense
opnsense/os-smart
ports-mgmt/pkg
lang/python27
www/squid
www/squidanalyzer
www/squidview

# pkg delete squidanalyzer squidview
# pkg autoremove

This should bring the system back into an upgradeable state; double-check with upgrade -n again. If it doesn't want to remove the "opnsense-17.1.3" package you can go for it. :)

Hi Franco,

It has unfortunately not worked. After many months of the dev apu and then these lines: :o

FreeBSD repository update completed. 25859 packages processed.
pkg-static: No packages available to install matching 'opnsense' have been found in the repositories


it's time for new ways....

pkg install ca_root_nss
fetch https://raw.githubusercontent.com/opnsense/update/master/bootstrap/opnsense-bootstrap.sh
sh ./opnsense-bootstrap.sh


Reboot.....Done....Perfect  :)

Thanks for your help
Cheers, Till

Hi Till,

Funny, ok. Just for future endeavours... "opnsense-bootstrap" is installed by default. :D


Cheers,
Franco

Upgraded from 17.3 to 17.4 on the one location where I still use IPSEC on opnsense, was able to disable the quick match/floating rules and it looks like the site2site VPN tunnels may be passing traffic now, but I'd like to give it a couple days before I say for sure that it's fixed.

I'll need to give it a couple days to be sure.

For reference, that opnSense VM has the following IPSEC tunnels at the moment:

IKEv1 tunnel + NAT-T from a CHR (Virtual) RouterOS (need to move to IKE2; I think when I set it up, IKE2 support in RouterOS was just out and didn't seem to want to play nice with opnSense)

IKEv2 tunnel from a ubnt Edge Router

IKEv2 tunnel from a Routerboard RB750Gr3 (RouterOS)

Hi,

I'm on 17.1.7 and IPsec traffic is only working if any - any is enabled.
As soon as any source or destination IP is inserted, all IPsec traffic gets blocked by the default any block rule.

Anything I can provide in order to help?

cheers!