[MERGED INTO 17.1.4] SafeStack base and IPsec IPv4 TCP connection aborts

[franco]

opnsense-update wasn't updated so it's still on 17.1.3 and since you installed the test kernel which is 17.1.3-next it tried to reapply the known good one.

It's not unfixable, yet I think something changed in FreeBSD with the python setup tools package that is causing this.

First step is to identify the extra packages you installed:

# pkg query -e '%a = 0' %o

Next step would be to remove the offending packages, then the update should be fixed. Last step is putting your extra packages back based on the latest ports code (we may have to add them to our mirror packages to make sure future upgrades work ok for you).

[tillsense]

Ok here the output

# pkg query -e '%a = 0' %o

Code: [Select]

devel/git
www/lightsquid
editors/nano
opnsense/opnsense
opnsense/os-smart
ports-mgmt/pkg
lang/python27
www/squid
www/squidanalyzer
www/squidview


[franco]

# pkg delete squidanalyzer squidview
# pkg autoremove

This should bring the system back into an upgradeable state, double-check with upgrade -n again. If it doesn't want to remove "opnsense-17.1.3" package you can go for it.

[tillsense]

Hi Franco,

has unfortunately not worked. after many months of the dev apu and then these lines:

Code: [Select]

FreeBSD repository update completed. 25859 packages processed.
pkg-static: No packages available to install matching 'opnsense' have been found in the repositories

it's time for new ways....

Code: [Select]

pkg install ca_root_nss
fetch https://raw.githubusercontent.com/opnsense/update/master/bootstrap/opnsense-bootstrap.sh
sh ./opnsense-bootstrap.sh

Reboot.....Done....Perfect 

thanks for your help
cheers till

[franco]

Hi Till,

Funny, ok. Just for future endeavours... "opnsense-bootstrap" is installed by default.


Cheers,
Franco

[dragon2611]

Upgraded from 17.3 to 17.4 on the one location where I still use IPSEC on opnsense, was able to disable the quick match/floating rules and it looks like the site2site VPN tunnels may be passing traffic now, but I'd like to give it a couple days before I say for sure that it's fixed.

I'll need to Give it a couple days to be sure

For Reference that opnSense VM has the following IPSEC tunnels at the moment

IKEv1 tunnel + NAT-T from a CHR (Virtual) RouterOS (need to move to IKE2, I think when i set it up IKE2 support in routerOS was just out and didn't seem to want to play nice with opnSense)

IKEv2 tunnel from a ubnt Edge Router

IKEv2 tunnel from an Routerboard RB750Gr3 (RouterOS)

[ristridin]

Hi,

I´m on 17.1.7 and IPSec traffic is only working if any - any is enabled.
As soon as any source or destination ip is inserted, all ipsec traffic get´s blocked by default any block rule.

Anything I can provide in order to help?

cheers!