Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec upgrade to 2.5

    IPsec
    3
    21
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      Ofloo @Ofloo
      last edited by

      @ofloo

      what about this error

      zebra[71429]: Can't lookup mtu by ioctl(SIOCGIFMTU)
      

      while:

      3e6f39d3-82e1-41b3-ad52-ac72051339fb-afbeelding.png

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        That error also implies the interface doesn't exist or can't be queried.

        The swanctl config is nice but can you give a screenshot of the GUI settings for that P2? Or at least the config.xml -- I need more about how it is getting to that point, not the end result.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        O 1 Reply Last reply Reply Quote 0
        • O
          Ofloo @jimp
          last edited by

          @jimp I've removed it just a min ago so no, but even when removed it makes no difference.
          i've removed all IPv6 just to be sure but still no difference.

          O 1 Reply Last reply Reply Quote 0
          • O
            Ofloo @Ofloo
            last edited by Ofloo

            @jimp is it important that you see it? I still can rollback the vm. If it helps..

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              It may be enough to know that the external addresses were IPv6. I checked in my lab and I don't have any VTI that are setup using IPv6 on the outside like that. I can't recall the last time I tested it.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                I opened an issue to track it at https://redmine.pfsense.org/issues/11537, hopefully it won't be too difficult for one of us to reproduce and solve.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                O 1 Reply Last reply Reply Quote 1
                • O
                  Ofloo @jimp
                  last edited by Ofloo

                  @jimp

                  Just rebooted once more and I also noticed a lot of these errors?

                  14[CFG] trap not found, unable to acquire reqid 2000
                  
                   00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/local/lib/opensc-pkcs11.so) 
                  00[CFG] PKCS11 module '<name>' lacks library path 
                  00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.2-STABLE, amd64) 
                  
                  <con5000|3718> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found 
                  15[KNL] <con5000|3718> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found 
                   15[KNL] <con5000|3718> querying policy fdxx:xxxx:xxx::2/128|/0 === fdxx:xxxx:xxx::2/128|/0 in failed, not found 
                  
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> selecting traffic selectors for us:
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> selected proposal: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> proposal matches
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> selecting proposal:
                  Feb 26 08:05:19 	charon 	50795 	15[CFG] <con5000|3720> no acceptable ENCRYPTION_ALGORITHM found 
                  

                  On that last error no acceptable encryption proposals found, .. is strange cause both are configured with same encryption scheme/configuration.

                  O 1 Reply Last reply Reply Quote 0
                  • O
                    Ofloo @Ofloo
                    last edited by Ofloo

                    @ofloo NVM bad patch applied.

                    EDIT:

                    @jimp NVM bad patch applied.

                    These appear though:

                    <con5000|3> querying policy fdxx:xxxx:xxxx::2/128|/0 === fdxx:xxxx:xxxx::2/128|/0 in failed, not found
                    <con5000|3> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
                    <con5000|3> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
                    <con1000|2> querying policy fdxx:xxxx:44xx::1/128|/0 === fdxx:xxxx:44xx::2/128|/0 in failed, not found
                    <con1000|2> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
                    <con1000|2> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found 
                    

                    pasting logs is consider spam?

                    O 1 Reply Last reply Reply Quote 0
                    • O
                      Ofloo @Ofloo
                      last edited by

                      @ofloo An other problem I've noticed. It was a bug before but i was able to make it work.

                      In relase 2.4.5p1 both when you wanted a dual stack VTI you could set it to IPv4 and it would just work. You then could add both P2 IPv4 and IPv6 this worked.

                      However now in 2.5 this configuration doesn't seem to work anymore. When it's set to IPv4 vti only IPv4 works as it should i guess but when set to dual stack nothing works as it did before. But now you can't make dual stack work anymore.

                      O 1 Reply Last reply Reply Quote 0
                      • O
                        Ofloo @Ofloo
                        last edited by Ofloo

                        @ofloo

                        I think the problem still lies with FRR, maybe it's a configuration thing at least for the IPv4 part.

                        tcpdump -ni ipsec5000 not icmp
                        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                        listening on ipsec5000, link-type NULL (BSD loopback), capture size 262144 bytes
                        08:35:56.952614 IP 10.128.x.9.52117 > 10.128.x.10.179: Flags [FP.], seq 1342714925:1342714944, ack 1126756536, win 131, options [nop,nop,TS val 2158382576 ecr 2930881738], length 19: BGP
                        08:35:57.049220 IP 10.128.x.10.179 > 10.128.x.9.52117: Flags [R], seq 1126756536, win 0, length 0
                        08:36:02.013888 IP 10.128.x.10.179 > 10.128.x.9.46094: Flags [R.], seq 3726290407, ack 2899991084, win 512, options [nop,nop,TS val 4145417838 ecr 2305700040], length 0
                        08:36:07.589692 IP 10.128.x.9.179 > 10.128.x.10.46063: Flags [FP.], seq 255473205:255473226, ack 100809217, win 128, options [nop,nop,TS val 1581327985 ecr 96898160], length 21: BGP
                        08:36:11.152170 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [P.], seq 485006693:485006712, ack 3890827107, win 131, options [nop,nop,TS val 2143866376 ecr 2627774982], length 19: BGP
                        08:36:11.213583 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [P.], seq 1:20, ack 0, win 512, options [nop,nop,TS val 2627833734 ecr 2143807680], length 19: BGP
                        08:36:11.213623 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [.], ack 20, win 131, options [nop,nop,TS val 2143866438 ecr 2627833734], length 0
                        08:36:11.249057 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [.], ack 19, win 511, options [nop,nop,TS val 2627833769 ecr 2143866376], length 0
                        08:36:21.343545 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [P.], seq 20:336, ack 19, win 512, options [nop,nop,TS val 2627843862 ecr 2143866438], length 316: BGP
                        08:36:21.343608 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [.], ack 336, win 131, options [nop,nop,TS val 2143876562 ecr 2627843862], length 0
                        08:36:48.363641 IP 10.128.x.9.52117 > 10.128.x.10.179: Flags [FP.], seq 0:19, ack 1, win 131, options [nop,nop,TS val 2158433987 ecr 2930881738], length 19: BGP
                        08:36:48.461330 IP 10.128.x.10.179 > 10.128.x.9.52117: Flags [R], seq 1126756536, win 0, length 0
                        08:37:04.116239 IP 10.128.x.9.179 > 10.128.x.10.46063: Flags [FP.], seq 0:21, ack 1, win 128, options [nop,nop,TS val 1581384512 ecr 96898160], length 21: BGP
                        08:37:11.163081 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [P.], seq 19:38, ack 336, win 131, options [nop,nop,TS val 2143926387 ecr 2627843862], length 19: BGP
                        08:37:11.263206 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [.], ack 38, win 511, options [nop,nop,TS val 2627893780 ecr 2143926387], length 0
                        08:37:11.263233 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [P.], seq 336:355, ack 38, win 512, options [nop,nop,TS val 2627893780 ecr 2143926387], length 19: BGP
                        08:37:11.263252 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [.], ack 355, win 131, options [nop,nop,TS val 2143926487 ecr 2627893780], length 0
                        08:37:39.763627 IP 10.128.x.9.52117 > 10.128.x.10.179: Flags [FP.], seq 0:19, ack 1, win 131, options [nop,nop,TS val 2158485387 ecr 2930881738], length 19: BGP
                        08:37:39.859222 IP 10.128.x.10.179 > 10.128.x.9.52117: Flags [R], seq 1126756536, win 0, length 0
                        08:38:00.732652 IP 10.128.x.9.179 > 10.128.x.10.46063: Flags [FP.], seq 0:21, ack 1, win 128, options [nop,nop,TS val 1581441128 ecr 96898160], length 21: BGP
                        08:38:11.262922 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [P.], seq 38:57, ack 355, win 131, options [nop,nop,TS val 2143986487 ecr 2627893780], length 19: BGP
                        08:38:11.287734 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [P.], seq 355:374, ack 38, win 512, options [nop,nop,TS val 2627953810 ecr 2143926487], length 19: BGP
                        08:38:11.287759 IP 10.128.x.9.2199 > 10.128.x.10.179: Flags [.], ack 374, win 131, options [nop,nop,TS val 2143986512 ecr 2627953810], length 0
                        08:38:11.358617 IP 10.128.x.10.179 > 10.128.x.9.2199: Flags [.], ack 57, win 511, options [nop,nop,TS val 2627953880 ecr 2143986487], length 0
                        08:38:31.163620 IP 10.128.x.9.52117 > 10.128.x.10.179: Flags [R.], seq 20, ack 1, win 0, options [nop,nop,TS val 2158536787 ecr 2930881738], length 0
                        

                        The routes are just not distributing.

                        O 1 Reply Last reply Reply Quote 0
                        • O
                          Ofloo @Ofloo
                          last edited by Ofloo

                          @ofloo I did a backup of a router installed a cloud version of it (linode) 2.5 configuration, added a wireguard tunnel as well now both ipsec vti I can ping both IPv4 and IPv6, i can ping through wireguard.

                          However frr bgp* still doesn't distribute routes not even through wireguard, added allow IP 0.0.0.0/0 and ::1/0

                          1 Reply Last reply Reply Quote 0
                          • D
                            danjeman @jimp
                            last edited by

                            @jimp Can we simply update to 2.5.1 or 21.02.2 over the top of these system patches or should they be removed before or after?

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              You can just update, the patches are a part of 21.02.2/2.1.5.

                              Alternately, you can remove the patch entries (Do NOT revert, just delete them) either before or after upgrade and leave the patches package in place.

                              The only possible action you might need to take is to make sure none of them are set to auto-apply. In most cases that wouldn't hurt anything since it would just fail to apply, but certain diffs may end up adding themselves multiple times that way.

                              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.