core: Syslog-ng does not send traffic over policy-based IPSEC tunnels for lack of localip() setting

Describe the bug

Syslog-ng does not send traffic to remote targets over policy-based IPSEC tunnels: the generated configuration sets no localip(), so the source address of the log packets is chosen by the routing table and does not match the tunnel's policy selectors.

To Reproduce

Steps to reproduce the behavior:

  1. Configure site to site IPSEC tunnel with policy selectors
  2. Configure ACLs and verify ability to send syslog to the target manually
  3. Configure logging target to a remote host over the tunnel
  4. Observe that nothing is received on the remote end

Expected behavior

  1. GUI permits setting the source-IP for syslog transmission
  2. syslog-ng config sets the localip() parameter to the provided address in step 1

Environment

OPNsense 22.1.1_3 (amd64, OpenSSL).

Notes

  1. Manually added the localip() param to the configuration
  2. Executed pkill -HUP syslog-ng to reset the logger without letting the GUI reset the config
  3. Observed log data coming in
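As an added illustration (not from the issue and not the configuration OPNsense generates), the destination block the reporter describes, before and after the manual localip() fix. Addresses, the destination names and the source name s_local are constructed placeholders.

```conf
# Added example, not the config OPNsense writes. Constructed addresses:
# 10.10.0.1 is the local LAN address covered by the IPsec policy selector,
# 10.20.0.5 is the remote syslog collector on the far side of the tunnel.

# Before: no localip(). The kernel picks the source address from the route
# to 10.20.0.5 (typically the WAN address). That source/destination pair does
# not match the tunnel's policy selector, so the packets are routed normally
# instead of entering the tunnel and the remote end receives nothing.
destination d_remote_broken {
    network("10.20.0.5" port(514) transport("udp"));
};

# After: bind to the LAN address that the policy selector covers, as the
# reporter did by hand. The pair now matches the selector and the traffic
# goes through the tunnel.
destination d_remote_tunnel {
    network("10.20.0.5" port(514) transport("udp") localip("10.10.0.1"));
};

# s_local is an assumed source definition (e.g. the local system log source).
log { source(s_local); destination(d_remote_tunnel); };
```

After editing, reload the daemon (the reporter used pkill -HUP syslog-ng) and confirm on the remote collector that entries arrive; a GUI-triggered rewrite of the config drops the manual localip() again.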

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

Had a similar issue where the package repo needs to be reached over the IPSec tunnel and pkg not being able to set the relevant src IP address. Solution provided above solved it immediately.

Digging through the repo now to see how to do this. A bit more used to writing docs inline w/ code in all my projects or keeping wikis for infra/systems/etc from the front-side of the wiki, not the src 😄

Looks like you need to disable the automatic gateway rules for this to work, but can confirm that the route is picked up after that and a logger restart, and syslog is now coming through without hand-written configs. Thank you.