
Author Topic: [SOLVED] IPsec tunnel only establishes first phase 2 entry  (Read 5608 times)

8191

[SOLVED] IPsec tunnel only establishes first phase 2 entry
« on: November 29, 2015, 11:30:43 am »
I have an IPsec phase 1 entry with three phase 2 entries. Only the first in the list is being established. At the other endpoint I cannot even see OPNsense trying to establish the other P2s. If I swap the P2 entries (just order, no config), the new first P2 entry is being established.

The /usr/local/etc/ipsec.conf file contains all endpoints as configured via the GUI, namely con1-000 up to con1-002. In the IPsec logs I found:

Nov 29 10:30:22    ipsec_starter[87595]: 'con1-001' routed
Nov 29 10:30:22    ipsec_starter[87595]: 'con1-000' routed
Nov 29 10:30:21    ipsec_starter[87595]: configuration 'con1-001' not found
Nov 29 10:30:21    ipsec_starter[87595]: configuration 'con1-000' unrouted


I'm not so deep into charon; which log levels should I raise to get more info on that issue?

I use OPNsense 15.7.18_1-i386 (willing to upgrade to unstable if this would help investigations).
« Last Edit: November 30, 2015, 07:26:25 am by franco »

8191

Re: IPsec tunnel only establishes first phase 2 entry
« Reply #1 on: November 29, 2015, 02:41:20 pm »
I've found out that both P2s have the same reqid set in the conn section of ipsec.conf. Unfortunately I don't know what charon does with the reqid, since the man page is also quite silent on that...

       reqid = <number>
              sets the reqid for a given connection to a pre-configured fixed
              value.

AdSchellevis

  • Administrator
Re: IPsec tunnel only establishes first phase 2 entry
« Reply #2 on: November 29, 2015, 07:23:38 pm »
We recently dropped the request id, because of some similar issues for someone else.
This commit removes it from our code (and will probably be in the next release):
https://github.com/opnsense/core/commit/3e0e936bdb2d23f918e153c0d046580070c37b0b

8191

Re: IPsec tunnel only establishes first phase 2 entry
« Reply #3 on: November 29, 2015, 07:52:42 pm »
Great, thanks for the info.

franco

  • Administrator
Re: IPsec tunnel only establishes first phase 2 entry
« Reply #4 on: November 30, 2015, 07:26:12 am »
Already pushed to what will be 15.7.21 (likely on Friday).