Disappointed by IPSec management

[Peter2121]

Hello,
I'm trying to replace our pfSense and I've just try OPNsense.
I state that the IPsec management does NOT work as it should. 
I have about 30 tunnels, just several ones are up after switching to OPNsense.
After some digging I understand that:
- all IPsec tunnels with NAT (at my side) do not work at all, the packets are send non encrypted to Internet, there is no Phase 2 negotiations at all;
- very often the modifications in Phase 2 destinations do not work, there is no changes in system route table (old route is still here, new one is not added), this problem is randomly present;
- when I force BINAT - it complains about the difference in network masks between my LAN network and translated network, but I'm sure to use the same network mask.
It's really damage, but I must go back to my pfSense. 

[Julien]

I am havinf a similar issue
With pfsense everything works when I install opnsense got stuck.
Have already opened a threat waiting for someone's answer
In the meantime I switch back to pfsense until I can get the tunnels up and running
I believe it's a NAT issue but I don't know

[OpSteve]

I have the same feelings. After installing opnsense everything's going nuts... Please let me know if you will get any answers from technical support. Thanks

[djGrrr]

Unfortunately the IPSec related bugs are mostly (completely?) to do with bugs and changes introduced in upstream FreeBSD 11, so they are taking a bit of time to narrow down / fix; some bugs were already fixed since 17.1 release, but a few still remain.

[Peter2121]

Unfortunately the IPSec related bugs are mostly (completely?) to do with bugs and changes introduced in upstream FreeBSD 11, so they are taking a bit of time to narrow down / fix; some bugs were already fixed since 17.1 release, but a few still remain.

It seems that the bugs are not core IPsec related, but IPsec tunnels management, as I have two tunnels with the same configuration, one is working fine but second cannot be connected if the NAT of LAN is active. Moreover, if I change the Phase 2 config of not working tunnel from NATed LAN to not-NATed LAN - it continues blocking. I need to recreate the whole tunnel (phase 1 and phase 2) to get it working without NAT. So, for me something is broken in OPNsense layer, between Web interface and IPsec core. And another bug - an IPsec related static route that stays after removing of tunnel, it is definitely not related to core, as I can remove it from command line without problem.

[franco]

Hi,

First of all, it's very discouraging to enter a thread in a helpful manner with such a title. If we assume pfSense 2.3 is better in this regard, you're essentially disappointed that we are not pfSense 2.3. Which is true.

This is also suboptimal because by thinking IPsec tunnels can simply be copied and will work will lead you to think that OPNsense doesn't work as it should. Which is maybe not so true.

We added features, pfSense added features. If you use these newer features they may not work here. It's natural.

> when I force BINAT - it complains about the difference in network masks between my LAN network and translated network, but I'm sure to use the same network mask.

BINAT doesn't work. It requires a pfSense patch to StrongSwan which we are unwilling to touch.

> all IPsec tunnels with NAT (at my side) do not work at all, the packets are send non encrypted to Internet, there is no Phase 2 negotiations at all;

This is very odd, but it would point to configuration issues...

> very often the modifications in Phase 2 destinations do not work, there is no changes in system route table (old route is still here, new one is not added), this problem is randomly present;

This is odd, but then the question is does it work when you restart the service?

What pfSense version are you using, what OPNsense version?


Cheers,
Franco

[Peter2121]

If we assume pfSense 2.3 is better in this regard, you're essentially disappointed that we are not pfSense 2.3.

Not, at all.
If I'm trying to migrate our firewall from pfSense to OPNsense - that's because I'm NOT satisfied by the functioning of pfSense. And that's because I hoped to be more happy with OPNsense, for myself and (maybe) for my customers.

This is also suboptimal because by thinking IPsec tunnels can simply be copied and will work will lead you to think that OPNsense doesn't work as it should. Which is maybe not so true.

When I look into xml with IPsec configurations exported from pfSense and from OPNsense - they seem to be similar. So, I hope that it should work. And when I search a firewall to replace pfSense - the possibility of importing the actual configuration brings OPNsense to the first place in my list.

We added features, pfSense added features. If you use these newer features they may not work here. It's natural.

All our IPsec tunnels were created in pfSense 2.1, they don't use something 'new' from pfSense features. Anyway, as I've mentioned, the newly created tunnel has the same problems as the imported one. Maybe, there is an influence of another tunnel to this one, but it should not influence like this normally.

BINAT doesn't work. It requires a pfSense patch to StrongSwan which we are unwilling to touch.

Nice to know it. Why is BINAT still present in Web interface of OPNsense? It's confusing!

This is odd, but then the question is does it work when you restart the service?

If the route is not deleted (it randomly happens), disabling/enabling IPsec (checkbox at the bottom of the page) does not change it. I don't know if it really restarts IPsec service.

What pfSense version are you using, what OPNsense version?

pfSense 2.3.2-RELEASE-p1, OPNsense 17.1.2.