IPSec reported tunnels

[Manxmann]

Hi Folks,

Sorry me again

More of an observation than a bug. I have a number of 'site to site' IPsec VPN's in place between 5 different sites. All sites run OPNsense, mostly 17.1.7 but a one is 17.1.4.

Everything works and for the most part is trouble free but on each host I see odd numbers reported for the number of connected tunnels. For example I have one FW configured with 1 phase link and two phase two using IKEv1. The Dashboard shows 4 Active tunnels and -2 In-Active.

I have also noted at times that all the tunnels on a host can be 'Active' and working and the Dashboard shows 0 Active and 0 in-active. When this occurs checking VPN/IPSec/Status Overview shows nothing. Restarting the StrongSWAN daemon corrects this.

Whilst this odd behaviour doesn't seem to affect the IPSec function it does make diagnosing problems somewhat tricky.

Cheers

[Droppie391]

for what its worth, we see this too. It seems to resolve itself after a few minutes. I assume this is due to a change in strongswan. Probably this is caused by the renegotiation of the tunnels and the displayed numbers reflect to the total of old and new keys.

[franco]

Hi,

Sorry, this appeared when strongSwan was updated from 5.5.1 to 5.5.2, a very unlikely candidate for such changes. I caught the IPsec widget's tunnel reporting in time, but the other one was harder to track and would only pop up in a secondary install ever so sporadically.

https://github.com/opnsense/core/commit/a039ad4d

It will be part of 17.1.8 this week, but you can patch it right away to help confirm:

# opnsense-patch a039ad4d


Cheers,
Franco

[Manxmann]

Thanks Franco,

Patch applied, I'll report back on my progress.

root@XEN-FW:~ # opnsense-patch a039ad4d
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From a039ad4db4d5819fa427c694c94d09846a377e3e Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Fri, 19 May 2017 16:19:24 +0200
|Subject: [PATCH] ipsec: fix widget count after 5.5.2 update
|
|---
| src/www/widgets/widgets/ipsec.widget.php | 12 +++++++++---
| 1 file changed, 9 insertions(+), 3 deletions(-)
|
|diff --git a/src/www/widgets/widgets/ipsec.widget.php b/src/www/widgets/widgets/ipsec.widget.php
|index 4a98e13a5..58eb9e258 100644
|--- a/src/www/widgets/widgets/ipsec.widget.php
|+++ b/src/www/widgets/widgets/ipsec.widget.php
--------------------------
Patching file www/widgets/widgets/ipsec.widget.php using Plan A...
Hunk #1 succeeded at 34.
Hunk #2 succeeded at 66.
Hunk #3 succeeded at 109.
done
All patches have been applied successfully.  Have a nice day.
root@XEN-FW:~ #

[Scalaechelon]

sir,

Please post a guide on how to configure an IPSEC VPN because this is required in our office

Just site to site configuration as i do not want inter branch communication, only branch to central office.

Im relatively new to Opnsense VPN Implementation so i need all the help i can get .

Ciao.

[franco]

The guide is located here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html