Author Topic: IPSec reported tunnels  (Read 3074 times)

Manxmann

IPSec reported tunnels
« on: May 30, 2017, 02:57:26 pm »
Hi Folks,

Sorry me again :)

More of an observation than a bug. I have a number of 'site to site' IPsec VPNs in place between 5 different sites. All sites run OPNsense, mostly 17.1.7 but one is 17.1.4.

Everything works and for the most part is trouble-free, but on each host I see odd numbers reported for the number of connected tunnels. For example I have one FW configured with 1 phase link and two phase two using IKEv1. The Dashboard shows 4 Active tunnels and -2 In-Active.

I have also noted at times that all the tunnels on a host can be 'Active' and working and the Dashboard shows 0 Active and 0 inactive. When this occurs, checking VPN/IPSec/Status Overview shows nothing. Restarting the strongSwan daemon corrects this.

Whilst this odd behaviour doesn't seem to affect the IPSec function it does make diagnosing problems somewhat tricky.

Cheers

Droppie391

Re: IPSec reported tunnels
« Reply #1 on: May 30, 2017, 04:51:51 pm »
For what it's worth, we see this too. It seems to resolve itself after a few minutes. I assume this is due to a change in strongSwan. Probably this is caused by the renegotiation of the tunnels, and the displayed numbers reflect the total of old and new keys.

franco

Re: IPSec reported tunnels
« Reply #2 on: May 30, 2017, 08:23:48 pm »
Hi,

Sorry, this appeared when strongSwan was updated from 5.5.1 to 5.5.2, a very unlikely candidate for such changes. I caught the IPsec widget's tunnel reporting in time, but the other one was harder to track and would only pop up in a secondary install ever so sporadically.

https://github.com/opnsense/core/commit/a039ad4d

It will be part of 17.1.8 this week, but you can patch it right away to help confirm:

# opnsense-patch a039ad4d


Cheers,
Franco

Manxmann

Re: IPSec reported tunnels
« Reply #3 on: May 30, 2017, 10:33:01 pm »
Thanks Franco,

Patch applied, I'll report back on my progress.

root@XEN-FW:~ # opnsense-patch a039ad4d
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From a039ad4db4d5819fa427c694c94d09846a377e3e Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Fri, 19 May 2017 16:19:24 +0200
|Subject: [PATCH] ipsec: fix widget count after 5.5.2 update
|
|---
| src/www/widgets/widgets/ipsec.widget.php | 12 +++++++++---
| 1 file changed, 9 insertions(+), 3 deletions(-)
|
|diff --git a/src/www/widgets/widgets/ipsec.widget.php b/src/www/widgets/widgets/ipsec.widget.php
|index 4a98e13a5..58eb9e258 100644
|--- a/src/www/widgets/widgets/ipsec.widget.php
|+++ b/src/www/widgets/widgets/ipsec.widget.php
--------------------------
Patching file www/widgets/widgets/ipsec.widget.php using Plan A...
Hunk #1 succeeded at 34.
Hunk #2 succeeded at 66.
Hunk #3 succeeded at 109.
done
All patches have been applied successfully.  Have a nice day.
root@XEN-FW:~ #

Scalaechelon

Re: IPSec reported tunnels
« Reply #4 on: May 31, 2017, 02:36:16 am »
Sir,

Please post a guide on how to configure an IPsec VPN because this is required in our office.

Just site to site configuration as I do not want inter-branch communication, only branch to central office.

I'm relatively new to OPNsense VPN implementation so I need all the help I can get.

Ciao.

franco

Re: IPSec reported tunnels
« Reply #5 on: May 31, 2017, 11:59:30 am »
The guide is located here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html