OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: GaardenZwerch on September 17, 2019, 02:13:55 pm

Title: IPSec and SPI
Post by: GaardenZwerch on September 17, 2019, 02:13:55 pm
Hi,

I am struggling with an IPSec connection to a remote Cisco. I need several phase 2 tunnels, and NAT on my side (I can't use the IP range that the remote side has given me).

When I bring one phase 2 tunnel up, everything is fine. As soon as I bring a second one up, all the traffic uses the SPI of the latest tunnel and gets refused by the remote side.

One tunnel up:
ipsec status:
Code:
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 17 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16

tcpdump:
Code:
14:09:24.989728 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 821, length 64
14:09:24.992286 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 821, length 64
14:09:25.991076 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 822, length 64
14:09:25.993699 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 822, length 64

Now I bring the second tunnel up (ipsec up con1-001).
ipsec status:
Code:
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 28 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16
    con1-001{10}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cf947911_i 41c91673_o
    con1-001{10}:   10.203.251.240/28 === 192.168.2.0/24

tcpdump shows the new SPI is used:
Code:
14:09:28.994230 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 825, length 64
14:09:29.996407 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 826, length 64

I have read these threads here:
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773
but it is not clear to me if the issue is considered to be solved.

I would very much like to try the hack that involves removing the 'Manual SPD' from my phase2 entries and adding them by script.
Does anybody know how to do this?

Thanks a lot,

Frank
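Added example (not from the post above and not OPNsense's own code): one way to script the SPD entries that the post asks about, using setkey(8), which is what FreeBSD (and therefore OPNsense) uses to talk to the kernel policy database. The point of the script is the `unique:<reqid>` level on each policy: `ipsec status` in the post shows reqid 1 for the 172.16.0.0/16 child SA and reqid 2 for 192.168.2.0/24, and a policy with `unique:N` is bound to the SA with reqid N instead of to whichever SA between the two gateways the kernel picks. All addresses are taken from the post; `LAN_NET` (the pre-NAT source network behind the firewall, assumed to be 10.2.0.0/24 from the 10.2.0.1 packets in the tcpdump) and the hypothetical function names are assumptions, and the mapping of reqids to subnets is only what the post printed at that moment, so check it against your own `ipsec status` before applying anything.

```shell
#!/bin/sh
# Added example, not from the original post or from OPNsense.
# Emit setkey(8) SPD entries, one outbound and one inbound per phase 2 selector,
# and pin each policy to the reqid of its child SA with the 'unique:<reqid>' level.
#
# Assumptions (hypothetical, chosen to match the addresses in the post):
#   LAN_NET  - the real (pre-NAT) LAN behind the firewall; the post only shows
#              a single host 10.2.0.1, the /24 is a guess.
#   reqid 1 belongs to 172.16.0.0/16 and reqid 2 to 192.168.2.0/24, exactly as
#   'ipsec status' printed them in the post.

LOCAL_GW=1.2.3.130
REMOTE_GW=4.5.6.130
LAN_NET=10.2.0.0/24

# gen_spd "remote/prefix:reqid" ...
# For each argument print a tunnel-mode policy in both directions whose SA
# level is unique:<reqid>, so that traffic for that remote subnet can only be
# matched to the child SA carrying that reqid.
gen_spd() {
    for spec in "$@"; do
        remote=${spec%:*}      # part before the colon: remote subnet
        reqid=${spec##*:}      # part after the colon: reqid of the child SA
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique:%s;\n' \
            "$LAN_NET" "$remote" "$LOCAL_GW" "$REMOTE_GW" "$reqid"
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique:%s;\n' \
            "$remote" "$LAN_NET" "$REMOTE_GW" "$LOCAL_GW" "$reqid"
    done
}

# count_policies: number of spdadd lines gen_spd would produce (used as a sanity check).
count_policies() {
    gen_spd "$@" | grep -c '^spdadd '
}

# apply_spd: feed the generated policies to the kernel with 'setkey -c'.
# Only runs when setkey exists, so the script is harmless on a workstation.
# Note: there is deliberately no 'spdflush' here; flushing would also remove
# the policies strongSwan installed for the tunnels themselves.
apply_spd() {
    if command -v setkey >/dev/null 2>&1; then
        gen_spd "$@" | setkey -c
    else
        echo "setkey not found; policies not applied" >&2
        return 1
    fi
}

# Usage: print what would be installed for the two selectors shown in the post.
gen_spd 172.16.0.0/16:1 192.168.2.0/24:2
```

Run it as is to review the generated `spdadd` lines; replace the last line with `apply_spd 172.16.0.0/16:1 192.168.2.0/24:2` (or write the output to a file and load it with `setkey -f`) once the reqids match what `ipsec status` shows on your box. Because reqids are assigned when the child SA is installed, re-check them after a reconnect or a config reload before re-running the script.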