We have had the problem that since our firewall updated to 19.1.4 our IPsec tunnels don't work as expected anymore. We see in the GUI that all tunnels are up, and on both sites we see status up on both phases. But we don't see any traffic through the tunnel. I can ping from my host on site A to the firewall or the server of site B and I don't see any traffic on site B; I only see my ping request with tcpdump on the firewall of site A, but nothing more. We also rebooted the firewall, but that had no effect.
Edit:
Site B is still on version 19.1.2, and when I ping from site B to site A I see the ping request in tcpdump on interface enc0 on site A and site B. When I do a ping from site A, I don't see this ping on enc0, only on the LAN interface, and then it goes nowhere.
Same here since 19.1.4.
Try reverting https://github.com/opnsense/core/commit/8490bc70ab
# opnsense-patch 8490bc70ab
Cheers,
Franco
I'm getting the same problem on the 19.1.3 and 19.1.4 versions... I needed to go back to 19.1.2 because my environment was in production mode and I did not have time to investigate.
Regards
Carlos
Yes, same on our side. We went back to 19.1.2 and have to request a maintenance window to try the patch.
ivo
How did you go back to 19.1.2? With a reinstall, or is there an option to go back without a new installation?
In the console:
opnsense-revert -r 19.1.2 opnsense
Please try the patch revert instead of going back to older versions -- otherwise we'll not have enough data to work on.
Cheers,
Franco
Hi Franco,
It looks fine after applying the patch:
- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot
Many thanks and have a nice evening.
Regards, ivo
Hi Ivo,
Thanks for confirming. Is there an OPNsense < 19.1.4 or pfSense on the other end?
Cheers,
Franco
Hi Franco,
For sure we only use OPNsense :-)
Without the patch in the main office, we had different versions in place, between 19.1.2 and 19.1.4, and we can't connect to any side.
Maybe this is interesting: we patched only the FW in the main office (19.1.4 + patch), and it runs fine with the unpatched 19.1.4 boxes and the 19.1.2 to .3 boxes from the branch offices.
Regards, ivo
I have updated from 19.1.2 to 19.1.4 and my IPSec connections (1 x site2site, 2 x mobile) still work fine without installing the patch. Is the latter only needed in case of using VTI?
Patch works fine
Same problem. Patch works fine.
Since the patch is just a feature removal the question now is: everyone who needs to revert the feature, what is your special setup quirk here? Need details please....
Cheers,
Franco
Hi all,
We had the same issue here. We have 22 site-to-site IPsec tunnels running, three of them IKEv2.
All remote peers are different kinds of firewalls (Cisco ASA, Lancom, Checkpoint), but no OPNsense.
After upgrading to 19.1.4 some tunnels worked fine, some didn't. It didn't make any difference whether it was IKEv1 or IKEv2.
As far as we can tell, all non-working tunnels contain single-host configurations in the phase 2 entries. But I am not sure about that because we weren't able to test all connections.
After applying the patch (= removal of VTI) everything was fine, thanks for that!
Cheers
Josef
Hi all,
Same problem here. Since 19.1.4, a tunnel to a Fortigate cluster (2x Fortigate 200E) doesn't work anymore. SAs are created and the counters for incoming traffic are >0, but there is no outgoing traffic to the Fortigate box.
I'll try the patch later this evening.
Edit: Fortigate firmware version: 5.6.3
Updated a bunch of routers last night from 19.1.2 to 19.1.4 and a few of them had VPN issues this morning. Reverted the patch on one of them, rebooted, and no issues right now.
Appreciate the info. We removed the explicit reqid setting from non-VTI configurations and that should be it for 19.1.5.
Cheers,
Franco
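As an added illustration of what an "explicit reqid setting" on a non-VTI connection looks like in strongSwan's ipsec.conf (this is a constructed example, not the thread's or OPNsense's generated configuration; connection names, addresses, subnets and the reqid value are made up): the first conn pins the reqid to a fixed number, the second leaves it unset so strongSwan allocates one per CHILD_SA when the SA is installed.

```conf
# Constructed illustration, not an OPNsense-generated ipsec.conf.

# Policy-based site-to-site child with an explicit, fixed reqid.
# A fixed reqid is what a route-based (VTI, FreeBSD if_ipsec) setup
# needs so the ipsec interface can be bound to the SA.
conn siteA-siteB-fixed-reqid
    keyexchange=ikev2
    left=203.0.113.1
    leftsubnet=192.0.2.0/24
    right=198.51.100.1
    rightsubnet=10.0.0.0/24
    # pinned: strongSwan will not allocate its own reqid for this child
    reqid=1001
    auto=route

# The same policy-based tunnel without the explicit reqid: strongSwan
# allocates a reqid per CHILD_SA itself, which is the normal case for
# non-VTI tunnels.
conn siteA-siteB
    keyexchange=ikev2
    left=203.0.113.1
    leftsubnet=192.0.2.0/24
    right=198.51.100.1
    rightsubnet=10.0.0.0/24
    auto=route
```

To check which reqid a running CHILD_SA actually got, `ipsec statusall` (or `swanctl --list-sas` on swanctl-based setups) prints the reqid next to each child SA, so two children that unexpectedly share one reqid, or a peer whose SA is installed under a different reqid than its policy, become visible. In strongSwan terms the connection methods mentioned later in this thread correspond, as I understand OPNsense's mapping, to `auto=start` ("Start immediate") and `auto=route` ("Start on traffic").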
Hello!
Patch solved the issue. Thanks!
Hi,
Is it useful to wait for 19.1.5?
If not, how can I download and install the patch?
Thanks!
Hi all,
I have the same issue here with a site-to-site IPsec tunnel. OPNsense does not bring up the IPsec tunnel.
In my setup I can pin the problem down to the connection method in the tunnel settings. OPNsense fails to establish the IPsec tunnel when 'Start immediate' is selected as the connection method.
As soon as I select 'Start on traffic' as the connection method, everything works fine.
Can anybody reproduce this issue with their own setup?