Hi hi,
I've got two APU-based OPNsense systems which are connected using IPsec
(https://snag.gy/sRlZ0p.jpg)
After I've added MultiWAN with a failover config on location#1:
(https://snag.gy/rXO7Rl.jpg)
I modified the firewall rules like so:
(https://snag.gy/9ECHUN.jpg)
But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!
BTW: "CS net" is 10.10.2.0/24 and "DS net" is 10.10.5.0/24
Hope one of you spots my failure...
Check in the IPsec tunnel whether "Install Policy" is ticked. There was an error introduced in 19.1.4 only affecting newly installed tunnels.
@mimugmail: THX for your reply, but both of the systems have been running since 16/17 and both of the tunnels have been there for a while... But I checked anyway and the tunnels have it checked on both sides of the connection.
So, the IPsec connection is established, CS net can reach DS net but not vice versa, correct?
Rules look fine. tcpdump on interface enc0 via console would help.
Yes, the tunnels are established, and sorry for not stating that clearly in my intro!
I can't connect from 10.10.2.x to 10.10.23.2 (for example) but I can connect from 10.10.23.x to 10.10.2.2
I already created dumps on the OPNsense on location #1, one is from interface CS, the other from IPsec... All I tried to do is open an SSH connection behind the IPsec...
Then it's blocked on the other side in the incoming direction, I'd guess.
Quote from: mimugmail on April 04, 2019, 03:57:14 PM
Then it's blocked on the other side in incoming direction I'd guess
Definitely not, as it worked before changing the WAN setup on location #1 ;-)
As picture-based confirmation:
(https://snag.gy/rqR2zy.jpg)
Firewall log on location #1:
(https://snag.gy/TFx54U.jpg)
Firewall log on location #2:
(https://snag.gy/wdvQrD.jpg)
I am experiencing a similar issue. I have noticed dropped ESP packets from the IPsec peer to the interface not configured for IPsec. If I remove the secondary WAN interface, the tunnel passes traffic. Odd thing is, both sides report the tunnel as up.
May be related, but I haven't had time to dig deeper.
I had a similar problem.
You can try it out with a rule on the WAN interface for ESP any / any, to see if that works better.
Then you can change the rule so that ESP is only allowed between both WAN IPs.
regards,
Ralf
@va176thunderbolt For me this is not a similar issue, as I can connect from one side of the tunnel but not from the other side. Probably just my fault in the firewall settings...
Have you tried the rule for allowing ESP packets from any?
Since a ping from loc1 to loc2 is outgoing, from loc2 to loc1 it is in the incoming direction.
@ralf.kirmis
THX for the hint, just tried it but no change so far:
(https://snag.gy/B5AzKP.jpg)
Does the live log from the firewall display denied packets?
@ralf.kirmis No, as shown in the above screenshot ;-)
Had a call with Jos, installing two patches solved the issue:
sudo opnsense-patch 7835e9c 198887ed
So I'll be skipping 19.1.5 or wait for the hotfix Franco has in the making ... 8)
EDIT: seems to be already out:
[13/38] Fetching opnsense-19.1.5_1.txz: 100% 4 MiB 2.2MB/s 00:02