OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: henningkessler on March 24, 2020, 03:38:56 PM

Title: IPSEC Multiple SPIs State Installed?
Post by: henningkessler on March 24, 2020, 03:38:56 PM
Hello,

I am connecting two OPNsenses via IPSEC successfully, but it seems to be strange/flaky, as connections between both sides drop quite fast even with DPD configured on both sides. At the same time, in the "Status Overview" I have several SPIs with an INSTALLED/routed status.

Side A is a single OPNsense connecting via PPPoE with a dynamically allocated IPv4 address and a DynDNS hostname.
Side B is two OPNsenses in HA with a public /29 IPv4 net.

Here are my configs (Side A <> Side B):

Setting                     Side A                  Side B
Connection method           default                 default
Key Exchange version        auto                    auto
Internet Protocol           IPv4                    IPv4
Interface                   WAN                     "CARP IP"
Remote Gateway              "CARP IP"               "DYNDNS-FQDN"
Dynamic Gateway             No                      Yes

Phase 1 proposal (Authentication)
Authentication method       Mutual PSK              Mutual PSK
My Identifier               DN "DYNDNS-FQDN"        IP Address "CARP IP"
Peer Identifier             IP Address "CARP IP"    DN "DYNDNS-FQDN"

Phase 1 proposal (Algorithms)
Encryption algorithm        AES 256                 AES 256
Hash Algorithms             SHA256                  SHA256
DH key group                14                      14
Lifetime                    28800                   28800
NAT Traversal               Enable                  Enable
Dead Peer Detection         Yes                     Yes

Tunnel
Mode                        Tunnel IPv4             Tunnel IPv4
Local Network
  Type                      Network                 Network
  Address                   172.19.173.0/24         10.100.0.0/16
Remote Network
  Type                      Network                 Network
  Address                   10.100.0.0/16           172.19.173.0/24

Phase 2 Proposal
Protocol                    ESP                     ESP
Encryption                  AES 256bits auto        AES 256bits auto
Hash algorithms             SHA256                  SHA256
PFS key group               14                      14
Lifetime                    3600                    3600

Advanced Options
Automatically ping host     "LAN CARP IP"           "OPN LAN IP"

(https://cloud.henningkessler.de/s/6kyjtF4KmAg5NJB/preview)
(https://cloud.henningkessler.de/s/N5xiyS4gaF8NYaz/preview)
Title: Re: IPSEC Multiple SPIs State Installed?
Post by: mfedv on March 26, 2020, 03:13:18 PM
Hi,

Lots of possible reasons; probably ipsec logs and perhaps packet filter logs are required for further analysis.

On the HA opnsense side, please check if your fw rules allow incoming IKE/ESP traffic from everywhere (or some subnets, if you know the dynamic ip address comes from a certain pool). Fw rules for IKE/ESP are not auto-generated if you use a CARP address. It might still work sometimes, if the HA opnsense initiates the connection and the "let out anything" rule kicks in.

DPD keeps up the IKE connection, and with non-UDP-encapsulated ESP you may need traffic inside the tunnel to keep up connection state in the packet filters. Auto-Ping is perhaps not enough, it sends 3 packets every 4 minutes. If no other traffic is sent, 4 minutes may be too long to keep connection state for ESP up. This should not be a problem if your fw rules allow ESP traffic even without existing connection state as explained above.
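One way to verify the first point above on the HA side, as an added example that is not code from mfedv or from OPNsense: a small POSIX shell check that scans a pf rule listing (as printed by `pfctl -sr`) for inbound pass rules for IKE (udp/500), NAT-T (udp/4500) and ESP on the WAN interface. The interface name em0 and the sample rule lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: check a pf rule listing for the inbound IKE/NAT-T/ESP pass
# rules that are not auto-generated when a CARP address is used for IPsec.
# Interface "em0" and the sample lines are constructed, not from the thread.

# Constructed sample: all three rules present.
SAMPLE_OK='pass in quick on em0 inet proto udp from any to any port = isakmp keep state label "allow IKE"
pass in quick on em0 inet proto udp from any to any port = ipsec-nat-t keep state label "allow NAT-T"
pass in quick on em0 inet proto esp from any to any keep state label "allow ESP"
block drop in log quick on em0 inet all label "default deny"'

# Constructed sample: ESP rule missing, so only UDP-encapsulated traffic gets in.
SAMPLE_NO_ESP='pass in quick on em0 inet proto udp from any to any port = 500 keep state
pass in quick on em0 inet proto udp from any to any port = 4500 keep state
block drop in log quick on em0 inet all'

# check_ipsec_rules IFACE RULES
# Returns 0 when "pass in" rules for udp/500, udp/4500 and ESP exist on IFACE,
# otherwise prints what is missing and returns 1. Accepts numeric ports as well
# as the service names pfctl may print (isakmp, ipsec-nat-t).
check_ipsec_rules() {
  ifc=$1
  rules=$2
  missing=""
  printf '%s\n' "$rules" | grep -Eq "^pass in .*on $ifc .*proto udp .*port = (500|isakmp)( |$)" \
    || missing="$missing udp/500(IKE)"
  printf '%s\n' "$rules" | grep -Eq "^pass in .*on $ifc .*proto udp .*port = (4500|ipsec-nat-t)( |$)" \
    || missing="$missing udp/4500(NAT-T)"
  printf '%s\n' "$rules" | grep -Eq "^pass in .*on $ifc .*proto esp( |$)" \
    || missing="$missing esp"
  if [ -n "$missing" ]; then
    echo "WAN $ifc is missing inbound IPsec rules:$missing"
    return 1
  fi
  echo "WAN $ifc has inbound IKE, NAT-T and ESP rules"
  return 0
}

# Demo on the constructed samples; on a live box feed it: pfctl -sr
check_ipsec_rules em0 "$SAMPLE_NO_ESP" || true
check_ipsec_rules em0 "$SAMPLE_OK"
```

Without the ESP rule, plain ESP from the dynamic-IP peer is only passed while pf state created by the HA side's own outbound traffic still exists, which matches the intermittent behaviour described above.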
Title: Re: IPSEC Multiple SPIs State Installed?
Post by: henningkessler on March 28, 2020, 03:10:58 PM
Hi mfedv,

Sorry for the late reply. As you suggested, I added two fw rules to my WAN interface and it actually solved almost all my problems.
(https://cloud.henningkessler.de/s/Cy6iynWrx7LGf7e/preview)
I am still getting multiple ESP? tunnels, and the tunnels seem to be closed quite fast, but they are opened much quicker than before.

Thanks for helping

Henning