I've recent converted from pfSense and am now running 20.1.7 connecting to a number of IPSEC traditional VPN tunnels.
- The endpoints are a number of different pfSense firewalls, 2.4.4.p3, 2.4.5 and 2.4.5-p1.
- If I restart IPSEC on OPNsense, all the tunnels P1/P2 connect and work.
- After about 1 hour, some, consistently the same tunnels, lose their P2 in OPNsense.
What have a done?* I have rebooted OPNsense
* Deleted the affected OPNsense tunnels and remade them on OPNsense again
* Minutely compared settings on OPNsense to tunnels that work and never drop and those that do (no * differences detected)
See some IPSEC log entries from OPNsense;
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Have a look at this whilst in failure mode:
See the last one (con6) - no P2
(http://nop2.png)
NO PROPOSAL CHOSEN means there is a mismatch in settings, like enc alg or hash digest.
You need to compare both sides one by one.
Thanks.
You are right, just some very subtle differences and that was the cause.
Problem solved.