OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: JustTed on November 03, 2020, 10:01:30 PM

Title: IPSEC breaks networking
Post by: JustTed on November 03, 2020, 10:01:30 PM
New to OPNsense, so it could be me, but this seems very odd behaviour.

Creating a route-based IPSEC VPN as per https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

As soon as I create the phase 2 policy, just as described, everything stops networking-wise. Can't even ping the OPNsense server.

So I go onto the console, run 'configctl ipsec stop', and everything comes back. And all is fine if I disable the phase 2 policy and then restart IPsec.

I can't see anything in the phase 2 policy that would affect it like that. What could be happening? Have updated to the latest firmware.
Title: Re: IPSEC breaks networking
Post by: mimugmail on November 03, 2020, 10:03:35 PM
You used live addresses as tunnel network?
Screenshots please ...
Title: Re: IPSEC breaks networking
Post by: JustTed on November 03, 2020, 10:15:07 PM
By "live addresses", what do you mean exactly? These are the IP addresses for the tunnel, surely, so they are arbitrary? I used the same addresses as in the example.

[screenshot attachment]
Title: Re: IPSEC breaks networking
Post by: JustTed on November 03, 2020, 10:17:38 PM
One of the things I've noticed, just in case it's relevant, is that the console shows the local endpoint IP for the tunnel as the IP that is dynamically assigned to the PPPoE connection, whereas it should be one of the static IP addresses I have added to the interface (and defined in phase 1).
Title: Re: IPSEC breaks networking
Post by: JustTed on November 03, 2020, 10:23:09 PM
Phase 1

[screenshot attachment]
Title: Re: IPSEC breaks networking
Post by: mimugmail on November 04, 2020, 07:30:27 AM
When IPsec is off, does any interface have IPs from the tunnel?
Title: Re: IPSEC breaks networking
Post by: JustTed on November 04, 2020, 01:24:20 PM
No, and I've tried all sorts of different addresses on the tunnel to see if that made a difference, but no...
Title: Re: IPSEC breaks networking
Post by: mimugmail on November 04, 2020, 01:38:46 PM
Then I need the output of netstat -nr from when the system is unavailable, and the ipsec.log.
Title: Re: IPSEC breaks networking
Post by: JustTed on November 04, 2020, 03:00:39 PM
Attached. Interestingly, the ipsec.log is filling up with a *lot* of nulls. I had to chop a load out just to get it under the maximum attachment size.
Title: Re: IPSEC breaks networking
Post by: JustTed on November 05, 2020, 03:09:16 PM
Any ideas?
Title: Re: IPSEC breaks networking
Post by: Gauss23 on November 05, 2020, 04:03:21 PM
Nov  4 13:38:12 OPNsense charon[45164]: 13[KNL] can't install route for 60.139.124.132/32 === 61.74.23.234/32 out, conflicts with IKE traffic

Sounds weird. Are you sure you entered the correct IP addresses for the peers?
Title: Re: IPSEC breaks networking
Post by: JustTed on November 05, 2020, 04:11:48 PM
Yes that .234 address is the remote endpoint for the VPN. Not sure why it's saying it's conflicting?
Title: Re: IPSEC breaks networking
Post by: JustTed on November 05, 2020, 05:25:46 PM
OK, so one issue sorted: I had to uncheck "install policy", and then the phase 2 policy stopped taking the traffic down!

The issue remaining is that the "Local IP" in VPN status is showing up as the dynamically assigned IP on the PPPoE interface. Here, there is an additional static /29 assigned by the Internet provider.

I have manually added one of the static IPs as an IP Alias to the WAN interface, but it could also go in Interfaces/PointToPoint/Devices/PPPoE - which is correct?
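Two checks a practitioner would want before enabling "install policy" again, as an added example that is not code from this thread, from OPNsense or from strongSwan: pull the KNL route-conflict refusals (the line Gauss23 quoted) out of a charon log, and test whether a phase 2 selector pair would cover the IKE endpoints themselves, which is exactly the case charon refuses with "conflicts with IKE traffic". The third helper answers mimugmail's "does any interface have IPs from the tunnel" question. The sample log is constructed around the single line quoted above (the other two lines are assumed filler in charon's usual format), the endpoint IPs are the ones quoted in the thread, and the interface addresses in the demo are assumptions.

```python
"""Triage helpers for the charon "conflicts with IKE traffic" refusal.

Added example; not OPNsense or strongSwan code. All addresses below are
either quoted from the forum thread or constructed for the demo.
"""
import ipaddress
import re

# charon's kernel backend refuses to install a route whose traffic selectors
# would capture the IKE SA's own packets. Format as quoted in the thread.
CONFLICT_RE = re.compile(
    r"charon\[\d+\]: \d+\[KNL\] can't install route for "
    r"(?P<local>\S+) === (?P<remote>\S+) out, conflicts with IKE traffic"
)

# Constructed sample: middle line is the one quoted in the thread, the other
# two are assumed filler in charon's usual line format.
SAMPLE_LOG = """\
Nov  4 13:38:11 OPNsense charon[45164]: 05[IKE] IKE_SA con1[1] established between 60.139.124.132[60.139.124.132]...61.74.23.234[61.74.23.234]
Nov  4 13:38:12 OPNsense charon[45164]: 13[KNL] can't install route for 60.139.124.132/32 === 61.74.23.234/32 out, conflicts with IKE traffic
Nov  4 13:38:12 OPNsense charon[45164]: 13[IKE] CHILD_SA con1{1} established with SPIs c0a8f001_i c0a8f002_o
"""


def find_route_conflicts(log_text):
    """Return [(local_selector, remote_selector)] for each KNL refusal."""
    hits = []
    for line in log_text.splitlines():
        m = CONFLICT_RE.search(line)
        if m:
            hits.append((m.group("local"), m.group("remote")))
    return hits


def selectors_cover_ike(local_ike, remote_ike, local_ts, remote_ts):
    """True when a policy with selectors local_ts <-> remote_ts would also
    match the IKE exchange between local_ike and remote_ike. A route-based
    (VTI) phase 2 whose selectors are the public endpoints themselves hits
    this, so "install policy" must stay off for it."""
    local_net = ipaddress.ip_network(local_ts, strict=False)
    remote_net = ipaddress.ip_network(remote_ts, strict=False)
    return (ipaddress.ip_address(local_ike) in local_net
            and ipaddress.ip_address(remote_ike) in remote_net)


def overlapping_interface_addrs(tunnel_net, iface_addrs):
    """Interface addresses (as 'ip/prefix' strings) that fall inside the
    VTI tunnel network; any hit means the tunnel clashes with a live
    interface address."""
    net = ipaddress.ip_network(tunnel_net, strict=False)
    return [a for a in iface_addrs
            if ipaddress.ip_address(a.split("/")[0]) in net]


if __name__ == "__main__":
    for local_ts, remote_ts in find_route_conflicts(SAMPLE_LOG):
        print("KNL refused route:", local_ts, "===", remote_ts)
        # Endpoint IPs as quoted in the thread
        print("  selectors cover IKE endpoints:",
              selectors_cover_ike("60.139.124.132", "61.74.23.234",
                                  local_ts, remote_ts))
    # Assumed tunnel network and interface list for the demo
    print("interface addrs inside tunnel net:",
          overlapping_interface_addrs("10.250.0.0/30",
                                      ["192.168.1.1/24", "10.250.0.1/30"]))
```

Run it against a real ipsec.log by feeding the file contents to find_route_conflicts; a non-empty result together with selectors_cover_ike returning True is the signature of a phase 2 that should have "install policy" unchecked, whereas a hit from overlapping_interface_addrs points at the tunnel-network clash mimugmail asked about instead.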