OPNsense Forum
English Forums => Virtual private networks => Topic started by: GaardenZwerch on December 03, 2020, 02:38:53 pm
-
Hi,
I have a two-node HA cluster that operates as a VPN gateway.
It has a setup for mobile clients (roadwarriors),
several tunnels to other (fixed) locations,
and an OpenVPN server.
I have experienced several times now that IPsec restarts when I modify the config of the OpenVPN server and hit apply.
This is the syslog. I don't have anything useful in the ipsec.log, as it overwrites the log when it restarts.
Is this related to the /usr/local/etc/rc.newwanip entries?
The weirdest thing is that I have built a lab (qemu) with the exact same setup, same OPNsense (20.7.5), same config (only the interface names are renamed), including the cluster, a router and a client, and I can't reproduce it there.
Thanks a lot for any clues,
Frank
Dec 3 10:24:43 TC-master configctl[71989]: event @ 1606991083.41 msg: Dec 3 10:24:43 TC-master......
config[46965]: config-event: new_config /conf/backup/config-1606991083.412.xml
Dec 3 10:24:43 TC-master configctl[71989]: event @ 1606991083.41 exec: system event config_changed
Dec 3 10:24:46 TC-master sshd[24400]: Accepted publickey for root from 172.30.0.250 port 51436 ssh2: RSA ....
Dec 3 10:24:46 TC-master sshd[24400]: Received disconnect from 172.30.0.250 port 51436:11: disconnected by user
Dec 3 10:24:46 TC-master sshd[24400]: Disconnected from user root 172.30.0.250 port 51436
Dec 3 10:26:03 TC-master webgui[46965]: /index.php: Session timed out for user 'root' from: 172.27.5.3
Dec 3 10:26:03 TC-master webgui[46965]: /index.php: Session timed out for user 'root' from: 172.27.5.3
Dec 3 10:26:06 TC-master webgui[46965]: /index.php: Successful login for user 'root' from: 172.27.5.3
Dec 3 10:26:06 TC-master webgui[46965]: /index.php: Successful login for user 'root' from: 172.27.5.3
Dec 3 10:27:47 TC-master kernel: ovpns1: link state changed to DOWN
Dec 3 10:27:47 TC-master configctl[71989]: event @ 1606991267.15 msg: Dec 3 10:27:47 TC-master.....
config[46965]: config-event: new_config /conf/backup/config-1606991267.1531.xml
Dec 3 10:27:47 TC-master configctl[71989]: event @ 1606991267.15 exec: system event config_changed
Dec 3 10:27:49 TC-master kernel: pflog0: promiscuous mode disabled
Dec 3 10:27:49 TC-master kernel: pflog0: promiscuous mode enabled
Dec 3 10:27:49 TC-master kernel: ovpns1: link state changed to UP
Dec 3 10:27:49 TC-master config[46965]: /vpn_openvpn_server.php: OpenVPN server 1 instance started on PID 21866.
Dec 3 10:27:49 TC-master opnsense[71739]: /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'ovpns1'
Dec 3 10:27:49 TC-master opnsense[71739]: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Dec 3 10:27:50 TC-master kernel: pflog0: promiscuous mode disabled
Dec 3 10:27:50 TC-master kernel: pflog0: promiscuous mode enabled
-
Re,
I have now been able to reproduce this in my lab by moving the roadwarrior behind a NATing router, so that the IPsec server can't initiate anything.
I can now see that when the OpenVPN config changes and the service restarts, IPsec tries to find a new path. It tries this ten times (during which the traffic from the roadwarrior is still fine), then decides the roadwarrior has disappeared, and the connection is dead.
So this is more likely a problem with my IPsec setup, but I'd still be grateful for any hint.
Thanks to you all
Dec 3 15:52:37 TC-masterTest charon[39941]: 13[KNL] 172.29.10.1 disappeared from ovpns1
Dec 3 15:52:37 TC-masterTest charon[39941]: 13[KNL] interface ovpns1 deactivated
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[IKE] <con1|15> old path is not available anymore, try to find another
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[IKE] <con1|15> looking for a route to 1.2.3.249 ...
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[IKE] <con1|15> sending address list update using MOBIKE, implicitly requesting an address change
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[ENC] <con1|15> generating INFORMATIONAL request 4 [ ]
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:40 TC-masterTest charon[39941]: 10[IKE] <con1|15> path probing attempt 1
Dec 3 15:52:40 TC-masterTest charon[39941]: 10[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:40 TC-masterTest charon[39941]: 10[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:43 TC-masterTest charon[39941]: 10[IKE] <con1|15> path probing attempt 2
Dec 3 15:52:43 TC-masterTest charon[39941]: 10[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:43 TC-masterTest charon[39941]: 10[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:44 TC-masterTest charon[39941]: 09[KNL] interface ovpns1 activated
Dec 3 15:52:44 TC-masterTest charon[39941]: 09[KNL] fe80::6030:b46d:9981:8c68 appeared on ovpns1
Dec 3 15:52:44 TC-masterTest charon[39941]: 10[KNL] 172.29.10.1 appeared on ovpns1
Dec 3 15:52:44 TC-masterTest charon[39941]: 10[IKE] <con1|15> old path is not available anymore, try to find another
Dec 3 15:52:44 TC-masterTest charon[39941]: 10[IKE] <con1|15> looking for a route to 1.2.3.249 ...
Dec 3 15:52:44 TC-masterTest charon[39941]: 10[IKE] <con1|15> sending address list update using MOBIKE, implicitly requesting an address change
Dec 3 15:52:45 TC-masterTest charon[39941]: 11[IKE] <con1|15> path probing attempt 3
Dec 3 15:52:45 TC-masterTest charon[39941]: 11[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:45 TC-masterTest charon[39941]: 11[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:48 TC-masterTest charon[39941]: 11[IKE] <con1|15> path probing attempt 4
Dec 3 15:52:48 TC-masterTest charon[39941]: 11[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:48 TC-masterTest charon[39941]: 11[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:50 TC-masterTest charon[39941]: 12[IKE] <con1|15> path probing attempt 5
Dec 3 15:52:50 TC-masterTest charon[39941]: 12[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:50 TC-masterTest charon[39941]: 12[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:53 TC-masterTest charon[39941]: 11[IKE] <con1|15> path probing attempt 6
Dec 3 15:52:53 TC-masterTest charon[39941]: 11[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:53 TC-masterTest charon[39941]: 11[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:55 TC-masterTest charon[39941]: 12[IKE] <con1|15> path probing attempt 7
Dec 3 15:52:55 TC-masterTest charon[39941]: 12[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:55 TC-masterTest charon[39941]: 12[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:52:58 TC-masterTest charon[39941]: 11[IKE] <con1|15> path probing attempt 8
Dec 3 15:52:58 TC-masterTest charon[39941]: 11[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:52:58 TC-masterTest charon[39941]: 11[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:53:00 TC-masterTest charon[39941]: 12[IKE] <con1|15> path probing attempt 9
Dec 3 15:53:00 TC-masterTest charon[39941]: 12[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:53:00 TC-masterTest charon[39941]: 12[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:53:03 TC-masterTest charon[39941]: 12[IKE] <con1|15> path probing attempt 10
Dec 3 15:53:03 TC-masterTest charon[39941]: 12[IKE] <con1|15> checking path 1.2.3.243[4500] - 1.2.3.249[41362]
Dec 3 15:53:03 TC-masterTest charon[39941]: 12[NET] <con1|15> sending packet: from 1.2.3.243[4500] to 1.2.3.249[41362] (96 bytes)
Dec 3 15:53:05 TC-masterTest charon[39941]: 14[IKE] <con1|15> giving up after 10 path probings
Dec 3 15:53:05 TC-masterTest charon[39941]: 14[IKE] <con1|15> unable to reestablish IKE_SA due to asymmetric setup
Dec 3 15:53:05 TC-masterTest charon[39941]: 14[CFG] <con1|15> lease 10.9.0.1 by 'C=LU, ST=NA, L=Walferdange, O=CGIE, OU=InfDist, CN=admweifr259-homer.men.lux' went offline
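To make the failure mode in the log above easy to spot in a log feed, here is an added Python example (my own code, not from the post or from OPNsense/strongSwan) that parses charon lines of the shape quoted above and reports which IKE_SAs MOBIKE gave up on right after an interface flap. The sample lines are constructed from the post's output, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in the post above
SAMPLE_LOG = """\
Dec 3 15:52:37 TC-masterTest charon[39941]: 13[KNL] interface ovpns1 deactivated
Dec 3 15:52:37 TC-masterTest charon[39941]: 07[IKE] <con1|15> old path is not available anymore, try to find another
Dec 3 15:52:40 TC-masterTest charon[39941]: 10[IKE] <con1|15> path probing attempt 1
Dec 3 15:52:43 TC-masterTest charon[39941]: 10[IKE] <con1|15> path probing attempt 2
Dec 3 15:52:44 TC-masterTest charon[39941]: 09[KNL] interface ovpns1 activated
Dec 3 15:53:05 TC-masterTest charon[39941]: 14[IKE] <con1|15> giving up after 10 path probings
Dec 3 15:53:05 TC-masterTest charon[39941]: 14[IKE] <con1|15> unable to reestablish IKE_SA due to asymmetric setup
"""
# syslog prefix, charon thread/group tag, optional <conn|ike-sa-id>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\scharon\[\d+\]:\s"
    r"\d+\[(?P<grp>\w+)\]\s(?:<(?P<sa>[^>]+)>\s)?(?P<msg>.*)$"
)

def analyse_charon(text):
    """Return ({ike_sa: state}, [interface events]) for a chunk of charon log."""
    iface_events = []
    sas = defaultdict(lambda: {"probes": 0, "gave_up": False,
                               "asymmetric": False, "triggered_by": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, grp, sa, msg = m.group("ts", "grp", "sa", "msg")
        if grp == "KNL":
            ev = re.match(r"interface (\S+) (deactivated|activated)$", msg)
            if ev:
                iface_events.append((ts, ev.group(1), ev.group(2)))
        elif grp == "IKE" and sa is not None:
            st = sas[sa]
            if msg.startswith("old path is not available") and iface_events:
                st["triggered_by"] = iface_events[-1][1]  # last interface that flapped
            elif re.match(r"path probing attempt \d+$", msg):
                st["probes"] += 1
            elif msg.startswith("giving up after"):
                st["gave_up"] = True
            elif "unable to reestablish IKE_SA due to asymmetric setup" in msg:
                st["asymmetric"] = True
    return dict(sas), iface_events

def dead_sas(text):
    """IKE_SAs that MOBIKE gave up on after an interface flap: the symptom in the post."""
    sas, _ = analyse_charon(text)
    return sorted(sa for sa, st in sas.items() if st["gave_up"] and st["asymmetric"])
```

Run over the full ipsec log, a non-empty result from dead_sas() points at exactly the interaction described in the post: an unrelated interface going down triggered MOBIKE path probing against a peer behind NAT that cannot be reached unsolicited.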
-
Sorry for the monologue, I think I found it:
I need to "Disable MOBIKE" on the server
Thanks