Good day
I want to set up a routed VPN between pfSense and OPNsense. Previously both endpoints were pfSense, but now I want to change one side to OPNsense. Unfortunately I was not really successful.
If I do it according to this guide:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html
it works, but as soon as I enable gateway monitoring, the VPN (incl. phase 2) is still UP but ping/connection is gone. Also the gateway does not come up green, although I can ping the gateway from the OPNsense before activating monitoring.
With pfSense there were no problems.
Does anyone have an idea what it could be?
Task:
Set up routed VPN, VPN works = OK
ping gateway from side B with OPNsense = OK
ping gateway from side B with PC = OK
set up GW monitoring with monitor IP GW side B = fail
ping gateway from side B with OPNsense = fails
ping gateway from side B with PC = fails
VPN does not work anymore!
Scenario:
Side A OPNsense
routed VPN GW 1.1.1.1
Side B pfSense
routed VPN GW 2.2.2.2
Monitor side A GW = OK
If I set up the same monitoring on OPNsense as on pfSense, but vice versa, it's not working and all communication over the VPN is gone (the tunnel is still up).
I have the feeling it is a bug.
Best Regards
k
Have you tried rebooting after setting up gateway monitoring? Something is buggy w.r.t. VTI interfaces; I haven't looked into what exactly it is yet, but it's possible that VTI interfaces lose their IP addresses after certain configuration changes. I know at least one way to provoke it (change MTU or MSS values in the interface config).
When I experimented with this, rebooting usually got everything working. IIRC simply disconnecting and reconnecting the tunnel also worked; the VTI interface had its IP address again.
Quote: Have you tried rebooting after setting up gateway monitoring? Something is buggy w.r.t. VTI interfaces; I haven't looked into what exactly it is yet, but it's possible that VTI interfaces lose their IP addresses after certain configuration changes. I know at least one way to provoke it (change MTU or MSS values in the interface config).
When I experimented with this, rebooting usually got everything working. IIRC simply disconnecting and reconnecting the tunnel also worked; the VTI interface had its IP address again.
Thank you for your message!
I already played with MTU and MSS; this was the solution when I set up the tunnel with pfSense and it was not working at the beginning. Now I use the values MSS 1300 and MTU 1400 to be safe. The tunnel works well until I set up gateway monitoring, so I think it is not a failure with MSS and MTU. Now I am setting up another tunnel to another pfSense endpoint, and let's see what happens.
To be continued...
BR
K
My point was not that changing MTU or MSS could solve the issue. My point was that doing so is one way of breaking VTI tunnels, because the interface loses its IP address. So it could be that changing gateway monitoring settings triggers the same or a similar issue.
Would you mind posting your ifconfig output here? And you haven't yet answered whether or not you've tried reconnecting the tunnel or rebooting the machine.
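The check the reply above asks for can be scripted. The following is an added example, not code from either poster or from the OPNsense/pfSense projects: it parses FreeBSD-style ifconfig output (the format both firewalls use) and reports, for every IPsec VTI interface, whether it still carries an inet address and what the peer address is, so a VTI that has lost its address after a gateway-monitoring change stands out immediately. It assumes the VTI interfaces are named ipsecN (the if_ipsec naming OPNsense uses); adjust the pattern in the awk script if yours are named differently. The ifconfig text embedded below is constructed for offline testing and does not come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Parse FreeBSD ifconfig output and print one
# line per IPsec VTI interface: "<name> ok peer=<addr>" or "<name> NO-ADDRESS".
# Assumption: VTI interfaces are named ipsecN. Indentation may be tabs or spaces.

vti_status() {
    awk '
        # Emit the result for the interface block we just finished.
        function flush() {
            if (is_vti) {
                if (has_inet) print name " ok peer=" peer
                else          print name " NO-ADDRESS"
            }
            is_vti = 0; has_inet = 0; peer = ""
        }
        # Unindented line = start of a new interface block, e.g. "ipsec1: flags=...".
        /^[^ \t]/ {
            flush()
            name = $1; sub(/:$/, "", name)
            is_vti = (name ~ /^ipsec[0-9]+$/)
        }
        # Indented "inet A --> B netmask ..." line. The "tunnel inet ..." line
        # (outer IPsec endpoints) starts with "tunnel", so it is not matched here.
        /^[ \t]+inet / { has_inet = 1; peer = $4 }
        END { flush() }
    '
}

# Constructed sample: ipsec1 is healthy, ipsec2 has lost its inner address
# (only the outer tunnel endpoints remain), em0 is a normal LAN interface.
SAMPLE_IFCONFIG='ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    options=8<VLAN_MTU>
    tunnel inet 203.0.113.10 --> 198.51.100.20
    inet 10.99.0.1 --> 10.99.0.2 netmask 0xffffffff
    groups: ipsec
ipsec2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    options=8<VLAN_MTU>
    tunnel inet 203.0.113.10 --> 198.51.100.30
    groups: ipsec
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.5 netmask 0xffffff00 broadcast 192.0.2.255'

# Run against the constructed sample by default; pass --live to inspect the
# running firewall instead (e.g. from an OPNsense/pfSense shell: sh vti_status.sh --live).
if [ "${1:-}" = "--live" ]; then
    ifconfig | vti_status
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | vti_status
fi
```

Against the sample this prints `ipsec1 ok peer=10.99.0.2` and `ipsec2 NO-ADDRESS`. On a live box, a VTI reported as NO-ADDRESS while the phase 2 SA is still up matches the symptom described in this thread (tunnel up, no traffic, gateway never goes green); reconnecting the tunnel or rebooting, as suggested above, should make the address reappear, and running the check before and after the gateway-monitoring change shows whether that change is what removes it.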