OPNsense Forum

English Forums => Virtual private networks => Topic started by: atom on March 31, 2021, 02:53:35 PM

Title: ipsec multiple networks in phase 2
Post by: atom on March 31, 2021, 02:53:35 PM
Hello,

I have a problem with IPsec connections when I want to use more than one remote network with the same local network in phase 2.

1. network
local               remote
192.168.100.0/24    10.0.0.0/24

works until I add a second network

2. network
local               remote
192.168.100.0/24    10.10.0.0/24

I got a 'received DELETE for ESP CHILD_SA' and then a 'closing CHILD_SA con'.

Regards,
atom
Title: Re: ipsec multiple networks in phase 2
Post by: Patrick M. Hausen on March 31, 2021, 03:09:45 PM
What's the other side running? Do you have "Tunnel isolation" enabled? Most commercial firewalls/vpn-gateways require that in my experience.

And of course you need to add both networks to the "local" list on the remote side.
Title: Re: ipsec multiple networks in phase 2
Post by: atom on March 31, 2021, 03:13:24 PM
The remote side is running a Cisco ASA. I've also tried to set "Tunnel isolation".

The tunnel worked before without any issue between a Lancom and the Cisco. Now I am only trying to switch one end of the tunnel from Lancom to OPNsense.
Title: Re: ipsec multiple networks in phase 2
Post by: Patrick M. Hausen on March 31, 2021, 03:41:58 PM
So you have two phase 2 SAs on the ASA side, too? Then this should work as intended. Probably with Tunnel isolation enabled.

Are you sure it is not only temporarily tearing down the tunnel because of your config changes?
Title: Re: ipsec multiple networks in phase 2
Post by: atom on March 31, 2021, 07:15:13 PM
We first tried it with IKEv2. Then I could reach one of the other two networks, depending on whether "Tunnel isolation" was enabled or not.
Then we fell back to IKEv1. Then it was not possible to get the tunnel running with two networks enabled.
Title: Re: ipsec multiple networks in phase 2
Post by: atom on April 21, 2021, 03:32:05 PM
The SAs are correct (on both sides of the tunnel):
Source    Destination    Protocol    SPI    Enc. alg.    Auth. alg.    Data
xx.xx.xx.xx    yy.yy.yy.yy    ESP    c9fd5d36    rijndael-cbc    hmac-sha1    0 B
yy.yy.yy.yy    xx.xx.xx.xx    ESP    c47ae68a    rijndael-cbc    hmac-sha1    0 B
xx.xx.xx.xx    yy.yy.yy.yy    ESP    161bc2a1    rijndael-cbc    hmac-sha1    18176 B
yy.yy.yy.yy    xx.xx.xx.xx    ESP    c9458776    rijndael-cbc    hmac-sha1    6695 B

The packets for the first network are sent with the correct SPI:

14:14:19.072273 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.x.x.53355 > 10.0.x.x.3210: Flags [S], seq 421378147, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
14:14:19.073146 (authentic,confidential): SPI 0xc9458776: IP 10.0.x.x.3210 > 192.168.x.x.54727: Flags [S.], seq 1604342582, ack 421378148, win 8192, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0

But the packets for the second network are sent with the same SPI and not the other one:

14:14:40.298621 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.x.x.53356 > 172.16.x.x.53200: Flags [S], seq 2338379155, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
14:14:40.537097 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.x.x.53357 > 172.16.x.x.53200: Flags [S], seq 3742114150, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
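The check atom performed by eye above, matching each packet's destination subnet against the SPI it was sent with, can be automated over the ESP-decrypted tcpdump output. The following is an added example, not code from the thread or from OPNsense: it parses lines in the format shown above, looks up which CHILD_SA's traffic selectors cover the packet, and reports packets that went out on a different SA than their selectors call for. The capture lines, the addresses and the mapping of SPIs to subnet pairs in `EXPECTED_SAS` are constructed placeholders; in particular, which of the two idle SPIs belongs to the second network is an assumption, since the SAD table in the thread does not show selectors.

```python
import ipaddress
import re

# Constructed sample lines in the format of the thread's ESP-decrypted tcpdump
# output. Addresses and SPIs are placeholders, not the poster's real values.
SAMPLE_CAPTURE = """\
14:14:19.072273 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.100.10.53355 > 10.0.0.20.3210: Flags [S], seq 421378147, win 64860, length 0
14:14:19.073146 (authentic,confidential): SPI 0xc9458776: IP 10.0.0.20.3210 > 192.168.100.10.53355: Flags [S.], seq 1604342582, ack 421378148, win 8192, length 0
14:14:40.298621 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.100.10.53356 > 172.16.0.20.53200: Flags [S], seq 2338379155, win 64860, length 0
14:14:40.537097 (authentic,confidential): SPI 0x161bc2a1: IP 192.168.100.10.53357 > 172.16.0.20.53200: Flags [S], seq 3742114150, win 64860, length 0
"""

# Hypothetical CHILD_SA layout: one SA pair per local/remote subnet pair, which
# is what "Tunnel isolation" produces. The assignment of the two idle SPIs to
# the second network is an assumption for this example.
# (local subnet, remote subnet) -> (outbound SPI, inbound SPI)
EXPECTED_SAS = {
    ("192.168.100.0/24", "10.0.0.0/24"): ("161bc2a1", "c9458776"),
    ("192.168.100.0/24", "172.16.0.0/24"): ("c9fd5d36", "c47ae68a"),
}

# Matches the prefix of a decrypted ESP line: timestamp, SPI, src.port > dst.port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \(authentic,confidential\): SPI 0x(?P<spi>[0-9a-f]{8}): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def parse_capture(text):
    """Return one dict (ts, spi, src, dst) per ESP packet line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def expected_spi(src, dst, sas=EXPECTED_SAS):
    """Return the SPI a packet should carry according to the selector table.

    Outbound packets (local -> remote) get the outbound SPI, inbound packets
    the inbound one. Returns None when no CHILD_SA covers the pair, i.e. the
    traffic should not be in the tunnel at all or an SA is missing.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (local, remote), (out_spi, in_spi) in sas.items():
        lnet, rnet = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        if s in lnet and d in rnet:
            return out_spi
        if s in rnet and d in lnet:
            return in_spi
    return None


def find_mismatches(text, sas=EXPECTED_SAS):
    """Return (ts, src, dst, actual_spi, expected_spi) for every packet whose
    SPI differs from the one its traffic selectors call for."""
    mismatches = []
    for p in parse_capture(text):
        want = expected_spi(p["src"], p["dst"], sas)
        if want != p["spi"]:
            mismatches.append((p["ts"], p["src"], p["dst"], p["spi"], want))
    return mismatches


if __name__ == "__main__":
    for ts, src, dst, got, want in find_mismatches(SAMPLE_CAPTURE):
        print(f"{ts} {src} > {dst}: SPI {got}, expected {want}")
```

Run against a real capture (`tcpdump -i enc0` on OPNsense, or any ESP-decrypted trace in the same format) with `EXPECTED_SAS` filled from the SAD and SPD tables of both peers. A non-empty result for one subnet pair while the other pair is clean, as in the thread, points at selector negotiation (which CHILD_SA the policy lookup picks) rather than at crypto or routing; an expected value of None instead flags traffic that no SA covers.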