For a few days now I've been racking my brains over an ipsec tunnel connection that doesn't really want to work.
Phase 1 and phase 2 are established but unfortunately I can't reach the other side.
I hope someone here has an idea and can help.
Version: OPNSENSE 21.1.6
Here are the data from ipsec statusall:
root@OPNsenseVF:~ # ipsec statusall
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Status of IKE charon daemon (strongSwan 5.9.2, FreeBSD 12.1-RELEASE-p16-HBSD, amd64):
uptime: 11 minutes, since Jun 18 15:32:47 2021
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
192.168.22.100 (opnsense)
192.168.10.198 (WAN)
Connections:
con1: 192.168.10.198...85.1.2.3 IKEv2
con1: local: [192.168.10.198] uses pre-shared key authentication
con1: remote: [85.1.2.3] uses pre-shared key authentication
con1: child: 213.1.2.3/32 === 139.1.2.3/32 TUNNEL
Security Associations (1 up, 0 connecting):
con1[4]: ESTABLISHED 8 minutes ago, 192.168.10.198[192.168.10.198]...85.1.2.3[85.1.2.3]
con1[4]: IKEv2 SPIs: c829b25a6dd28deb_i* cacc8476f40761cb_r, pre-shared key reauthentication in 2 hours
con1[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
con1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c843ae3b_i 26d84c90_o
con1{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
con1{2}: 213.1.2.3/32 === 139.1.2.3/32
Normally I should be able to reach 139.1.2.3 via telnet when the connection is established.
I notice this message in the log files.
charon[16026] 12[KNL] <con1|1> querying policy 213.1.2.3/32 === 139.1.2.3/32 out failed, not found
I cannot interpret this correctly.
Is it just a routing problem?
Here is netstat:
root@OPNsenseVF:~ # netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.10.2 UGS vtnet1
1.1.1.1 8e:f7:81:14:be:93 UHS vtnet1
8.8.4.4 8e:f7:81:14:be:93 UHS vtnet1
127.0.0.1 link#4 UH lo0
192.168.10.0/24 link#2 U vtnet1
192.168.10.198 link#2 UHS lo0
192.168.22.0/24 link#1 U vtnet0
192.168.22.100 link#1 UHS lo0
Does anyone have any ideas?
I am grateful for any inspiration.
I have no access to the other side.
IP addresses have been changed by me and are only an example.
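As an added diagnostic (not from this thread or from OPNsense), the script below parses ipsec statusall output like the one above and flags CHILD_SAs that are installed but carry no traffic, and whose local traffic selector covers none of the addresses charon is listening on; the parsed text is a constructed excerpt of the output above, with the same placeholder IPs.

```python
import ipaddress
import re

# Constructed excerpt of the `ipsec statusall` output quoted in the post.
SAMPLE = """\
Listening IP addresses:
  192.168.22.100 (opnsense)
  192.168.10.198 (WAN)
Security Associations (1 up, 0 connecting):
  con1[4]: ESTABLISHED 8 minutes ago, 192.168.10.198[192.168.10.198]...85.1.2.3[85.1.2.3]
  con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c843ae3b_i 26d84c90_o
  con1{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
  con1{2}:   213.1.2.3/32 === 139.1.2.3/32
"""

CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(.*)$")   # CHILD_SA lines use name{n}
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
TS_RE = re.compile(r"^([\d./]+) === ([\d./]+)$")       # local === remote selectors

def parse_statusall(text):
    """Return (listening_ips, children); children maps 'con1{2}' to its fields."""
    listening, children, in_listen = [], {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Listening IP addresses:"):
            in_listen = True
            continue
        if in_listen:
            m = re.match(r"(\d+\.\d+\.\d+\.\d+)", stripped)
            if m:
                listening.append(ipaddress.ip_address(m.group(1)))
                continue
            in_listen = False          # first non-address line ends the section
        m = CHILD_RE.match(line)
        if not m:
            continue
        entry = children.setdefault(f"{m.group(1)}{{{m.group(2)}}}", {})
        rest = m.group(3).strip()
        if b := BYTES_RE.search(rest):
            entry["bytes_in"], entry["bytes_out"] = int(b.group(1)), int(b.group(2))
        elif t := TS_RE.match(rest):
            entry["local_ts"] = ipaddress.ip_network(t.group(1))
            entry["remote_ts"] = ipaddress.ip_network(t.group(2))
    return listening, children

def diagnose(text):
    """Return findings for CHILD_SAs that are up but cannot be carrying traffic."""
    listening, children = parse_statusall(text)
    findings = []
    for name, c in children.items():
        if c.get("bytes_in", 1) == 0 and c.get("bytes_out", 1) == 0:
            findings.append(f"{name}: CHILD_SA installed but 0 bytes in both directions")
        if "local_ts" in c and not any(ip in c["local_ts"] for ip in listening):
            findings.append(f"{name}: local selector {c['local_ts']} covers none of the "
                            "listening IPs, so packets sent from the firewall itself will "
                            "not match this policy")
    return findings
```

Run it with `python3 script.py` after replacing SAMPLE with the real output; a selector finding means tests from the firewall's own shell need a source address inside the local selector, or the selector itself is wrong.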
Phase 1 entries are correct.
Phase 2 doesn't match the other side.
But in the status overview the status is "installed routed".
If phase 2 did not match, this would not be possible.
Have you marked "install policy" in phase 1 "advanced options"?
Install policy is marked.
Your default router is 192.168.10.2 and not the WAN (192.168.10.198), correct?
Do you have a network plan?
192.168.10.2 is the default WAN gateway.
I do not have a network plan with me at the moment.