OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Patrick M. Hausen on October 10, 2021, 08:05:11 PM

Title: IPsec phase 2 SAs drop for no apparent reason
Post by: Patrick M. Hausen on October 10, 2021, 08:05:11 PM
Hi all,

we have mostly successfully migrated our ancient Sidewinder firewall cluster to an HA pair of OPNsense on Deciso's very nice machines.

One single issue that troubles us: some, but not all, IPsec VPN connections to business partners, while correctly migrated and "up and running", drop their phase 2 SAs from time to time and do not re-establish them unless someone restarts the strongSwan service. I cannot see a pattern in the configuration.

All tunnels we run are set to "Start immediate" for phase 1.
I have set Keyingtries to "-1" for all tunnels.

I tried to manually edit the /usr/local/etc/ipsec.conf file and add "closeaction = restart" to each phase 2 entry, but it seems that even a service restart from the UI regenerates the config and deletes my changes.

So, first: can someone point me at the code that generates the ipsec.conf file - I would just hardwire that parameter for now and if that fixes things, I'd be more than willing to provide a pull request.
I did not find any jinja template or anything remotely MVC that does this. I assumed all of OPNsense could be found at /usr/local/opnsense/mvc/... but apparently I'm wrong.

Any other ideas? What particular debug setting to set to "more verbose" and what to look for in the log file would also help greatly. I have no experience with strongSwan, apart from commercial products I always used the standard FreeBSD kernel IPsec and racoon ...

Kind regards,
Patrick

P.S. Of course there are some tunnels that are just rock solid. Like IKEv1 ones to several Fritzbox routers or an IKEv2 one to another OPNsense. Unfortunately I won't convince our enterprise customers to switch their expensive Cisco/Checkpoint/... gear. ;)
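For readers unfamiliar with strongSwan's ipsec.conf syntax, here is an added, hand-written conn stanza (not from the original post, and not the file OPNsense generates) showing where the settings discussed in this post live: `auto = start` for "Start immediate", `keyingtries = %forever` for unlimited keying tries (assumed here to be what the UI's "-1" maps to), and the `closeaction = restart` line that had to be hardwired. Connection name, addresses, subnets and proposals are placeholders.

```conf
# Added example: minimal strongSwan ipsec.conf for one site-to-site tunnel.
# Names, addresses, subnets and proposals below are placeholders.
config setup
    uniqueids = yes

conn partner-tunnel
    keyexchange = ikev2
    left = 192.0.2.1
    leftsubnet = 10.10.0.0/24
    right = 198.51.100.1
    rightsubnet = 10.20.0.0/24
    authby = psk
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!
    # "Start immediate" in the OPNsense phase 1 settings
    auto = start
    # unlimited keying tries (the ipsec.conf spelling of "never give up")
    keyingtries = %forever
    # if the peer closes the CHILD_SA (phase 2) or it is otherwise torn down,
    # initiate it again instead of leaving the IKE SA up with no phase 2
    closeaction = restart
    # the same policy when dead peer detection fires
    dpdaction = restart
    dpddelay = 30s
```

A caveat from the strongSwan documentation: `closeaction` (like `dpdaction`) only triggers on the side that did not initiate the close, and `restart` on both peers can make both sides re-initiate at once, so it is normally set on one side of a tunnel only.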
Title: Re: IPsec phase 2 SAs drop for no apparent reason
Post by: Patrick M. Hausen on October 11, 2021, 04:40:39 PM
No ideas?

I took it to the strongSwan mailing list:
https://lists.strongswan.org/pipermail/users/2021-October/015130.html
Title: Re: IPsec phase 2 SAs drop for no apparent reason
Post by: Fright on October 11, 2021, 07:27:15 PM
hi
Quote: "someone point me at the code that generates the ipsec.conf file"
try this one ;)
https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/ipsec.inc
Title: Re: IPsec phase 2 SAs drop for no apparent reason
Post by: Patrick M. Hausen on October 11, 2021, 07:48:11 PM
Line 1656 to hardwire $things per conn entry. Thanks!
Title: Re: IPsec phase 2 SAs drop for no apparent reason
Post by: Patrick M. Hausen on October 12, 2021, 04:42:26 PM
https://github.com/opnsense/core/pull/5275
Title: Re: IPsec phase 2 SAs drop for no apparent reason
Post by: Cerberus on October 14, 2021, 11:50:19 AM
Hi,

yes, I noticed that for some weeks: sometimes IPsec tunnels are down and the IPsec status shows that phase 1 is up but all phase 2 SAs are missing. I have to press restart on OPNsense to get it fixed; triggering a restart from the peer does not bring the phase 2 back.
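The symptom described in the two posts above (IKE SA established, no CHILD_SA) is easy to check for from a shell. The script below is an added example, not from the thread or from OPNsense: it parses `ipsec statusall`-style output (assuming the legacy `ipsec` CLI that the ipsec.conf-based setup implies) and prints the names of connections whose IKE SA shows `ESTABLISHED` but which have no `INSTALLED` CHILD_SA. The status text embedded in it is constructed to approximate strongSwan's format; connection names and addresses are placeholders.

```shell
#!/bin/sh
# Added example: find conns with phase 1 up but no phase 2 SA.
# Input format approximates `ipsec statusall`:
#   name[n]: ESTABLISHED ...      -> IKE SA (phase 1)
#   name{n}:  INSTALLED, TUNNEL ... -> CHILD_SA (phase 2)

# Constructed sample: partner-a has phase 1 and phase 2, partner-b has only phase 1.
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
   partner-a[12]: ESTABLISHED 3 hours ago, 192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]
   partner-a[12]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 2 hours
   partner-a{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1b2c3d4_i d4c3b2a1_o
   partner-a{7}:   10.10.0.0/24 === 10.20.0.0/24
   partner-b[15]: ESTABLISHED 47 minutes ago, 192.0.2.1[192.0.2.1]...203.0.113.9[203.0.113.9]
   partner-b[15]: IKEv1 SPIs: 1111111111111111_i* 2222222222222222_r, rekeying in 7 hours'

# Read status text on stdin; print, one per line and sorted, every conn name
# that has an ESTABLISHED IKE SA but no INSTALLED CHILD_SA.
phase2_missing() {
    awk '
        # "name[n]:" followed by ESTABLISHED -> record the IKE SA
        $2 == "ESTABLISHED" && index($1, "[") > 0 {
            n = substr($1, 1, index($1, "[") - 1); ike[n] = 1
        }
        # "name{n}:" followed by INSTALLED, -> record the CHILD_SA
        $2 == "INSTALLED," && index($1, "{") > 0 {
            n = substr($1, 1, index($1, "{") - 1); child[n] = 1
        }
        END { for (n in ike) if (!(n in child)) print n }
    ' | sort
}

# Stand-alone run against the constructed sample.
# On a live box: ipsec statusall | phase2_missing
printf '%s\n' "$SAMPLE_STATUS" | phase2_missing
```

Run periodically (cron or a monitoring check), a non-empty result is exactly the state the thread is about: phase 1 up, phase 2 gone, and nothing re-initiating it until the service is restarted.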
Title: Re: IPsec phase 2 SAs drop for no apparent reason
Post by: Patrick M. Hausen on October 14, 2021, 01:10:36 PM
Solution here:
https://github.com/opnsense/core/commit/bb9b8820c6a2725730598bd3ee77b11e626b1186

Hopefully in a regular minor update soon.

Kind regards,
Patrick