OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: Lokutos on July 03, 2022, 03:21:17 PM

Title: Slow boot IPSec VTI
Post by: Lokutos on July 03, 2022, 03:21:17 PM
Hi, I have set up 2 IPSec VTI tunnels; since then I have issues with the boot time,

in the console, it stays at the interface log line for around 2 minutes...

The IPsec connections work fast if I restart the service or just stop and start the connection in VPN: IPsec: Status Overview.

Is there any hint?
Title: Re: Slow boot IPSec VTI
Post by: Marin BERNARD on July 20, 2022, 02:37:57 PM
Hi,

We experience the very same issue with several OPNsense instances. IPsec VTI configuration takes several minutes to complete. Did you find a solution to this problem?

Thanks!
Title: Re: Slow boot IPSec VTI
Post by: Lokutos on July 20, 2022, 02:52:10 PM
Sorry, but unfortunately I can't offer or find a solution myself
Title: Re: Slow boot IPSec VTI
Post by: Lokutos on September 28, 2022, 10:09:17 AM
Still exists in 22.7 and can't find a solution ... anyone?
Title: Re: Slow boot IPSec VTI
Post by: Marin BERNARD on September 28, 2022, 10:16:01 AM
Unfortunately, nothing new on my side either. The boot delay has to do with the setup of the VTI interfaces: disabling the IPsec service has no effect as long as the VTI interfaces still exist. Maybe someone should open an issue on the GitHub tracker?
Title: Re: Slow boot IPSec VTI
Post by: Lokutos on September 28, 2022, 10:23:21 AM
If I check my log:

2022-09-28T10:13:26   Error   php   /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'ipsec5' 'inet' tunnel '136.243.195.58' 'fqdn.off.otherfirewall' up' returned exit code '1', the output was 'ifconfig: error in parsing address string: Name does not resolve'   
2022-09-28T10:11:56   Error   php   /usr/local/etc/rc.bootup: Device ipsec5 required for ipsec5, configuring now

So it sounds to me that the issue is that DNS is not working in this state ...

After changing it to an IP (temporary, because it's not a solution for me)
(change the IPsec tunnel setting VPN gateway)
it is booting fast ...
Title: Re: Slow boot IPSec VTI
Post by: Marin BERNARD on September 28, 2022, 10:34:53 AM
Thanks for this!

I suppose this happens because the local DNS daemon (unbound) is not yet available when ipsec interfaces are set up, as services are started later in the boot process.

One option would be to check the "Do not use the local DNS service as a nameserver for this system" check box in the System > Settings > General page, and provide at least one DNS resolver in the fields just above. This would allow the box to use a remote DNS resolver for its own needs, and remove the dependency on the local unbound service.

I'll try to implement this on my side too and report the results.
Title: Re: Slow boot IPSec VTI
Post by: Lokutos on September 28, 2022, 10:38:43 AM
Report is already done...
https://github.com/opnsense/core/issues/6052

"Do not use" possibly solves the issue, but it results for me in wrong resolution of the overrides for local domains...
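
Added example, not part of the thread and not OPNsense code: a small Python check that scans rc.bootup log entries like the two quoted above, flags VTI tunnel endpoints given as hostnames where ifconfig reported "Name does not resolve", and measures the gap between the "configuring now" entry and the failure. The function and field names are assumptions made for this sketch; the sample lines are the ones posted in the thread.

```python
import ipaddress
import re
from datetime import datetime

# Log lines as quoted in the thread (newest first, as posted there).
SAMPLE_LOG = """\
2022-09-28T10:13:26   Error   php   /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'ipsec5' 'inet' tunnel '136.243.195.58' 'fqdn.off.otherfirewall' up' returned exit code '1', the output was 'ifconfig: error in parsing address string: Name does not resolve'
2022-09-28T10:11:56   Error   php   /usr/local/etc/rc.bootup: Device ipsec5 required for ipsec5, configuring now
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)"
START_RE = re.compile(TS + r".*rc\.bootup: Device (?P<dev>\S+) required for [^,]+, configuring now")
FAIL_RE = re.compile(
    TS + r".*rc\.bootup: The command '/sbin/ifconfig '(?P<dev>[^']+)' 'inet' tunnel "
    r"'(?P<local>[^']+)' '(?P<remote>[^']+)' up' returned exit code '(?P<rc>\d+)', "
    r"the output was '(?P<out>.*)'")

def is_ip(value):
    """True if value is a literal IPv4/IPv6 address (needs no DNS lookup)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def find_vti_dns_stalls(log_text):
    """Return one finding per tunnel setup that failed on name resolution."""
    started, findings = {}, []
    # ISO timestamps lead each line, so a plain sort puts the oldest entry first.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        m = START_RE.search(line)
        if m:
            started[m["dev"]] = datetime.fromisoformat(m["ts"])
            continue
        m = FAIL_RE.search(line)
        if not m or "does not resolve" not in m["out"]:
            continue
        hostnames = [e for e in (m["local"], m["remote"]) if not is_ip(e)]
        began = started.get(m["dev"])
        stall = (datetime.fromisoformat(m["ts"]) - began).total_seconds() if began else None
        findings.append({"device": m["dev"], "hostnames": hostnames, "stall_seconds": stall})
    return findings

if __name__ == "__main__":
    for f in find_vti_dns_stalls(SAMPLE_LOG):
        print(f"{f['device']}: hostname endpoint(s) {f['hostnames']}, "
              f"{f['stall_seconds']} s between start and failure")
```

Run against an exported system log, it lists each VTI device whose tunnel endpoint is a hostname that could not be resolved at boot, which is the condition identified in the thread.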