I am running an IPsec site 2 site VPN with several phase 2 tunnels. Tunnel isolation has been enabled in phase 1 settings. All tunnels show up in ipsec.conf file.
This setup has been working flawlessly in OPNsense 22.1.
Unfortunately, since update to OPNsense 22.7 only one tunnel is possible. Once one tunnel (it doesn't matter which one) is being established no further connections can be established.
Any ideas how to fix?
I had similar issues after updating my OPNsense to version 22.7.x a short time ago. Before doing this I switched from LibreSSL to OpenSSL due to the fact that LibreSSL is deprecated (link (https://forum.opnsense.org/index.php?topic=29507.0)). The update went fine after a few attempts. But I didn't notice the issues with multiple isolated Child_SAs per IPsec connection. I started some research beginning with the log error message "unable to install inbound and outbound IPsec SA (SAD) in kernel". Maybe at the other endpoint there will only be a message "no proposal chosen" depending on which endpoint started the negotiation.
The result is that this is an issue with OpenSSL. Switching back to LibreSSL solved this issue. But, due to the discontinuation of LibreSSL, this can only be a short-term solution. The detailed problem is that the key derivation function in OpenSSL 1.1.x does not have enough buffer space to handle modp8192. The key derivation function fails with an error code and the IKE daemon is unable to negotiate additional phase 2s.
I see the following resolutions:
- Switch back from OpenSSL 1.1.x to LibreSSL (only a short-term solution, because it will break again if LibreSSL is dropped in the next major release)
- Reduce the key derivation configuration for all phase 2s from modp8192 to a lower group (e.g. modp4096 should be fine and is still treated as secure by the security community and BSI for the time being (subject to change))
- Switch to OpenSSL 3.0.5 or higher (unfortunately, the OpenSSL 3.x branch is still not available for production FreeBSD). It would be great if somebody could backport the small patch for increasing the buffer size of the HKDF function.
References:
- https://github.com/strongswan/strongswan/issues/1255
- https://github.com/openssl/openssl/commit/20c2876f24d0ccf9581ace08c7882d544d2588ea
- https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_CTX_add1_hkdf_info.html
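To make the buffer argument in the post above concrete, here is an added example (editor's code, not from the thread, OPNsense or strongSwan). IKEv2 derives CHILD_SA keys with prf+ (RFC 7296 section 2.13), and with PFS the seed is g^ir | Ni | Nr (section 2.17), so the whole DH shared secret lands in the prf+/HKDF "info" buffer. The assumptions are marked in the code: a 1024-byte HKDF info limit in OpenSSL 1.1.1 (my reading of the references, verify against your build), 32-byte nonces, HMAC-SHA256 as the PRF, and constructed key, nonce and shared-secret values; the proposal strings and the `pfs_group_from_proposal` helper are illustrative, not an OPNsense API.

```python
"""Why a modp8192 PFS group can break CHILD_SA key derivation on OpenSSL 1.1.x.

Added example, not code from the forum thread, OPNsense or strongSwan.
"""
import hashlib
import hmac
from typing import Optional

# IKEv2 DH group -> size in bytes of the shared secret g^ir
# (RFC 3526 MODP groups, RFC 5903 ECP groups, RFC 8031 curve25519 = group 31).
DH_SECRET_LEN = {
    "modp2048": 256, "modp3072": 384, "modp4096": 512,
    "modp6144": 768, "modp8192": 1024,
    "ecp256": 32, "ecp384": 48, "ecp521": 66,
    "curve25519": 32,
}

# ASSUMPTION: OpenSSL 1.1.1's HKDF caps the info/seed buffer at 1024 bytes,
# so EVP_PKEY_CTX_add1_hkdf_info() fails once the seed is longer than that.
OPENSSL_111_HKDF_MAXBUF = 1024

NONCE_LEN = 32  # assumed nonce size; IKEv2 allows 16..256 bytes


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 prf+ with HMAC-SHA256 as the PRF.
    T1 = prf(K, S | 0x01); Tn = prf(K, T(n-1) | S | n); output = T1 | T2 | ...
    This is the same construction as HKDF-Expand with info = S."""
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ counter exhausted")
        t = hmac.new(key, t + seed + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def child_sa_seed_len(group: str, nonce_len: int = NONCE_LEN) -> int:
    """Length of the prf+ seed for CHILD_SA KEYMAT with PFS:
    g^ir (new) | Ni | Nr (RFC 7296 section 2.17)."""
    return DH_SECRET_LEN[group] + 2 * nonce_len


def pfs_group_from_proposal(esp: str) -> Optional[str]:
    """Pull the DH group out of a strongSwan-style 'esp=' proposal such as
    'aes256-sha256-modp8192!'. Returns None when the proposal has no PFS group."""
    for token in esp.rstrip("!").split("-"):
        if token in DH_SECRET_LEN:
            return token
    return None


def proposal_fits_openssl_111(esp: str) -> bool:
    """True if the CHILD_SA seed for this proposal stays within the assumed limit."""
    group = pfs_group_from_proposal(esp)
    if group is None:
        return True  # no PFS: the seed is only Ni | Nr
    return child_sa_seed_len(group) <= OPENSSL_111_HKDF_MAXBUF


def demo() -> dict:
    """Run the derivation for three proposals with constructed inputs and
    return {proposal: (seed length, fits on OpenSSL 1.1.1, KEYMAT length)}."""
    sk_d = hashlib.sha256(b"constructed SK_d").digest()  # constructed IKE_SA SK_d
    ni = bytes(range(32))                                 # constructed initiator nonce
    nr = bytes(range(32, 64))                             # constructed responder nonce
    results = {}
    for esp in ("aes256-sha256-modp8192!",
                "aes256-sha256-modp4096!",
                "aes256-sha256-curve25519!"):
        group = pfs_group_from_proposal(esp)
        g_ir = b"\x42" * DH_SECRET_LEN[group]             # stand-in for the new shared secret
        seed = g_ir + ni + nr
        # KEYMAT: AES-256 key + HMAC-SHA256 key, for each direction
        keymat = prf_plus(sk_d, seed, 2 * (32 + 32))
        results[esp] = (len(seed), proposal_fits_openssl_111(esp), len(keymat))
    return results


if __name__ == "__main__":
    for esp, (seed_len, fits, keymat_len) in demo().items():
        print(f"{esp:28} seed={seed_len:4d} bytes  "
              f"fits OpenSSL 1.1.1 HKDF={fits}  KEYMAT={keymat_len} bytes")
```

With 32-byte nonces the modp8192 seed is 1024 + 64 = 1088 bytes, over the assumed 1024-byte limit, while modp4096 (576 bytes) and curve25519 (96 bytes) fit comfortably. This matches the thread's observation that the first CHILD_SA (negotiated in IKE_AUTH without a fresh DH exchange) comes up, and only the later PFS rekeys or additional phase 2s fail.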
Nice observation! Thanks for the references.
You are right. VPN logs show the "no proposal chosen" error when using modp8192. Switching to LibreSSL on both endpoints fixed the issue.
I hope OpenSSL will be fixed or upgraded to > 3.0.5 before LibreSSL will be dropped.
Github ticket see here (#6068) (https://github.com/opnsense/core/issues/6068).
https://github.com/opnsense/core/issues/6068#issuecomment-1269576040
A further workaround could be switching to DH group 31 when using the OpenSSL flavor. The prerequisite is that the other endpoint must support this group.
I'll test this with my configuration next week.
I did some more tests. And, as already mentioned, using ECDH with group 31 as the key exchange mechanism can be treated as a partial workaround for DH with modp8192 in combination with the OpenSSL 1.x flavor. So far it looks good.