Hi,
we have two tunnels T1+T2 to another data center, T1 starting early 2022 and works fine.
A new tunnel T2 affects the first, no packets go through T1 once T2 is established in phase-1.
It doesn't matter whether T2-Phase2 is enabled or disabled.
Any suggestions?
Here is our basic configuration:
IPsec T1 all IP's single address /32
| T1 | remote | local | Port |
| -- | ------------ | ------------ | ---------- |
| P1 | 195.3.3.30 | 62.2.2.10 | |
| . | | | |
| P2 | 192.30.30.30 | 10.50.50.100 | Any - 3050 |
IPsec T2 all IP's single address /32
| T2 | remote | local | Port |
| -- | ------------ | ------------ | ---------- |
| P1 | 195.3.3.30 | 62.2.2.20 | |
| . | | | |
| P2 | 192.40.40.40 | 10.50.50.200 | Any - 3306 |
local = OPNsense v.22.7.6
remote = cisco ASA v.?
It looks like you can't have two tunnels running to the same remote gateway.
Solution : We change it to one tunnel and now it works.
IPsec T1 all IP's single address /32
| T1 | remote | local | Port |
| -- | ------------ | ------------ | ---------- |
| P1 | 195.3.3.30 | 62.2.2.10 | |
| . | | | |
| P2 | 192.30.30.30 | 10.50.50.100 | Any - 3050 |
| P2 | 192.40.40.40 | 10.50.50.200 | Any - 3306 |
It depends on how the other end is configured. The "tunnel isolation" option would have likely fixed the original behaviour.
In those cases the other end only accepts one phase 2 per phase 1 and so the second phase 2 will overwrite the first phase 2.
Cheers,
Franco
He tried to run two phase 1 SAs between the same peers if I got that right.
Well, what I got was ASA was configured as
P1 - P2
P1 - P2
And OPNsense was
P1 - P2, P2
Then he changed the ASA to the same configuration and it started working. Tunnel isolation would have fixed this from the OPNsense other end leaving the first ASA configuration as is.
Not too long ago I learned that multiple P2 on a single P1 are meant for situations where all participating networks will see each other by default and P1 isolated P2 will not be able to see each other unless more routing is configured on the box in question. That's why in these misconfigurations the multiple P2 are ignored and the last one is the only one active...
Cheers,
Franco
Hi,
we had switched on the tunnel isolation.
FYI
Before we changed the config from one to two, we tested everything with the support from the asa side.
We checked if all tunnel settings are identical.
asa
- T1 - P1 - P2
- T2 - P1 - P2
opn
- T1 - P1 - P2
- T2 - P1 - P2
The two tunnels came up and both works fine.
It was surprising and I couldn't understand why it worked.
Then after a hour the first tunnel blocks any traffic.
Thats exactly the P2 Lifetime = 3600 seconds.
There may be a problem with rekeying.
We are happy that the tunnels are now stable.
We can't do any further experiments regarding the first configuration .
Thanks for all the help regarding our problem.
PS:
Another piece of information:
The ASA has two options for rekeying in Phase-2.
1. Lifetime in seconds
2. Number of kilobytes of processed data
The setting can be 1 or 2 or both.
When connecting to OPNsense, only option 1 should be active.