After upgrading OPNsense to 23.1, one of four IPsec connections fails after exactly one hour. The IPsec connections to Cisco routers are stable; only the one IPsec connection to a Sonicwall firewall is unstable.
After one hour I see the following in the log files:
charon 38786 - [meta sequenceId="8237"] 01[IKE] <con1|29> received DELETE for IKE_SA con1[29]
charon 38786 - [meta sequenceId="8238"] 01[IKE] <con1|29> deleting IKE_SA con1[29] between 1.2.3.4[opnsense.example.org]...4.3.2.1[sonicwall.example.org]
The connection is gone after that message and does not come back, with or without DPD settings. Manually restarting this connection is successful, and then after one hour the connection is gone again.
Nearly one hour after a connection has gone, I see the following messages:
charon 38786 - [meta sequenceId="8724"] 01[CFG] <30> selected peer config "con1"
charon 38786 - [meta sequenceId="8725"] 01[IKE] <con1|30> IKE_SA con1[30] established between 1.2.3.4[opnsense.example.org]...4.3.2.1[sonicwall.example.org]
[...]
charon 38786 - [meta sequenceId="8746"] 01[ENC] <con1|30> invalid HASH_V1 payload length, decryption failed?
charon 38786 - [meta sequenceId="8747"] 01[ENC] <con1|30> could not decrypt payloads
charon 38786 - [meta sequenceId="8748"] 01[IKE] <con1|30> message parsing failed
But the connection is still not established, and it works immediately after a manual restart.
We compared all lifetime settings. PSK is not changed. This IPsec connection worked for a long time on OPNsense 22.1 and 22.7 without any problems. Problems started with upgrading to OPNsense 23.1.
What has changed in IPsec on OPNsense 23.1 significantly?
Thanks a lot for any suggestions.
I found a solution. After the lifetime of 1 hour ended, the Sonicwall sent "DELETE for IKE_SA". OPNsense responded correctly. With "Close Action" set to "Restart" on OPNsense, the connection was "stable". While restarting, some packets are dropped, but generally the connection was nearly "stable". Judging by the logs, I guess Strongswan is using lifetimes of 4 hours instead of the 1 hour set in the OPNsense GUI. But I cannot prove my suspicion.
Nevertheless, I decided on both sides to change from IKEv1 (historical reasons) to IKEv2 with modern ciphers, PFS (DH group), hashes and a lifetime of 4 hours. So far it seems to be a stable IPsec connection.
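As an added example (not code from this thread, from OPNsense or from strongSwan), the following Python script parses charon log lines like the ones quoted above, groups them per IKE_SA, and measures the observed time between "established" and the peer's "received DELETE". That measurement is the check needed to confirm or rule out the suspicion that the effective lifetime differs from the one set in the GUI, and it also counts the "could not decrypt payloads" failures. It assumes each line carries an ISO timestamp and host in front of the charon fields (the quotes above have that prefix stripped), and the sample log is constructed.

```python
import re
from datetime import datetime

# Constructed sample, not from the post: the charon lines quoted in the thread with an
# assumed ISO-timestamp and host prefix; the times are invented to show a one-hour lifetime.
SAMPLE_LOG = """\
2023-02-10T09:00:00+01:00 fw charon 38786 - [meta sequenceId="8100"] 01[IKE] <con1|29> IKE_SA con1[29] established between 1.2.3.4[opnsense.example.org]...4.3.2.1[sonicwall.example.org]
2023-02-10T10:00:02+01:00 fw charon 38786 - [meta sequenceId="8237"] 01[IKE] <con1|29> received DELETE for IKE_SA con1[29]
2023-02-10T10:58:40+01:00 fw charon 38786 - [meta sequenceId="8725"] 01[IKE] <con1|30> IKE_SA con1[30] established between 1.2.3.4[opnsense.example.org]...4.3.2.1[sonicwall.example.org]
2023-02-10T10:58:41+01:00 fw charon 38786 - [meta sequenceId="8746"] 01[ENC] <con1|30> invalid HASH_V1 payload length, decryption failed?
2023-02-10T10:58:41+01:00 fw charon 38786 - [meta sequenceId="8747"] 01[ENC] <con1|30> could not decrypt payloads
"""

# timestamp, host, "charon <pid> - [meta ...]", thread[group], <conn|sa>, message
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ charon \d+ - \[meta [^\]]*\] '
                     r'\d+\[\w+\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$')


def analyze(log_text):
    """Per IKE_SA: when established, when the peer sent DELETE, observed lifetime, decrypt errors."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemon, or a charon line without a <conn|sa> tag
        rec = sas.setdefault((m['conn'], int(m['sa'])),
                             {'established': None, 'deleted': None, 'lifetime_s': None, 'decrypt_errors': 0})
        ts, msg = datetime.fromisoformat(m['ts']), m['msg']
        if msg.startswith('IKE_SA ') and ' established between ' in msg:
            rec['established'] = ts
        elif msg.startswith('received DELETE for IKE_SA'):
            rec['deleted'] = ts
            if rec['established'] is not None:
                rec['lifetime_s'] = (ts - rec['established']).total_seconds()
        elif 'could not decrypt payloads' in msg or 'decryption failed' in msg:
            rec['decrypt_errors'] += 1
    return sas


def findings(sas, configured_lifetime_s=3600, tolerance_s=300):
    """Flag SAs the peer deleted at about the configured lifetime (expired instead of
    rekeyed, the pattern in the thread) and SAs with decryption failures after establish."""
    out = []
    for key, rec in sas.items():
        life = rec['lifetime_s']
        if life is not None and abs(life - configured_lifetime_s) <= tolerance_s:
            out.append((key, 'peer DELETE after %.0fs, matches configured lifetime' % life))
        if rec['decrypt_errors']:
            out.append((key, '%d decryption failures after establish' % rec['decrypt_errors']))
    return out
```

Run it over the real charon log with the lifetime configured in the GUI as `configured_lifetime_s`: if the peer's DELETE consistently lands at that value, the remote side is expiring the SA rather than rekeying, which is the mismatch the close action "Restart" papers over.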