Are you having a problem getting an IPSec (the new >23.1 style) to connect to a High Availability environment?
I've been hammering away at this for the last hour or so, and this is what solved it for me. It's this little section in the tutorial (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html) I totally skipped over because "of course that's still there" from when I ran IPSec tunnels under the old style IPSec before.
QuoteFirewall Rules Site A & Site B (part 1)
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on sites (under Firewall ‣ Rules ‣ WAN):
- Protocol ESP
- UDP Traffic on Port 500 (ISAKMP)
- UDP Traffic on Port 4500 (NAT-T)
In my case, ever since going to High Availability, I've had to explicitly specify what
CARP Interface IP or an
Alias containing the CARP Interface IPs (for each one of my ISPs) my rules applied to.
This got me thinking
"I'm only accepting IPSec VPN traffic on one IP of each block of IPs from the ISPs. I'll bet I have to put some custom rules in place to accept this."So I created some new rules based on the above that look like this (this is the first one. You can clone it and modify for the other two):
Firewall - Rules - WAN:
- Action: Pass
- Disabled: No
- Quick: Yes
- Interface: WAN
- Direction: In
- TCP/IP Version: IPv4 *Your preference, but I don't use IPv6
- Protocol: ESP
- Source/Invert: No
- Source: acl_remote_sites *An alias that includes my remote sites' IP addresses.
- Destination/Invert: No
- Destination: acl_wan_1st_ips *An alias that includes ISP1's 1st IP, ISP2's 1st IP, etc.
- Destination Port Range: Greyed Out, but on others you'll put in ISAKMP or NAT-T
- Log: No
- Category: [blank]
- Description: IPSec ESP
- No XMLRPC Sync: No
- Schedule: None
- Gateway: GWG_Pri_ISP1_Sec_ISP2_Tert_ISP3 *A Gateway Group I created to decide the order for failover
Save, Rinse, Lather, Repeat for the other two rules. Put them at the top of your WAN rule stack under your block rules and maybe your Allow CARP Traffic rule. This way the rule is processed quickly.
In my case, within 5 minutes of applying these rules, my remote firewalls were connecting to my High Availability cluster. It did take about 5 minutes though.
YMMV, but leave a "thumbs up" or something if this helped you. :-)