The IPsec tunnel doesn't rekey. So after 1 hour the connection gets lost.
The server logs some proposal problem.
2024-04-02T17:58:06 Informational charon 16[CFG] <2de0136f-6cbc-421a-80aa-3729176f844e|421> configured proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-04-02T17:58:06 Informational charon 16[CFG] <2de0136f-6cbc-421a-80aa-3729176f844e|421> received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
The client logs the same.
This is the config.
# This file is automatically generated. Do not edit
connections {
    2de0136f-6cbc-421a-80aa-3729176f844e {
        proposals = aes256gcm16-sha256-modp2048
        unique = no
        aggressive = no
        version = 2
        mobike = no
        local_addrs = my.address.com
        encap = yes
        rekey_time = 600
        dpd_delay = 30
        pools = PoolA
        send_certreq = yes
        keyingtries = 0
        local-fc3a7fbe-732d-4ee4-890b-f725d40125e8 {
            round = 0
            auth = pubkey
            id = my.address.com
            certs = 654269e2e801b.crt
        }
        remote-544f43ac-e76a-4d3a-9db6-57ff389b5b0f {
            round = 0
            auth = eap-radius
            id = ConnectionA
            eap_id = %any
            groups = GroupA
        }
        children {
            cab66875-3b0a-456c-ab01-e5af7fd9a621 {
                esp_proposals = aes256gcm16-sha256-modp2048
                sha256_96 = no
                start_action = trap|start
                close_action = trap
                dpd_action = clear
                mode = tunnel
                policies = yes
                local_ts = 192.168.10.0/24,192.168.100.0/24,192.168.50.0/24
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child cab66875-3b0a-456c-ab01-e5af7fd9a621
            }
        }
    }
}
pools {
    PoolA {
        addrs = 10.30.150.0/24
        dns = 192.168.10.1
    }
}
secrets {
}
# Include config snippets
include conf.d/*.conf
I have tried different child proposals. But I couldn't find a right one. In my opinion there is a match with AES_GCM_16_256.
Any ideas?
I have it! I'm using Ubuntu as a client. The Network-Manager addon doesn't use Perfect Forward Secrecy (PFS) by default. This means no DH group has to be configured in the server-side proposal settings. This was the reason for the proposal mismatching.
So I can either use the "insecure" aes256-sha256 proposal on the server in the child or define a proposal on the client side. On Ubuntu it is a little bit hidden: at the bottom of the Identity tab, click on Algorithms.
PFS description on the strongSwan website: https://docs.strongswan.org/docs/5.9/config/rekeying.html
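As an added illustration of why the tunnel comes up but the rekey fails (this is not part of the post, nor strongSwan's own code): the script below parses the two charon "proposals" lines quoted above into IKEv2 transform types and compares them twice, once the way IKE_AUTH does (the CHILD_SA keys come from the IKE_SA's DH exchange, so the ESP DH group is not negotiated) and once the way a CREATE_CHILD_SA rekey does (every transform type, DH included, must agree). The sample lines are constructed from the post's log; the transform classification is a simplified approximation of strongSwan's proposal matching.

```python
import re

# Constructed sample lines modelled on the charon CFG log quoted in the post.
CONFIGURED = "configured proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ"
RECEIVED = ("received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, "
            "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ")


def transform_type(alg):
    """Classify a strongSwan algorithm token into its IKEv2 transform type (simplified)."""
    if re.match(r"^(MODP_|ECP_|CURVE_)", alg):
        return "DH"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    if re.match(r"^(HMAC_|AES_XCBC|AES_CMAC)", alg):
        return "INTEG"
    return "ENCR"  # AES_GCM_*, AES_CBC_*, CHACHA20_POLY1305, ...


def parse_proposals(line):
    """Turn '... proposals: ESP:A/B/C, ESP:D/E' into [(proto, {type: {algs}}), ...]."""
    _, _, body = line.partition("proposals: ")
    result = []
    for prop in body.split(", "):
        proto, _, algs = prop.partition(":")
        by_type = {}
        for alg in algs.split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        result.append((proto, by_type))
    return result


def proposals_match(cfg, rcv, ignore_dh=False):
    """Each transform type present on either side needs a common algorithm.
    ignore_dh models IKE_AUTH, where the ESP DH group is not negotiated."""
    if cfg[0] != rcv[0]:
        return False
    for t in set(cfg[1]) | set(rcv[1]):
        if ignore_dh and t == "DH":
            continue
        if not (cfg[1].get(t, set()) & rcv[1].get(t, set())):
            return False
    return True


def diagnose(configured_line, received_line):
    """Report whether the initial CHILD_SA and a later rekey would find a match."""
    cfg, rcv = parse_proposals(configured_line), parse_proposals(received_line)
    return {
        "initial": any(proposals_match(c, r, ignore_dh=True) for c in cfg for r in rcv),
        "rekey": any(proposals_match(c, r) for c in cfg for r in rcv),
        "peer_sends_dh": any("DH" in r[1] for r in rcv),
    }
```

Running `diagnose(CONFIGURED, RECEIVED)` reports `initial` True and `rekey` False with `peer_sends_dh` False, i.e. the client never offers a DH group while the server's child requires modp2048, which is exactly the PFS mismatch the post describes.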