OPNsense Forum

English Forums => Virtual private networks => Topic started by: kumba on July 03, 2025, 08:38:38 PM

Title: IPSec site to site seems to lose/break connection after some time
Post by: kumba on July 03, 2025, 08:38:38 PM
I've got a site-to-site IPsec VPN set up between two routers with static IPs. Site A is a BGP router with a single static IP. Site B has two cable modems with static IPs. The VPN is set up to use any of the static IPs on Site B to connect with. I have MOBIKE enabled, which from what I can tell should help in multi-homed situations. I can manually connect the sites and things work great, but at some point the link will go down and not re-establish.

Time-wise, the link might stay up for 3 hours or it might stay up for 20 hours. I've yet to see it stay up for a day or longer. I am doing some hefty file transfers over the link, but I wouldn't expect this to be a problem since the CPU load on both routers is just fine.

Any guidance on where I should look to try and see why the connection keeps breaking? Or is there a way I can tell it to keep trying to re-establish the link if it goes down?

Title: Re: IPSec site to site seems to lose/break connection after some time
Post by: kumba on July 05, 2025, 08:09:37 AM
So I've narrowed down the problem.

On Site A with the BGP router, it's originating the IPsec from the BGP peer side instead of the routed IP block. I assume this is a misconfiguration somewhere on my side. Is there a way to get the router to originate the IPsec connection from the routed IP block instead of the BGP peer IPs?

Title: Re: IPSec site to site seems to lose/break connection after some time
Post by: Patrick M. Hausen on July 05, 2025, 05:57:35 PM
That depends entirely on the feature set of the mentioned router. Check its documentation or consult vendor support or the $router community forum. There is no standard way that is the same for all products to do something like this.

Title: Re: IPSec site to site seems to lose/break connection after some time
Post by: kumba on July 06, 2025, 06:25:04 AM
All routers involved except the upstream ISP side are OPNsense boxes running 25.1.10. I believe this forum is the correct community to be asking these questions.

Here's how the network is laid out:
BGP1 = 1.2.3.4/28
BGP2 = 2.3.4.5/28
IPBlock = 4.3.2.1/24

The issue I am having is that when charon/strongSwan goes to send packets to the remote OPNsense router, it's picking the BGP peer IPs instead of the routed IP block to initiate the connection. I can initiate the VPN from the remote side and it will establish and stay up for an hour or so. Eventually OPNsense goes to re-key (or whatever it does) and tries to use the BGP IPs to initiate the traffic instead of my IP block.

One other thing of note is that 4.3.2.1 is a CARP IP, with the static IP being 4.3.2.2.

I think what I need help with is making traffic initiated by OPNSense itself originate from 4.3.2.1 and not 1.2.3.4 or 2.3.4.5.
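The symptom described in this thread (charon sending IKE packets from the BGP peer IPs rather than from the routed block) shows up directly in charon's NET log lines, which record the local source address of every packet it sends. The script below is an added example for this thread, not code from any poster, from OPNsense or from strongSwan: it scans charon log lines, flags every outbound IKE packet whose source address falls outside the networks the tunnel is supposed to originate from, and lists the IKE_SAs that logged a MOBIKE address update, so the moment the source flips can be matched against a re-key or path change. The log lines are constructed to mimic charon's format (the SA name `siteB`, the remote address 198.51.100.10 and the allowed network 4.3.2.0/24 are assumptions for the example, not values from the thread beyond the 4.3.2.x block it names).

```python
"""Report which local address charon is using for outbound IKE traffic.

Added example for the thread above; not part of any post, OPNsense or strongSwan.
"""
import ipaddress
import re
from collections import Counter

# Constructed log excerpt shaped like charon's IKE/NET lines (not a real capture).
# The first exchange leaves from the routed block; after the MOBIKE update the
# retransmits leave from the two BGP peer addresses, which is the thread's symptom.
SAMPLE_LOG = """\
Jul 05 06:10:01 fw1 charon[2211]: 05[IKE] <siteB|3> initiating IKE_SA siteB[3] to 198.51.100.10
Jul 05 06:10:01 fw1 charon[2211]: 05[NET] <siteB|3> sending packet: from 4.3.2.1[500] to 198.51.100.10[500] (464 bytes)
Jul 05 06:10:01 fw1 charon[2211]: 07[NET] <siteB|3> received packet: from 198.51.100.10[500] to 4.3.2.1[500] (472 bytes)
Jul 05 07:12:44 fw1 charon[2211]: 09[IKE] <siteB|3> sending address list update using MOBIKE
Jul 05 07:12:44 fw1 charon[2211]: 09[NET] <siteB|3> sending packet: from 1.2.3.4[4500] to 198.51.100.10[4500] (96 bytes)
Jul 05 07:12:48 fw1 charon[2211]: 11[IKE] <siteB|3> retransmit 1 of request with message ID 5
Jul 05 07:12:48 fw1 charon[2211]: 11[NET] <siteB|3> sending packet: from 2.3.4.5[4500] to 198.51.100.10[4500] (96 bytes)
"""

# Networks the tunnel is expected to originate from: the routed block from the
# thread, which contains the CARP VIP 4.3.2.1. Assumed /24 for the example.
ALLOWED_LOCAL = [ipaddress.ip_network("4.3.2.0/24")]

# Matches charon's "sending packet" NET lines and captures the endpoints.
SEND_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ charon\[\d+\]: "
    r"\d+\[NET\] <(?P<sa>[^>]+)> sending packet: "
    r"from (?P<src>[^\[]+)\[(?P<sport>\d+)\] to (?P<dst>[^\[]+)\[(?P<dport>\d+)\]"
)
# Matches IKE lines that mention a MOBIKE address/path event.
MOBIKE_RE = re.compile(r"\[IKE\] <(?P<sa>[^>]+)> .*MOBIKE")


def parse_sent_packets(log_text):
    """Yield one dict per outbound IKE packet recorded in the log."""
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            yield {"ts": m["ts"], "sa": m["sa"], "src": m["src"],
                   "sport": int(m["sport"]), "dst": m["dst"]}


def find_unexpected_sources(log_text, allowed_networks):
    """Return outbound packets whose local source IP is outside every allowed network."""
    flagged = []
    for pkt in parse_sent_packets(log_text):
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in net for net in allowed_networks):
            flagged.append(pkt)
    return flagged


def source_summary(log_text):
    """Count outbound IKE packets per local source address."""
    return Counter(pkt["src"] for pkt in parse_sent_packets(log_text))


def mobike_address_updates(log_text):
    """Return the names of IKE_SAs that logged a MOBIKE address/path event."""
    return sorted({m["sa"] for m in map(MOBIKE_RE.search, log_text.splitlines()) if m})


if __name__ == "__main__":
    print("outbound packets per source address:", dict(source_summary(SAMPLE_LOG)))
    print("IKE_SAs with MOBIKE address updates:", mobike_address_updates(SAMPLE_LOG))
    for pkt in find_unexpected_sources(SAMPLE_LOG, ALLOWED_LOCAL):
        print(f"{pkt['ts']} {pkt['sa']}: sent from {pkt['src']}[{pkt['sport']}] "
              f"to {pkt['dst']} (outside the allowed local networks)")
```

Run against a real charon log (for example the IPsec log exported from the firewall) instead of `SAMPLE_LOG`, the first flagged line tells you when the local address changed and whether a MOBIKE update or a re-key preceded it. On the strongSwan side, the `local_addrs` setting of a swanctl.conf connection is what pins the address charon initiates from; whichever address you pin, the check above confirms that charon actually honours it after a re-key.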