OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Beleggrodion on March 13, 2019, 11:08:28 am

Title: IPSEC Tunnel not working anymore
Post by: Beleggrodion on March 13, 2019, 11:08:28 am
We had the problem that since our firewall updated to 19.1.4 our IPsec tunnels don't work anymore as expected. We see on the GUI that all tunnels are up, and on both sites we see status up on both phases. But we don't see any traffic through the tunnel. I can ping from my host on site A to the firewall or the server of site B and I don't see any traffic on site B; I only see with tcpdump my ping request on the firewall of site A, but nothing more. We also rebooted the firewall, but no effect.

Edit:
Site B is still on version 19.1.2, and when I ping from site B to site A I see in tcpdump on interface enc0 the ping request on site A and site B. When I do a ping from site A, I don't see this ping on enc0. Only on the LAN interface, and then it goes to nowhere.
Title: Re: IPSEC Tunnel not working anymore
Post by: airdatec on March 13, 2019, 12:56:51 pm
Same here since 19.1.4.
Title: Re: IPSEC Tunnel not working anymore
Post by: franco on March 13, 2019, 01:32:24 pm
Try reverting https://github.com/opnsense/core/commit/8490bc70ab

# opnsense-patch 8490bc70ab


Cheers,
Franco
Title: Re: IPSEC Tunnel not working anymore
Post by: ccesario on March 13, 2019, 04:11:36 pm
I'm getting the same problem with the 19.1.3 and 19.1.4 versions... I needed to go back to 19.1.2 ... because my env was in production mode and I did not have time to investigate.

Regards
Carlos
Title: Re: IPSEC Tunnel not working anymore
Post by: ivoruetsche on March 13, 2019, 04:13:25 pm
Yes, same on our side; we went back to 19.1.2 and have to request a maintenance window to try the patch.

ivo
Title: Re: IPSEC Tunnel not working anymore
Post by: airdatec on March 13, 2019, 04:56:49 pm
How did you go back to 19.1.2? With a reinstall, or is there an option to go back without a new installation?
Title: Re: IPSEC Tunnel not working anymore
Post by: ivoruetsche on March 13, 2019, 05:02:59 pm

In the console:

opnsense-revert -r 19.1.2 opnsense
Title: Re: IPSEC Tunnel not working anymore
Post by: franco on March 13, 2019, 05:11:03 pm
Please try the patch revert instead of going back to older versions -- otherwise we'll not have enough data to work on.


Cheers,
Franco
Title: Re: IPSEC Tunnel not working anymore
Post by: ivoruetsche on March 13, 2019, 07:54:06 pm
Hi Franco

It looks fine after applying the patch:

- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot

Many thanks and have a nice evening.

Regards, ivo
Title: Re: IPSEC Tunnel not working anymore
Post by: franco on March 14, 2019, 08:15:09 am
Hi Ivo,

Thanks for confirming. Is there an OPNsense < 19.1.4 or pfSense on the other end?


Cheers,
Franco
Title: Re: IPSEC Tunnel not working anymore
Post by: ivoruetsche on March 14, 2019, 08:49:42 am

Hi Franco

For sure, we only use OPNsense :-)

Without the patch in the main office, we had different versions in place, between 19.1.2 and 19.1.4, and we couldn't connect to any side.

Maybe this is interesting: we patched only the FW in the main office (19.1.4 + patch) and it runs fine with the unpatched 19.1.4 boxes and the 19.1.2 to .3 boxes in the branch offices.

Regards, ivo
Title: Re: IPSEC Tunnel not working anymore
Post by: schnipp on March 14, 2019, 09:55:17 pm
I have updated from 19.1.2 to 19.1.4 and my IPSec connections (1 x site2site, 2 x mobile) still work fine without installing the patch. Is the latter only needed in case of using VTI?

Title: Re: IPSEC Tunnel not working anymore
Post by: airdatec on March 16, 2019, 12:29:11 pm
Patch works fine
Title: Re: IPSEC Tunnel not working anymore
Post by: karaman on March 18, 2019, 09:40:09 am
Same problem. Patch works fine.
Title: Re: IPSEC Tunnel not working anymore
Post by: franco on March 18, 2019, 04:37:47 pm
Since the patch is just a feature removal, the question now is: everyone who needs to revert the feature, what is your special setup quirk here? Need details please....


Cheers,
Franco
Title: Re: IPSEC Tunnel not working anymore
Post by: jaylow on March 19, 2019, 09:48:30 am
Hi all,

We had the same issue here. We have 22 site-to-site IPsec tunnels running, three of them IKEv2.
All remote peers are different kinds of firewalls (Cisco ASA, Lancom, Checkpoint), but no OPNsense.

After upgrading to 19.1.4 some tunnels worked fine, some didn't. It didn't make any difference if it was IKEv1 or IKEv2.

As far as we can tell, all non-working tunnels contain single-host configurations in the phase 2 entries. But I am not sure about that, because we weren't able to test all connections.

After applying the patch (= removal of VTI) everything was fine, thanks for that!


Cheers

Josef

Title: Re: IPSEC Tunnel not working anymore
Post by: siegfried on March 20, 2019, 03:52:07 pm
Hi all,
Same problem here. Since 19.1.4, a tunnel to a Fortigate cluster (2x Fortigate 200E) doesn't work anymore. SAs are created, the counters for incoming traffic are >0, but no outgoing traffic to the Fortigate box.

I'll try the patch later this evening.
Edit: Fortigate Firmware version: 5.6.3
Title: Re: IPSEC Tunnel not working anymore
Post by: KittD on March 20, 2019, 08:35:37 pm
Updated a bunch of routers last night from 19.1.2 to 19.1.4 and a few of them had VPN issues this morning. Reverted the patch on one of them, rebooted, and no issues right now.
Title: Re: IPSEC Tunnel not working anymore
Post by: franco on March 20, 2019, 09:24:27 pm
Appreciate the info. We removed the explicit reqid setting from non-VTI configurations and that should be it for 19.1.5.


Cheers,
Franco
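The post above says the 19.1.5 fix drops the explicit reqid from non-VTI (policy-based) connections. The following is an added example, not code from this thread or from OPNsense, for checking a generated strongSwan ipsec.conf for exactly that: conns that are still policy-based but carry a reqid. It assumes the 19.1 config path /usr/local/etc/ipsec.conf and that a VTI conn is the one whose section has 'installpolicy = no' (the if_ipsec(4) interface owns the policy); both are labelled assumptions, and the embedded sample config is constructed, not a real file.

```python
"""Flag explicit reqid on policy-based (non-VTI) strongSwan conns.

Added example, not OPNsense code. Assumptions (hypothetical):
- OPNsense 19.1 writes the generated config to /usr/local/etc/ipsec.conf;
- a VTI conn is recognised by 'installpolicy = no'; everything else is
  treated as a classic policy-based tunnel.
"""
import re
import sys

# Constructed sample in the shape of a generated ipsec.conf; not a real file.
SAMPLE_CONF = """\
config setup
  uniqueids = yes

conn bypasslan
  leftsubnet = 192.168.1.0/24
  rightsubnet = 192.168.1.0/24
  authby = never
  type = passthrough
  auto = route

conn con1
  keyexchange = ikev2
  left = 198.51.100.1
  right = 203.0.113.1
  auto = start
  installpolicy = yes
  reqid = 1

conn con1-000
  also = con1
  leftsubnet = 10.1.0.0/24
  rightsubnet = 10.2.0.5/32
  reqid = 1

conn con2
  keyexchange = ikev2
  left = 198.51.100.1
  right = 192.0.2.9
  auto = route
  installpolicy = no
  reqid = 2
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section (keys lower-cased)."""
    conns = {}
    current = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if line[0] not in " \t":                # another top-level section, e.g. 'config setup'
            current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            conns[current][m.group(1).lower()] = m.group(2)
    return conns


def resolve(conns, name):
    """Merge 'also = parent' chains; the child's own settings win."""
    merged = {}
    seen = set()
    while name and name not in seen and name in conns:
        seen.add(name)
        section = conns[name]
        for k, v in section.items():
            merged.setdefault(k, v)
        name = section.get("also")
    return merged


def is_vti(conn):
    # ASSUMPTION: VTI conns leave policy installation to if_ipsec(4).
    return conn.get("installpolicy", "yes").lower() == "no"


def find_reqid_on_policy_based(text):
    """Names of policy-based conns that still carry an explicit reqid."""
    conns = parse_conns(text)
    return [n for n in conns
            if "reqid" in resolve(conns, n) and not is_vti(resolve(conns, n))]


if __name__ == "__main__":
    # Usage: python check_reqid.py /usr/local/etc/ipsec.conf  (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name in find_reqid_on_policy_based(text):
        print(f"{name}: explicit reqid on a policy-based conn")
```

Run against the sample it reports con1 and its child con1-000 (which inherits installpolicy = yes through 'also') and stays silent on con2, the VTI-style conn. A box on 19.1.5 should produce no output for policy-based tunnels.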
Title: Re: IPSEC Tunnel not working anymore
Post by: siegfried on March 21, 2019, 07:46:37 am
Morning!
Patch solved the issue. Thanks!
Title: Re: IPSEC Tunnel not working anymore
Post by: emmitt on March 25, 2019, 06:44:30 pm
Hi,

Is it useful to wait for 19.1.5?

If not, how can I download and install the patch?

Thanks!
Title: Re: IPSEC Tunnel not working anymore
Post by: glasi on March 30, 2019, 05:07:38 pm
Hi all,

I have the same issue here with a site-2-site IPSec tunnel. OPNsense does not build up the IPsec tunnel.

In my setup I can pin down the problem to the connection method in the tunnel settings. OPNsense fails to establish the IPsec tunnel when 'Start immediate' is selected as connection method.

As soon as I select 'Start on traffic' as connection method, everything works fine.

Can anybody reproduce this issue with his/her own setup?