OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: mircsicz on April 04, 2019, 12:34:41 pm

Title: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 04, 2019, 12:34:41 pm
Hi hi,

I've got two APU-based OPNsenses which are connected using IPsec

(https://snag.gy/sRlZ0p.jpg)

After I've added MultiWAN with a failover config on location#1:
(https://snag.gy/rXO7Rl.jpg)

I modified the firewall rules like so:
(https://snag.gy/9ECHUN.jpg)

But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 and "DS net" is 10.10.5.0/24

Hope one of you spots my failure...
Title: Re: ipsec routing problem after adding failover WAN
Post by: mimugmail on April 04, 2019, 02:14:04 pm
Check in the IPsec tunnel whether "Install Policy" is ticked. There was an error introduced in 19.1.4 only affecting newly installed tunnels.
Title: Re: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 04, 2019, 02:39:56 pm
@mimugmail: THX for your reply, but both of the systems have been running since 16/17 and both of the tunnels have been there for a while... But I checked anyway and the tunnels have it checked on both sides of the connection.
Title: Re: ipsec routing problem after adding failover WAN
Post by: mimugmail on April 04, 2019, 02:57:38 pm
So, the IPsec connection is established, CS net can reach DS net but not vice versa, correct?
Rules look fine. A tcpdump on interface enc0 via the console would help.
Title: Re: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 04, 2019, 03:46:28 pm
Yes, the tunnels are established, and sorry for not stating that clearly in my intro!

I can't connect from 10.10.2.x to 10.10.23.2 (for example) but I can connect from 10.10.23.x to 10.10.2.2

I already created dumps on the OPNsense at location #1, one from interface CS, the other from IPsec... All I tried to do was open an SSH connection behind the IPsec...
Title: Re: ipsec routing problem after adding failover WAN
Post by: mimugmail on April 04, 2019, 03:57:14 pm
Then it's blocked on the other side in the incoming direction, I'd guess.
Title: Re: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 04, 2019, 04:00:07 pm
Quote from: mimugmail on April 04, 2019, 03:57:14 pm
Then it's blocked on the other side in incoming direction I'd guess

Definitely not, as it worked before changing the WAN setup at location #1 ;-)

As a picture based approval:
(https://snag.gy/rqR2zy.jpg)

Firewall log on location #1:
(https://snag.gy/TFx54U.jpg)

Firewall log on location #2:
(https://snag.gy/wdvQrD.jpg)
Title: Re: ipsec routing problem after adding failover WAN
Post by: va176thunderbolt on April 05, 2019, 09:18:39 am
I am experiencing a similar issue. I have noticed dropped ESP packets from the IPsec peer on the interface not configured for IPsec. If I remove the secondary WAN interface, the tunnel passes traffic. The odd thing is, both sides report the tunnel as up.

May be related, but I haven't had time to dig deeper.
Title: Re: ipsec routing problem after adding failover WAN
Post by: Ralf Kirmis on April 05, 2019, 11:53:16 am
I had a similar problem.
You can try it out with a rule on the WAN interface for ESP any/any, to see if that is better.
Then you can change the rule so that ESP is only allowed to both WAN IPs.

regards,
Ralf
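The two diagnostics suggested so far, a tcpdump on enc0 (mimugmail) and looking at which WAN interface the peer's ESP actually lands on (va176thunderbolt, and the reason behind Ralf's ESP rule), can be turned into a small check. The script below is an added example and is not from the thread or from OPNsense; it reads per-interface tcpdump captures and reports peer ESP arriving on an interface the tunnel is not bound to, and inner traffic on enc0 that only flows one way. The addresses, interface names ("wan" as the IPsec-bound interface, "opt1" as the failover WAN) and capture lines are constructed, and the tcpdump line shapes are approximated.

```python
"""Summarise per-interface tcpdump captures from an OPNsense box to check two
symptoms from the thread: peer ESP arriving on a WAN interface the tunnel is
not bound to, and decrypted traffic on enc0 flowing in only one direction.
All addresses, interface names and capture lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): RFC 5737 documentation addresses for the
# public sides, "wan" as the interface the IPsec phase 1 is bound to and
# "opt1" as the failover WAN.
PEER_WAN = "203.0.113.20"   # assumed public address of the location #2 peer
IPSEC_IF = "wan"            # assumed interface the tunnel is bound to
CS_NET = ipaddress.ip_network("10.10.2.0/24")   # "CS net" from the thread
DS_NET = ipaddress.ip_network("10.10.5.0/24")   # "DS net" from the thread

# tcpdump -n prints ESP as "IP a > b: ESP(spi=0x...,seq=0x...)"; on enc0 the
# decrypted inner packet follows "SPI 0x...:". Line shapes are approximated.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+)")
ENC_RE = re.compile(r"SPI 0x[0-9a-f]+: IP (\S+) > (\S+):")

# Constructed captures, one list per "tcpdump -ni <interface>" run.
CAPTURES = {
    "wan": [
        "12:00:01.000001 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
        "12:00:02.000001 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 132",
    ],
    "opt1": [
        "12:00:01.000003 IP 203.0.113.20 > 192.0.2.10: ESP(spi=0xc0ffee01,seq=0x1), length 132",
        "12:00:02.000003 IP 203.0.113.20 > 192.0.2.10: ESP(spi=0xc0ffee01,seq=0x2), length 132",
    ],
    "enc0": [
        "12:00:01.000000 (authentic,confidential): SPI 0x0a1b2c3d: IP 10.10.2.10.51234 > 10.10.5.2.22: Flags [S], seq 1, win 65535, length 0",
        "12:00:02.000000 (authentic,confidential): SPI 0x0a1b2c3d: IP 10.10.2.10.51234 > 10.10.5.2.22: Flags [S], seq 1, win 65535, length 0",
    ],
}


def host_of(token):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP; drop the port if present."""
    parts = token.split(".")
    return ".".join(parts[:4])


def esp_packets(lines):
    """Return (src, dst, spi) for every ESP line in one capture."""
    out = []
    for line in lines:
        m = ESP_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def esp_by_interface(captures):
    """Count ESP packets sent by the peer, per physical capture interface."""
    return {iface: sum(1 for src, _, _ in esp_packets(lines) if src == PEER_WAN)
            for iface, lines in captures.items() if iface != "enc0"}


def misrouted_esp(captures, ipsec_if=IPSEC_IF):
    """Interfaces other than the tunnel's bound one that still receive peer ESP."""
    return sorted(i for i, n in esp_by_interface(captures).items()
                  if n and i != ipsec_if)


def enc0_directions(lines):
    """Count decrypted inner packets per direction (CS->DS, DS->CS) on enc0."""
    counts = Counter()
    for line in lines:
        m = ENC_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(host_of(m.group(1)))
        dst = ipaddress.ip_address(host_of(m.group(2)))
        if src in CS_NET and dst in DS_NET:
            counts["CS->DS"] += 1
        elif src in DS_NET and dst in CS_NET:
            counts["DS->CS"] += 1
    return dict(counts)


def one_way_only(lines):
    """Directions that never appear on enc0; a healthy tunnel shows both."""
    seen = enc0_directions(lines)
    return [d for d in ("CS->DS", "DS->CS") if seen.get(d, 0) == 0]


def report(captures, ipsec_if=IPSEC_IF):
    """Findings as printable lines; returned so they can be checked or logged."""
    lines = []
    for iface, n in esp_by_interface(captures).items():
        lines.append(f"{iface}: {n} ESP packet(s) from peer {PEER_WAN}")
    for iface in misrouted_esp(captures, ipsec_if):
        lines.append(f"WARNING: peer ESP arrives on {iface}, but the tunnel is bound to {ipsec_if}")
    for direction in one_way_only(captures["enc0"]):
        lines.append(f"WARNING: no {direction} packets seen on enc0")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CAPTURES)))
```

With the constructed captures the report flags peer ESP on opt1 while the tunnel is bound to wan, and SYNs from CS net leaving via enc0 with nothing coming back, which is the one-directional picture described in the thread. On a real box, feed it the output of separate `tcpdump -ni <interface>` runs per interface, since FreeBSD's tcpdump has no "any" interface.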
Title: Re: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 05, 2019, 01:09:15 pm
@va176thunderbolt For me this is not a similar issue, as I can connect from one side of the tunnel but not from the other side. Probably just my fault in the firewall settings...

Title: Re: ipsec routing problem after adding failover WAN
Post by: Ralf Kirmis on April 05, 2019, 01:14:11 pm
Have you tried the rule allowing ESP packets from any?

Since a ping from loc1 to loc2 is in the outgoing direction, and from loc2 to loc1 in the incoming direction.
Title: Re: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 05, 2019, 02:53:47 pm
@ralf.kirmis

THX for the hint, just tried it but no change so far:
(https://snag.gy/B5AzKP.jpg)
Title: Re: ipsec routing problem after adding failover WAN
Post by: Ralf Kirmis on April 05, 2019, 07:11:02 pm
Does the live log from the firewall display denied packets?
Title: Re: ipsec routing problem after adding failover WAN
Post by: mircsicz on April 05, 2019, 08:29:44 pm
@ralf.kirmis No, as shown in the above screenshot ;-)

Had a call with Jos; installing two patches solved the issue:

Code:
sudo opnsense-patch 7835e9c 198887ed

So I'll be skipping 19.1.5 or wait for the hotfix Franco has in the making ...  8)

EDIT: seems to be already out:
Code:
[13/38] Fetching opnsense-19.1.5_1.txz: 100%    4 MiB   2.2MB/s    00:02