OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: cardins2u on July 18, 2019, 03:00:08 am

Title: IPSec - Issues
Post by: cardins2u on July 18, 2019, 03:00:08 am
The upgrade to 19.7 went smoothly. Everything looks good so far. It's functional as is.

The only issue I see is: after a reboot the IPsec services show as green, but there is no ping and no connections. No SMB connections to the server across the IPsec tunnel.



Here's how I've fixed it after every OPNsense reboot for the last 10 reboots:

Every reboot, the IPsec connection doesn't come up. You have to go to

VPN > IPSec > Tunnel Settings > select one of the tunnel, click save > apply changes

then the tunnel works again. I can access SMB on the other side again. This is with no changes. Just save and apply, and IPsec works again.

Can anyone reproduce this?
Title: Re: IPSec - Issues
Post by: mimugmail on July 18, 2019, 05:59:58 am
Maybe the other side doesn't know the old session was brought down.
Title: Re: IPSec - Issues
Post by: cardins2u on July 18, 2019, 06:45:38 am
Doesn't make sense. On the other side nothing changed. I reverted back to an old snapshot of the OPNsense virtual machine. It worked magically. Restarted OPNsense and the IPsec connection comes up without doing anything. Did it a couple of times.

Started the upgrade again. Back on 19.7 and it behaves weird again.
Title: Re: IPSec - Issues
Post by: mimugmail on July 18, 2019, 07:17:43 am
I can reproduce, opened a ticket:
https://github.com/opnsense/core/issues/3582
Title: Re: IPSec - Issues
Post by: franco on July 18, 2019, 07:49:08 am
Check your config history for clues in the config.xml. This makes no sense, because the IPsec code in 19.1.10 is the same as in 19.7.


Cheers,
Franco
Title: Re: IPSec - Issues
Post by: cardins2u on July 19, 2019, 05:49:55 am
I'm so stumped.
Here's the log.

Logs right after reboot:
##############################################


Jul 18 20:46:12   charon: 07[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:12   charon: 07[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:12   charon: 07[ENC] <con1|3> parsed CREATE_CHILD_SA response 4 [ N(NO_PROP) ]
Jul 18 20:46:12   charon: 07[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:11   charon: 07[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:11   charon: 07[ENC] <con1|3> generating CREATE_CHILD_SA request 4 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:11   charon: 07[IKE] <con1|3> establishing CHILD_SA con1{14} reqid 1
Jul 18 20:46:11   charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:10   charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:10   charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:10   charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:10   charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:10   charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:10   charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:10   charon: 09[IKE] <con2|4> establishing CHILD_SA con2{13} reqid 2
Jul 18 20:46:10   charon: 07[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:09   charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09   charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09   charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
Jul 18 20:46:09   charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:09   charon: 11[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:09   charon: 11[ENC] <con1|3> generating CREATE_CHILD_SA request 3 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:09   charon: 11[IKE] <con1|3> establishing CHILD_SA con1{12} reqid 1
Jul 18 20:46:09   charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:09   charon: 09[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:09   charon: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09   charon: 09[ENC] <con2|4> parsed CREATE_CHILD_SA response 1 [ N(NO_PROP) ]
Jul 18 20:46:09   charon: 09[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:08   charon: 09[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:08   charon: 09[ENC] <con2|4> generating CREATE_CHILD_SA request 1 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:08   charon: 09[IKE] <con2|4> establishing CHILD_SA con2{11} reqid 2
Jul 18 20:46:08   charon: 09[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:06   charon: 09[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:06   charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:06   charon: 09[ENC] <con1|3> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jul 18 20:46:06   charon: 09[NET] <con1|3> received packet: from 24.18.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:06   charon: 09[NET] <con1|3> sending packet: from 96.XXX.XXX.XXX[4500] to 24.18.XXX.XXX[4500] (364 bytes)
Jul 18 20:46:06   charon: 09[ENC] <con1|3> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:06   charon: 09[IKE] <con1|3> establishing CHILD_SA con1{10} reqid 1
Jul 18 20:46:06   charon: 11[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === 24.18.XXX.XXX/32 with reqid {1}
Jul 18 20:46:05   charon: 11[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:05   charon: 11[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:05   charon: 11[ENC] <con2|4> parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Jul 18 20:46:05   charon: 11[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to 96.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:46:05   charon: 11[NET] <con2|4> sending packet: from 96.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (348 bytes)
Jul 18 20:46:05   charon: 11[ENC] <con2|4> generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:46:05   charon: 11[IKE] <con2|4> establishing CHILD_SA con2{9} reqid 2
Jul 18 20:46:05   charon: 08[KNL] creating acquire job for policy 96.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {2}
Jul 18 20:46:05   charon: 08[IKE] <con2|2> IKE_SA deleted
Jul 18 20:46:05   charon: 08[ENC] <con2|2> parsed INFORMATIONAL response 3 [ ]



##############################################


Logs after clicking Save (VPN > IPsec > Tunnel Settings):
ABSOLUTELY NO CHANGES AT ALL. JUST CLICK SAVE and it works.
##############################################


Jul 18 20:47:45   charon: 10[IKE] <con2|4> CHILD_SA con2{143} established with SPIs ceb2477e_i c9db3f63_o and TS 10.0.0.0/22 === 10.0.52.0/24
Jul 18 20:47:45   charon: 10[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45   charon: 10[ENC] <con2|4> parsed CREATE_CHILD_SA response 61 [ SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[NET] <con2|4> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45   charon: 10[NET] <con2|4> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (828 bytes)
Jul 18 20:47:45   charon: 10[ENC] <con2|4> generating CREATE_CHILD_SA request 61 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[IKE] <con2|4> establishing CHILD_SA con2{143} reqid 4
Jul 18 20:47:45   charon: 09[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {4}
Jul 18 20:47:45   charon: 10[IKE] <con1|3> CHILD_SA con1{142} established with SPIs c3bd7173_i c9b412f6_o and TS 10.0.0.0/22 === 10.0.55.0/24
Jul 18 20:47:45   charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45   charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 68 [ SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (204 bytes)
Jul 18 20:47:45   charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (844 bytes)
Jul 18 20:47:45   charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 68 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:45   charon: 10[IKE] <con1|3> establishing CHILD_SA con1{142} reqid 3
Jul 18 20:47:45   charon: 10[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {3}
Jul 18 20:47:45   charon: 10[CFG] received stroke: route 'con2'
Jul 18 20:47:45   charon: 09[CFG] added configuration 'con2'
Jul 18 20:47:45   charon: 09[CFG] received stroke: add connection 'con2'
Jul 18 20:47:45   charon: 10[CFG] received stroke: route 'con1'
Jul 18 20:47:45   charon: 13[CFG] added configuration 'con1'
Jul 18 20:47:45   charon: 13[CFG] received stroke: add connection 'con1'
Jul 18 20:47:45   charon: 06[CFG] deleted connection 'con2'
Jul 18 20:47:45   charon: 06[CFG] received stroke: delete connection 'con2'
Jul 18 20:47:45   charon: 10[CFG] received stroke: unroute 'con2'
Jul 18 20:47:45   charon: 12[CFG] deleted connection 'con1'
Jul 18 20:47:45   charon: 12[CFG] received stroke: delete connection 'con1'
Jul 18 20:47:45   charon: 10[CFG] received stroke: unroute 'con1'
Jul 18 20:47:45   charon: 06[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Jul 18 20:47:45   charon: 06[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 18 20:47:45   charon: 06[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 18 20:47:45   charon: 06[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 18 20:47:45   charon: 06[CFG] loaded ca certificate "C=US, ST=WA, L=Olympia, O=IH Gateway, OU=InVinHost, CN=OPNSenseCA, E=" from '/usr/local/etc/ipsec.d/cacerts/cca9ae1f.0.crt'
Jul 18 20:47:45   charon: 06[CFG] loaded ca certificate "C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, N=VPN, E=VPN" from '/usr/local/etc/ipsec.d/cacerts/a72f8721.0.crt'
Jul 18 20:47:45   charon: 06[CFG] loaded ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA" from '/usr/local/etc/ipsec.d/cacerts/38ce789e.0.crt'
Jul 18 20:47:45   charon: 06[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 18 20:47:45   charon: 06[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
Jul 18 20:47:45   charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45   charon: 06[CFG] loaded IKE secret for XXX.XXX.XXX.XXX
Jul 18 20:47:45   charon: 06[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 18 20:47:45   charon: 06[CFG] rereading secrets
Jul 18 20:47:44   charon: 10[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:47:44   charon: 10[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:47:44   charon: 10[ENC] <con1|3> parsed CREATE_CHILD_SA response 67 [ N(NO_PROP) ]
Jul 18 20:47:44   charon: 10[NET] <con1|3> received packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (76 bytes)
Jul 18 20:47:44   charon: 10[NET] <con1|3> sending packet: from XXX.XXX.XXX.XXX[4500] to XXX.XXX.XXX.XXX[4500] (364 bytes)
Jul 18 20:47:44   charon: 10[ENC] <con1|3> generating CREATE_CHILD_SA request 67 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 18 20:47:44   charon: 10[IKE] <con1|3> establishing CHILD_SA con1{139} reqid 1
Jul 18 20:47:44   charon: 15[KNL] creating acquire job for policy XXX.XXX.XXX.XXX/32 === XXX.XXX.XXX.XXX/32 with reqid {1}
Jul 18 20:47:44   charon: 15[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA



##############################################
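The two log excerpts above are the whole diagnosis: after the reboot every CREATE_CHILD_SA request is answered with NO_PROPOSAL_CHOSEN (IKE_SA kept, no CHILD_SA, so nothing flows), while after the save/apply charon reloads the connections via stroke ("received stroke: add connection 'con1'") and the CHILD_SAs come up with the expected traffic selectors. The following triage script is an added example, not code from the post or from OPNsense: it parses charon log lines in the format shown in the post and reports, per connection, whether a CHILD_SA was established, how many proposals were rejected, and whether a config reload was seen. The sample lines are copied from the log above (addresses anonymised as in the original) and embedded here as constructed input; the regexes assume the standard strongSwan message wording, and because they use `search()` a syslog hostname prefix in front of `charon:` does not matter.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Message patterns as logged by strongSwan's charon (IKE_SA ids look like <con1|3>).
RE_ATTEMPT = re.compile(r"<(?P<conn>[^|>]+)\|\d+> establishing CHILD_SA")
RE_REJECT = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built")
RE_PROPOSAL = re.compile(r"<(?P<conn>[^|>]+)\|\d+> selected proposal: (?P<prop>\S+)")
RE_ESTABLISHED = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> CHILD_SA \S+ established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+?)\s*$")
# Emitted when the GUI save/apply pushes the connection into charon again.
RE_RELOAD = re.compile(r"received stroke: add connection '(?P<conn>[^']+)'")


@dataclass
class ConnState:
    attempts: int = 0                 # CREATE_CHILD_SA requests sent
    rejected: int = 0                 # answered with NO_PROPOSAL_CHOSEN
    reloaded: bool = False            # connection (re)added via stroke, i.e. config applied
    proposals: set = field(default_factory=set)
    established: list = field(default_factory=list)   # (spi_in, spi_out, traffic selectors)


def parse_charon(text):
    """Group CHILD_SA negotiation events per connection name (order-independent,
    so it works on the GUI's newest-first listing as well as on the raw file)."""
    conns = defaultdict(ConnState)
    for line in text.splitlines():
        if m := RE_ATTEMPT.search(line):
            conns[m["conn"]].attempts += 1
        elif m := RE_REJECT.search(line):
            conns[m["conn"]].rejected += 1
        elif m := RE_PROPOSAL.search(line):
            conns[m["conn"]].proposals.add(m["prop"])
        elif m := RE_ESTABLISHED.search(line):
            conns[m["conn"]].established.append((m["spi_in"], m["spi_out"], m["ts"]))
        elif m := RE_RELOAD.search(line):
            conns[m["conn"]].reloaded = True
    return dict(conns)


def diagnose(text):
    """Return {conn: {...}} with a one-word status: 'up', 'down' or 'unknown'."""
    report = {}
    for name, st in sorted(parse_charon(text).items()):
        if st.established:
            status, ts = "up", st.established[-1][2]
            detail = f"CHILD_SA established for TS {ts}"
        elif st.rejected:
            status, ts = "down", None
            detail = (f"{st.rejected} of {st.attempts} CREATE_CHILD_SA requests answered with "
                      "NO_PROPOSAL_CHOSEN; IKE_SA kept, no CHILD_SA, no traffic will flow")
        else:
            status, ts, detail = "unknown", None, "no CHILD_SA events for this connection"
        report[name] = {
            "status": status, "attempts": st.attempts, "rejected": st.rejected,
            "reloaded": st.reloaded, "proposals": sorted(st.proposals), "ts": ts,
            "detail": detail,
        }
    return report


# Constructed samples: lines taken from the post's log, in chronological order.
SAMPLE_AFTER_REBOOT = """\
Jul 18 20:46:05   charon: 11[IKE] <con2|4> establishing CHILD_SA con2{9} reqid 2
Jul 18 20:46:05   charon: 11[ENC] <con2|4> parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Jul 18 20:46:05   charon: 11[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:05   charon: 11[IKE] <con2|4> failed to establish CHILD_SA, keeping IKE_SA
Jul 18 20:46:06   charon: 09[IKE] <con1|3> establishing CHILD_SA con1{10} reqid 1
Jul 18 20:46:06   charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jul 18 20:46:09   charon: 11[IKE] <con1|3> establishing CHILD_SA con1{12} reqid 1
Jul 18 20:46:09   charon: 09[IKE] <con1|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

SAMPLE_AFTER_SAVE = """\
Jul 18 20:47:45   charon: 13[CFG] received stroke: add connection 'con1'
Jul 18 20:47:45   charon: 09[CFG] received stroke: add connection 'con2'
Jul 18 20:47:45   charon: 10[IKE] <con1|3> establishing CHILD_SA con1{142} reqid 3
Jul 18 20:47:45   charon: 10[CFG] <con1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45   charon: 10[IKE] <con1|3> CHILD_SA con1{142} established with SPIs c3bd7173_i c9b412f6_o and TS 10.0.0.0/22 === 10.0.55.0/24
Jul 18 20:47:45   charon: 10[IKE] <con2|4> establishing CHILD_SA con2{143} reqid 4
Jul 18 20:47:45   charon: 10[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 20:47:45   charon: 10[IKE] <con2|4> CHILD_SA con2{143} established with SPIs ceb2477e_i c9db3f63_o and TS 10.0.0.0/22 === 10.0.52.0/24
"""

if __name__ == "__main__":
    for label, sample in (("after reboot", SAMPLE_AFTER_REBOOT), ("after save", SAMPLE_AFTER_SAVE)):
        print(f"== {label} ==")
        for conn, info in diagnose(sample).items():
            flag = " (config reloaded)" if info["reloaded"] else ""
            print(f"{conn}: {info['status']}{flag}: {info['detail']}")
```

Feed it the IPsec log from a box that shows the symptom and a "down" connection with a non-zero rejected count but no "config reloaded" flag is exactly the state described in this thread; a tunnel that only reaches "up" once the reload line appears confirms that the save/apply, not any config change, is what repairs it.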
Title: Re: IPSec - Issues
Post by: mimugmail on July 22, 2019, 02:47:49 pm
Via CLI:

opnsense-patch 64858b5

Then reboot or restart IPsec.
Should be in the next release.