OPNsense Forum

English Forums => General Discussion => Topic started by: nwildner on July 19, 2019, 02:17:10 pm

Title: Automatically restart IPSec on gateway status change
Post by: nwildner on July 19, 2019, 02:17:10 pm
Hi

I have an IPSec scenario where OPNsense is the client and the server is a Checkpoint appliance.

The problem I have is: every time the OPNsense-side ISP goes down the tunnel hangs, and when the ISP gateway comes up again, I have to restart strongswan. I have even created a user with only "services view" so a local support guy can restart the service when needed.

But the question is: can I automate it in a way that when the OPNsense gateway changes from down to up, strongswan is restarted? I've already changed the "Monitor IP" to an external one since I have a DHCP WAN.

Cheers.

Title: Re: Automatically restart IPSec on gateway status change
Post by: nwildner on July 23, 2019, 08:30:21 pm
Well, this is how we've created a solution to this case: ping a host inside our main site that is only reachable through IPsec; if it isn't reachable, restart IPsec.

Steps:

Services > Monit > Settings
General Settings:

Set Polling Interval to 120 and Start Delay to 60. This will make the Monit checks execute every 2 minutes. Check Enable Monit.

Service Test Settings > Add New
Name: IPSEC_ICMP_MONITOR
Condition: failed ping4 count 5 address 10.x.x.254
Action: Restart

10.x.x.254 is the IP address of this firewall's LAN interface. This will ensure that I'm using a source address that will be able to reach that host inside the IPsec tunnel. Keep in mind that I have a specific SPD rule that will deal with delivering traffic.

Service Settings > Add New
Name: REDIAL_IPSEC
Type: Remote Host
Address: 172.y.y.y
Start: /usr/local/sbin/configctl ipsec start
Stop: /usr/local/sbin/configctl ipsec stop
Tests: IPSEC_ICMP_MONITOR

172.y.y.y is our main AD server. It could be any host of real importance that you know will always be up and running inside your main site.

Done. No more manual intervention on this host.
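The same settings written out in Monit's own control-file syntax, added here as an illustration of what the GUI fields map to (this is not the post's own configuration and not the monitrc that OPNsense generates; the 10.x.x.254 and 172.y.y.y placeholders are taken from the post above):

```monit
# Added example: Monit control-file equivalent of the GUI settings above.
# Not the file OPNsense generates; addresses are the post's placeholders.

# Settings > General: poll every 120 s, wait 60 s after Monit starts
set daemon 120
    with start delay 60

# Service Settings > REDIAL_IPSEC (Type: Remote Host)
# "restart" on a host check runs the stop program, then the start program,
# so a failed test re-initialises the whole strongswan service.
check host REDIAL_IPSEC with address 172.y.y.y
    start program = "/usr/local/sbin/configctl ipsec start"
    stop program  = "/usr/local/sbin/configctl ipsec stop"
    # Service Test IPSEC_ICMP_MONITOR: five lost ICMP echo requests, sent
    # from the firewall's LAN address so the packets match the tunnel's
    # SPD and travel through IPsec instead of leaving the WAN in clear.
    if failed ping4 count 5 address 10.x.x.254 then restart
```

After saving, `monit -t` checks the control file for syntax errors and `monit status` shows whether the ping test is currently passing or has triggered a restart.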

Title: Re: Automatically restart IPSec on gateway status change
Post by: mimugmail on April 23, 2020, 09:32:54 am
Great write-up, I added it to the official docs! :) Thx!

Title: Re: Automatically restart IPSec on gateway status change
Post by: Guybrush on May 05, 2020, 09:09:24 pm
Thank you nwildner, this is a really great way to keep the connections up and running.

Just to clarify:
172.y.y.y is an address in the headquarters that is pinged through the tunnel
10.x.x.254 is the LAN IP of the branch office OPNsense, which is restarting the IPsec
Is this correct?

Do you know a way to show the target address in the Monit status page? And is there a way of changing the Monit sender address for the email notifications?

Thanks a lot in advance
Guybrush

Title: Re: Automatically restart IPSec on gateway status change
Post by: nwildner on September 23, 2020, 02:50:51 pm
Sorry to necrobump this post, but this is just feedback on why I've stopped posting about this reconnection method.

Since we moved from Checkpoint to Fortigate to manage our SD-WAN solution at the main site, things got a lot better. The Checkpoint IPsec implementation is GARBAGE and requires you to use a lot of kludges to make it work.

Tunnel isolation, IKEv1 only, no DPD (btw, dead peer detection only works site-to-site with Checkpoint on both ends) and other stuff that this proprietary firewall does to cripple third-party integration. It was deliberately designed to integrate badly with other firewalls.

With Fortigate on our main site, it is just a matter of configuring DPD counters to keep the tunnel reconnecting on WAN outages, and with tunnel restart on our main site.

Maybe this info could be useful to others trying to integrate with this garbage IPSec provided by Checkpoint.