OPNsense Forum
Archive => 15.7 Legacy Series => Topic started by: 8191 on November 29, 2015, 11:30:43 am
-
I've an IPsec phase 1 entry with three phase 2 entries. Only the first in the list is being established. At the other endpoint I cannot even see OPNsense trying to establish the other P2's. If I swap the P2 entries (just order, no config), the new first P2 entry is being established.
The /usr/local/etc/ipsec.conf file contains all endpoints as configured via the GUI, namely con1-000 up to con1-002. In the IPsec logs I found:
Nov 29 10:30:22 ipsec_starter[87595]: 'con1-001' routed
Nov 29 10:30:22 ipsec_starter[87595]: 'con1-000' routed
Nov 29 10:30:21 ipsec_starter[87595]: configuration 'con1-001' not found
Nov 29 10:30:21 ipsec_starter[87595]: configuration 'con1-000' unrouted
I'm not so deep into charon, which log levels should I raise to get more info on that issue?
I use OPNsense 15.7.18_1-i386 (willing to upgrade to unstable if this would help investigations).
-
I've found out that both P2's have the same reqid set in the conn section of ipsec.conf. Unfortunately I don't know what charon does with the reqid, since also the man page (https://www.freebsd.org/cgi/man.cgi?query=ipsec.conf&apropos=0&sektion=0&manpath=FreeBSD+10.2-RELEASE+and+Ports&arch=default&format=html) is quite silent on that...
reqid = <number>
sets the reqid for a given connection to a pre-configured fixed
value.
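A check for the condition described above, added here as an example and not part of this thread or of OPNsense's own code: it parses the conn sections of an ipsec.conf and reports any reqid that more than one conn uses. The sample conns and the file layout (indented key = value lines under each conn header) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed ipsec.conf fragment mirroring the thread: three phase 2
# entries under one phase 1, all generated with the same fixed reqid.
SAMPLE_CONF = """\
conn con1-000
    reqid = 1
    rightsubnet = 192.168.1.0/24

conn con1-001
    reqid = 1
    rightsubnet = 192.168.2.0/24

conn con1-002
    reqid = 1
    rightsubnet = 192.168.3.0/24
"""

_SECTION = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")
_KV = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:  # section header; only 'conn' sections are collected
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns


def duplicate_reqids(conns):
    """Return {reqid: [conn names]} for reqids used by more than one conn."""
    # Conns sharing a reqid collide in charon and not all of them come up;
    # the fix discussed in the thread is to stop emitting reqid at all.
    by_reqid = defaultdict(list)
    for name, opts in conns.items():
        if "reqid" in opts:
            by_reqid[opts["reqid"]].append(name)
    return {rid: names for rid, names in by_reqid.items() if len(names) > 1}
```

Run it against /usr/local/etc/ipsec.conf by passing the file contents to parse_conns; an empty result means no conn shares a reqid.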
-
We recently dropped the request id, because of some similar issues for someone else.
This commit removes it from our code (and will probably be in the next release):
https://github.com/opnsense/core/commit/3e0e936bdb2d23f918e153c0d046580070c37b0b
-
Great, thanks for the info.
-
Already pushed to what will be 15.7.21 (likely on Friday).