OPNsense Forum

English Forums => Virtual private networks => Topic started by: mliebherr on April 27, 2021, 08:45:11 am

Title: IPSec Tunnel to Cisco is unstable
Post by: mliebherr on April 27, 2021, 08:45:11 am
Hello,

my tunnel to a remote site (Cisco, I think) is unstable. Here are some tcpdump snippets:

22:20:48.323405 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc5), length 152
22:20:48.323421 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc6), length 152
22:20:48.323437 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc7), length 152
22:20:48.323470 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc8), length 152
22:20:48.323487 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc9), length 152
22:20:48.833110 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cca), length 104
22:20:50.682362 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccb), length 88
22:20:51.127368 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:51.833354 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccc), length 104
22:20:53.689542 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccd), length 104
22:20:54.134106 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:54.802874 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cce), length 104
22:20:56.688672 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccf), length 104
22:20:56.716580 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd0), length 104
22:20:57.803060 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd1), length 104
22:20:57.834224 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd2), length 104

On my site the tunnel seems to be up; looking at the tcpdump, the remote side seems to reconnect?

The Lifetimes/Timeouts match on each side.
I already changed the "Connection method" to respond only.

Here are the settings:
(https://i.ibb.co/hcgtDH0/ipsec.png)


Here are the logs:

2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'MySite' (myself) with pre-shared key   
2021-04-26T22:22:14   charon[40039]   15[IKE] <con2|17> authentication of 'RemoteSite' with pre-shared key successful   
2021-04-26T22:22:14   charon[40039]   15[CFG] <con2|17> selected peer config 'con2'   
2021-04-26T22:22:11   charon[40039]   15[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (80 bytes)   
2021-04-26T22:22:11   charon[40039]   15[ENC] <con2|15> generating INFORMATIONAL request 0 [ D ]   
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> sending DELETE for IKE_SA con2[15]   
2021-04-26T22:22:11   charon[40039]   15[IKE] <con2|15> deleting IKE_SA con2[15] between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T22:22:11   charon[40039]   09[CFG] received stroke: terminate 'con2'   
2021-04-26T20:49:19   charon[40039]   05[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (240 bytes)   
2021-04-26T20:49:19   charon[40039]   05[ENC] <con2|15> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21   
2021-04-26T20:49:19   charon[40039]   05[CFG] <con2|15> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> maximum IKE_SA lifetime 86020s   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> scheduling reauthentication in 85480s   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'MySite' (myself) with pre-shared key   
2021-04-26T20:49:19   charon[40039]   05[IKE] <con2|15> authentication of 'RemoteSite' with pre-shared key successful   
2021-04-26T20:49:19   charon[40039]   05[CFG] <con2|15> selected peer config 'con2'   
2021-04-26T20:49:14   charon[40039]   05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)   
2021-04-26T20:49:14   charon[40039]   05[IKE] <con2|1> retransmit 1 of request with message ID 8   
2021-04-26T20:49:10   charon[40039]   05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)   
2021-04-26T20:49:10   charon[40039]   05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]   
2021-04-26T20:49:10   charon[40039]   05[IKE] <con2|1> establishing CHILD_SA con2{20} reqid 2   
2021-04-26T19:06:37   charon[40039]   10[IKE] <con2|1> CHILD_SA closed
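
One way to read the two excerpts above together, as an added example (not the poster's or OPNsense's code): the script below parses the tcpdump and charon lines from the post, counts ESP per direction and per SPI, and flags the pattern visible here. It assumes our own address shows up as MySite in the capture and that the connection is in respond-only mode, as stated above; the sample data is the poster's excerpt embedded as constructed input.

```python
"""Triage a flapping IPsec tunnel from a tcpdump excerpt and strongSwan (charon) log
lines.  Added example, not from the original post: the sample data below is the
poster's excerpt, embedded as constructed input so the script runs offline."""
import re
from collections import Counter

LOCAL = "MySite"  # our own address as it appears in the capture (anonymised in the post)

# tcpdump excerpt from the post: only outbound ESP, plus IKE_SA_INIT arriving from the peer
TCPDUMP = """\
22:20:48.323405 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc5), length 152
22:20:48.323421 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc6), length 152
22:20:48.323437 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc7), length 152
22:20:48.323470 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc8), length 152
22:20:48.323487 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc9), length 152
22:20:48.833110 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cca), length 104
22:20:50.682362 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccb), length 88
22:20:51.127368 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:51.833354 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccc), length 104
22:20:53.689542 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccd), length 104
22:20:54.134106 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:54.802874 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cce), length 104
22:20:56.688672 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccf), length 104
22:20:56.716580 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd0), length 104
22:20:57.803060 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd1), length 104
22:20:57.834224 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd2), length 104
"""

# charon lines from the post, whitespace collapsed (OPNsense lists newest first; the parser is order-independent)
CHARON_LOG = """\
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> scheduling reauthentication in 85480s
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T20:49:14 charon[40039] 05[IKE] <con2|1> retransmit 1 of request with message ID 8
2021-04-26T20:49:10 charon[40039] 05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
"""

ESP_RE = re.compile(r"^\S+ IP (?P<src>[\w.\-]+) > (?P<dst>[\w.\-]+): ESP\(spi=0x(?P<spi>[0-9a-f]+),")
IKE_RE = re.compile(r"^\S+ IP (?P<src>[\w.\-]+)\.\d+ > (?P<dst>[\w.\-]+)\.\d+: isakmp: (?P<msg>.+)$")
INITIAL_CONTACT_RE = re.compile(r"destroying duplicate IKE_SA for peer '[^']+', received INITIAL_CONTACT")
CHILD_SA_RE = re.compile(r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
REKEY_REQ_RE = re.compile(r"generating CREATE_CHILD_SA request (\d+) \[ N\(REKEY_SA\)")
RETRANSMIT_RE = re.compile(r"retransmit \d+ of request with message ID (\d+)")

def parse_tcpdump(text, local=LOCAL):
    """Count ESP packets per SPI in each direction and IKE_SA_INIT messages from the peer."""
    esp_out, esp_in, peer_ike_inits = Counter(), Counter(), 0
    for line in text.splitlines():
        if m := ESP_RE.match(line):
            (esp_out if m["src"] == local else esp_in)[m["spi"]] += 1
        elif (m := IKE_RE.match(line)) and m["dst"] == local and "ikev2_init" in m["msg"]:
            # With "Connection method: respond only" we never initiate, so an
            # IKE_SA_INIT arriving from the peer means the peer is starting over.
            peer_ike_inits += 1
    return {"esp_out": esp_out, "esp_in": esp_in, "peer_ike_inits": peer_ike_inits}

def parse_charon(text):
    """Pull the events that matter for a flapping tunnel out of charon log lines."""
    out = {"initial_contact_destroys": 0, "child_sas": [], "rekey_requests": set(), "retransmitted": set()}
    for line in text.splitlines():
        if INITIAL_CONTACT_RE.search(line):
            out["initial_contact_destroys"] += 1
        if m := CHILD_SA_RE.search(line):
            out["child_sas"].append((m.group(1), m.group(2)))  # (inbound SPI, outbound SPI)
        if m := REKEY_REQ_RE.search(line):
            out["rekey_requests"].add(int(m.group(1)))
        if m := RETRANSMIT_RE.search(line):
            out["retransmitted"].add(int(m.group(1)))
    return out

def diagnose(tcpdump_text, charon_text, local=LOCAL):
    """Return (code, explanation) findings; the codes are stable so they can be asserted on."""
    cap, log = parse_tcpdump(tcpdump_text, local), parse_charon(charon_text)
    sent, recv = sum(cap["esp_out"].values()), sum(cap["esp_in"].values())
    findings = []
    if sent and not recv:
        findings.append(("ONE_WAY_ESP", f"{sent} ESP packets sent, none received: the peer is not using the tunnel we consider up"))
    if cap["peer_ike_inits"] and sent:
        findings.append(("PEER_REINIT", f"peer sent IKE_SA_INIT {cap['peer_ike_inits']}x while we kept sending ESP: it has dropped its SA state"))
    for spi in cap["esp_out"]:
        if any(spi == spi_out for _, spi_out in log["child_sas"]):
            findings.append(("SPI_MATCH", f"outbound SPI {spi} is the CHILD_SA charon still holds: our side has not noticed the loss"))
    for msg_id in sorted(log["rekey_requests"] & log["retransmitted"]):
        findings.append(("REKEY_UNANSWERED", f"our CREATE_CHILD_SA rekey (message ID {msg_id}) had to be retransmitted: the peer did not answer"))
    if log["initial_contact_destroys"]:
        findings.append(("INITIAL_CONTACT", f"{log['initial_contact_destroys']}x duplicate IKE_SA destroyed on INITIAL_CONTACT: each one is a tunnel flap"))
    return findings

if __name__ == "__main__":
    for code, why in diagnose(TCPDUMP, CHARON_LOG):
        print(f"{code:17} {why}")
```

What the correlation shows on the posted data: the outbound SPI da1200e6 in the capture is the `_o` SPI of CHILD_SA con2{21} in the log, so charon still holds that tunnel, while the peer's IKE_SA_INIT arrives in the middle of our ESP stream and, earlier, our CREATE_CHILD_SA rekey (message ID 8) went unanswered right before the peer came back with INITIAL_CONTACT. That is the signature of the remote side dropping the SA without sending a DELETE. Before changing settings, a capture filtered to inbound ESP (`tcpdump -ni <wan> esp and src <peer>`) confirms whether the peer sends anything at all on the tunnel.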
Title: Re: IPSec Tunnel to Cisco is unstable
Post by: mimugmail on April 27, 2021, 09:11:29 am
You can try setting "Disable MOBIKE" and deselect tunnel isolation
Title: Re: IPSec Tunnel to Cisco is unstable
Post by: atom on April 27, 2021, 10:13:22 am
You should use a timeserver. The IPSec log shows time jumps.
Title: Re: IPSec Tunnel to Cisco is unstable
Post by: juere on April 27, 2021, 11:43:41 am
The Lifetimes/Timeouts match on each side.

Sometimes with "unstable" tunnels it is a good idea *not* to match them.
Setting the lifetimes of Side A to twice the lifetimes of Side B will force Side B to initiate all the rekeying, which in my experience can sometimes lead to more stability.

Might be worth a try :)