OPNsense Forum
English Forums => Virtual private networks => Topic started by: dstr on August 09, 2024, 11:08:57 am
-
I'm using Unbound as DNS server and an IPsec tunnel with a DNS remote gateway. After rebooting the firewall, IPsec seems to be started before Unbound and is not able to resolve the host. It stops after 3 retries, even though keyretries is set to 0 in the IPsec config, which should mean unlimited retries.
Is there a way to start IPsec delayed after Unbound, or to configure the IPsec service not to stop?
-
Does the firewall itself use Unbound as resolver for its own DNS requests?
What is configured in System: Settings: General?
Maybe use the resolvers of your ISP or Cloudflare/Google there instead and see if that fixes the problem.
-
In General, 127.0.0.1 is configured. With Google it works, but that is not an option since I'm using encrypted DNS and blocklists with Unbound.
-
Hmm, you should open an issue on GitHub and explain your case there.
https://github.com/opnsense/core/issues
Maybe also attach the IPsec logs of the permanent failure that's happening.
-
Is there a way to start IPsec delayed after Unbound, or to configure the IPsec service not to stop?
Generally it's not needed. IPsec connections start automatically if properly configured. Check the CHILD_SAs:
- Start action should be set to "trap" or "trap+start"
- DPD action should be set to "trap" (if used)
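As an added example (not from the thread, and not the swanctl.conf that OPNsense generates from its GUI), the strongSwan swanctl.conf fragment below shows the settings the reply above refers to under their strongSwan names: one child that uses start_action = start, which charon initiates once when the configuration is loaded and abandons after keyingtries attempts, beside one that uses start_action = trap and dpd_action = trap together with keyingtries = 0 (unlimited attempts), so negotiation is triggered by matching traffic and by DPD rather than happening once at load time. The connection names, addresses, subnets, identities and pre-shared key are assumptions.

```conf
# Added example: strongSwan swanctl.conf fragments, not an OPNsense-generated file.
# Hostnames, subnets, identities and the PSK are assumptions.

connections {
    # Failing pattern: the child is initiated once when the config is loaded.
    # If vpn.example.com cannot be resolved at that moment (e.g. Unbound is not
    # up yet), the initiate fails and charon gives up once keyingtries is used up.
    site-a-start {
        local_addrs  = 203.0.113.10
        remote_addrs = vpn.example.com    # remote gateway given as a DNS name (assumed)
        keyingtries  = 1                  # strongSwan default: a single attempt
        local {
            auth = psk
            id   = fw.example.net
        }
        remote {
            auth = psk
            id   = vpn.example.com
        }
        children {
            net {
                local_ts     = 192.168.1.0/24
                remote_ts    = 10.0.0.0/24
                start_action = start      # initiate immediately at load time
                dpd_action   = restart
            }
        }
    }

    # Pattern from the reply above: install a trap policy instead.
    # The CHILD_SA is negotiated when traffic matches the policy, and after a
    # DPD timeout the trap policy is re-installed (dpd_action = trap) so the
    # next matching packet triggers a fresh negotiation. keyingtries = 0 means
    # unlimited attempts.
    site-a-trap {
        local_addrs  = 203.0.113.10
        remote_addrs = vpn.example.com
        keyingtries  = 0                  # 0 = retry without limit
        dpd_delay    = 30s
        local {
            auth = psk
            id   = fw.example.net
        }
        remote {
            auth = psk
            id   = vpn.example.com
        }
        children {
            net {
                local_ts     = 192.168.1.0/24
                remote_ts    = 10.0.0.0/24
                start_action = trap       # install policy, negotiate on demand
                dpd_action   = trap       # re-arm the trap after DPD failure
            }
        }
    }
}

secrets {
    ike-site-a {
        id-1   = vpn.example.com
        secret = "change-me"              # placeholder PSK, assumed
    }
}
```

After loading such a file with `swanctl --load-all`, `swanctl --list-pols` shows the installed trap policy for the second connection, and `swanctl --list-sas` only shows a CHILD_SA once traffic for 10.0.0.0/24 has triggered negotiation.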