OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: DFC on September 04, 2018, 10:34:52 am

Title: Unexpected VPN behavior
Post by: DFC on September 04, 2018, 10:34:52 am
Hello!
I've got 2 OPNsense boxes running in different cities, connected with a site-to-site IPsec VPN.
On site1 I've got 2 WANs from different ISPs, let's say isp1 (100 Mbps, primary) and isp2 (50 Mbps, secondary), in failover. On site2 I've got 1 WAN, the same isp2 (100 Mbps).
When I tried the site1:isp1<->site2:isp2 connection, that was not very good: ping RTT inside the IPsec tunnel is about 85 ms. So I use the site1:isp2<->site2:isp2 connection and get 25 ms RTT, which is not bad.
Also, on the site1 OPNsense box I have an L2TP server for the remote Windows clients to log in (I prefer solutions which don't need third-party software, that is why L2TP, not OpenVPN).
And here comes the problem. When an L2TP client disconnects, strongSwan resets the tunnel to site1:isp1<->site2:isp2.
This is what I see in ipsec.log at the moment when the tunnel site1:isp2<->site2:isp2 is up and an L2TP client disconnects:
Code:
Sep  4 08:35:27 pnz-gw charon: 02[KNL] interface ng0 appeared
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> old path is not available anymore, try to find another
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> looking for a route to $site2ip ...
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> sending address list update using MOBIKE, implicitly requesting an address change
Sep  4 08:35:27 pnz-gw charon: 02[ENC] <con2|15> generating INFORMATIONAL request 4 [ ]
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> checking path $site1ip1[4500] - $site2ip[4500]
Sep  4 08:35:27 pnz-gw charon: 02[NET] <con2|15> sending packet: from $site1ip1[4500] to $site2ip[4500] (96 bytes)
Sep  4 08:35:27 pnz-gw charon: 13[NET] <con2|15> received packet: from $site2ip[4500] to $site1ip1[4500] (96 bytes)
Sep  4 08:35:27 pnz-gw charon: 13[ENC] <con2|15> parsed INFORMATIONAL response 4 [ ]
Sep  4 08:35:27 pnz-gw charon: 13[ENC] <con2|15> generating INFORMATIONAL request 5 [ N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(AD
Sep  4 08:35:27 pnz-gw charon: 13[NET] <con2|15> sending packet: from $site1ip1[4500] to $site2ip[4500] (192 bytes)
Sep  4 08:35:28 pnz-gw charon: 13[NET] <con2|15> received packet: from $site2ip[4500] to $site1ip1[4500] (96 bytes)
Sep  4 08:35:28 pnz-gw charon: 13[ENC] <con2|15> parsed INFORMATIONAL response 5 [ ]
So I get not very good speed inside the tunnel until I manually restart the strongSwan daemons.
Maybe someone can help me with that? Thanks in advance!
P.S. This behavior was present on 18.1.<any>, and now on the latest 18.7.1 it is the same.
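As an added example (not part of the original post, and not OPNsense or strongSwan code), the script below parses charon log lines of the shape quoted above and reports every MOBIKE-driven path check that moved an IKE SA onto a local address other than the one you expect, together with the interface event that preceded it. The sample log is constructed from the quoted lines; $site1ip1, $site1ip2 and $site2ip are placeholders exactly as in the post.

```python
import re

# Constructed sample, shaped after the charon lines quoted in the post.
SAMPLE_LOG = """\
Sep  4 08:35:27 pnz-gw charon: 02[KNL] interface ng0 appeared
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> old path is not available anymore, try to find another
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> looking for a route to $site2ip ...
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> sending address list update using MOBIKE, implicitly requesting an address change
Sep  4 08:35:27 pnz-gw charon: 02[IKE] <con2|15> checking path $site1ip1[4500] - $site2ip[4500]
Sep  4 08:35:28 pnz-gw charon: 13[ENC] <con2|15> parsed INFORMATIONAL response 5 [ ]
"""

# "<conn|sa> checking path LOCAL[port] - REMOTE[port]"
PATH_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> checking path "
    r"(?P<local>\S+)\[\d+\] - (?P<remote>\S+)\[\d+\]")
# "<conn|sa> sending address list update using MOBIKE"
MOBIKE_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> sending address list update using MOBIKE")
# "[KNL] interface NAME appeared" (e.g. the ng0 node the L2TP session uses)
IFACE_RE = re.compile(r"interface (?P<iface>\S+) appeared")


def find_path_migrations(log_text, preferred_local):
    """Return (conn, sa, local, remote, trigger_iface) tuples for each IKE SA
    that announced a MOBIKE address update and then checked a path whose
    local address is not preferred_local. trigger_iface is the most recent
    interface that appeared before the migration, or None."""
    events = []
    last_iface = None
    mobike_pending = set()          # (conn, sa) pairs with an update in flight
    for line in log_text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            last_iface = m.group("iface")
            continue
        m = MOBIKE_RE.search(line)
        if m:
            mobike_pending.add((m.group("conn"), m.group("sa")))
            continue
        m = PATH_RE.search(line)
        if m:
            key = (m.group("conn"), m.group("sa"))
            if key in mobike_pending and m.group("local") != preferred_local:
                events.append((key[0], key[1], m.group("local"),
                               m.group("remote"), last_iface))
            mobike_pending.discard(key)
    return events


if __name__ == "__main__":
    for ev in find_path_migrations(SAMPLE_LOG, "$site1ip2"):
        print("SA %s|%s moved to %s -> %s after interface %s appeared" % ev)
```

Run it against the real /var/log/ipsec.log with your secondary WAN address as preferred_local to see each time a tunnel silently migrated back to the primary WAN.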
Title: Re: Unexpected VPN behavior
Post by: DFC on September 06, 2018, 07:50:03 am
Anyone? Any suggestions? Maybe more logs to look into? Please...  :(