Messages - GaardenZwerch

#61
Hello,

yes, ipsec1000 is there, thanks, and sorry for my blindness.

Last question: 'Manual SPD' probably makes no sense here. Do I have any chance of getting a source NAT working with this setup?
Thanks
#62
Oh, man.... Sorry, 'route-based'....
#63
You're welcome :-)
and thanks

#64

I am currently trying to reproduce the routed IPsec howto and am stuck: when setting up the gateways I only have my own manually configured interfaces to choose from. The generated ipsec.conf contains no 'reqid = ' but does contain a 'type = tunnel'.
Have I overlooked something? (I have checked it umpteen times.)

The connection is 'up'

       con1{11}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: cf282e8b_i c874d2a8_o
        con1{11}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
        con1{11}:   10.111.1.1/32 === 10.111.1.2/32

ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel
 
  left = 1.2.3.4
  right = 4.3.2.1
 
  leftid = 1.2.3.4
  ikelifetime = 86400s
  lifetime = 3600s
  ike = aes256-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 4.3.2.1
  rightsubnet = 10.111.1.1
  leftsubnet = 10.111.1.2
  esp = aes256-sha256!
  auto = start

include ipsec.opnsense.d/*.conf
#65
Quote from: mimugmail on September 19, 2019, 08:03:28 AM
You split your problem into two threads, hard to follow.
It's because I believe they are two distinct problems. But solving either one would get me what I need ;)

Quote from: mimugmail on September 19, 2019, 08:03:28 AM
Is there a workaround listed in Cisco Bug?
Yes:
Quote from: Cisco
A broader crypto ACL can be configured to have only one line in the ACL.
Also, if feasible, a VTI can be used when both endpoints support route based IKEv2 IPSec tunnels.
In my case, both suggestions are the same ;-)
I need parts in 10.x, 192.168.x, as well as a 'non-private-but-only-used-internally-Class-B'. So 0/0 would match that.
Route-based IPsec is what we will try next.


#66
Sorry if I'm chatting with myself here, but I just found out that Cisco says this can't be done (screenshot)

#67
Weirdly enough, if I create two identical Phase1s, each with one Phase2, I get the same error.
If I check 'Tunnel Isolation' on both Phase1s, it works. The resulting ipsec.conf is basically identical in that case, except that conX is split into conX and conX-000, but all params are the same.

Unfortunately my problem is not solved by this, because as soon as I configure the 'Manual SPD' entries that I need, traffic gets routed with the wrong SPIs, as described here: https://forum.opnsense.org/index.php?topic=14240.0
#68
Hi,

I have trouble getting an IPsec connection to a Cisco: I need several phase2 tunnels (and NAT on my side). When I uncheck 'Tunnel Isolation' in phase1, the connection fails with
received TS_UNACCEPTABLE notify, no CHILD_SA built
When I check 'Tunnel Isolation' (no other change to the config), each phase2 can be brought up without a problem, but this brings other problems described here

https://forum.opnsense.org/index.php?topic=14240.0

Thanks for any hints,
Frank
#69
19.7 Legacy Series / IPSec and SPI
September 17, 2019, 02:13:55 PM
Hi,

I am struggling with an IPsec connection to a remote Cisco. I need several phase2 tunnels, and NAT on my side (I can't use the IP range that the remote side has given me).

When I bring one phase2 tunnel UP, everything is fine. As soon as I bring a second one up, all the traffic uses the SPI of the latest tunnel, and gets refused by the remote side.

One tunnel UP:
ipsec-status:

Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 17 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16


tcpdump:
14:09:24.989728 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 821, length 64
14:09:24.992286 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 821, length 64
14:09:25.991076 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 822, length 64
14:09:25.993699 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 822, length 64


now I bring the second tunnel up (ipsec up con1-001).
ipsec-status:
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 28 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16
    con1-001{10}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cf947911_i 41c91673_o
    con1-001{10}:   10.203.251.240/28 === 192.168.2.0/24


tcpdump shows the new SPI is used:
14:09:28.994230 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 825, length 64
14:09:29.996407 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 826, length 64


I have read these threads here
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773
but it is not clear to me if the issue is considered to be solved.

I would very much like to try the hack that involves removing the 'Manual SPD' from my phase2 entries and adding them by script.
Does anybody know how to do this?

Thanks a lot,

Frank



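The symptom in the post above (after the second child SA comes up, packets for 172.16.0.0/16 leave with the SPI that belongs to the 192.168.2.0/24 SA) can be spotted mechanically by cross-checking the `ipsec status` child-SA lines against the tcpdump output on the enc interface. The following is an added example, not code from the post or from OPNsense or strongSwan; it assumes only the line formats visible above, and the sample status and tcpdump lines embedded in it are taken from the post (the outbound packet's source is the pre-NAT address, so the check compares the remote host of each packet against the remote traffic selector of the SA that owns the SPI, never the local side).

```python
import ipaddress
import re
from typing import Dict, List

# Sample input taken from the forum post above (status after both tunnels are up).
STATUS_TWO_TUNNELS = """\
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 28 seconds ago, 1.2.3.130[1.2.3.130]...4.5.6.130[4.5.6.130]
        con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbd8b851_i 9231068c_o
        con1{9}:   10.203.251.240/28 === 172.16.0.0/16
    con1-001{10}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cf947911_i 41c91673_o
    con1-001{10}:   10.203.251.240/28 === 192.168.2.0/24
"""

# Sample tcpdump lines from the post: two good packets, then one that uses the wrong SPI.
TCPDUMP_LINES = """\
14:09:24.989728 (authentic,confidential): SPI 0x9231068c: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 821, length 64
14:09:24.992286 (authentic,confidential): SPI 0xcbd8b851: IP 172.16.0.3 > 10.203.251.243: ICMP echo reply, id 16897, seq 821, length 64
14:09:28.994230 (authentic,confidential): SPI 0x41c91673: IP 10.2.0.1 > 172.16.0.3: ICMP echo request, id 16897, seq 825, length 64
"""

# Child-SA line: "<conn>{<id>}:  INSTALLED, TUNNEL, reqid N, ESP [in UDP] SPIs: <in>_i <out>_o"
SA_RE = re.compile(
    r"^\s*(?P<sa>\S+\{\d+\}):\s+INSTALLED,.*SPIs:\s+"
    r"(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o"
)
# Traffic-selector line: "<conn>{<id>}:   <local net> === <remote net>"
TS_RE = re.compile(r"^\s*(?P<sa>\S+\{\d+\}):\s+(?P<local>[0-9./]+)\s+===\s+(?P<remote>[0-9./]+)")
# enc0 pseudo-header as printed by tcpdump on FreeBSD, followed by the inner IP header.
PKT_RE = re.compile(r"SPI 0x(?P<spi>[0-9a-f]+): IP (?P<src>[0-9.]+) > (?P<dst>[0-9.]+):")


def parse_child_sas(status_text: str) -> Dict[str, dict]:
    """Map each child-SA label (e.g. 'con1{9}') to its SPIs and traffic selectors."""
    sas: Dict[str, dict] = {}
    for line in status_text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas.setdefault(m["sa"], {}).update(spi_in=m["spi_in"], spi_out=m["spi_out"])
            continue
        m = TS_RE.match(line)
        if m:
            sas.setdefault(m["sa"], {}).update(
                local=ipaddress.ip_network(m["local"], strict=False),
                remote=ipaddress.ip_network(m["remote"], strict=False),
            )
    return sas


def spi_table(sas: Dict[str, dict]) -> Dict[str, tuple]:
    """Index SPIs: spi -> (sa label, 'in'|'out', remote traffic selector)."""
    table: Dict[str, tuple] = {}
    for label, sa in sas.items():
        if "spi_in" in sa and "remote" in sa:
            table[sa["spi_in"]] = (label, "in", sa["remote"])
            table[sa["spi_out"]] = (label, "out", sa["remote"])
    return table


def check_packets(status_text: str, tcpdump_text: str) -> List[dict]:
    """Return one finding per packet whose SPI does not belong to an SA covering its remote host."""
    sas = parse_child_sas(status_text)
    table = spi_table(sas)
    findings: List[dict] = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        entry = table.get(m["spi"])
        if entry is None:
            findings.append({"spi": m["spi"], "sa": None, "problem": "unknown SPI", "line": line})
            continue
        label, direction, remote_net = entry
        # Outbound: the remote host is the destination; inbound: it is the source.
        remote_host = ipaddress.ip_address(m["dst"] if direction == "out" else m["src"])
        if remote_host in remote_net:
            continue
        expected = [l for l, sa in sas.items() if "remote" in sa and remote_host in sa["remote"]]
        findings.append({
            "spi": m["spi"], "sa": label, "direction": direction,
            "problem": f"{remote_host} not in selector {remote_net}",
            "expected": expected, "line": line,
        })
    return findings


if __name__ == "__main__":
    for f in check_packets(STATUS_TWO_TUNNELS, TCPDUMP_LINES):
        print(f"SPI {f['spi']} ({f['sa']}): {f['problem']}; should be {f['expected']}")
```

Run against the sample, the first two packets pass and the third is reported as leaving on con1-001{10}'s outbound SPI although its destination is only covered by con1{9}; fed live output from `ipsec status` and `tcpdump -ni enc0`, the same check shows whether a kernel-policy or SPD change actually fixed the selection.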
#70
19.1 Legacy Series / Re: NAT before IPSec
August 26, 2019, 04:47:49 PM
Somehow, the tunnel closes every now and then (after inactivity?). Even if I leave it at 'Start immediate' (tried this before), it will eventually go down, and my side won't be able to get it up again. Figuring out why the tunnel goes away is hard, as I don't control the other side. On my side, is it possible to get a log over a longer period of time?




#71
19.1 Legacy Series / Re: NAT before IPSec
August 26, 2019, 04:15:19 PM
Hmm,

I have no control over the remote side of the connection, so this is not easy. Leaving it on 'connect on traffic' is a requirement from the remote side.

My BINAT rule generates the following:
binat on enc0 inet from 192.168.0.0/24 to <BO_NETS> -> 10.203.207.0/24

but when the tunnel is down, traffic from 192.168.0.0/24 will not get routed to enc0. I suspect that this is the root of the problem.


#72
19.1 Legacy Series / Re: NAT before IPSec
August 26, 2019, 11:26:52 AM
Hello MiMu,

yes, there is a nagios server (192.168.0.2) in that network that checks availability of servers 'on the other side'. It gets replies, but only if the Tunnel is up.

Can I post any additional info that might be useful?
Thanks
#73
19.1 Legacy Series / NAT before IPSec
August 14, 2019, 11:05:05 AM
Hi,

I have a local network (192.168.0.0/24) that needs to be NATed (to 10.203.207.0/24) before it goes into the IPsec tunnel.
When the tunnel is up, this works perfectly fine (i.e. I have a NAT defined (on the IPsec device) and added a Manual SPD entry for 192.168.0.0/24).
However, hosts from the local network (192.168.0.0/24) can't get the tunnel up.
ping -S 192.168.0.1 other.side does nothing, whereas
ping -S 10.203.207.1 other.side pulls the tunnel up (I have added a virtual IP for 10.203.207.1 on the same interface as 192.168.0.1).

Could this bit from the changelog in 19.7.x solve my problem?
Quote from: changelog
ipsec: use interface IP address in local ID when doing NAT before IPsec

Thanks a lot
#74
General Discussion / Re: Import / Export Alias
June 07, 2019, 01:24:30 PM
Thanks,
done!

Best regards,
Frank
#75
General Discussion / Names vs uuids
June 07, 2019, 01:17:56 PM
I have a general question: now that we have alias export/import I have played around a little with this.
Objects have had uuids for quite some time but the name is still the key that is used to reference objects.
Is this planned to change at some time?

Thanks