Messages - mwiora

#1
Hi all,

I am facing issues with my IPsec setup.
Normally everything is running fine, but if something happens to my internet connection, my IPsec tunnels go offline and do not come back.

Did I miss an option I can set so that the tunnel gets re-established as soon as possible?
Thanks in advance,
Matthias
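The strongSwan ipsec.conf keywords that make a tunnel re-initiate on its own, shown here as an added example and not as the poster's configuration. OPNsense generates ipsec.conf from the GUI, so on that platform these correspond to the phase 1 settings for dead peer detection and connection start-up rather than being edited by hand; the connection name and the timer values are assumptions.

```ini
conn site2site
    # bring the tunnel up at start and keep retrying instead of giving up
    auto=start
    keyingtries=%forever
    # dead peer detection: probe the peer every 30s (assumed value) and
    # rebuild the tunnel when it stops answering
    dpdaction=restart
    dpddelay=30s
    # if the peer deletes the SA, re-establish it rather than just closing it
    closeaction=restart
```

With dpdaction=restart the initiator tears down and re-initiates the IKE_SA when DPD times out; without it (the default is none) the SA simply lingers until a rekey, which is what a tunnel that "does not come back" usually looks like in the status view.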
#2
Update: I couldn't believe it, but since moving to Sophos UTM I have absolutely no issues with IPv6; I finally got it working.
Opnsense and Pfsense both didn't work for me.

Cheers,
Matthias
#3
Hi all,

I've set up an IPv6 phase 1 connection, which contains two phase 2 entries.
One of them is IPv6, the other IPv4.

I have a stable connection for somewhere between 20 minutes and 6 hours.
After that (variable) time the tunnel is still up and running, but no more packets go through the tunnel... until I restart the IPsec strongswan service on one side (the other side remains untouched)...

I've set the log level to "control" in all parts; I'll update the thread as soon as I find something interesting...

I now suspect that the dead-peer-connection is causing the issues and wanted to disable it in phase 1, but I'm getting "There is a Phase 2 using IPv4, you cannot use IPv6.".

Why is it working anyway, at least for this limited time? Shouldn't it be configurable anyway?

cheers,
Matthias
#4
IPv6 seems to be stable since I've removed the static configuration and replaced it with "track WAN interface" in the LAN interface IPv6 settings. This disables IPv6 RA configuration and DHCP (static IP needed). I will analyze this in the future... I would like to have a nice static IPv6 for my gateway.
#5
Mh. Unfortunately VoIP is handled via the FritzBox, and there is no chance to get the credentials.

Cheers,
Matthias
#6
nope. no change....
#7
Hi Bart,

Actually I cannot add IPv6 static routes to the Fritz box; see a_fritzbox-noipv6staticroutes.png.
And a ping from one of the machines X to the internal interface of the OpnSense doesn't work... thanks for that hint!
I actually had to add a rule on the LAN which allows ICMPv6 pings from anywhere.
Furthermore I've added a rule allowing all traffic from the 20d8 network to the WAN interface. Routing now seems to work!

But shouldn't the OpnSense and the FritzBox exchange routing tables?
Regarding https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/1239_Setting-up-a-IPv6-subnet-in-the-FRITZ-Box/
They wrote:
You can use a router with its own IPv6 subnet in the FRITZ!Box home network. In this case, you do not need to configure static routes for the IPv6 subnet because the FRITZ!Box and the IPv6 router automatically exchange all of the necessary routing information.

What needs to be enabled for this route table exchange?

In step 2 (configuring the IPv6 router) they wrote:
Configure the IPv6 router so that it requests its own prefix from the FRITZ!Box using IPv6 prefix delegation and that it announces its routing information to the FRITZ!Box via router advertisement.

It looks like the WAN interface would need some special configuration to publish the routes.


I'll double-check the IPv6 problems and report back.

cheers,
Matthias
#8
adding further attachments
#9
adding further attachments
#10
adding further attachments
#11
adding further attachments
#12
Hi @all,

I'm currently facing a very strange issue.
Attachment restrictions are very interesting... I'll add them by replying to this thread....

ISP = Vodafone / Kabel Deutschland
|
|
|
----- IF WAN -
AVM FritzBox 6490 - a_fritzbox-ifswithips.png, a_fritzbox-ipv6-conf.png
----- IF LAN -
|
|-- some machines X
|
----- IF WAN - a_opnsense-ifwan.png
OpnSense
----- IF LAN - a_opnsense-iflan.png
|
|-- some machines Y
|

IPv4 is working great. IPv6 does not (yet ;) )
The AVM FritzBox 6490 is configured as described at https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/1239_Setting-up-a-IPv6-subnet-in-the-FRITZ-Box/

Since I'm getting a /62 subnet from my ISP I guessed I have to request a /63 subnet from my FritzBox (which would let me choose between 20da and 20db)
So I've configured the WAN interface to request a /63 subnet and assigned the first IP of 20da to the internal IF of the OpnSense machine.
Furthermore I've configured a DHCPv6 Server as shown in - a_opnsense-dhcpv6server.png. The advertisement is configured as shown in - a_opnsense-dhcpv6ad.png

Machines X are able to obtain IPv6 addresses immediately (they route their traffic through the AVM FritzBox 6490). The clients are served from the subnet with ID 2a02:810d:xxxx:20d8::/64
Machines Y are not able to obtain IPv6; by issuing "ipconfig /renew6" they obtain an IPv6 address from the DHCPv6 server with all settings correct, are able to route traffic over the OpnSense to the AVM FritzBox and in the end to the Internet. After roughly one hour of connectivity, the connection is lost.

Any Ideas:
- Which logs do I have to check?
- Which configuration do I have to change?

I've seen the following logs:

a_opnsense-log.png

ICMPv6 is enabled on all Firewall Rulesets.
Cheers and thanks in advance,
Matthias
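The prefix arithmetic the post above works through (a /62 from the ISP, a /63 requested from the FritzBox, the first address of the 20da subnet on the OPNsense LAN), written out as an added example that is not part of the post, OPNsense or AVM. The ISP prefix is constructed from the 2001:db8::/32 documentation range and only keeps the post's subnet-ID layout (20d8 to 20db); the upstream router is assumed to keep the first /64 for its own LAN, as the post's machines X suggest.

```python
"""Plan and check a downstream IPv6 prefix delegation (added example)."""
import ipaddress

ISP_PREFIX = "2001:db8:0:20d8::/62"    # constructed stand-in for the ISP's /62
UPSTREAM_LAN = "2001:db8:0:20d8::/64"  # assumed: the /64 the upstream router keeps


def delegation_plan(isp_prefix, requested_len, lan_len=64):
    """Map every candidate prefix of length requested_len inside isp_prefix
    to the list of lan_len subnets it contains."""
    isp = ipaddress.IPv6Network(isp_prefix, strict=True)
    if not isp.prefixlen <= requested_len <= lan_len <= 64:
        raise ValueError("need isp_len <= requested_len <= lan_len <= 64")
    return {
        str(cand): [str(s) for s in cand.subnets(new_prefix=lan_len)]
        for cand in isp.subnets(new_prefix=requested_len)
    }


def free_delegations(isp_prefix, requested_len, upstream_lan):
    """Candidate delegations that do not overlap the upstream router's own LAN."""
    upstream = ipaddress.IPv6Network(upstream_lan, strict=True)
    return [
        cand for cand in delegation_plan(isp_prefix, requested_len)
        if not ipaddress.IPv6Network(cand).overlaps(upstream)
    ]


def router_address(delegated_prefix, subnet_index=0, lan_len=64):
    """First host address (::1) of the chosen /64 inside a delegation,
    i.e. what the post assigns to the OPNsense LAN interface."""
    lans = list(ipaddress.IPv6Network(delegated_prefix).subnets(new_prefix=lan_len))
    return str(lans[subnet_index].network_address + 1)


def check_lan_address(isp_prefix, requested_len, upstream_lan, lan_address):
    """Return (ok, reason): is lan_address inside a delegation the downstream
    router can actually receive, and not colliding with the upstream LAN?"""
    addr = ipaddress.IPv6Address(lan_address)
    isp = ipaddress.IPv6Network(isp_prefix, strict=True)
    if addr not in isp:
        return False, f"{addr} is outside the ISP prefix {isp}"
    if addr in ipaddress.IPv6Network(upstream_lan, strict=True):
        return False, f"{addr} collides with the upstream LAN {upstream_lan}"
    for cand in free_delegations(isp_prefix, requested_len, upstream_lan):
        if addr in ipaddress.IPv6Network(cand):
            return True, f"{addr} lies in delegation {cand}"
    return False, f"{addr} is not inside any free /{requested_len} delegation"


if __name__ == "__main__":
    for cand, lans in delegation_plan(ISP_PREFIX, 63).items():
        print(cand, "->", ", ".join(lans))
    free = free_delegations(ISP_PREFIX, 63, UPSTREAM_LAN)
    print("free for the downstream router:", free)
    print("LAN address:", router_address(free[0]))
    print(check_lan_address(ISP_PREFIX, 63, UPSTREAM_LAN, router_address(free[0])))
```

The check is useful when the WAN side is set to "track interface": the /64 the LAN ends up with is selected by prefix ID from inside the delegation, so an address configured statically on the LAN must fall into the delegated half and not into the /64 the FritzBox already uses for its own clients.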
#13
Hi Ad,

Couldn't find anything using Google regarding this...
thank you very much!

Cheers,
Matthias
#14
Hi @all,

am I missing something, or do changes to the log configuration of IPsec currently have no effect?

I've configured everything to the highest log level, but the log output (also on the console) is unchanged (not giving any detailed or diagnostic information).
Even a restart of the service or the application doesn't change anything about that.

Cheers,
Matthias
#15
Hi @all,

I've set up a site-to-site IPsec VPN connection and this seems to be working like a charm, for up to one hour.
Then the connection is lost and it is not possible to re-enable it by re-initiating via "status overview".

The log reports something like:
"no matching CHILD_SA config found" and "INVALID ID"

Looking at both sides' configuration, everything seems fine, and after restarting the IPsec service everything works great again for one hour....

Any ideas which log I should enable and where to look for the right lines?
Cheers,
Matthias
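A small log triage for the two messages quoted in this post ("no matching CHILD_SA config found" and the INVALID ID notify), which also serves the earlier post about the tunnel silently stopping after a variable time. This is an added example, not code from the poster, OPNsense or strongSwan. The log lines are constructed for the example, modelled on the general "timestamp host charon: NN[SUBSYS] text" shape of charon's syslog output, and the assumed year is only needed because syslog timestamps carry none. The hour check reflects strongSwan's ipsec.conf default CHILD_SA lifetime of 1h, so an error that first appears close to that mark points at the first rekey rather than at the initial setup.

```python
"""Triage strongSwan (charon) log lines for CHILD_SA setup failures (added example)."""
import re
from datetime import datetime

# Assumed line shape: "<Mon DD HH:MM:SS> <host> charon: NN[SUBSYS] message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$"
)
CHILD_UP_RE = re.compile(r"CHILD_SA (?P<conn>\S+)\{\d+\} established")
ERROR_MARKERS = ("no matching CHILD_SA config found", "INVALID_ID", "INVALID ID")
LOG_YEAR = 2016                 # assumption: syslog lines carry no year
DEFAULT_CHILD_LIFETIME = 3600   # strongSwan ipsec.conf default lifetime=1h

# Constructed sample log: tunnel comes up, then the first rekey fails ~1h later.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw charon: 05[IKE] IKE_SA con1[1] established between 192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]
Jan 10 10:00:01 fw charon: 05[IKE] CHILD_SA con1{1} established with SPIs c1a2b3c4_i d4e5f6a7_o and TS 10.0.1.0/24 === 10.0.2.0/24
Jan 10 10:30:00 fw charon: 09[IKE] sending DPD request
Jan 10 10:59:58 fw charon: 07[IKE] establishing CHILD_SA con1{2}
Jan 10 10:59:58 fw charon: 07[CFG] no matching CHILD_SA config found for 10.0.1.0/24 === 10.0.2.0/24
Jan 10 10:59:58 fw charon: 07[IKE] received INVALID_ID_INFORMATION error notify
"""


def parse_ts(text):
    """Turn a syslog timestamp without year into a datetime (year assumed)."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def triage(log_text, tolerance=120):
    """Summarise when the CHILD_SA last came up, when the first of the two
    error messages appeared, and whether that gap sits near the 1h default."""
    last_child_up = None
    first_error = None
    errors = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line in the assumed shape; skip it
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if CHILD_UP_RE.search(msg):
            last_child_up = ts
        elif any(marker in msg for marker in ERROR_MARKERS):
            errors.append((ts, m.group("subsys"), msg))
            if first_error is None:
                first_error = ts
    gap = None
    if last_child_up is not None and first_error is not None:
        gap = int((first_error - last_child_up).total_seconds())
    return {
        "last_child_sa_up": last_child_up,
        "first_error": first_error,
        "seconds_until_error": gap,
        "errors": errors,
        "near_rekey_mark": gap is not None and abs(gap - DEFAULT_CHILD_LIFETIME) <= tolerance,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"CHILD_SA up at {summary['last_child_sa_up']}, "
          f"first error {summary['seconds_until_error']}s later, "
          f"near rekey mark: {summary['near_rekey_mark']}")
    for ts, subsys, msg in summary["errors"]:
        print(f"  {ts} [{subsys}] {msg}")
```

The lines worth reading are the ones the CFG subsystem logs right before the IKE error: they name the traffic selectors the peer proposed, and comparing those against the phase 2 entries on the other side is the quickest way to see which of the two configurations the rekey no longer matches. Raising the "cfg" and "ike" log levels makes those selector lines appear; the rest can stay at the default.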