Messages

When hooks are triggered, I believe a log entry is triggered as well.

Yes, that's the problem right there. When failing, the hook is not triggered and there is no log message.

We sometimes see this after network interruptions. When this happens, the remedy is to manually disconnect and reconnect the tunnel.

Is it possible that this is failing when our firewall is responding and not when initiating?

Has there been any related improvements since 24.7.12?

Yes, that hook is used regardless if the reqid is dynamic or static.

However, I suspect the problem is related to the following caution on the page linked in the original post:
>  While Child SA rekeying establishes a new Child SA, the hooks do not get invoked.

There might be different triggers, but the end result is the same:
Tunnel-specific dynamic reqids change and corresponding manual SPD entries no longer match.

Best regards,
Ulf

Hi! Thank you for replying.

Let me clarify:
The issue in this case is not caused by overlapping between legacy and new.
All tunnels were moved to connections and we no longer have any legacy tunnels.
This is also the case in the reproducible example above, where there are only two connections.

The issue seems to be that manual SPD entries are not synced with dynamic reqids when they change.
In other words, the UPDOWN script would need to be run when reqids change, not only on up and down.

Locking reqids at configuration-time would work, but there would need to be some way of automatically selecting the next free / unique number.

Best regards,
Ulf

After moving our IPsec tunnels from legacy Tunnel Settings to Connections, we have had problems with missing manual policies or manual policies with wrong unique numbers (as seen with setkey -PD).

After taking a closer look, it seems these issues are caused by dynamic reqids.
Using legacy Tunnel Settings, reqids are automatically allocated at configuration time.
Using Connections, reqids are allocated (and also change) when tunnels are connected.
There is an option to manually define static reqids, but this is not really maintainable when you have a lot of tunnels.

We made a test setup with two OPNsense 24.7.12 in order to reproduce the problem.
Defined two ipsec connections with one child each. Using default parameters.
Added manual SPD entries for both children like this:
- Reqid = empty
- Connection child = connection name - child name
- Source network = 0.0.0.0/0
- Destination network = empty

To reproduce:
- Have two tunnels, each with manual SPD entries
- Connect both tunnels
- Observerve correct reqids (by looking at setkey -PD output)
- Disconnect the first tunnel
- Disconnect and reconnect the second tunnel
- Observerve incorrect reqids (by looking at setkey -PD output)

Could similar issues be triggered by reauth or rekey?
As indicated by the caution on this page:
https://docs.strongswan.org/docs/latest/plugins/updown.html

Is there anything that can be done to fix this?