Virtual private networks / Re: Manual SDP Entry becomes invalid if remote gateway changes dynamic IP
« on: February 22, 2024, 02:39:22 pm »
Hi, we have a similar issue.
We have a phase 1 that points to an FQDN with 3 IPs associated. This phase 1 has "respond only" as connection method and "Allow any remote gateway to connect", so the initiator is the firewall on the other side.
This phase 1 has multiple phase 2s associated; one of these phase 2s has a manual SPD entry that contains a private subnet. When the initiator changes its exit IP, it seems that the SPD entry isn't updated.
Example:
My OPNsense has the IP 4.4.4.4.
The phase 1 has "firewall.fqdn" as remote gateway, which resolves to the following IPs:
firewall.fqdn. 300 IN A 1.1.1.1
firewall.fqdn. 300 IN A 2.2.2.2
firewall.fqdn. 300 IN A 3.3.3.3
The phase 2 entry has the following subnets:
Local: 192.168.1.0/24
Remote: 192.168.2.0/24
Manual SPD entries: 192.168.3.0/24
The initiator on the other side opens the s2s tunnel using the IP 1.1.1.1, and the following SPD entries are created:
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
192.168.2.0/24[any] 192.168.1.0/24[any] 1.1.1.1->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
In this case everything works fine.
When the firewall on the initiator side reopens the connection using an IP different from 1.1.1.1 (e.g. 2.2.2.2), the SPD entries are broken.
Checking the SPD we can see the following entries:
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->2.2.2.2
192.168.2.0/24[any] 192.168.1.0/24[any] 2.2.2.2->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
In this case the traffic from/to 192.168.3.0/24 isn't routed correctly.
Has someone encountered and solved this issue?
Versions:
OPNsense 24.1.1-amd64
FreeBSD 13.2-RELEASE-p9
OpenSSL 3.0.13
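As an added example (not part of the post above, nor OPNsense or strongSwan code), the following script parses SPD entries in the same "src[any] dst[any] a->b" form shown in the post and flags any entry whose remote tunnel endpoint no longer matches the peer address the IKE session is currently using. It assumes the local gateway IP (4.4.4.4) and the currently active peer (2.2.2.2) are known; the sample SPD text is constructed from the entries quoted in the post. Running something like this after each IKE re-establishment is a simple way to catch stale manual SPD entries before the affected subnet silently stops being routed.

```python
import re
from dataclasses import dataclass

# Matches one SPD line as quoted in the post, e.g.
#   192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
SPD_LINE = re.compile(
    r"^(?P<src>\S+)\[(?P<sport>[^\]]+)\]\s+"
    r"(?P<dst>\S+)\[(?P<dport>[^\]]+)\]\s+"
    r"(?P<tsrc>\S+)->(?P<tdst>\S+)$"
)


@dataclass(frozen=True)
class SpdEntry:
    src: str         # traffic selector, source subnet
    dst: str         # traffic selector, destination subnet
    tunnel_src: str  # outer (tunnel) source address
    tunnel_dst: str  # outer (tunnel) destination address


def parse_spd(text: str) -> list[SpdEntry]:
    """Parse SPD lines; blank lines and lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SPD_LINE.match(line)
        if m is None:
            continue
        entries.append(SpdEntry(m["src"], m["dst"], m["tsrc"], m["tdst"]))
    return entries


def remote_endpoint(entry: SpdEntry, local_ip: str) -> str:
    """Return the tunnel endpoint that is not our own gateway address."""
    return entry.tunnel_dst if entry.tunnel_src == local_ip else entry.tunnel_src


def peers_in_use(entries: list[SpdEntry], local_ip: str) -> set[str]:
    """All remote tunnel endpoints referenced by the SPD; more than one for a
    single phase 1 is the symptom described in the post."""
    return {remote_endpoint(e, local_ip) for e in entries}


def stale_entries(entries: list[SpdEntry], local_ip: str,
                  current_peer: str) -> list[SpdEntry]:
    """Entries still bound to an old peer address after the IKE peer moved."""
    return [e for e in entries if remote_endpoint(e, local_ip) != current_peer]


# Constructed sample: the SPD quoted in the post after the initiator
# re-established the tunnel from 2.2.2.2 instead of 1.1.1.1.
SPD_AFTER_REKEY = """
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->2.2.2.2
192.168.2.0/24[any] 192.168.1.0/24[any] 2.2.2.2->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
"""

# Constructed sample: the consistent SPD from the working case.
SPD_WORKING = """
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
192.168.2.0/24[any] 192.168.1.0/24[any] 1.1.1.1->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
"""

LOCAL_IP = "4.4.4.4"      # assumed: this OPNsense's address, from the post
CURRENT_PEER = "2.2.2.2"  # assumed: peer address of the active IKE SA


def report(text: str, local_ip: str, current_peer: str) -> list[str]:
    """Human-readable lines describing stale entries (empty if all is well)."""
    entries = parse_spd(text)
    return [
        f"stale SPD entry {e.src} -> {e.dst}: tunnel {e.tunnel_src}->{e.tunnel_dst}, "
        f"but current peer is {current_peer}"
        for e in stale_entries(entries, local_ip, current_peer)
    ]


if __name__ == "__main__":
    for line in report(SPD_AFTER_REKEY, LOCAL_IP, CURRENT_PEER) or ["SPD consistent"]:
        print(line)
```

On a live system the input text would come from dumping the policy database (for example `setkey -DP` on FreeBSD, whose output also carries extra lines per policy that the parser above simply skips), and the current peer from the active IKE SA.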