Messages

1

24.7 Production Series / Re: IPsec issues with 24.7.2

« on: August 25, 2024, 12:11:23 pm »

Thanks for that was aware, however these machines have been around for a long time and were therefore probably built when the defaults referred to were set. They have certainly never been unset automatically by any particular update - until 24.7.2.

Sharing my particular symptom and fix.

2

24.7 Production Series / Re: IPsec issues with 24.7.2

« on: August 25, 2024, 11:47:28 am »

Cannot modify original message, wanted to add another test on a 24.7.2 prior to restore;

On the WAN interface I created a firewall rule to pass ESP traffic from source ip to wan interface, in my head mimicking what the automatically created rules might be doing.

This worked (definitely on a 24.7.2 VM) and permitted traffic to pass but I'd have to do that individually for all IPSEC connections on all WAN interfaces.

If somebody really wanted to stay on 24.7.2 and has only a handful of connections this could be a workaround until addressed by Opnsense gurus.

3

24.7 Production Series / Re: IPsec issues with 24.7.2

« on: August 25, 2024, 11:32:19 am »

Hello, I'd like to add to this by describing the symptoms experienced on my testbed platform. I have a number of virtual Opensense VMs interconnected via IPSEC which have worked fine up until 24.7.2.

However, on all of my 24.7.2 machines I now see in firewall logs ESP traffic dropping into the default WAN deny rule and so tunnels, while establishing, are passing no traffic.

It would appear that ESP previously covered by automatic rules generated upon enabling IPSEC has changed under 24.7.2. See attachment of log screenshot

What I have tested is a rollback to 24.7.1 by either restore of VM from backup or an interactive "opnsense-revert -r 24.7.1 opnsense". In both cases this fixes the issue and restores IPSEC traffic flow correctly.

Whilst not highly technical I hope description of symptoms helps somebody clevererer figure out any perceived issue with 24.7.2.
Thank you for Opnsense!