Hi All,
So I have just created brand new IPsec tunnels between an OPNsense and 2 pfSense routers.
TL;DR: new IPsec tunnels never come up, whatsoever, unless you go into the Status Overview page and click the connect button.
Once the IPsec service has been restarted, the tunnels come up automatically as expected.
This post from the archive describes exactly the same issue I was seeing: https://forum.opnsense.org/index.php?topic=30990.0
Tunnels are intended to be "always on", regardless of any traffic, and initiated only from the OPNsense end.
Basic info & versions...
OPNsense end:
Running 24.10.1 (Not my router, so not up to me to update, but have passed this suggestion on! Apologies if this has already been fixed since this version!)
Except for endpoint IPs, keys and P2 subnets, both tunnels are identical.
The relevant bits...
P1:
IKEv2, with connection method "default".
Install Policy: true
Close Action: restart
DPD enabled, 10s, 5 retries
Inactivity time: blank
P2s:
Mode: ipv4 tunnel
Auto ping host: Valid (always on) host on the remote side.
Then the pfSense ends:
2.7.0-RELEASE
P1s set with
Child SA Start action: none (responder only)
Close action: close and clear SA
DPD: 10s, 5 retries.
The issue is that these tunnels never come up, whatsoever, unless you go into the Status Overview page and click the connect button.
Once connected, if they are disconnected (from either end), they stay down until you manually connect again.
During testing, I also tried
Connection method: Start Immediate
Connection method: Start on traffic (while having a continuous ping to something on the pfSense end running).
Neither had any effect.
From the archived post, I suspect it was their reboot which solved it, though by accident.
In my case, once I finally decided to restart the IPsec service on the OPNsense end, these tunnels instantly started working as expected.
Perhaps there could be a note on the new tunnel page to suggest this, assuming it couldn't just be done automatically.
Prior to restarting IPsec, I had manually connected and disconnected the tunnels multiple times, and generated plenty of traffic which should have brought them up.
Post restarting IPsec, with a ping running every second, if I manually disconnect the tunnel, I only see a single ping timeout before the tunnel has been brought back up automatically, as expected.
Also on a completely unrelated note, I registered for the forum in order to post this, but got no confirmation email.
After requesting a new activation code from https://forum.opnsense.org/index.php?action=activate about 5 times, over the space of an hour, I finally got an email!
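For anyone who wants to confirm from the shell what the Status Overview page is showing, and to have a safety net while the tunnel is expected to be "always on" but initiated only from the OPNsense end: the script below is an added example for this thread, not the poster's script and not something OPNsense ships. It reads the `swanctl --list-sas` listing that OPNsense's strongSwan produces, checks whether a named child SA is INSTALLED, and issues `swanctl --initiate --child <name>` when it is not. The connection and child names (`con1`, `con1-001`), the `/usr/local/sbin/swanctl` path and the sample listing are assumptions; take the real names from `swanctl --list-conns` on your box.

```shell
#!/bin/sh
# Added example: offline-testable IPsec child SA watchdog built on swanctl.
# Not from the forum post and not part of OPNsense; names and paths are assumptions.

SWANCTL="${SWANCTL:-/usr/local/sbin/swanctl}"   # assumed strongSwan location on OPNsense

# Constructed sample of `swanctl --list-sas` output (not captured from a real box),
# used so the parsing functions can be exercised without a running strongSwan.
sample_sas_output() {
    cat <<'EOF'
con1: #2, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7081_i* 91a2b3c4d5e6f708_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 120s ago, rekeying in 13000s
  con1-001: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 120s ago, rekeying in 3000s, expires in 3600s
    local  10.0.1.0/24
    remote 10.0.2.0/24
EOF
}

# ike_sa_established NAME   (listing on stdin)
# Succeeds if the IKE SA called NAME is in state ESTABLISHED.
ike_sa_established() {
    grep -Eq "^$1: #[0-9]+, ESTABLISHED," 
}

# child_sa_installed NAME   (listing on stdin)
# Succeeds if the child SA called NAME is INSTALLED (i.e. kernel SAs/policies are in place).
child_sa_installed() {
    grep -Eq "^[[:space:]]*$1: #[0-9]+, reqid [0-9]+, INSTALLED," 
}

# ensure_child_sa CHILD
# Queries strongSwan and initiates CHILD if it is not installed.
# Returns 0 when it was already up, 1 when an initiate was issued, 2 if swanctl failed.
ensure_child_sa() {
    child="$1"
    listing="$("$SWANCTL" --list-sas 2>/dev/null)" || return 2
    if printf '%s\n' "$listing" | child_sa_installed "$child"; then
        return 0
    fi
    # A responder-only peer never initiates, so the initiator must do it.
    # --timeout bounds the wait if the peer does not answer; do not loop here,
    # let the next cron run retry instead.
    "$SWANCTL" --initiate --child "$child" --timeout 30 >/dev/null 2>&1 || :
    return 1
}

# Usage from cron, e.g. every minute:  */1 * * * * /root/ipsec-watch.sh con1-001
if [ -n "${1:-}" ]; then
    ensure_child_sa "$1"
    rc=$?
    case "$rc" in
        0) echo "child SA $1 already installed" ;;
        1) echo "child SA $1 was down, initiate requested" ;;
        *) echo "swanctl failed, is the IPsec service running?" ;;
    esac
    exit "$rc"
fi
```

Run it with the child name as the only argument; with no argument it only defines the functions, which is what lets the offline self-check below drive it. If `swanctl --list-conns` does not list the connection at all, no amount of initiating will help, which matches the symptom in the post where only restarting the IPsec service made the new tunnels behave.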