Show Posts
Topics - mwiora

1
20.1 Legacy Series / IPsec - missing automatic tunnel restarts
« on: May 22, 2020, 11:11:14 am »
Hi all,

I am facing issues with my IPsec setup.
Normally everything is running fine - but in case something happens to my internet connection, my IPsec tunnels go offline and do not come back.

Did I miss any option I can set that the tunnel gets reestablished as soon as possible?
Thanks in advance,
Matthias

2
16.7 Legacy Series / There is a Phase 2 using IPv4, you cannot use IPv6.
« on: December 14, 2016, 11:06:56 pm »
Hi all,

I've set up an IPv6 phase 1 connection, which contains two phase 2 entries.
One of them is IPv6, the other IPv4.

I have a stable connection for something 20 minutes up to 6 hours.
After that time (variable) the tunnel is still up and running, but no more packets are going through the tunnel..... Until I restart the IPsec strongswan service on one side (the other side remains untouched)...

I've set the log to "control" in all parts - I'll update the thread as soon as I find something interesting...

I now suspect that the dead-peer-connection is causing the issues and I wanted to disable it in phase 1, but I'm getting "There is a Phase 2 using IPv4, you cannot use IPv6.".

Why is it working anyway? For at least this limited time. Shouldn't it be configurable anyway?

cheers,
Matthias

3
16.7 Legacy Series / IPv6 --> Clients get IPv6 address for round about one hour....
« on: November 29, 2016, 11:51:54 pm »
Hi @all,

I'm currently facing a very strange issue.
Attachment restrictions are very interesting... I'll add them by replying to this thread....

ISP = Vodafone / Kabel Deutschland
|
|
|
----- IF WAN -
AVM FritzBox 6490 - a_fritzbox-ifswithips.png, a_fritzbox-ipv6-conf.png
----- IF LAN -
|
|-- some machines X
|
----- IF WAN - a_opnsense-ifwan.png
OpnSense
----- IF LAN - a_opnsense-iflan.png
|
|-- some machines Y
|

IPv4 is working great. IPv6 does not (yet ;) )
The AVM FritzBox 6490 is configured as described at https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/1239_Setting-up-a-IPv6-subnet-in-the-FRITZ-Box/

Since I'm getting a /62 subnet from my ISP I guessed I have to request a /63 subnet from my FritzBox (which would let me choose between 20da and 20db)
So I've configured the WAN interface to request a /63 subnet and assigned the first IP of 20da to the internal IF of the OpnSense machine.
Furthermore I've configured a DHCPv6 Server as shown in - a_opnsense-dhcpv6server.png. The advertisement is configured as shown in - a_opnsense-dhcpv6ad.png

Machines X are able to obtain IPv6 addresses immediately (they route their traffic through the AVM FritzBox 6490). The clients are served by the Subnet with ID 2a02:810d:xxxx:20d8::/64
Machines Y are not able to obtain IPv6 - by issuing "ipconfig /renew6" they obtain an IPv6 address from the DHCPv6 Server with all settings correct, are able to route traffic over the OpnSense to the AVM FritzBox and in the end to the Internet. After round about one hour of connectivity, the connection gets lost.

Any ideas:
- Which logs do I have to check?
- Which configuration do I have to change?

I've seen the following logs:

a_opnsense-log.png

ICMPv6 is enabled on all Firewall Rulesets.
Cheers and thanks in advance,
Matthias
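The prefix arithmetic in the post above (a /62 from the ISP, a /63 requested from the FritzBox, the FritzBox LAN on 20d8::/64 and OPNsense taking the 20da half) can be checked with Python's ipaddress module. This is an added example, not code from the poster or from the OPNsense project; it uses the documentation prefix 2001:db8:0:20d8::/62 as a constructed stand-in for the redacted ISP prefix, and the function names are my own.

```python
import ipaddress

# Constructed sample (documentation prefix): stands in for the redacted
# 2a02:810d:xxxx:20d8::/62 the post says the ISP delegates to the FritzBox.
ISP_PREFIX = ipaddress.IPv6Network("2001:db8:0:20d8::/62")


def subdivide(prefix, new_prefixlen):
    """All sub-prefixes of `prefix` at `new_prefixlen`, in address order."""
    return list(prefix.subnets(new_prefix=new_prefixlen))


def delegation_plan(isp_prefix, router_prefixlen=63, lan_prefixlen=64):
    """Model the two-level delegation in the post: the ISP /62 splits into two
    /63s (one stays with the FritzBox, one can be delegated to OPNsense), and
    each /63 yields the /64s that router can announce on its LAN."""
    return {
        str(half): [str(n) for n in subdivide(half, lan_prefixlen)]
        for half in subdivide(isp_prefix, router_prefixlen)
    }


def subnet_holder(isp_prefix, lan_subnet, router_prefixlen=63):
    """Return the /63 that contains `lan_subnet`, or None if it lies outside
    the ISP delegation. Confirms the FritzBox LAN (20d8::/64) and the OPNsense
    LAN end up in different halves and therefore cannot overlap."""
    net = ipaddress.IPv6Network(lan_subnet)
    for half in subdivide(isp_prefix, router_prefixlen):
        if net.subnet_of(half):
            return str(half)
    return None


def router_lan_address(lan_subnet):
    """The 'first IP' of a /64 that the post assigns to the OPNsense LAN
    interface (network address + 1, i.e. ...::1)."""
    net = ipaddress.IPv6Network(lan_subnet)
    return str(net.network_address + 1)


if __name__ == "__main__":
    for half, lans in delegation_plan(ISP_PREFIX).items():
        print(half, "->", ", ".join(lans))
    print("FritzBox LAN half:", subnet_holder(ISP_PREFIX, "2001:db8:0:20d8::/64"))
    print("OPNsense LAN half:", subnet_holder(ISP_PREFIX, "2001:db8:0:20da::/64"))
    print("OPNsense LAN address:", router_lan_address("2001:db8:0:20da::/64"))
```

Running it shows the /62 splitting into 20d8::/63 and 20da::/63, which is why requesting a /63 for OPNsense leaves it the choice between 20da::/64 and 20db::/64 while the FritzBox keeps 20d8 and 20d9; a LAN /64 outside the delegated /62 is reported as None, which is the first thing to check when a downstream router's prefix delegation has not actually been honoured.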

4
16.7 Legacy Series / [SOLVED] changes to ipsec log configuration doesn't change anything
« on: November 28, 2016, 09:22:47 pm »
Hi @all,

am I missing something or are any changes to the log configuration of IPsec currently without any configuration change?

I've configured all to the highest log level, but the log output (also on console) is unchanged (not giving any detailed or diagnostic information).
Even a restart of the service or the application doesn't change anything to that.

Cheers,
Matthias
5
16.7 Legacy Series / IPsec VPN crashes completely and reenables only on service restart
« on: November 21, 2016, 12:59:45 am »
Hi @all,

I've set up a site2site IPsec VPN connection and this seems to be working like a charm - up to one hour.
Then the connection gets lost and it is not possible to re-enable the connection through reinitiating via "status overview".

The log reports something like:
"no matching CHILD_SA config found" and "INVALID ID"

Looking at both sides' configuration, everything seems fine, and after restarting the IPsec service everything works great again for one hour....

Any ideas which log I should enable and where to look for the right lines?
Cheers,
Matthias

6
16.7 Legacy Series / Routing IPv4 via IPv6 IPsec Tunnel
« on: November 20, 2016, 02:19:59 am »
Hi @all,

I've configured a native IPv6 IPsec tunnel.
Now I want to tunnel IPv4 over that IPv6 tunnel - this should be possible, shouldn't it?

Site A:
Dualstack IPv4 (172.16.0.0/24 locally) + IPv6
Site B:
Dualstack IPv4 (172.17.0.0/24 locally) + IPv6

Unfortunately I'm receiving:
Nov 20 02:01:55 charon: 07[KNL] installing route failed: 172.17.0.0/24 via fe80::3631:c4ff:fe83:a04a src 172.16.0.1 dev hn1
Nov 20 02:01:55 charon: 07[KNL] adding PF_ROUTE route failed: Invalid argument

Thanks for any reply in advance!
Matthias

7
16.7 Legacy Series / IPv6 - routing seems to be lost after rebooting opnsense/pfsense
« on: November 18, 2016, 12:11:43 am »
Hi @all,

I've configured my opnsense like this:
LAN interface (IPv6 tracks WAN Interface)
WAN interface (IPv6 address and prefix are acquired by DHCPv6)

Everything seems to be working fine until I'm restarting the opnsense device.
A running ping (from another client through the opnsense) on IPv6 targets works, of course runs into a timeout during reboot, but stays at "request timed out" after the reboot. Stopping the ping and re-initiating the ping doesn't work.

For now it seems that the routing is getting restored after 10-15 minutes.
Is this an expected behavior?

Cheers,
Matthias

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved