After moving our IPsec tunnels from legacy Tunnel Settings to Connections, we have had problems with missing manual policies or manual policies with wrong unique numbers (as seen with setkey -PD).
After taking a closer look, it seems these issues are caused by dynamic reqids.
Using legacy Tunnel Settings, reqids are automatically allocated at configuration time.
Using Connections, reqids are allocated (and also change) when tunnels are connected.
There is an option to manually define static reqids, but this is not really maintainable when you have a lot of tunnels.
We made a test setup with two OPNsense 24.7.12 in order to reproduce the problem.
We defined two IPsec connections with one child each, using default parameters.
We added manual SPD entries for both children like this:
- Reqid = empty
- Connection child = connection name - child name
- Source network = 0.0.0.0/0
- Destination network = empty
To reproduce:
- Have two tunnels, each with manual SPD entries
- Connect both tunnels
- Observe correct reqids (by looking at setkey -PD output)
- Disconnect the first tunnel
- Disconnect and reconnect the second tunnel
- Observe incorrect reqids (by looking at setkey -PD output)
Could similar issues be triggered by reauth or rekey?
As indicated by the caution on this page:
https://docs.strongswan.org/docs/latest/plugins/updown.html
Is there anything that can be done to fix this?
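A way to spot the situation described above on the firewall itself, as an added example that is not part of the original post or of OPNsense: the script below cross-checks the reqids in the policy dump (setkey -PD) against the reqids of the installed SAs (setkey -D) and reports policies whose reqid has no SA, or whose tunnel endpoints disagree with the SAs that currently carry that reqid (the "manual policies with wrong unique numbers" case). It assumes the FreeBSD setkey(8) output format, where a dynamically allocated reqid is printed as `unique#N` and a manually configured one as `unique:N`; the two dumps embedded in the script are constructed samples modelled on that format, not captured from the test setup.

```python
"""Cross-check IPsec SPD reqids against SAD reqids (added example, not OPNsense code).

Assumptions: FreeBSD setkey(8) formatting, i.e. `setkey -PD` prints
`esp/tunnel/SRC-DST/unique#N` (dynamic reqid) or `unique:N` (manual reqid)
and `setkey -D` prints `reqid=N(0x...)` on each SA's esp/ah line.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format of `setkey -PD`: two tunnels, two policies each.
SPD_DUMP = """\
0.0.0.0/0[any] 10.0.1.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.2/unique#16385
\tspid=1 seq=3 pid=1234
\trefcnt=1
10.0.1.0/24[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-203.0.113.1/unique#16385
\tspid=2 seq=2 pid=1234
\trefcnt=1
0.0.0.0/0[any] 10.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.3/unique#16386
\tspid=3 seq=1 pid=1234
\trefcnt=1
10.0.2.0/24[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/203.0.113.3-203.0.113.1/unique#16386
\tspid=4 seq=0 pid=1234
\trefcnt=1
"""

# Constructed sample in the format of `setkey -D`: only the second tunnel is up,
# and after its reconnect it was handed reqid 16385, which the stale policies
# of the first tunnel still reference; nothing uses 16386 any more.
SAD_DUMP = """\
203.0.113.1 203.0.113.3
\tesp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tE: aes-gcm-16 ...
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
203.0.113.3 203.0.113.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tE: aes-gcm-16 ...
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

@dataclass
class Policy:
    spid: int
    src: str
    dst: str
    direction: str
    tunnel: tuple          # (outer src, outer dst) as printed on the esp/tunnel line
    manual: bool           # True for `unique:N`, False for `unique#N`
    reqid: int

@dataclass
class SecAssoc:
    src: str
    dst: str
    proto: str
    spi: int
    reqid: int

_SPD_HEADER = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+\s*$")
_SPD_DIR = re.compile(r"^\s+(in|out|fwd)\s+\S+")
_SPD_TUNNEL = re.compile(r"^\s+esp/tunnel/(\S+?)-(\S+?)/unique([#:])(\d+)")
_SPD_ID = re.compile(r"^\s+spid=(\d+)")
_SAD_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
_SAD_SA = re.compile(r"^\s+(esp|ah)\s+mode=\S+\s+spi=(\d+)\(0x[0-9a-f]+\)\s+reqid=(\d+)")

def parse_spd(text: str) -> list:
    """Parse `setkey -PD` output; only tunnel policies carrying a unique reqid are kept."""
    policies, cur = [], None
    for line in text.splitlines():
        if (m := _SPD_HEADER.match(line)):
            cur = {"src": m.group(1), "dst": m.group(2), "direction": "?"}
        elif cur is None:
            continue
        elif (m := _SPD_DIR.match(line)):
            cur["direction"] = m.group(1)
        elif (m := _SPD_TUNNEL.match(line)):
            cur.update(tunnel=(m.group(1), m.group(2)), manual=m.group(3) == ":", reqid=int(m.group(4)))
        elif (m := _SPD_ID.match(line)):       # spid line closes the policy record
            if "reqid" in cur:
                policies.append(Policy(spid=int(m.group(1)), **cur))
            cur = None
    return policies

def parse_sad(text: str) -> list:
    """Parse `setkey -D` output into one SecAssoc per SA."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line[:1].isspace() and (m := _SAD_HEADER.match(line)):
            cur = (m.group(1), m.group(2))   # SA header: "<src> <dst>"
        elif cur and (m := _SAD_SA.match(line)):
            sas.append(SecAssoc(cur[0], cur[1], m.group(1), int(m.group(2)), int(m.group(3))))
    return sas

def find_reqid_mismatches(spd_text: str, sad_text: str) -> list:
    """Return one human-readable finding per policy whose reqid is stale or points at the wrong tunnel."""
    endpoints_by_reqid = {}
    for sa in parse_sad(sad_text):
        endpoints_by_reqid.setdefault(sa.reqid, set()).add((sa.src, sa.dst))
    findings = []
    for p in parse_spd(spd_text):
        kind = "manual" if p.manual else "dynamic"
        live = endpoints_by_reqid.get(p.reqid)
        if live is None:
            findings.append(f"spid={p.spid} {p.direction} {p.src}->{p.dst}: {kind} reqid {p.reqid} has no installed SA")
        elif p.tunnel not in live:
            findings.append(f"spid={p.spid} {p.direction} {p.src}->{p.dst}: {kind} reqid {p.reqid} names tunnel "
                            f"{p.tunnel[0]}-{p.tunnel[1]} but the SAs with that reqid are {sorted(live)}")
    return findings

if __name__ == "__main__":
    # For a live check, feed the real dumps instead: find_reqid_mismatches(
    #   subprocess.check_output(["setkey", "-PD"], text=True), subprocess.check_output(["setkey", "-D"], text=True))
    for finding in find_reqid_mismatches(SPD_DUMP, SAD_DUMP) or ["all policy reqids match an installed SA"]:
        print(finding)
```

On the constructed samples the script flags all four policies: the two for the first tunnel because reqid 16385 now belongs to SAs with different outer addresses, and the two for the second tunnel because nothing installed carries reqid 16386 any more. Run after each connect, disconnect, rekey or reauth event to see whether the manual SPD entries still line up with the SAs strongSwan actually installed.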