Messages - jorgevisentini

#46
Quote from: mimugmail on July 31, 2017, 09:51:36 PM
Quote from: jorgevisentini on July 31, 2017, 08:21:27 PM
Quote from: mimugmail on July 31, 2017, 08:10:16 PM
Ok, but this means we have to use if_ipsec which is currently not supported.
I know.
But this functionality is not specific to strongSwan; it does not have failover, as we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

Libreswan has its own interface support (software), and FreeBSD introduced if_ipsec with 11.0 (OS). Don't know how exactly Sophos does it; they also use strongswan, but the old version 4 (no IKEv2!!!). Also ASA, e.g., introduced route-based VPN very late.
So... the only distribution where I got to see the failover script was Sophos, in this case both UTM and XG, and both are big scripts...
#47
Quote from: whitwye on July 31, 2017, 08:19:10 PM
Quote from: mimugmail on July 31, 2017, 09:05:50 AM
Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
"ipsec: IKEv2 can handle multiple phase 1 with the same IP"

I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.

Perhaps this already fits your needs and just needs some documentation.
What would a rough sketch of the documentation look like? Whether or not this fits the OP's needs, it should fit mine, I think.

I did not read the documentation, but I think that this feature is for creating two or more tunnels with one IP only. I just think...
#48
Quote from: mimugmail on July 31, 2017, 08:10:16 PM
Ok, but this means we have to use if_ipsec which is currently not supported.
I know.
But this functionality is not specific to strongSwan; it does not have failover, as we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...
#49
Yes, it works perfectly.
There is only a minimal loss of packets during the time that there is link loss, IPsec key exchange... but on average it loses around 10~15 packets until the link goes up and everything is functional. It works automatically.

I tested both with Sophos UTM and XG, and Fortinet.
#50
Mimugmail, I do not think I understand...

I believe I do not need another host, just two valid IPs for internet connection and yes, I would need to "know" the other guess.

I say this on the basis of having two OPNsenses, nor do I even think about doing this redundancy with another vendor.

This already exists with Sophos, Fortinet, Watchguard...

Ah, and this configuration in Sophos, for example, is created with IKEv1.
#51
Hi.

Thank you for your attention!

I'm not talking about complete HA; OPNsense already has this via the CARP protocol.

What I am saying is this, although the idea is very simple, I believe that logic and development involve a lot of knowledge.

Let's say that both the head office and branch office have two links to the internet.

I would very much like to be able to create an IPsec failover that does the following:

If one of the links falls, IPsec or routing migrates to the other tunnel and vice versa, and for that we have some options.

For example:

1 - I have two IPsec tunnels, one in standby in case the main tunnel falls, and the second one takes over.

2 - I have two tunnels and the two become active, and what controls is the routing with metrics.

I think it's like a WAN Failover Group, but with IPsec.
#52
Hi Franco,
I was reading this documentation. Really, it does not say anything in time, and as you said, the longer the weaker time, the more security.

The issue is that I have an IPsec with a Fortinet that is falling every now and then, and in the Lifetime field we put 172800 seconds ...

We began to suspect that it could be some time-related problem, because it is always when the time expires and tries to generate another key.

But anyway, thank you very much for your attention !!
#53
Hi everyone!

I do not know if it's with the community of OPNsense or with the community and strongSwan documentation. But does anyone know what the maximum time is that I can put in the Phase 1 and Phase 2 "Lifetime" fields of the IPsec settings?

Thanks!
#54
Hello everyone.

I want very much to have the IPsec failover feature as well as multiple enterprise distributions have it.

I believe this is a very important and essential feature that would make OPNsense stand above the other open-source market distros.

I do not know if the development staff is already thinking about implementing ...

I know that it is an advanced resource and very complicated to implement, but I am willing to participate in some project, since I really need this functionality ...

How can we start such a project? If there is anyone else interested, it would be better.

Thank you all!
#55
In time...

I noticed that if I use the rules in "Floating" it works... I'm using the internal IP.
#56
Hello!

I installed OPNSense 17.1.4 and immediately upgraded to version 17.1.9.

From then on the firewall rules such as ping, ssh no longer worked.

If I disable the firewall, it works perfectly.

I have production versions 17.1.8, 17.1.7 and 16.x.x running perfectly.

Is there a way I can downgrade?

I know you have opnsense-revert, but it's package-by-package.

Can you downgrade all packages at one time?
#57
Hello,

I have just closed 2 IPsec tunnels with a Fortinet and I am having communication with ping and other protocols, however I am getting the message below:

Jun 30 00:56:55 charon: 04 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:55:43 charon: 08 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:54:03 charon: 05 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:49:56 charon: 05 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:48:45 charon: 05 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:47:15 charon: 12 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:44:36 charon: 09 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:44:09 charon: 15 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)

I am using AES128 and SHA-1 in all phases 1 and phases 2.

Does anyone know what it can be?

I'm using:
OPNsense 16.7.14_2-amd64
FreeBSD 10.3-RELEASE-p14
OpenSSL 1.0.2j 26 Sep 2016


Thanks!
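A defender-side parse of the charon lines quoted in this post, as an added example that is not part of the post or of strongSwan/OPNsense: it groups the [KNL] "unable to query SAD entry" messages by SPI and reports how often, over what window and on which worker threads each SPI recurs, so a single SPI that keeps failing (as here, eight times in under 13 minutes) stands out from a one-off. The two extra log lines (SPI 0badc0de and the [IKE] line) are constructed for the example and are not from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the charon lines quoted in the post, plus two constructed lines
# (a second SPI with a single failure, and an unrelated [IKE] line) to show
# that grouping and filtering work as intended.
SAMPLE_LOG = """\
Jun 30 00:56:55 charon: 04 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:55:43 charon: 08 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:54:03 charon: 05 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:50:10 charon: 06 [KNL] unable to query SAD entry with SPI 0badc0de: No such file or directory (2)
Jun 30 00:49:56 charon: 05 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:48:45 charon: 05 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:47:15 charon: 12 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:44:36 charon: 09 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:44:09 charon: 15 [KNL] unable to query SAD entry with SPI cc41f65b: No such file or directory (2)
Jun 30 00:43:30 charon: 03 [IKE] retransmit 1 of request with message ID 0
"""

# syslog prefix, then charon's "<thread> [SUBSYSTEM] message" layout
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"charon: (?P<thread>\d+) \[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$"
)
SAD_RE = re.compile(r"unable to query SAD entry with SPI (?P<spi>[0-9a-f]{8})")


def parse_line(line):
    """Split one charon log line into timestamp, thread, subsystem and message.

    Returns None for lines that do not follow the charon layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; the default year is fine for intra-day deltas
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "thread": int(m["thread"]), "subsys": m["subsys"], "msg": m["msg"]}


def sad_failures_by_spi(log_text, min_count=3):
    """Group kernel-interface SAD lookup failures by SPI.

    Returns {spi: {count, first, last, span_seconds, threads}} for every SPI
    that failed at least min_count times; SPIs below the threshold are dropped
    so that a single transient failure during rekeying does not raise noise."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["subsys"] != "KNL":
            continue
        s = SAD_RE.search(rec["msg"])
        if s:
            hits[s["spi"]].append(rec)

    report = {}
    for spi, recs in hits.items():
        if len(recs) < min_count:
            continue
        times = sorted(r["ts"] for r in recs)
        report[spi] = {
            "count": len(recs),
            "first": times[0].strftime("%b %d %H:%M:%S"),
            "last": times[-1].strftime("%b %d %H:%M:%S"),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "threads": sorted({r["thread"] for r in recs}),
        }
    return report


if __name__ == "__main__":
    for spi, info in sad_failures_by_spi(SAMPLE_LOG).items():
        print(f"SPI {spi}: {info['count']} failures between {info['first']} and "
              f"{info['last']} ({info['span_seconds']} s) on threads {info['threads']}")
```

On the sample, only SPI cc41f65b crosses the default threshold: eight failures spread over 766 seconds, which is the pattern worth correlating with the tunnel's rekey and DPD timing rather than a single stale entry. The same function runs unchanged over a full `/var/log/ipsec.log` read into a string.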
#58
Hello, I do not know how to delete the topic, but for information, the problem was in the WAN interface configuration. Even if I selected the gateway, it did not save the configuration; I had to edit the interface configuration and add the gateway again. From that moment the connectivity between LAN and WAN worked perfectly.

Interesting that even though the gateway was not set up on the WAN interface, I could navigate from within the firewall to the internet.

Well ... sorry for the inconvenience.
#59
17.1 Legacy Series / NAT problem or firewall rules?
June 26, 2017, 03:12:02 PM
Hello, I installed a clean version of 17.1.4 and then upgraded to version 17.1.8, and for some reason my internal network does not browse, even when allowing ALL traffic to the internet.

I do not know if it's a NAT issue or if the rules are not being applied correctly.