Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
IPsec phase 2 SAs drop for no apparent reason
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPsec phase 2 SAs drop for no apparent reason (Read 2500 times)
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
IPsec phase 2 SAs drop for no apparent reason
«
on:
October 10, 2021, 08:05:11 pm »
Hi all,
we have mostly successfully migrated our ancient Sidewinder firewall cluster to a HA pair of OPNsense on Deciso's very nice machines.
One single issue that troubles us: some but not all IPsec VPN connections to business partners, while correctly migrated and "up and running" drop their phase 2 SAs from time to time and do not re-establish them unless someone restarts the strongSwan service. I cannot see a pattern in the configuration.
All tunnels we run are set to "Start immediate" for phase 1.
I have set Keyingtries to "-1" for all tunnels.
I tried to manually edit the /usr/local/etc/ipsec.conf file and add "closeaction = restart" to each phase 2 entry, but it seems that even a service restart from the UI regenerates the config and deletes my changes.
So, first: can someone point me at the code that generates the ipsec.conf file - I would just hardwire that parameter for now and if that fixes things, I'd be more than willing to provide a pull request.
I did not find any jinja template or anything remotely MVC that does this. I assumed all of OPNsense could be found at /usr/local/opnsense/mvc/... but apparently I'm wrong.
Any other ideas? What particular debug setting to set to "more verbose" and what to look for in the log file would also help greatly. I have no experience with strongSwan, apart from commercial products I always used the standard FreeBSD kernel IPsec and racoon ...
Kind regards,
Patrick
P.S. Of course there are some tunnels that are just rock solid. Like IKEv1 ones to several Fritzbox routers or an IKEv2 one to another OPNsense. Unfortunately I won't convince our enterprise customers to switch their expensive Cisco/Checkpoint/... gear.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: IPsec phase 2 SAs drop for no apparent reason
«
Reply #1 on:
October 11, 2021, 04:40:39 pm »
No ideas?
I took it to the strongSwan mailing list:
https://lists.strongswan.org/pipermail/users/2021-October/015130.html
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Fright
Hero Member
Posts: 1777
Karma: 164
Re: IPsec phase 2 SAs drop for no apparent reason
«
Reply #2 on:
October 11, 2021, 07:27:15 pm »
hi
Quote
someone point me at the code that generates the ipsec.conf file
try this one
https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/ipsec.inc
Logged
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: IPsec phase 2 SAs drop for no apparent reason
«
Reply #3 on:
October 11, 2021, 07:48:11 pm »
Line 1656 to hardwire $things per conn entry. Thanks!
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: IPsec phase 2 SAs drop for no apparent reason
«
Reply #4 on:
October 12, 2021, 04:42:26 pm »
https://github.com/opnsense/core/pull/5275
«
Last Edit: October 12, 2021, 06:20:37 pm by pmhausen
»
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Cerberus
Jr. Member
Posts: 63
Karma: 4
Re: IPsec phase 2 SAs drop for no apparent reason
«
Reply #5 on:
October 14, 2021, 11:50:19 am »
Hi,
yes i noticed that for some weeks, sometimes ipsec tunnels are down and ipsec status show that phase 1 is up but all phase 2 are missing. I have to press restart on opnsense to get it fixed, triggering a restart from the peer does not bring the phase 2 back.
«
Last Edit: October 14, 2021, 11:58:40 am by Cerberus
»
Logged
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: IPsec phase 2 SAs drop for no apparent reason
«
Reply #6 on:
October 14, 2021, 01:10:36 pm »
Solution here:
https://github.com/opnsense/core/commit/bb9b8820c6a2725730598bd3ee77b11e626b1186
Hopefully in a regular minor update soon.
Kind regards,
Patrick
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
IPsec phase 2 SAs drop for no apparent reason