IPsec Routing Problem after Update to 22.7.x

Started by Hannes, August 10, 2022, 04:20:58 PM

I have a problem with IPsec since updating to OPNsense 22.7.x

IPsec Setup (Road Warrior)

Client: macOS 12

OPNsense 22.1.x
Connect with the client to the OPNsense network from "the road". All IPs on the VPN network are accessible; Internet routing goes through the client's Internet connection.

After Update to 22.7.x
Connect with the client to the OPNsense network from "the road". All IPs on the VPN network are accessible; Internet routing goes through the VPN connection, and Internet/DNS is not working or too slow.

I had this behavior before I found the setting "Provide a list of accessible networks to clients" (VPN/IPsec/Mobile Clients).

1. Did I describe the problem understandably?
2. Is there a quick fix - maybe in a configuration file on the OPNsense server?
3. Please do not offer solutions like "this is better" or "use WireGuard" - I'm interested in this solution, and it worked already, so I would like to fix it, thank you.

Greetings

August 14, 2022, 06:55:04 PM #1 Last Edit: August 15, 2022, 09:44:31 AM by Hannes
Further investigations:

strongswan.conf (OPNsense 22.7) (not working)

cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }

strongswan.conf (OPNsense 22.1) (working)

cisco_unity = yes
    plugins {
        attr {
            subnet = 192.168.100.0/24
            split-include = 192.168.100.0/24
            dns = 192.168.100.1
            # Search domain and default domain
            28674 = network.local
            28675 = network.local
            25 = network.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }



The file carries a warning: "# Automatically generated, please do not modify"

So the change needs to be made in OPNsense?

Thank you

Client macOS 12.5

netstat:

Connected with OPNsense 22.7 (not working) -> gateway is the vpn interface
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  10.1.99.100.51771      17.248.173.48.https    SYN_SENT


Connected with OPNsense 22.1 (working) -> local gateway is used
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  mbp-16-han.fritz.51894 10.5.1.113.net-assista SYN_SENT

August 15, 2022, 01:14:28 PM #3 Last Edit: August 15, 2022, 03:06:28 PM by Hannes
I tried to edit /usr/local/etc/strongswan.conf -> the file gets recovered by the system on restart of strongswan

I tried to create /usr/local/etc/strongswan.opnsense.d/include.conf -> works!

-----
starter {
}
charon {
    plugins {
        attr {
            subnet = 10.1.1.0/24
            split-include = 10.1.1.0/24
        }
    }
}
-----
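As an added example (not code from this thread, from OPNsense or from strongSwan), here is a small Python check that parses strongswan.conf-style brace sections and reports whether `charon.plugins.attr` carries the `subnet` and `split-include` keys, so the effect of an include file can be verified before mobile clients reconnect. The two config texts are constructed samples modelled on the snippets posted above; the merge step assumes that same-named sections from an included file are layered over the generated ones, which is a simplification of strongSwan's include handling.

```python
import ipaddress

# Constructed sample modelled on the include.conf posted in this thread
# (hypothetical path: /usr/local/etc/strongswan.opnsense.d/include.conf).
INCLUDE_CONF = """\
starter {
}
charon {
    plugins {
        attr {
            subnet = 10.1.1.0/24
            split-include = 10.1.1.0/24
        }
    }
}
"""

# Constructed sample of a generated attr section that lacks the two
# split-tunnel keys, i.e. the situation described for 22.7.
GENERATED_CONF_22_7 = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
    }
}
"""


def parse_strongswan_conf(text):
    """Parse strongswan.conf's brace-delimited sections into nested dicts.

    Leaf settings become strings, sections become dicts; '#' comments and
    blank lines are skipped. Raises ValueError on unbalanced braces.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def attr_section(conf):
    """Return charon.plugins.attr, or an empty dict if any level is absent."""
    return conf.get("charon", {}).get("plugins", {}).get("attr", {})


def missing_split_keys(conf):
    """Names of the split-tunnel keys absent from charon.plugins.attr."""
    attr = attr_section(conf)
    return [key for key in ("subnet", "split-include") if key not in attr]


def invalid_networks(conf):
    """(key, value) pairs in subnet/split-include that are not valid CIDR networks.

    Both keys take a comma-separated list, so each entry is checked on its own;
    strict=True rejects entries with host bits set (e.g. 10.1.1.5/24).
    """
    bad = []
    for key in ("subnet", "split-include"):
        for item in attr_section(conf).get(key, "").split(","):
            item = item.strip()
            if not item:
                continue
            try:
                ipaddress.ip_network(item, strict=True)
            except ValueError:
                bad.append((key, item))
    return bad


def merged_attr(generated_text, include_text):
    """Simplified model of the daemon's view: include keys layered over the generated attr section."""
    attr = dict(attr_section(parse_strongswan_conf(generated_text)))
    attr.update(attr_section(parse_strongswan_conf(include_text)))
    return attr


if __name__ == "__main__":
    generated = parse_strongswan_conf(GENERATED_CONF_22_7)
    print("generated 22.7 attr section is missing:", missing_split_keys(generated))
    merged = merged_attr(GENERATED_CONF_22_7, INCLUDE_CONF)
    print("after include.conf the attr section has:", sorted(merged))
```

Run it against the real files by reading them instead of the constructed strings; a non-empty result from `missing_split_keys` after the include is in place means clients will still receive no split-tunnel attributes and will route all traffic into the tunnel.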

Thanks, this is helpful. I have >30 entries in "subnet" and "split-include".

Did you copy the whole content of strongswan.conf into include.conf, or just the missing part?

What would also interest me is whether this behaviour is a "feature" or a bug. I will probably try vs. 22.1.10 in the evening.

August 16, 2022, 02:08:59 PM #5 Last Edit: August 16, 2022, 02:27:32 PM by Hannes
Hi eell!

Thank you for the reply!

I copied just the missing part to the include.conf with the necessary brackets and header.

Really missing are just these 2 lines:
subnet = 10.1.1.0/24
split-include = 10.1.1.0/24

IMO this is a bug - it worked with 22.1.x (when you activated "Provide a list of accessible networks to clients"), but the 2 lines disappeared with 22.7 and don't come back, even if you activate the button.

Greetings

Hannes

Thank you Hannes,

Worked like a charm. I did not try 22.1 as you did this already. But I filed a bug report: #5960

Best regards

Thanks for the ticket. Commit causing this has likely been found and ticket assigned over to author for inspection.

Cheers,
Franco