IPsec second tunnel affects first tunnel

Started by opnforumuser, October 16, 2022, 01:37:52 PM

Hi,
We have two tunnels, T1 and T2, to another data center. T1 has been running since early 2022 and works fine.
A new tunnel T2 affects the first: no packets go through T1 once T2 is established in phase 1.
It doesn't matter whether T2-Phase2 is enabled or disabled.
Any suggestions?
Here is our basic configuration:



IPsec T1, all IPs single address /32

| T1 | remote       | local        | Port       |
| -- | ------------ | ------------ | ---------- |
| P1 | 195.3.3.30   | 62.2.2.10    |            |
| .  |              |              |            |
| P2 | 192.30.30.30 | 10.50.50.100 | Any - 3050 |


IPsec T2, all IPs single address /32

| T2 | remote       | local        | Port       |
| -- | ------------ | ------------ | ---------- |
| P1 | 195.3.3.30   | 62.2.2.20    |            |
| .  |              |              |            |
| P2 | 192.40.40.40 | 10.50.50.200 | Any - 3306 |

local = OPNsense v.22.7.6
remote = cisco ASA v.?


It looks like you can't have two tunnels running to the same remote gateway.

Solution: we changed it to one tunnel and now it works.



IPsec T1, all IPs single address /32

| T1 | remote       | local        | Port       |
| -- | ------------ | ------------ | ---------- |
| P1 | 195.3.3.30   | 62.2.2.10    |            |
| .  |              |              |            |
| P2 | 192.30.30.30 | 10.50.50.100 | Any - 3050 |
| P2 | 192.40.40.40 | 10.50.50.200 | Any - 3306 |


It depends on how the other end is configured. The "tunnel isolation" option would have likely fixed the original behaviour.

In those cases the other end only accepts one phase 2 per phase 1 and so the second phase 2 will overwrite the first phase 2.


Cheers,
Franco

He tried to run two phase 1 SAs between the same peers if I got that right.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Well, what I got was that the ASA was configured as

P1 - P2
P1 - P2

And OPNsense was

P1 - P2, P2

Then he changed the ASA to the same configuration and it started working. Tunnel isolation would have fixed this from the OPNsense end, leaving the first ASA configuration as is.

Not too long ago I learned that multiple P2s on a single P1 are meant for situations where all participating networks will see each other by default, and P1-isolated P2s will not be able to see each other unless more routing is configured on the box in question. That's why in these misconfigurations the multiple P2s are ignored and the last one is the only one active...


Cheers,
Franco

October 20, 2022, 11:45:46 AM #5 Last Edit: October 20, 2022, 11:59:42 AM by opnforumuser
Hi,
We had switched on tunnel isolation.

FYI
Before we changed the config from one to two, we tested everything with support from the ASA side.
We checked that all tunnel settings were identical.
asa
- T1 - P1 - P2
- T2 - P1 - P2
opn
- T1 - P1 - P2
- T2 - P1 - P2

The two tunnels came up and both worked fine.
It was surprising and I couldn't understand why it worked.
Then, after an hour, the first tunnel blocked all traffic.

That's exactly the P2 lifetime = 3600 seconds.
There may be a problem with rekeying.

We are happy that the tunnels are now stable.
We can't do any further experiments regarding the first configuration.

Thanks for all the help regarding our problem.

PS:
Another piece of information:
The ASA has two options for rekeying in Phase-2.
1. Lifetime in seconds
2. Number of kilobytes of processed data
The setting can be 1 or 2 or both.
When connecting to OPNsense, only option 1 should be active.
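As an added illustration (not code from the thread or from OPNsense), the following script lints a tunnel inventory for the two pitfalls discussed above: two separate phase-1 SAs to the same remote gateway, and a phase-2 rekey driven by data volume. The data model and the `BEFORE` inventory are constructed here; the addresses mirror the poster's tables, and the kilobyte value is a made-up placeholder.

```python
"""Checks for the two pitfalls raised in the thread: two separate phase-1 SAs
to one remote gateway (the ASA end kept only the last phase 2) and a phase-2
rekey triggered by data volume. Data model and inventory are constructed."""
from dataclasses import dataclass, field

@dataclass
class Phase2:
    local: str             # local host/subnet, e.g. "10.50.50.100/32"
    remote: str
    life_kbytes: int = 0   # 0 = volume-based rekey disabled (what the ASA needed)

@dataclass
class Phase1:
    name: str
    local_gw: str
    remote_gw: str
    phase2: list = field(default_factory=list)

def lint(tunnels):
    """Return findings as strings; an empty list means neither pitfall is present."""
    findings, by_peer = [], {}
    for t in tunnels:
        by_peer.setdefault(t.remote_gw, []).append(t.name)
    for peer, names in by_peer.items():
        if len(names) > 1:
            findings.append(f"duplicate phase 1 to {peer}: {', '.join(names)} "
                            "(merge into one P1 or enable tunnel isolation)")
    for t in tunnels:
        for p2 in t.phase2:
            if p2.life_kbytes:
                findings.append(f"{t.name}: P2 {p2.local}->{p2.remote} rekeys by "
                                f"volume ({p2.life_kbytes} kB); use seconds only")
    return findings

def merge(tunnels):
    """Collapse every P1 to the same peer into the first one (the working layout)."""
    merged = {}
    for t in tunnels:
        if t.remote_gw in merged:
            merged[t.remote_gw].phase2.extend(t.phase2)
        else:
            merged[t.remote_gw] = Phase1(t.name, t.local_gw, t.remote_gw, list(t.phase2))
    return list(merged.values())

# Constructed inventory mirroring the thread's original T1/T2 layout.
BEFORE = [
    Phase1("T1", "62.2.2.10", "195.3.3.30", [Phase2("10.50.50.100/32", "192.30.30.30/32")]),
    Phase1("T2", "62.2.2.20", "195.3.3.30",
           [Phase2("10.50.50.200/32", "192.40.40.40/32", life_kbytes=1000000)]),
]
```

Running `lint(BEFORE)` reports both issues; `merge(BEFORE)` yields the single-P1, two-P2 layout the poster ended up with, after which only the volume-rekey finding remains.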