IPsec and State Synchronization - unexpected behavior
Topic: IPsec and State Synchronization - unexpected behavior (Read 761 times)
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1613, Karma: 176)
« on: September 15, 2023, 09:08:25 am »
I had this weird behavior between two OPNsense in HA while using IPsec (between DEC hardware and a VM with PCIe passthrough; all interface names are the same and there's a lagg).
Quite often, I connected an IKEv2 IPsec tunnel, phase 1 and phase 2 were up, but there was no traffic from the OPNsense back to the remote peer. It always worked the first time, but the second time it didn't. This behavior mostly affected roadwarrior connections with lots of reconnecting, and less so the site2site tunnels.
My troubleshooting led me to State Synchronization. In Sessions I could also see established TCP sessions even though the tunnel was down.
When I deleted the IP addresses of the traffic selector (e.g. 192.168.0.0/24) from the state table on both firewalls and restarted the IPsec tunnel, it worked again with Tx and Rx.
To mitigate this behavior:
I created extra firewall rules in Firewall: Rules: IPsec which timed out TCP faster (after 600 seconds).
Then I disabled state synchronization by setting the "State Type / NO pfsync" parameter for all rules in Firewall: Rules: IPsec.
I didn't come to a conclusion; I just know that my mitigations work and all roadwarriors can connect every time now. It would be interesting to know if that's an expected problem between hardware and a VM, or if it could theoretically happen between two hardware units too.
« Last Edit: September 15, 2023, 03:31:19 pm by Monviech »
Hardware:
DEC740
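The check the post describes (looking for leftover established states inside the tunnel's traffic selector while the tunnel is down, then deleting them on both firewalls) can be scripted against the pf state table. The helper below is an added example, not code from the post or from OPNsense: it parses the plain `pfctl -ss` state dump, reports every state whose source or destination lies inside a given selector such as 192.168.0.0/24, and builds the matching `pfctl -k` commands. The sample `pfctl -ss` output embedded in it is constructed for the example; the function names are this example's own.

```python
"""Find pf states inside an IPsec traffic selector (added example, not OPNsense code)."""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# One endpoint as printed by `pfctl -ss`: IPv4 "10.0.0.1:22" or IPv6 "[2001:db8::1]:22";
# the port is absent for some protocols, and a NAT translation may follow in parentheses.
_ENDPOINT = r"(\[[0-9a-fA-F:]+\]|[0-9.]+)(?::(\d+))?(?:\s+\([^)]*\))?"
STATE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+" + _ENDPOINT + r"\s+(<-|->|<->)\s+" + _ENDPOINT + r"\s+(\S+)\s*$"
)

# Constructed sample of `pfctl -ss` output (not a real capture): two TCP states and one
# ICMP state touch 192.168.0.0/24, one is the IKE/NAT-T UDP state, one is unrelated.
SAMPLE_PFCTL_SS = """\
all tcp 192.168.0.10:443 <- 10.10.10.5:51234       ESTABLISHED:ESTABLISHED
all tcp 10.10.10.5:51234 -> 192.168.0.10:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.7:4500 <- 198.51.100.9:4500       MULTIPLE:MULTIPLE
all icmp 10.10.10.5:12345 -> 192.168.0.20:12345       0:0
all tcp 10.10.10.5:60001 -> 172.16.5.5:22       ESTABLISHED:ESTABLISHED
"""


@dataclass(frozen=True)
class PfState:
    iface: str
    proto: str
    left: str            # left-hand endpoint address as printed by pfctl
    lport: Optional[int]
    direction: str       # "<-", "->" or "<->"
    right: str
    rport: Optional[int]
    state: str           # e.g. "ESTABLISHED:ESTABLISHED"


def parse_pf_states(text: str) -> List[PfState]:
    """Parse `pfctl -ss` lines; lines that do not match the expected layout are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        iface, proto, a, ap, d, b, bp, st = m.groups()
        states.append(PfState(iface, proto, a.strip("[]"), int(ap) if ap else None,
                              d, b.strip("[]"), int(bp) if bp else None, st))
    return states


def states_in_selector(states: List[PfState], selector: str) -> List[PfState]:
    """States whose left or right address falls inside the traffic selector network."""
    net = ipaddress.ip_network(selector, strict=False)
    hits = []
    for s in states:
        try:
            a, b = ipaddress.ip_address(s.left), ipaddress.ip_address(s.right)
        except ValueError:
            continue
        if a.version == net.version and (a in net or b in net):
            hits.append(s)
    return hits


def kill_commands(selector: str) -> List[str]:
    """pfctl commands that remove states with the selector as source, then as destination
    (a second -k gives the destination; an all-zero first -k means any source)."""
    net = ipaddress.ip_network(selector, strict=False)
    any_net = "0.0.0.0/0" if net.version == 4 else "::/0"
    return [f"pfctl -k {selector}", f"pfctl -k {any_net} -k {selector}"]


def summarize(text: str, selector: str) -> dict:
    """Counts a practitioner would compare against 'tunnel up, no return traffic'."""
    states = parse_pf_states(text)
    hits = states_in_selector(states, selector)
    established = [s for s in hits if s.proto == "tcp" and s.state.startswith("ESTABLISHED")]
    return {"total": len(states), "in_selector": len(hits), "established_tcp": len(established)}


if __name__ == "__main__":
    # On a live OPNsense/FreeBSD host read the real table; elsewhere fall back to the sample.
    try:
        dump = subprocess.run(["pfctl", "-ss"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        dump = SAMPLE_PFCTL_SS
    selector = "192.168.0.0/24"   # the traffic selector from the post
    print(summarize(dump, selector))
    for s in states_in_selector(parse_pf_states(dump), selector):
        print(f"{s.proto:5} {s.left}:{s.lport} {s.direction} {s.right}:{s.rport}  {s.state}")
    print("to flush on both HA nodes:", *kill_commands(selector), sep="\n  ")
```

Run it on each HA node while the tunnel is reported up but carries no return traffic; a non-zero `established_tcp` count inside the selector on the node that is not carrying the tunnel is the leftover-state situation the post describes. The "State Type / NO pfsync" setting the poster applied is the per-rule `no-sync` state option in pf, which stops such states from being replicated to the peer in the first place.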