IPsec issues with 24.7.2

Started by HollinCH, August 23, 2024, 02:28:54 PM

FYI: Shipping these to patches in 24.7.3 today.

Quote from: allan on August 29, 2024, 01:49:43 AM
Quote from: guyp2k on August 28, 2024, 06:27:42 PM
Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPsec tunnels dropping. I am terminating between a Sonicwall 2650 and OPNsense; prior to 24.7.2 no issues, now having issues w/ P2 dropping. Below is the issue I think, and I have validated that proposals match:

2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]

The Sonicwall does not have PFS enabled. This is confirmed by the missing MODP_2048 in received proposals. You should pick "default" for your ESP.

Thank You, I enabled PFS on the SW and all is good.
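The PFS diagnosis allan made by eye above (a DH group present in the configured ESP proposals but absent from the received ones) can be automated over charon log lines. The following is an added example, not code from the thread or from OPNsense/strongSwan; the log text is a constructed sample modelled on the lines quoted above, and it also covers the reverse case (PFS on the remote side only) and plain cipher mismatches.

```python
import re

# Constructed sample modelled on the charon lines quoted in the thread
SAMPLE_LOG = """\
2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

PROPOSALS_RE = re.compile(r"\[CFG\] (configured|received) proposals: (.*)$")
# strongSwan DH group names; they appear in an ESP proposal only when PFS is enabled
DH_RE = re.compile(r"^(MODP_\d+|ECP_\d+|CURVE_25519|CURVE_448)$")


def parse_proposals(text: str) -> list[frozenset[str]]:
    """'ESP:A/B/C, ESP:D/E' -> [{A,B,C}, {D,E}], one transform set per proposal."""
    out = []
    for prop in text.split(","):
        prop = prop.strip()
        if ":" in prop:
            prop = prop.split(":", 1)[1]  # drop the ESP:/AH: protocol prefix
        out.append(frozenset(t for t in prop.split("/") if t))
    return out


def dh_groups(proposals: list[frozenset[str]]) -> set[str]:
    return {t for p in proposals for t in p if DH_RE.match(t)}


def diagnose(log: str) -> dict:
    """Compare configured vs received ESP proposals and say whether the
    'no acceptable proposal found' is explained by a one-sided PFS setting."""
    sides = {}
    for line in log.splitlines():
        m = PROPOSALS_RE.search(line)
        if m:
            sides[m.group(1)] = parse_proposals(m.group(2))
    if "configured" not in sides or "received" not in sides:
        return {"verdict": "no proposal lines found"}
    local, remote = dh_groups(sides["configured"]), dh_groups(sides["received"])
    # Would any pair of proposals match once the DH group is ignored?
    strip = lambda p: frozenset(t for t in p if not DH_RE.match(t))
    ciphers_match = any(strip(a) == strip(b) for a in sides["configured"] for b in sides["received"])
    if local and not remote and ciphers_match:
        verdict = "peer sent no DH group: PFS disabled on remote, enabled locally"
    elif remote and not local and ciphers_match:
        verdict = "peer sent a DH group: PFS enabled on remote, disabled locally"
    elif not ciphers_match:
        verdict = "cipher/integrity transforms differ; not (only) a PFS mismatch"
    else:
        verdict = "DH groups present on both sides: compare the groups themselves"
    return {"local_dh": local, "remote_dh": remote, "verdict": verdict}
```

Run it with `diagnose(SAMPLE_LOG)` or feed it the `[CFG]` lines from the OPNsense IPsec log; the verdict for the sample above is the one allan reached.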

Hello my friends,

I was still having big problems with our IPsec site-to-site setup (especially with the two locations using PPPoE DSL). The solution that worked for me was the following:

"The host suggested setting the MSS to 1300 for IPsec connections. I did this under Firewall -> Settings -> Normalization -> Max MSS 1300 for the IPsec interface. To test if this setting works, I tried pinging over the tunnel with a payload larger than 1300 and the 'Don't Fragment' flag."

We didn't have this issue before @franco – maybe you can take a look at it, and perhaps my solution will help others.

Cheers, 
Ruxor