IPSec Connections VPN having Child SA Issue

Started by niravopn23, May 06, 2025, 05:56:28 PM

Hello,

I'm running the latest release of OPNsense, v25.1.5. I have 4 tunnels configured using the legacy IPsec and was able to transfer them over to the new Connections and disable the tunnels in legacy.

One of the tunnels I'm having issues with has two child objects:

My FW: "192.168.2.5/32"

Other FW: "10.168.9.1/32 and 172.2.2.1/32"

I can only connect to the first Child, "10.168.9.1". If I change the config and use "172.2.2.1" as the first Child, it will connect and "10.168.9.1" will be dropped. I have tried adding both tunnel IPs into one child object, but it's still the same issue: only the first will connect.

I don't have this issue when using the legacy tunnel, which is nearing EOL.

For the time being I have enabled legacy for "172.2.2.1" and a Connection for "10.168.9.1".

Can someone please provide some help? I'm lost.
Thank you,
Nirav

Quote from: niravopn23 on May 06, 2025, 05:56:28 PM
One of the tunnels I'm having issues with has two child objects:

My FW: "192.168.2.5/32"

Other FW: "10.168.9.1/32 and 172.2.2.1/32"

Try to put both into a single child.

I already tried that, but it's the same issue: only the first IP gets connected.
Thank you,
Nirav

Can anyone please provide some help?
Thank you,
Nirav

Did you ever get this resolved? Same issue here, and I ended up having child objects for each.

Quote from: guyp2k on May 18, 2025, 05:47:07 AM
Did you ever get this resolved? Same issue here, and I ended up having child objects for each.

Unfortunately no. I have tried separate child objects and only the first child obj will connect. If you got it working, can you provide some guidance? Currently I have a legacy tunnel for one child obj and the new Connections for the second.

Thank you,
Nirav

May 28, 2025, 05:13:11 PM #6 Last Edit: May 28, 2025, 05:14:46 PM by seroal
Hello all,

Today I wanted to build a tunnel in a similar scenario, where there are multiple remote networks in one child SA. I also get only one SA, with one of the remote networks, established. What kind of limitation is this? Is there a solution for it? Otherwise we will not be able to use OPNsense for our customers... This is a common scenario that needs to work.


Any feedback appreciated!
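A check a practitioner would want when chasing the "only the first network connects" symptom in this thread: OPNsense's Connections module drives strongSwan through swanctl, so `swanctl --list-sas` on the firewall shows which traffic selectors are actually installed per child SA. The script below is an added example for this thread, not code from OPNsense, strongSwan, or any poster. It parses that text output and reports which expected remote networks have no installed child SA. The sample output is constructed to follow swanctl's layout, and the connection and child names (con1, con1-child) are assumptions; the remote networks are the ones named in the thread.

```python
"""Report which remote networks of each IPsec child SA are actually installed,
by parsing the text output of `swanctl --list-sas`.

Added example for this thread; it is not OPNsense or strongSwan code. The
sample output below is constructed to follow swanctl's layout, and the
connection/child names (con1, con1-child) are assumptions.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample output: one IKE SA whose single child has two remote
# networks configured but only one of them installed (the thread's symptom).
SAMPLE_LIST_SAS = """\
con1: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 9c8d7e6f5a4b3c2d_r
  local  'fw.example.net' @ 203.0.113.10[4500]
  remote 'peer.example.net' @ 198.51.100.20[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 412s ago, rekeying in 13257s
  con1-child: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 412s ago, rekeying in 3011s, expires in 3548s
    in  c5f2a1b0,   1284 bytes,    14 packets,     3s ago
    out c0b1a2f5,   1102 bytes,    13 packets,     3s ago
    local  192.168.2.5/32
    remote 10.168.9.1/32
"""

# Remote networks each child is expected to carry (networks from the thread;
# the child name is an assumption).
EXPECTED_REMOTE_TS: Dict[str, Set[str]] = {
    "con1-child": {"10.168.9.1/32", "172.2.2.1/32"},
}

# Child SA header: two-space indent, "name: #id, reqid N, STATE, ..."
CHILD_RE = re.compile(r"^  (?P<name>[^:\s]+): #\d+, reqid \d+, (?P<state>[A-Z_]+),")
# Child traffic selectors: four-space indent, "local  a/b c/d" or "remote a/b c/d"
TS_RE = re.compile(r"^    (?P<side>local|remote)\s+(?P<ts>\S.*)$")
# States in which a child's selectors actually carry traffic.
LIVE_STATES = {"INSTALLED", "REKEYING"}


@dataclass
class ChildSA:
    name: str
    states: Set[str] = field(default_factory=set)
    local_ts: Set[str] = field(default_factory=set)
    remote_ts: Set[str] = field(default_factory=set)


def parse_child_sas(output: str) -> Dict[str, ChildSA]:
    """Collect per-child traffic selectors from `swanctl --list-sas` text.

    Several instances of the same child (e.g. during rekeying) are merged,
    so a selector counts as installed if any live instance carries it.
    """
    children: Dict[str, ChildSA] = {}
    current: Optional[ChildSA] = None
    live = False
    for line in output.splitlines():
        m = CHILD_RE.match(line)
        if m:
            name, state = m.group("name"), m.group("state")
            current = children.setdefault(name, ChildSA(name))
            current.states.add(state)
            live = state in LIVE_STATES
            continue
        m = TS_RE.match(line)
        if m and current is not None and live:
            # A line may carry several selectors separated by spaces.
            getattr(current, f"{m.group('side')}_ts").update(m.group("ts").split())
    return children


def missing_remote_ts(children: Dict[str, ChildSA],
                      expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per child, the expected remote networks that have no installed SA.

    A child that does not appear at all is reported with every network
    missing, which is what a second child that never came up looks like.
    """
    gaps: Dict[str, Set[str]] = {}
    for name, want in expected.items():
        have = children[name].remote_ts if name in children else set()
        missing = want - have
        if missing:
            gaps[name] = missing
    return gaps


def check_live(expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Run swanctl on the firewall (root shell) and check the real state."""
    out = subprocess.run(["swanctl", "--list-sas"], capture_output=True,
                         text=True, check=True).stdout
    return missing_remote_ts(parse_child_sas(out), expected)


if __name__ == "__main__":
    # Offline demo on the constructed sample; use check_live() on the box.
    sas = parse_child_sas(SAMPLE_LIST_SAS)
    for child in sas.values():
        print(f"{child.name}: local={sorted(child.local_ts)} "
              f"remote={sorted(child.remote_ts)}")
    for name, nets in missing_remote_ts(sas, EXPECTED_REMOTE_TS).items():
        print(f"{name}: no child SA installed for {sorted(nets)}")
```

On the firewall, replace `EXPECTED_REMOTE_TS` with the child names OPNsense generates for the connection (visible in the same `swanctl --list-sas` output) and the remote networks from the Connections page, then call `check_live()`. If the missing network never appears under `remote` for a live child, the gap is on the IKE side rather than in routing or firewall rules, which narrows where to look next.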