IPsec phase 2 rekey changes lately?

Started by Patrick M. Hausen, December 20, 2024, 12:55:23 PM

Hi all,

24.7.9 --> 24.7.11_2

Tunnel to a Sophos appliance claims to be up, but no traffic is passing in at least one direction. We have 3 phase 2 SAs and it seems that the problem occurs whenever there's a rekey happening. All hints welcome.

Thanks and kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The only apparent change is:

o ipsec: remove hashing algorithm from null cipher

But I'm hoping you did not use a null cipher. Otherwise I have no clue. Wouldn't guess it was updated code, but in any case you can try opnsense-revert to use the core from 24.7.10 or 24.7.9 to see if it's the same or better.


Cheers,
Franco

Hello,

I have the same problem: after one or two hours the traffic stops, but the tunnel (phase 1 and 2) is up. Attached you can find screenshots of the configuration.

Thank you

January 02, 2025, 10:09:07 AM #3 Last Edit: January 02, 2025, 10:11:00 AM by Monviech (Cedrik)
I had these issues mostly with Sophos XG firewalls.

They are most likely caused by Sophos since they mess around with their VPN a lot (at least in XG).

I mitigated that with Phase 1 Lifetime of 2400s and Phase 2 Lifetime of 600s. Using RSA instead of PSK also seems to help. Another thing is not doing multiple children, but putting all networks into one child on both sides (if possible)

Sophos should be the initiator and OPNsense the responder.

I have had these issues for 2-3 years with Sophos XG, also to other firewalls like Juniper when I still ran them.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on January 02, 2025, 10:09:07 AM
I had these issues mostly with Sophos XG firewalls.

Nailed it :) I'll try your suggestions.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It's a Sophos SG at the other end. Another tunnel for the same customer with an XG has been working fine ever since initial setup.
We lowered the rekey times significantly as suggested and now the tunnel fails every 10 minutes when a phase 2 rekey occurs.

This is the relevant (I figure) line in the OPNsense log:
2025-01-13T14:41:16 Informational charon 03[NET] received unsupported IKE version 11.6 from *.*.*.*, sending INVALID_MAJOR_VERSION
And this is the Sophos side:
2025:01:13-14:38:48 sg01 pluto[6636]: "S_S2S-VPN-***********" #122652: max number of retransmissions (2) reached STATE_MAIN_R1
2025:01:13-14:38:48 sg01 pluto[6636]: packet from *.*.*.*:500: ISAKMP version of ISAKMP Message has an unknown value: 169
2025:01:13-14:38:48 sg01 pluto[6636]: packet from *.*.*.*:500: sending notification INVALID_MAJOR_VERSION to *.*.*.*:500
2025:01:13-14:38:49 sg01 pluto[6636]: packet from *.*.*.*:500: next payload type of ISAKMP Message has an unknown value: 73
2025:01:13-14:38:49 sg01 pluto[6636]: packet from *.*.*.*:500: sending notification INVALID_MAJOR_VERSION to *.*.*.*:500

Any ideas?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
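To read the two log excerpts above side by side, here is an added diagnostic (not from this thread, and not OPNsense or Sophos code) that decodes the fixed ISAKMP header both daemons parse and converts charon's decoded "11.6" back into the raw byte that pluto prints as a decimal. The header layout is from RFC 2408 / RFC 7296; the sample datagrams are constructed, not captures.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed header shared by IKEv1 (RFC 2408 s.3.1) and IKEv2 (RFC 7296 s.3.1), 28 bytes:
# Initiator SPI(8) | Responder SPI(8) | Next Payload(1) | Version(1) |
# Exchange Type(1) | Flags(1) | Message ID(4) | Length(4)
HEADER = struct.Struct("!8s8sBBBBII")

@dataclass
class IsakmpHeader:
    next_payload: int
    major: int          # high nibble of the version byte
    minor: int          # low nibble of the version byte
    exchange_type: int
    flags: int
    message_id: int
    length: int

def parse_isakmp_header(pkt: bytes) -> IsakmpHeader:
    """Decode the fixed header of a datagram received on UDP/500."""
    if len(pkt) < HEADER.size:
        raise ValueError(f"datagram too short for an ISAKMP header: {len(pkt)} bytes")
    _ispi, _rspi, npl, ver, ext, flags, msgid, length = HEADER.unpack_from(pkt)
    return IsakmpHeader(npl, ver >> 4, ver & 0x0F, ext, flags, msgid, length)

def classify(h: IsakmpHeader) -> str:
    """Only major version 1 (IKEv1) and 2 (IKEv2) exist; anything else is what
    charon reports as 'unsupported IKE version' and answers with INVALID_MAJOR_VERSION."""
    if h.major == 1:
        return "IKEv1"
    if h.major == 2:
        return "IKEv2"
    return f"unsupported IKE version {h.major}.{h.minor}"

def version_byte_from_charon(line: str) -> Optional[int]:
    """charon logs major.minor; pluto logs the raw byte. Convert to compare them."""
    m = re.search(r"unsupported IKE version (\d+)\.(\d+)", line)
    if not m:
        return None
    return (int(m.group(1)) << 4) | int(m.group(2))

# Constructed samples (assumed values, not from the thread's captures):
# a well-formed IKEv1 Main Mode first message: SA payload next, version 1.0, exchange type 2
IKEV1_MAIN_MODE = HEADER.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
# a datagram whose version byte decodes to 11.6, as in the charon line above
BOGUS_11_6 = HEADER.pack(b"\xff" * 8, b"\xff" * 8, 73, 0xB6, 0, 0, 0, 28)
# a datagram whose version byte is 169 (0xA9), the decimal pluto printed
BOGUS_169 = HEADER.pack(b"\xff" * 8, b"\xff" * 8, 73, 169, 0, 0, 0, 28)
```

Note that 11.6 corresponds to byte 182 and pluto printed 169, so the two logs describe different bytes on the wire, which is worth checking against a packet capture on UDP/500 rather than assuming both sides saw the same datagram.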

SG only supports IKEv1, so we disabled DPD and additionally, after finding an old Strongswan Redmine issue, changed from AES256-SHA256-DH14 to AES128-SHA256-DH14. Still stalling, occasionally. Increasing the log verbosity and hoping to spot some hints, eventually.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'm interested in this, just can't add much right now.
Hardware:
DEC740