IPSec reported tunnels

Started by Manxmann, May 30, 2017, 02:57:26 PM

Hi Folks,

Sorry me again :)

More of an observation than a bug. I have a number of 'site to site' IPsec VPNs in place between 5 different sites. All sites run OPNsense, mostly 17.1.7, but one is 17.1.4.

Everything works and for the most part is trouble free, but on each host I see odd numbers reported for the number of connected tunnels. For example, I have one FW configured with one phase 1 link and two phase 2s using IKEv1. The Dashboard shows 4 Active tunnels and -2 In-Active.

I have also noted at times that all the tunnels on a host can be 'Active' and working and the Dashboard shows 0 Active and 0 in-active. When this occurs checking VPN/IPSec/Status Overview shows nothing. Restarting the StrongSWAN daemon corrects this.

Whilst this odd behaviour doesn't seem to affect the IPSec function it does make diagnosing problems somewhat tricky.

Cheers

For what it's worth, we see this too. It seems to resolve itself after a few minutes. I assume this is due to a change in strongswan. Probably this is caused by the renegotiation of the tunnels and the displayed numbers reflect the total of old and new keys.

Hi,

Sorry, this appeared when strongSwan was updated from 5.5.1 to 5.5.2, a very unlikely candidate for such changes. I caught the IPsec widget's tunnel reporting in time, but the other one was harder to track and would only pop up in a secondary install ever so sporadically.

https://github.com/opnsense/core/commit/a039ad4d

It will be part of 17.1.8 this week, but you can patch it right away to help confirm:

# opnsense-patch a039ad4d


Cheers,
Franco

Thanks Franco,

Patch applied, I'll report back on my progress.

root@XEN-FW:~ # opnsense-patch a039ad4d
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From a039ad4db4d5819fa427c694c94d09846a377e3e Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Fri, 19 May 2017 16:19:24 +0200
|Subject: [PATCH] ipsec: fix widget count after 5.5.2 update
|
|---
| src/www/widgets/widgets/ipsec.widget.php | 12 +++++++++---
| 1 file changed, 9 insertions(+), 3 deletions(-)
|
|diff --git a/src/www/widgets/widgets/ipsec.widget.php b/src/www/widgets/widgets/ipsec.widget.php
|index 4a98e13a5..58eb9e258 100644
|--- a/src/www/widgets/widgets/ipsec.widget.php
|+++ b/src/www/widgets/widgets/ipsec.widget.php
--------------------------
Patching file www/widgets/widgets/ipsec.widget.php using Plan A...
Hunk #1 succeeded at 34.
Hunk #2 succeeded at 66.
Hunk #3 succeeded at 109.
done
All patches have been applied successfully.  Have a nice day.
root@XEN-FW:~ #

Sir,

Please post a guide on how to configure an IPsec VPN, because this is required in our office.

Just site to site configuration, as I do not want inter-branch communication, only branch to central office.

I'm relatively new to OPNsense VPN implementation, so I need all the help I can get.

Ciao.