IPSec Azure Issue 18.1.4

Started by Aergan, March 12, 2018, 04:52:36 PM

Hi there,

I upgraded from 18.1.2 through to 18.1.4 and now my IPSec site-to-site tunnel to Azure will no longer work correctly after 15~20 minutes, then results in the following:

charon: 07[IKE] establishing IKE_SA failed, peer not responding
Mar 12 15:45:27    charon: 07[IKE] giving up after 5 retransmits
Mar 12 15:45:18    charon: 13[CFG] ignoring acquire, connection attempt pending
Mar 12 15:45:18    charon: 14[KNL] creating acquire job for policy x.x.x.x/32 === y.y.y.y/32 with reqid {6}

And connection down.

To get it to reconnect I either have to reboot OPNsense or delete and recreate the connection on Microsoft Azure. Restarting IPsec / disable & reenable does not solve it.

Previously this has been working fine in 17.7 through to 18.1.2.
Connection type is IKEv2.
I've tried both with "Prefer older SAs" enabled and disabled and it seems to have no effect. In an older release of OPNsense I needed to have it enabled but haven't for a long time.

Hi,

Can you try again with the older strongSwan?

# opnsense-revert -r 18.1.3 strongswan


Cheers,
Franco

That certainly seems to have sorted it. Instantly connected and has remained up so far.

Just to confirm, no configuration changes and tunnel is still up and working correctly.

Hi Aergan,

There is an amendment patch to the recent update we missed during the release process (it takes a day to build all and this didn't flag in our test env).

I'm guessing that's the issue:

https://wiki.strongswan.org/issues/2579

It'll be in 18.1.5 and I'll try to post a test version to make sure before that comes out. Are you on amd64 LibreSSL or OpenSSL?


Cheers,
Franco

Looks about right, reboot sorts it etc. Thanks for finding a probable cause, appreciated.

I'm on OpenSSL

Hey Aergan,

Should be ok now on 18.1.5?


Thanks,
Franco

Hi there, currently testing and so far it's been up for 14 hrs with no issue on 18.1.15. Shall see how it fares after a reboot later on.

Ok, nice, don't expect any more issues. :)