ipsec routing problem after adding failover WAN

Started by mircsicz, April 04, 2019, 12:34:41 PM

April 04, 2019, 12:34:41 PM Last Edit: April 04, 2019, 03:47:17 PM by mircsicz
Hi hi,

I've got two APU-based OPNsenses which are connected using IPsec



After I've added MultiWAN with a failover config on location#1:


I modified the firewall rules like so:


But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 and "DS net" is 10.10.5.0/24

Hope one of you spots my failure...

Check in the IPsec tunnel if "Install Policy" is ticked. There was an error introduced in 19.1.4 affecting only newly installed tunnels.

@mimugmail: THX for your reply, but both of the systems have been running since 16/17 and both of the tunnels have been there for a while... But I checked anyway and the tunnels have it checked on both sides of the connection.

So, the IPSEC connection is established, CS net can reach DS net but not vice versa, correct?
Rules look fine. tcpdump on interface enc0 via console would help.

April 04, 2019, 03:46:28 PM #4 Last Edit: April 04, 2019, 03:59:24 PM by mircsicz
Yes, the tunnels are established, and sorry for not stating that clearly in my intro!

I can't connect from 10.10.2.x to 10.10.23.2 (for example) but I can connect from 10.10.23.x to 10.10.2.2

I already created dumps on the OPNsense on location #1, one is from interface CS, the other from IPsec... All I tried to do is open an SSH connection behind the IPsec...

Then it's blocked on the other side in incoming direction I'd guess

April 04, 2019, 04:00:07 PM #6 Last Edit: April 04, 2019, 04:08:28 PM by mircsicz
Quote from: mimugmail on April 04, 2019, 03:57:14 PM
Then it's blocked on the other side in incoming direction I'd guess

Definitely not, as it worked before changing the WAN setup on location #1 ;-)

As picture-based approval:


Firewall log on location #1:


Firewall log on location #2:

I am experiencing a similar issue. I have noticed dropped ESP packets from the IPsec peer on the interface not configured for IPsec. If I remove the secondary WAN interface, the tunnel passes traffic. Odd thing is, both sides report the tunnel as up.

May be related, but I haven't had time to dig deeper.
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD

Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic

I had a similar problem.
You can try it out with a rule on the WAN interface for ESP any/any, to see if that is better then.
Then you can change the rule so that ESP is only allowed to both WAN IPs.

regards,
Ralf
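The two checks suggested in this thread (mimugmail's tcpdump on enc0, and Ralf's ESP any/any rule that is later narrowed to the peer WAN IPs) both come down to reading a tcpdump capture. The following is an added example, not code from the thread or from OPNsense: two small awk helpers that turn such captures into a yes/no answer. It assumes tcpdump was run with -n (numeric addresses), that the site networks are /24s given by their first three octets, that the WAN interface name is igb1 (hypothetical), and it uses constructed capture lines with documentation-range addresses as sample input.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense). Assumes tcpdump -n
# output; the interface name igb1 below is a placeholder.

# Count packets in each direction between two /24 prefixes on the tunnel
# interface, e.g.:  tcpdump -ni enc0 -c 200 | tunnel_flow_summary 10.10.2 10.10.5
tunnel_flow_summary() {
    awk -v a="$1" -v b="$2" '
        $2 == "IP" {
            # $3 is "src.port", $5 is "dst.port:" (no port for ICMP)
            split($3, s, "."); split($5, d, ".")
            src = s[1] "." s[2] "." s[3]
            dst = d[1] "." d[2] "." d[3]
            if (src == a && dst == b) ab++
            else if (src == b && dst == a) ba++
        }
        END { printf "out=%d in=%d\n", ab + 0, ba + 0 }'
}

# Turn a summary line ("out=N in=M") into a hint about where to look next.
tunnel_verdict() {
    o=${1#out=}; o=${o%% *}
    i=${1##*in=}
    if [ "$o" -eq 0 ] && [ "$i" -eq 0 ]; then echo "nothing-on-tunnel"
    elif [ "$i" -eq 0 ]; then echo "no-replies-from-peer"
    elif [ "$o" -eq 0 ]; then echo "only-peer-initiated"
    else echo "bidirectional"
    fi
}

# List which addresses actually send ESP to a WAN interface, most frequent
# first, e.g.:  tcpdump -ni igb1 -c 200 esp | esp_sources
# Use the result to restrict the ESP rule to the real peer WAN IPs.
esp_sources() {
    awk '$2 == "IP" && $6 ~ /^ESP\(/ { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample: two SSH SYNs leave via enc0, nothing comes back
# (the symptom described in this thread).
ENC0_SAMPLE='12:00:01.000001 IP 10.10.2.15.54321 > 10.10.5.2.22: Flags [S], seq 1, win 65535, length 0
12:00:02.000002 IP 10.10.2.15.54321 > 10.10.5.2.22: Flags [S], seq 1, win 65535, length 0'

# Constructed sample of a WAN capture: the peer plus one unrelated ESP sender.
WAN_SAMPLE='12:00:04.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x10), length 132
12:00:04.000002 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x11), length 132
12:00:04.000003 IP 192.0.2.77 > 198.51.100.20: ESP(spi=0x00000001,seq=0x1), length 60'

summary=$(printf '%s\n' "$ENC0_SAMPLE" | tunnel_flow_summary 10.10.2 10.10.5)
echo "enc0: $summary -> $(tunnel_verdict "$summary")"
echo "ESP senders on WAN:"
printf '%s\n' "$WAN_SAMPLE" | esp_sources
```

If the SYNs show up on enc0 but no reply ever does, the local policy and the outbound rules are doing their job and the fault is on the return path: either the peer's inbound rule or the reply arriving on the WAN interface that is not the IPsec one, which is what the dropped ESP packets reported above look like. If nothing shows up on enc0 at all, the traffic never reached the tunnel and the routing or policy on this side is the place to look.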

@va176thunderbolt For me this is no similar issue as I can connect from one side of the tunnel but not from the other side. Probably just my fault in the firewall settings...


Have you tried the rule for allowing ESP packets from any?

Since Ping from loc1 to loc2 is outgoing, from loc2 to loc1 incoming direction.

@ralf.kirmis

THX for the hint, just tried it but no change so far:

Does the live log from the firewall display denied packets?

April 05, 2019, 08:29:44 PM #13 Last Edit: April 05, 2019, 08:38:29 PM by mircsicz
@ralf.kirmis No, as shown in the above screenshot ;-)

Had a call with Jos, installing two patches solved the issue:


sudo opnsense-patch 7835e9c 198887ed


So I'll be skipping 19.1.5 or wait for the hotfix Franco has in the making ...  8)

EDIT: seems to be already out:

[13/38] Fetching opnsense-19.1.5_1.txz: 100%    4 MiB   2.2MB/s    00:02