IPSEC breaks networking

Started by JustTed, November 03, 2020, 10:01:30 PM

New to OPNsense, so it could be me, but it seems very odd behaviour.

Creating a route-based IPSEC VPN as per https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

As soon as I create the phase 2 policy, just as described, everything stops networking-wise. Can't even ping the OPNsense server.

So I go onto console, 'configctl ipsec stop' - everything comes back. And all is fine if I disable the phase 2 policy, and then restart ipsec.

I can't see anything in the phase 2 policy that would affect it like that. What could be happening? Have updated to the latest firmware.

You used live addresses as tunnel network?
Screenshots please ...

By live addresses, what do you mean exactly? These are the IP addresses for the tunnel, surely, so they are arbitrary? I used the same addresses as in the example.


One of the things I've noticed, JIC it's relevant, is that the console shows the local endpoint IP for the tunnel as the IP that is dynamically assigned to the PPPoE connection, whereas it should be one of the static IP addresses I have added to the interface (and defined in phase1)


When IPsec is off, does any interface have IPs from the tunnel?

No, and I've tried all sorts of different addresses on the tunnel to see if that made a difference, but no...

Then I need netstat -nr output from when the system is unavailable, and ipsec.log.

Attached. Interestingly the ipsec.log is filling up with a *lot* of nulls. I had to chop a load out just to get it under the max attachment size.


Nov  4 13:38:12 OPNsense charon[45164]: 13[KNL] can't install route for 60.139.124.132/32 === 61.74.23.234/32 out, conflicts with IKE traffic

Sounds weird. Are you sure you entered the correct IP addresses for the peers?
"The S in IoT stands for Security!" :)

Yes that .234 address is the remote endpoint for the VPN. Not sure why it's saying it's conflicting?

Ok so one issue sorted - I had to uncheck "install policy", then the phase 2 policy stopped taking the traffic down!

The issue remaining is that the "Local IP" in VPN status is showing up as the dynamically assigned IP on the PPPoE interface. Here, there is an additional static /29 assigned by the Internet provider.

I have manually added one of the static IPs as an IP Alias to the WAN interface, but it could also go in Interfaces/PointToPoint/Devices/PPPoE - which is correct?
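Added example, not part of this thread and not OPNsense or strongSwan code: a small Python checker that does what the troubleshooting above did by hand. It strips the NUL padding the poster mentioned from ipsec.log, extracts the selector from charon's "can't install route ... conflicts with IKE traffic" line, and checks whether that phase 2 selector contains the IKE endpoints themselves (the case where an installed policy/route would swallow the tunnel's own outer traffic, and where unchecking "Install policy" on a route-based phase 2 is the fix). The sample log is constructed from the quoted message; treating 60.139.124.132 as the local endpoint and the vti-1 lines are assumptions (the thread only confirms .234 as the remote peer).

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of an ipsec.log as described in the thread: a run of NUL
# bytes (the poster had to trim these) mixed with charon lines. The route
# conflict line is the one quoted in the thread; the vti-1 lines are assumed.
SAMPLE_LOG = (
    "Nov  4 13:38:10 OPNsense charon[45164]: 13[IKE] establishing CHILD_SA vti-1{1}\n"
    "\x00\x00\x00\x00\x00\x00\x00\x00\n"
    "Nov  4 13:38:12 OPNsense charon[45164]: 13[KNL] can't install route for "
    "60.139.124.132/32 === 61.74.23.234/32 out, conflicts with IKE traffic\n"
    "Nov  4 13:38:12 OPNsense charon[45164]: 13[IKE] CHILD_SA vti-1{1} established\n"
)

# Matches the selector in charon's message exactly as it appeared in the thread.
ROUTE_CONFLICT = re.compile(
    r"can't install route for (?P<src>[\d.]+/\d+) === (?P<dst>[\d.]+/\d+) out, "
    r"conflicts with IKE traffic"
)

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def clean_log(text: str) -> List[str]:
    """Drop NUL bytes and the blank lines they leave behind; return real log lines."""
    return [ln for ln in text.replace("\x00", "").splitlines() if ln.strip()]


def find_route_conflicts(lines: List[str]) -> List[Selector]:
    """Return (src, dst) selector pairs that charon refused to install a route for."""
    found = []
    for ln in lines:
        m = ROUTE_CONFLICT.search(ln)
        if m:
            found.append((ipaddress.ip_network(m["src"]), ipaddress.ip_network(m["dst"])))
    return found


def selector_covers_endpoints(src, dst, local_ip: str, remote_ip: str) -> bool:
    """True when the phase 2 selector contains the IKE endpoints themselves.

    ipaddress containment works for any prefix length, so a /24 selector that
    happens to include the peer address is flagged just like the /32 === /32
    case from the thread.
    """
    return (ipaddress.ip_address(local_ip) in src
            and ipaddress.ip_address(remote_ip) in dst)


def diagnose(log_text: str, local_ip: str, remote_ip: str) -> List[str]:
    """Turn the raw log into human-readable findings for the given IKE endpoints."""
    findings = []
    for src, dst in find_route_conflicts(clean_log(log_text)):
        if selector_covers_endpoints(src, dst, local_ip, remote_ip):
            findings.append(
                f"selector {src} === {dst} covers the IKE endpoints "
                f"{local_ip} <-> {remote_ip}: for a route-based (VTI) tunnel, "
                f"uncheck 'Install policy' on this phase 2 entry"
            )
        else:
            findings.append(
                f"route conflict for {src} === {dst} does not involve the IKE "
                f"endpoints: compare against netstat -nr for an overlapping route"
            )
    return findings


if __name__ == "__main__":
    # Assumed endpoints: .132 local (not confirmed by the thread), .234 remote peer.
    for line in diagnose(SAMPLE_LOG, "60.139.124.132", "61.74.23.234"):
        print(line)
```

The checker only reads a log you already have; it does not touch the running IPsec configuration. Run it against a copy of ipsec.log with the two endpoint addresses from phase 1, and the output tells you whether the conflict charon reports is the "selector equals the peers" case or an unrelated overlapping route worth chasing in netstat -nr.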