Topic: Weird issue with VPN-IPSEC-Connections (Read 1014 times)
NikB (Newbie) « on: October 11, 2023, 02:39:52 pm »
For a while I've been using a few IPSEC connections to remote locations.
Since v22.7 there is a new way to configure IPSEC, the so-called "Connections". I decided to try setting up my tunnels using the new approach, since I had an issue with DPD, which didn't want to restart tunnels after a temporary connectivity loss.
It was going fine, I set up 4 of 5 tunnels, and while I was tinkering with the last one, my router went offline.
I went to the remote location, and the router looks fine. Up and running. A simple "dmesg" check looks fine as well, but there is no connectivity on either the LAN or the WAN interface. (Then I got the same thing on another OPNsense router with 23.7.5 firmware.)
Can you help me with troubleshooting guidance? I feel comfortable with Linux, but not very good with FreeBSD.
Thanks!

Monviech (Cedrik) (Global Moderator, Hero Member) « Reply #1 on: October 12, 2023, 10:30:19 pm »
Did you create VTI tunnels and accidentally forget to uncheck "Policies" in a child? That would cause a 0.0.0.0/0 IPsec kernel policy to be installed, and all network traffic will just stop.
Going into the local console and issuing a "service strongswan stop" will bring connectivity back to fix that child.
Hardware: DEC740

NikB (Newbie) « Reply #2 on: February 05, 2024, 02:06:37 pm »
It looks like a delay with the answer, but maybe I'm just a slowpoke.
Thanks a lot, it is exactly the root cause! Never experienced that behavior with strongswan on Linux.
And unfortunately it is hard to troubleshoot it from remote locations.

Monviech (Cedrik) (Global Moderator, Hero Member) « Reply #3 on: February 05, 2024, 02:17:00 pm »
Hey thanks for the reply. Yeah it's hard to troubleshoot. Hope you got it working now.
Hardware: DEC740

NikB (Newbie) « Reply #4 on: February 05, 2024, 03:55:04 pm »
I've got this broken a second time, but this time I know where to start. %)
Perhaps it is a good idea to open a GitHub issue to add a check for a 0.0.0.0/0 child net with "Install routes" enabled by default, to show some kind of warning. Or just disable "Install routes" by default here:
https://github.com/opnsense/core/blob/c7d6f53797722678f64a754c8a4da2be7cf11eb9/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml#L295
Troubleshooting why a VPN connection doesn't work should be easier than restoring remote-site connectivity.
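The kind of pre-flight check proposed in the post above, as an added example (not code from the thread or from OPNsense): it parses text in strongSwan's swanctl.conf syntax and flags any child whose traffic selectors include 0.0.0.0/0 while `policies` is not set to `no`. The sample configuration and the names `parse` and `risky_children` are constructed for illustration, and it assumes the "Policies" checkbox mentioned in Reply #1 corresponds to the child's `policies` key.

```python
SAMPLE_CONF = """# Constructed sample in swanctl.conf syntax, not taken from the thread
connections {
    site-a {
        children {
            vti-a {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
            }
        }
    }
    site-b {
        children {
            vti-b {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                policies = no
            }
        }
    }
}
"""
CATCH_ALL = {"0.0.0.0/0", "::/0"}

def parse(text):
    """Parse nested `name { key = value }` sections into dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def risky_children(conf):
    """List (connection, child) pairs with a catch-all selector and policies not disabled."""
    hits = []
    for conn, body in conf.get("connections", {}).items():
        for child, opts in body.get("children", {}).items():
            ts = {s.strip() for k in ("local_ts", "remote_ts") for s in opts.get(k, "").split(",")}
            # Assumption: as in swanctl.conf, policies are installed unless the child sets policies = no
            if ts & CATCH_ALL and opts.get("policies", "yes") != "no":
                hits.append((conn, child))
    return hits
for conn, child in risky_children(parse(SAMPLE_CONF)):
    print(f"WARNING: {conn}/{child}: 0.0.0.0/0 traffic selector with policies enabled")
```

Running such a check against a candidate configuration before applying it on a remote router turns the lockout described in this thread into a warning.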

NikB (Newbie) « Reply #5 on: February 05, 2024, 04:38:16 pm »
OK, I found a quick fix for the remote site. I will leave it here for anyone who gets here by searching for "My OPNsense router was bricked while I was setting up an IKEv2 IPSEC site-to-site tunnel".
The connection gets lost only if the tunnel is up. So the simplest way to access the router is to disable the IPSEC daemon on the other side; it automatically removes the routes from the kernel and you can connect to the router as usual (if that peer was NOT the only host that could connect).
I hope this will help someone one day, and thanks for the help!
Opened Github issue:
https://github.com/opnsense/core/issues/7205
« Last Edit: February 05, 2024, 05:05:42 pm by NikB »

netnut (Sr. Member) « Reply #6 on: February 05, 2024, 06:17:16 pm »
IKE v1 or v2?
With the new "connection" interface, look carefully at the start/trap options and also at the rekey times. You might set the rekey a "little" bit less for the responder to prevent confusion and timeouts.