Topic: Manual SDP Entry becomes invalid if remote gateway changes dynamic IP (Read 851 times)
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Manual SDP Entry becomes invalid if remote gateway changes dynamic IP
« on: May 09, 2023, 12:12:18 pm »
I don't know if it's a bug or not:
- Create an IPsec tunnel with a dynamic endpoint in phase 1
- Set a manual SPD entry in phase 2 (for example the additional network 192.168.100.0/24, so you can use NAT rules)
After the tunnel comes up, the SPD entry works. But when the dynamic endpoint changes IP, the tunnel comes back up and the SPD entry becomes invalid. The NAT rules stop working.
Whenever that happens I have to manually remove the SPD entry, save the config, and then re-add it.
Hardware:
DEC740
enea.marcantoni
Newbie
Posts: 2
Karma: 0
Re: Manual SDP Entry becomes invalid if remote gateway changes dynamic IP
« Reply #1 on: February 22, 2024, 02:39:22 pm »
Hi, we have a similar issue.
We have a phase 1 that points to an FQDN with 3 IPs associated. This phase 1 has "respond only" as connection method and "Allow any remote gateway to connect", so the initiator is the firewall on the other side.
This phase 1 has multiple phase 2 entries associated; one of these phase 2 entries has a manual SPD entry that contains a private subnet. When the initiator changes its exit IP, it seems that the SPD entry isn't updated.
Example:
My OPNsense has the IP: 4.4.4.4
The phase 1 has "firewall.fqdn" as remote gateway, which resolves to the following IPs:
firewall.fqdn. 300 IN A 1.1.1.1
firewall.fqdn. 300 IN A 2.2.2.2
firewall.fqdn. 300 IN A 3.3.3.3
The phase 2 entry has the following subnets:
Local: 192.168.1.0/24
Remote: 192.168.2.0/24
Manual SPD entries: 192.168.3.0/24
The initiator on the other side opens the s2s using the IP 1.1.1.1, and the following SPD entries are created:
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
192.168.2.0/24[any] 192.168.1.0/24[any] 1.1.1.1->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
In this case everything works fine.
When the firewall on the initiator side reopens the connection using an IP different from 1.1.1.1 (e.g. 2.2.2.2), the SPD entries are broken.
Checking the SPD we can see the following entries:
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->2.2.2.2
192.168.2.0/24[any] 192.168.1.0/24[any] 2.2.2.2->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
In this case the traffic from/to 192.168.3.0/24 isn't routed correctly.
Has someone encountered and solved this issue?
Versions:
OPNsense 24.1.1-amd64
FreeBSD 13.2-RELEASE-p9
OpenSSL 3.0.13
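A small check for the condition described in both posts (a manual SPD entry still carrying the previous peer address after the remote gateway moved), as an added example that is not part of the thread or of OPNsense: it parses the condensed one-line SPD rows as quoted above (an assumption; real `setkey -DP` output is multi-line and would need a different parser), takes the peer address the IKE SA is currently established with (e.g. read from `swanctl --list-sas`), and reports every entry whose tunnel endpoint points elsewhere. The sample rows are constructed from the second post.

```python
import ipaddress
import re
from typing import List, NamedTuple

# One SPD row in the condensed shape quoted in the thread:
#   <src>[any] <dst>[any] <endpoint_a>-><endpoint_b>
SPD_ROW = re.compile(
    r"^(?P<src>\S+)\[any\]\s+(?P<dst>\S+)\[any\]\s+"
    r"(?P<ep_a>[\d.]+)->(?P<ep_b>[\d.]+)$"
)


class SpdEntry(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ep_a: str  # tunnel endpoint left of '->'
    ep_b: str  # tunnel endpoint right of '->'


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse condensed SPD rows; lines that do not match the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = SPD_ROW.match(line.strip())
        if m:
            entries.append(SpdEntry(ipaddress.ip_network(m["src"]),
                                    ipaddress.ip_network(m["dst"]),
                                    m["ep_a"], m["ep_b"]))
    return entries


def stale_entries(entries: List[SpdEntry], local_ip: str,
                  current_peer: str) -> List[SpdEntry]:
    """Return entries whose tunnel endpoint is a peer other than the live one.

    current_peer is the address the IKE SA is established with right now;
    every SPD row for this tunnel should reference only that address.
    """
    stale = []
    for e in entries:
        peers = {e.ep_a, e.ep_b} - {local_ip}
        if peers and peers != {current_peer}:
            stale.append(e)
    return stale


# Constructed sample: the SPD as quoted after the peer moved from 1.1.1.1 to 2.2.2.2.
SPD_AFTER_MOVE = """\
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->2.2.2.2
192.168.2.0/24[any] 192.168.1.0/24[any] 2.2.2.2->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
"""

if __name__ == "__main__":
    for e in stale_entries(parse_spd(SPD_AFTER_MOVE), "4.4.4.4", "2.2.2.2"):
        print(f"stale SPD entry: {e.src} -> {e.dst} via {e.ep_a}->{e.ep_b}")
```

Run on the sample it flags only the 192.168.3.0/24 row, the manual entry that both posts describe as the one left behind; a non-empty result is the point at which the entry has to be removed and re-added.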