[SOLVED] new IPSEC simply does not work

Started by bazbaz, October 02, 2023, 11:24:45 AM

@bazbaz

When you have time, could you replicate the test setup I did above? If it works for you too, maybe you can find out what the problem is.

~Thank you for your time :)
Hardware:
DEC740

What I did today:
- started a new opnsense in a different datacenter, connected to a public network with a public IP address (quicker than a full private env)
- created only firewall rules for ipsec, nothing else
- created a tunnel on both opnsenses with the quick ipsec settings I'm using. All-all rules on IPSEC interfaces.

Now on the NEW opnsense, in status overview, I can see in phase 2 some "bytes out" but zero "bytes in". On the other (main) opnsense, I can see some "bytes in" but zero "bytes out".
It seems that connecting this OpnSense to the other, I have the same problem I'm trying to solve. Packets are not entering the tunnel.

Addendum: on the main opnsense, I was able to start ONE tunnel. Same as the others: same kind of settings, I have another FG on the other side, etc. This is working. Tried to compare/align every single setting on one other tunnel but I was unable to start it.

I'm disheartened

I found something.

On the NEW opnsense, in virtual tunnel interfaces, I assigned reqid = 1 to the interface. With this setting I can see bytes out. If I change it to anything else, this opnsense also stops sending packets to the tunnel.

My knowledge of reqid is that it should be unique for every tunnel interface. Not tied to a specific value. But I think I'm missing something here, since on the main opnsense I have something similar.

In fact the only tunnel that is working (see my prev post) is the one where the interface has reqid=1.

Did you look at the test setup I described?

The VTI tunnel interface has a REQID set (10)
The child has the same REQID set (10)

Each tunnel interface and each child needs a unique matching reqid.
Hardware:
DEC740
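The rule stated above (every VTI interface carries a reqid, exactly one child carries the same value, and no two tunnels share one) is easy to break by hand when you have 30 tunnels. Below is an added example, not code from this thread or from OPNsense, that lints a constructed list of VTI interfaces and children for exactly those mistakes; the dict layout is an assumption, not the real config.xml structure.

```python
"""Lint VTI/child reqid assignments for a route-based IPsec setup.

Rule from the thread: each VTI has a reqid, its child (phase 2) has the
same reqid, and no two VTIs or two children share a value.
"""
from collections import Counter

# Constructed sample data (not taken from a real OPNsense config).
VTIS = [
    {"name": "ipsec10", "reqid": 10},
    {"name": "ipsec11", "reqid": 11},
    {"name": "ipsec12", "reqid": None},   # reqid field left empty
    {"name": "ipsec13", "reqid": 11},     # duplicate of ipsec11
]
CHILDREN = [
    {"name": "site-a", "reqid": 10},
    {"name": "site-b", "reqid": None},    # forgot to set reqid on the child
    {"name": "site-c", "reqid": 12},      # no VTI carries 12
]


def lint_reqids(vtis, children):
    """Return human-readable findings; an empty list means consistent."""
    findings = []
    for kind, items in (("VTI", vtis), ("child", children)):
        counts = Counter(i["reqid"] for i in items if i["reqid"] is not None)
        for item in items:
            if item["reqid"] is None:
                findings.append(f"{kind} {item['name']} has no reqid")
            elif counts[item["reqid"]] > 1:
                findings.append(f"{kind} {item['name']} shares reqid {item['reqid']}")
    # Every reqid must appear on exactly one side of the pair: VTI <-> child.
    vti_ids = {v["reqid"] for v in vtis if v["reqid"] is not None}
    child_ids = {c["reqid"] for c in children if c["reqid"] is not None}
    for r in sorted(vti_ids - child_ids):
        findings.append(f"reqid {r} set on a VTI but no child uses it")
    for r in sorted(child_ids - vti_ids):
        findings.append(f"reqid {r} set on a child but no VTI uses it")
    return findings


if __name__ == "__main__":
    for line in lint_reqids(VTIS, CHILDREN):
        print(line)
```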

Yes, and they were bold! Sorry, I didn't understand that that value was the link between interface and encryption!

I also needed a full reboot of the routers to get them running, but after that they now seem to be working!
Really thank you!


I'm happy you got it sorted out.

The REQID caught me off guard too, that's why I bolded it yesterday.

Sometimes it's the small things.

Just make sure each of your 30 tunnels gets its own REQID :)
Hardware:
DEC740

Of course :)

I moved all tunnels and all is fine now, thanks.

I think that the doc may be improved here:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html#children
where nothing says to assign reqid parameter to children, so I forgot the point. The table may have an additional row with "reqid = 10" and maybe a reminder that 10 is the value selected before.


Quote from: Monviech (Cedrik) on October 03, 2023, 11:37:04 AM:
    ATTENTION:
    - With this setup, all filter rules (firewall rules) will match on the ipsecXX interfaces. NOT on the enc0 interface. All filtering on the enc0 was disabled, so policy based tunnels won't have firewall anymore.

The instructions say to add rules to "Firewall -> Rules -> IPsec", but I think they mean "Firewall -> Rules -> IPSECnn", which makes sense.

Quote:
    - Please either use only VTI or only ENC0 tunnels, mixing them will leave one of them unable to filter in the firewall.

Is this still a thing? If so, then it's simply not possible to migrate your tunnels one at a time?