IPSEC Tunnel not working anymore

[Beleggrodion]

We had the problem, that since our firewall updated to 19.1.4 our ipsec tunnel's don't work anymore as expected. We see on the GUI that all tunnels are up and on both sites we see status up on both phase. But we don't see any traffic through the tunnel. I can ping from my host on site A to the firewall or the server of site B and i don't see any traffic on Site B, i only see with tcpdump my ping request on the Firewall of site A but nothing more. We also rebooted the firewall but no effect.

Edit:
Site B ist still on version 19.1.2 and when i ping from Site B to Site A i see in tcpdump on interface enc0 ping ping request on site A and Site B. When i do a ping from Site A, i don't see this ping on enc0. Only on the LAN interface and then it goes to nowhere.

[airdatec]

same same since 19.1.4

[franco]

Try reverting https://github.com/opnsense/core/commit/8490bc70ab

# opnsense-patch 8490bc70ab


Cheers,
Franco

[ccesario]

Im getting the same problem 19.1.3 and 19.1.4 versions... I needed go back to 19.1.2 ... because my env it was in production mode and I did not have time to investigate.

Regards
Carlos

[ivoruetsche]

Yes, same on our side, we go back to 19.1.2 and have to request a maintenance window to try the patch.

ivo

[airdatec]

how did you go back to 19.1.2 ? with Reinstall or ist ther a option to go back without new installation ?

[ivoruetsche]

In the console:

opnsense-revert -r 19.1.2 opnsense

[franco]

Please try the patch revert instead of going back to older versions -- otherwise we'll not have enough data to work on.


Cheers,
Franco

[ivoruetsche]

Salü Franco

It looks fine after applying the patch:

- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot

Besten Dank und schönen Abend.

gruss ivo

[franco]

Hoi Ivo,

Thanks for confirming. Is there an OPNsense < 19.1.4 or pfSense on the other end?


Cheers,
Franco

[ivoruetsche]

Salü Franco

For sure we only use opnSense :-)

Without the patch in the main office, we had different versions in place; between 19.1.2 and 19.1.4 and we can't connect to any side.

Maybe this is interesting: We patch only the FW on the main office (19.1.4 + patch) and it runs fine with the unpatched 19.1.4 boxes and 19.1.2 to .3 from the branch offices.

gruss ivo

[schnipp]

I have updated from 19.1.2 to 19.1.4 and my IPSec connections (1 x site2site, 2 x mobile) still work fine without installing the patch. Is the latter only needed in case of using VTI?

[airdatec]

Patch works fine

[karaman]

Same problem. Patch works fine.

[franco]

Since the patch is just a feature removal the question now is: everyone who needs to revert the feature, what is your special setup quirk here? Need details please....


Cheers,
Franco