IPSEC Tunnel not working anymore

Started by Beleggrodion, March 13, 2019, 11:08:28 AM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
March 13, 2019, 11:08:28 AM Last Edit: March 13, 2019, 11:26:10 AM by Beleggrodion
We had the problem, that since our firewall updated to 19.1.4 our ipsec tunnel's don't work anymore as expected. We see on the GUI that all tunnels are up and on both sites we see status up on both phase. But we don't see any traffic through the tunnel. I can ping from my host on site A to the firewall or the server of site B and i don't see any traffic on Site B, i only see with tcpdump my ping request on the Firewall of site A but nothing more. We also rebooted the firewall but no effect.

Edit:
Site B ist still on version 19.1.2 and when i ping from Site B to Site A i see in tcpdump on interface enc0 ping ping request on site A and Site B. When i do a ping from Site A, i don't see this ping on enc0. Only on the LAN interface and then it goes to nowhere.
March 13, 2019, 12:56:51 PM #1
same same since 19.1.4
March 13, 2019, 01:32:24 PM #2
Try reverting https://github.com/opnsense/core/commit/8490bc70ab

# opnsense-patch 8490bc70ab


Cheers,
Franco
March 13, 2019, 04:11:36 PM #3
Im getting the same problem 19.1.3 and 19.1.4 versions... I needed go back to 19.1.2 ... because my env it was in production mode and I did not have time to investigate.

Regards
Carlos
March 13, 2019, 04:13:25 PM #4 Last Edit: March 13, 2019, 09:12:43 PM by ivoruetsche
Yes, same on our side, we go back to 19.1.2 and have to request a maintenance window to try the patch.

ivo
March 13, 2019, 04:56:49 PM #5
how did you go back to 19.1.2 ? with Reinstall or ist ther a option to go back without new installation ?
March 13, 2019, 05:02:59 PM #6

In the console:

opnsense-revert -r 19.1.2 opnsense
March 13, 2019, 05:11:03 PM #7
Please try the patch revert instead of going back to older versions -- otherwise we'll not have enough data to work on.


Cheers,
Franco
March 13, 2019, 07:54:06 PM #8
Salü Franco

It looks fine after applying the patch:

- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot

Besten Dank und schönen Abend.

gruss ivo
March 14, 2019, 08:15:09 AM #9
Hoi Ivo,

Thanks for confirming. Is there an OPNsense < 19.1.4 or pfSense on the other end?


Cheers,
Franco
March 14, 2019, 08:49:42 AM #10

Salü Franco

For sure we only use opnSense :-)

Without the patch in the main office, we had different versions in place; between 19.1.2 and 19.1.4 and we can't connect to any side.

Maybe this is interesting: We patch only the FW on the main office (19.1.4 + patch) and it runs fine with the unpatched 19.1.4 boxes and 19.1.2 to .3 from the branch offices.

gruss ivo
March 14, 2019, 09:55:17 PM #11
I have updated from 19.1.2 to 19.1.4 and my IPSec connections (1 x site2site, 2 x mobile) still work fine without installing the patch. Is the latter only needed in case of using VTI?

OPNsense 24.7.11_2-amd64
March 16, 2019, 12:29:11 PM #12
Patch works fine
March 18, 2019, 09:40:09 AM #13
Same problem. Patch works fine.
March 18, 2019, 04:37:47 PM #14
Since the patch is just a feature removal the question now is: everyone who needs to revert the feature, what is your special setup quirk here? Need details please....


Cheers,
Franco
Print
Go Up Pages1 2
User actions