ipsec routing problem after adding failover WAN

[mircsicz]

Hi hi,

I've got two APU based OPNsense's which are connected using Ipsec



After I've added MultiWAN with a failover config on location#1:


I modified the firewall rules like so:


But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 an "DS net" is 10.10.5.0/24

Hope one of you spot's my failure...

[mimugmail]

Check in IPSEC tunnel is "Install Policy" is ticked. There was an error introduced in 19.1.4 only affecting new installed tunnels.

[mircsicz]

@mimugmail: THX for your reply, but both of the system are running since 16/17 and both of the tunnel's have been there for a while... But I checked anyways and the tunnel's have it checked on both side's of the connection.

[mimugmail]

So, the IPSEC connection is established, CS net can reach DS net but not vice versa, correct?
Rules look fine. tcpdump on interface enc0 via console would help.

[mircsicz]

Yes the Tunnel's are established, and sorry for not stating that clearly in my intro!

I can't connect from 10.10.2.x to 10.10.23.2 (for example) but I can connect from 10.10.23.x to 10.10.2.2

I already created dumps on the OPNsense on location #1 ,one is from Interface CS the other from IPsec... All I tried to do is open a ssh connection behind the IPsec...

[mimugmail]

Then it's blocked on the other side in incoming direction I'd guess

[mircsicz]

Then it's blocked on the other side in incoming direction I'd guess

Definitly not as it worked before changing the WAN setup on location #1 ;-)

As a picture based approval:


Firewall log on location #1:


Firewall log on location #2:

[va176thunderbolt]

I am experiencing a similar issue. I have noticed dropped esp packets on from the IPsec peer to the interface not configured for IPSec. If I remove the secondary wan interface, the tunnel passes traffic. Odd thing is, both sides report the tunnel as up.

 May be related, but I haven’t had time to dig deeper.

[Ralf Kirmis]

I had a similar problem.
You can try it out with a rule on the wan interface for ESP any / any, if that is better then.
Then you can change the rule that ESP is only allowed to both WAN IPs.

regards,
Ralf

[mircsicz]

@va176thunderbolt For me this is no similar issue as I can connect from one side of the tunnel but not from the other side. Probably just my fault in the firewall settings...

[Ralf Kirmis]

Have you tried the rule for allowing esp packets from any?

Since Ping from loc1 to loc2 is outgoing, from loc2 to loc1 incoming direction.

[mircsicz]

@ralf.kirmis

THX for the hint, just tried it but no change so far:

[Ralf Kirmis]

does the live log from the firewall display denied packets?

[mircsicz]

@ralf.kirmis No, as shown in the above ScreenShot ;-)

Had a call with Jos, installing two patches solved the Issue:

Code: [Select]

sudo opnsense-patch 7835e9c 198887ed

So I'll be skipping 19.1.5 or wait for the Hotfix Franco has in the makes ... 

EDIT: seems to be already out:

Code: [Select]

[13/38] Fetching opnsense-19.1.5_1.txz: 100%    4 MiB   2.2MB/s    00:02