OPNsense Forum » Archive » 19.7 Legacy Series » IPSEC Troubles
Topic: IPSEC Troubles (Read 7829 times)
PotatoCarl (Full Member, Posts: 134, Karma: 5)
IPSEC Troubles « on: August 15, 2019, 10:20:10 am »
Hi
I just noticed that either with the last update or the one before, I have serious problems running my IPSEC.
I have 3 FritzBoxes, each one forming an IPSEC connection to my OPNsense box. It worked trouble-free for a long time.
However, recently (either with the current update or the one before, 19.7.2) *one* of the connections is broken.
That means that con1 and con2 are working as before. con3, however, is shown as "tunnel inactive". In the status overview, I see a green triangle, which means it should work. If I press "i", everything is empty.
Additionally, a line with "unnamed" is displayed, also shown as working. "i" does not give any information.
I tried to kill the daemon, restart, make a new tunnel, switch from main to aggressive mode, etc.
The funny thing is, when I restart my FritzBox (7490, firmware 7.12), it works for a couple of minutes and then breaks down again.
ONE (con3) IKEv1 xxx.yyy.zzz.www sss.ttt.uuu.vvv somewhere.ip.address aaa.bbb.ccc.ddd pre-shared key pre-shared key
((unnamed)) 1 sss.ttt.uuu.vvv aaa.bbb.ccc.ddd
The "unnamed" entry shows the "version" as "1", not IKEv1, and local ID/remote ID empty. The local and remote ID are shown as in con3.
The only difference between the working and the non-working tunnels is that they operate on two different DSL lines.
Does anyone have any idea how to fix this?
Thank you.
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #1 on: August 15, 2019, 10:27:41 am »
Well, well, well.
I restarted the FritzBox that acts as the DSL router (thank you, Telekom, for making me use this crappy setup to get it to work at all), and then the "ghost" connection vanished... Also, the VPN works again.
Maybe it was totally unrelated to IPSEC or to OPNsense...
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #2 on: August 15, 2019, 03:04:04 pm »
Unfortunately, I was fooled by the (longer) stability of the VPN. Now it crashes reproducibly after 15-30 minutes.
Any help on how to analyse the problem and remove it?
Thank you.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: IPSEC Troubles « Reply #3 on: August 15, 2019, 05:12:43 pm »
Any log available? Can you check if port 4500 is allowed on your side and OPNsense is the exposed host for the FB? Also check that there is no IPsec running on the FB itself.
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #4 on: August 16, 2019, 11:25:36 am »
Hi,
The FritzBox says after a short time "IKE timeout".
There is no separate IPSEC running, and it connects after a reset of either end (FritzBoxes). A restart of the IPsec on OPNsense, however, does not reconnect.
I did not change ANYTHING in the configuration, which had been running as smoothly as can be for 2 years. The only thing that happened recently was the update to 19.7.2 on the OPNsense and the update to 7.12 on the FritzBox.
I checked the logs and found that it worked with 19.7.1 but stopped working with a timeout with 19.7.2.
So I can state:
19.7.1 <-> FritzOS 7.12: working well
19.7.2 <-> FritzOS 7.12: stops after a few minutes with IKE timeout
19.7.2 <-> FritzOS 7.10 and FritzOS 6.86: works well
The log on the OPNsense is not helpful, I believe. I set the log level to "HIGHEST", but there is not much information there:
Aug 16 11:16:21 charon: 14[IKE] <con3|6409> IKE_SA con3[6409] state change: CONNECTING => DESTROYING
Aug 16 11:16:21 charon: 14[MGR] <con3|6409> checkin and destroy IKE_SA con3[6409]
Aug 16 11:16:21 charon: 14[IKE] <con3|6409> establishing IKE_SA failed, peer not responding
Aug 16 11:16:21 charon: 14[IKE] <con3|6409> giving up after 5 retransmits
Aug 16 11:16:21 charon: 14[MGR] IKE_SA con3[6409] successfully checked out
On the "Status" page the connection is shown with a green triangle as working; in the dashboard, the tunnel is inactive, and the FritzBox says "timeout".
So it looks to me like a strongSwan problem.
Remark: OpenVPN works fine.
Greetings
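The charon excerpt in the post above shows the one pattern worth recognising in strongSwan logs: retransmits that run out with "peer not responding". That is not a negotiation failure (a rejected proposal or a failed PSK check would show the peer answering), it means our IKE packets got no reply at all, which points at the path (UDP 500/4500 reachability, the exposed-host forwarding on the FritzBox) rather than at the tunnel settings. As an added example, not code from the thread, from OPNsense or from strongSwan, the following Python classifies charon lines per connection. The con3 lines are the ones quoted in the post (newest first, as the OPNsense log viewer shows them); the con1 and demo lines are constructed here for contrast, and the connection name demo is hypothetical.

```python
import re

# Constructed sample: the con3 lines are quoted from the post above, the con1 and
# "demo" lines are added here so the classifier has something to contrast against.
# Order is newest-first, as the OPNsense log viewer displays it.
SAMPLE_LOG = """\
Aug 16 11:16:21 charon: 14[IKE] <con3|6409> IKE_SA con3[6409] state change: CONNECTING => DESTROYING
Aug 16 11:16:21 charon: 14[MGR] <con3|6409> checkin and destroy IKE_SA con3[6409]
Aug 16 11:16:21 charon: 14[IKE] <con3|6409> establishing IKE_SA failed, peer not responding
Aug 16 11:16:21 charon: 14[IKE] <con3|6409> giving up after 5 retransmits
Aug 16 11:16:21 charon: 14[MGR] IKE_SA con3[6409] successfully checked out
Aug 16 11:15:02 charon: 07[IKE] <con1|6401> IKE_SA con1[6401] state change: CONNECTING => ESTABLISHED
Aug 16 11:14:40 charon: 09[IKE] <demo|6390> received NO_PROPOSAL_CHOSEN notify error
"""

# charon syslog line: timestamp, "charon:", thread[subsystem], optional <conn|sa-id>, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<subsys>\w+)\] '
    r'(?:<(?P<conn>[^|>]+)\|(?P<said>\d+)> )?(?P<msg>.*)$'
)

# Message patterns and the verdict each one implies for the IKE_SA it belongs to.
CLASSES = [
    (re.compile(r'giving up after (\d+) retransmits'), 'no-reply'),
    (re.compile(r'NO_PROPOSAL_CHOSEN'), 'proposal-mismatch'),
    (re.compile(r'AUTHENTICATION_FAILED'), 'auth-failed'),
    (re.compile(r'state change: \w+ => ESTABLISHED'), 'established'),
]


def parse_charon(text):
    """Parse charon syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def classify(msg):
    """Return (verdict, detail) for one message, or (None, None) if it is not diagnostic."""
    for pattern, label in CLASSES:
        m = pattern.search(msg)
        if m:
            detail = m.group(1) if m.groups() else None
            return label, detail
    return None, None


def summarize_ike(text, newest_first=True):
    """Per-connection verdict: the chronologically last diagnostic message wins."""
    events = parse_charon(text)
    if newest_first:
        events = list(reversed(events))  # replay in chronological order
    verdict = {}
    for ev in events:
        if ev['conn'] is None:
            continue  # MGR bookkeeping lines without <conn|id> carry no per-SA verdict
        label, detail = classify(ev['msg'])
        if label:
            verdict[ev['conn']] = (label, detail)
    return verdict


def hint(label):
    """What each verdict usually means; assumes a plain site-to-site setup behind a DSL router."""
    return {
        'no-reply': 'no answer to our IKE packets: check that UDP 500/4500 reach the peer and that '
                    'replies are forwarded back (exposed host / NAT / firewall) before touching proposals',
        'proposal-mismatch': 'peer answered but rejected the crypto: compare phase 1/2 proposals',
        'auth-failed': 'peer answered but rejected identity or PSK: compare IDs and the shared secret',
        'established': 'IKE_SA is up',
    }[label]


if __name__ == '__main__':
    for conn, (label, detail) in sorted(summarize_ike(SAMPLE_LOG).items()):
        extra = f' ({detail} retransmits)' if detail else ''
        print(f'{conn}: {label}{extra} -> {hint(label)}')
```

A "no-reply" verdict is the one this thread is about: charon never saw the FritzBox answer, so the next step is a packet capture on the affected WAN interface for UDP 500/4500 on both ends, not a change to the tunnel's proposals.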
andygee (Newbie, Posts: 9, Karma: 0)
Re: IPSEC Troubles « Reply #5 on: August 16, 2019, 03:04:23 pm »
This is basically the same problem that I am experiencing. What is strange in my case is that IPsec works fine to other non-OPNsense firewalls, but not to OPNsense. Although it is possible it's related to just one side of the VPN, both are running the same version of OPNsense.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: IPSEC Troubles « Reply #6 on: August 16, 2019, 03:15:58 pm »
Screenshot of the auto rules on the WAN tab, please.
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #7 on: August 16, 2019, 08:44:44 pm »
Sorry, where? In the firewall, I cannot find any auto rules, neither in the IPSEC nor in the WAN section (of either WAN).
banym (Sr. Member, Posts: 468, Karma: 31) Free Human Being, FreeBSD, Linux and Mac nerd
Re: IPSEC Troubles « Reply #8 on: August 16, 2019, 09:17:28 pm »
In the firewall rules section at the very top.
It's a new feature to show auto generated rules.
Twitter: banym
Mastodon: banym@bsd.network
Blog:
https://www.banym.de
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #9 on: August 18, 2019, 08:57:08 am »
Hi,
this is what is displayed in the corresponding WAN:
Automatically generated rules
Proto        Source           Port  Destination      Port  Gateway         Schedule  Description
IPv4 *       <bogons>         *     *                *     *               *         Block bogon IPv4 networks from WAN3TDSL
IPv4+6 UDP   *                67    *                68    *               *         allow DHCP client on WAN3TDSL
IPv4+6 UDP   *                68    *                67    *               *         allow DHCP client on WAN3TDSL
IPv4+6 *     em3              *     *                *     WAN3TDSL_DHCP   *         let out anything from firewall host itself (force gw)
IPv4 UDP     *                *     xxx.xxx.xxx.xxx  500   WAN3TDSL_DHCP   *         IPsec: ONE
IPv4 UDP     xxx.xxx.xxx.xxx  *     *                500   *               *         IPsec: ONE
IPv4 UDP     *                *     xxx.xxx.xxx.xxx  4500  WAN3TDSL_DHCP   *         IPsec: ONE
IPv4 UDP     xxx.xxx.xxx.xxx  *     *                4500  *               *         IPsec: ONE
IPv4 ESP     *                *     xxx.xxx.xxx.xxx  *     WAN3TDSL_DHCP   *         IPsec: ONE
IPv4 ESP     xxx.xxx.xxx.xxx  *     *                *     *               *         IPsec: ONE
That is only the "autorules" part.
Is that helpful? It looks okay to me...
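The rule listing above is what a complete set of auto-generated IPsec rules for one peer looks like: IKE on UDP 500, NAT-T on UDP 4500 and ESP, each present twice, once with the peer as source (inbound) and once with the peer as destination (outbound via the WAN gateway). As an added example, not code from the thread or from OPNsense, the following Python parses such a listing (one rule per line, columns separated by whitespace, lines that do not yield nine columns are ignored) and reports which of the six rules are missing for a given peer. The peer address xxx.xxx.xxx.xxx is kept as anonymised in the post; the second listing, with the two UDP 4500 rules stripped, is constructed here to show what a gap looks like.

```python
# The auto-generated WAN rules as quoted in the post above (peer anonymised as in the original).
RULES_OK = """\
IPv4 * <bogons> * * * * * Block bogon IPv4 networks from WAN3TDSL
IPv4+6 UDP * 67 * 68 * * allow DHCP client on WAN3TDSL
IPv4+6 UDP * 68 * 67 * * allow DHCP client on WAN3TDSL
IPv4+6 * em3 * * * WAN3TDSL_DHCP * let out anything from firewall host itself (force gw)
IPv4 UDP * * xxx.xxx.xxx.xxx 500 WAN3TDSL_DHCP * IPsec: ONE
IPv4 UDP xxx.xxx.xxx.xxx * * 500 * * IPsec: ONE
IPv4 UDP * * xxx.xxx.xxx.xxx 4500 WAN3TDSL_DHCP * IPsec: ONE
IPv4 UDP xxx.xxx.xxx.xxx * * 4500 * * IPsec: ONE
IPv4 ESP * * xxx.xxx.xxx.xxx * WAN3TDSL_DHCP * IPsec: ONE
IPv4 ESP xxx.xxx.xxx.xxx * * * * * IPsec: ONE
"""

# Constructed variant: the same listing without the two NAT-T (UDP 4500) rules.
RULES_MISSING_4500 = "\n".join(
    line for line in RULES_OK.splitlines() if " 4500 " not in line
) + "\n"

# Column order of the OPNsense rule table; the description is the free-text tail.
FIELDS = ("family", "proto", "src", "sport", "dst", "dport", "gateway", "schedule", "description")

# A complete IPsec rule set per peer: IKE, NAT-T and ESP, each inbound and outbound.
REQUIRED = (("UDP", "500"), ("UDP", "4500"), ("ESP", "*"))


def parse_rules(text):
    """Split each flattened rule line into its nine columns; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # at most 8 splits keeps the description intact
        if len(parts) == 9:
            rules.append(dict(zip(FIELDS, parts)))
    return rules


def missing_ipsec_rules(text, peer):
    """Return a list of the required IPsec rules (for `peer`) that the listing lacks."""
    rules = parse_rules(text)
    missing = []
    for proto, port in REQUIRED:
        inbound = any(r["proto"] == proto and r["src"] == peer and r["dport"] == port
                      for r in rules)
        outbound = any(r["proto"] == proto and r["dst"] == peer and r["dport"] == port
                       for r in rules)
        if not inbound:
            missing.append(f"in  {proto}/{port} from {peer}")
        if not outbound:
            missing.append(f"out {proto}/{port} to {peer}")
    return missing


if __name__ == "__main__":
    peer = "xxx.xxx.xxx.xxx"
    for name, listing in (("as posted", RULES_OK), ("without 4500", RULES_MISSING_4500)):
        gaps = missing_ipsec_rules(listing, peer)
        print(f"{name}: {'complete' if not gaps else ', '.join(gaps)}")
```

Run it once per WAN when, as in this thread, the tunnels sit on different DSL lines. The listing only describes what the OPNsense itself accepts and sends; when a FritzBox in front of it is the DSL router, that box must also pass UDP 500/4500 and ESP through to the OPNsense (the "exposed host" question raised earlier), and no rule listing on the OPNsense side can show whether it does.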
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: IPSEC Troubles « Reply #10 on: August 18, 2019, 12:25:35 pm »
Looks good, I try to ask around if someone has a spare modem around and replace. Most of the time it's the FB itself.
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #11 on: August 18, 2019, 01:16:56 pm »
Just to understand, you mean I should try (like "I'd try" instead of "I try") to search for a spare FB? This will probably be difficult, but I will give it a try. Or do you mean that you will ask around and lend me one (which would be a nice surprise and very generous)....
;-)
I will certainly ask around, but hey, if you have one you could spare for a week or two ;-)
In any case, I will try to hard reset everything, too. Sometimes I noticed that the "automatic reboot" and even the "soft reboot" (triggered from the web interface) are not sufficient and it is really necessary to pull the plug on the appliance (I got one from Deciso, which usually works nicely, only missing a VGA connection to connect directly "just in case").
Thank you for your help.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: IPSEC Troubles « Reply #12 on: August 18, 2019, 01:48:37 pm »
I mean a different vendor than FB. If you are in the Munich area, you can come around and pick one up for sure.
PotatoCarl (Full Member, Posts: 134, Karma: 5)
Re: IPSEC Troubles « Reply #13 on: August 18, 2019, 02:20:00 pm »
I might actually come back to that offer, but I am a bit far away and I'd rather try to find somebody closer. Thank you for the offer. I have a Zyxel DSL modem lying around; however, I would lose the VoIP lines here (it is kind of a shitty, difficult setup, thanks to TELEKOM).
I will update when I have found a solution. Still, maybe it would be worth looking into the strongSwan implementation anyway, just to make sure...
After more log research, I see that the timeout seems to be on the FB side (timeout - dead peer detection). However, it then seems not to try to re-establish the connection... Will do more troubleshooting and let you know.
Have a nice Sunday.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: IPSEC Troubles « Reply #14 on: August 18, 2019, 04:02:10 pm »
You can use siproxd when your phone is SIP capable. German forum, Nicolas Rush is the expert.