Configuring a routed IPSec tunnel breaks connectivity

Started by gjarboni, August 30, 2019, 09:25:38 AM

Hello,

I have a bit of an oddball situation. I'm using OPNSense (v19.7) as a router for IPSec VTI connections (or route-based tunnels), nothing else. I can't be on the public Internet due to restrictions at the site. So one physical network interface and, currently, one routed IPSec tunnel. The remote end is a Cisco router running 15.1-4M10 directly connected to the Internet.

Now, this is the strange part. On two separate firewalls enabling this setup has caused the firewall to completely lose connectivity. The OPNSense box isn't even getting ARP replies. Anyway, since this happened twice, I'm reasonably confident it's something I'm doing and not hardware related. BTW, the "hardware" for these boxes is virtual under VMWare. One box is using the VMWare NIC and the other is using e1000 emulation (em0).

I'm thinking this is related to NAT, but I'm not sure. Running pfctl -d doesn't help, though (I don't know if that makes sense or not).

Anyway, I'm hoping someone can give me some insight. Thanks in advance!

Jason M.


The console says 19.7 (no .3). Is that enough or should I look elsewhere? Thanks.


Okay, I've updated and no change. This is what I did.

Reset to factory default (so I could access the network again)
Ran opnsense-update -- rebooted when done
Copied backup of config to /conf/config.xml
Rebooted

The result is the same -- no network connectivity. I also redid the setup this time remembering to disable NAT, and added an additional interface for the WAN (even though it's not on the Internet). Still the same problem. When I finish the configuration for the routed IPSec tunnel, all network connectivity is lost.

Any ideas?

This probably won't surprise anyone but running:

/etc/rc.d/ipsec onestop

restores connectivity to the box. However once I did this, I could access the LAN, but couldn't ping anything reachable via the WAN. I previously put in rules to pass any traffic on LAN and WAN (for testing) and turned off NAT.

August 31, 2019, 07:36:03 AM #6 Last Edit: August 31, 2019, 07:40:51 AM by gjarboni
Okay, this is even more curious. After disabling IPSec and SSHing to the OPNSense box I see the routing table:

root@OPNsense2:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          A.B.C.1            US         vmx0
default            A.B.C.1            UGS        vmx0
A.B.C.0/24         link#1             U          vmx0
A.B.C.3            link#1             UHS         lo0
G.H.I.195          A.B.C.1            UGHS       vmx0
G.H.I.198          A.B.C.1            UGHS       vmx0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        A.B.C.1            US         vmx0
D.E.23.1           link#7             UHS         lo0
D.E.23.2           link#7             UH     ipsec100
D.E.F.0/24         link#2             U           em0
D.E.F.3            link#2             UHS         lo0


I'm focusing on the 0.0.0.0/1 and 128.0.0.0/1 routes. They look odd so I delete them:

root@OPNsense2:~ # route delete -net 0.0.0.0/1 A.B.C.1
delete net 0.0.0.0: gateway A.B.C.1
root@OPNsense2:~ # route delete -net 128.0.0.0/1 A.B.C.1
delete net 128.0.0.0: gateway A.B.C.1
root@OPNsense2:~ # netstat -rn | more
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            A.B.C.1            UGS        vmx0
A.B.C.0/24         link#1             U          vmx0
A.B.C.3            link#1             UHS         lo0
G.H.I.195          A.B.C.1            UGHS       vmx0
G.H.I.198          A.B.C.1            UGHS       vmx0
127.0.0.1          link#3             UH          lo0
D.E.23.1           link#7             UHS         lo0
D.E.23.2           link#7             UH     ipsec100
D.E.F.0/24         link#2             U           em0
D.E.F.3            link#2             UHS         lo0


And now I can ping via the WAN:

root@OPNsense2:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=13.144 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=13.146 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=13.238 ms

Any idea where those routes came from? My home OPNSense box doesn't have them. I'm mystified.

One more data point. Killing charon restores connectivity as well.

Okay, it turns out it was the "Install policy" setting that was breaking things. Thanks.


Unfortunately, it's enabled by default. I don't remember setting it, but I could have just forgotten. Not so nice to have a "history erasing" button in the GUI :)
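An added check, written for this thread and not part of OPNsense or anything posted above: it scans netstat -rn output for the 0.0.0.0/1 and 128.0.0.0/1 pair that showed up in the routing table while the IPsec policy was installed, and prints the same route delete commands that restored WAN reachability earlier in the thread. The function names and the sample table are constructed for the example; netstat -rn | find_split_default_routes runs it against a live box.

```shell
#!/bin/sh
# Added example (not from the thread): find the two /1 routes that together
# shadow the default route, and print the remediation commands (without running them).

# Reads `netstat -rn` output on stdin. Prints "<destination> <gateway> <netif>"
# for each /1 route found. Exit status 0 if any were found, 1 otherwise.
find_split_default_routes() {
    awk '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" { print $1, $2, $4; found = 1 }
        END { if (found) exit 0; else exit 1 }
    '
}

# Emits the `route delete -net <dest> <gateway>` commands for each /1 route found.
# It only prints them; review and run them yourself, as was done in the thread.
suggest_route_delete() {
    find_split_default_routes | awk '{ printf "route delete -net %s %s\n", $1, $2 }'
}

# Constructed sample, modelled on the anonymised table posted above.
SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          A.B.C.1            US         vmx0
default            A.B.C.1            UGS        vmx0
A.B.C.0/24         link#1             U          vmx0
128.0.0.0/1        A.B.C.1            US         vmx0
D.E.23.2           link#7             UH     ipsec100'

# `sh check.sh --demo` runs the check over the sample instead of a live table.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | suggest_route_delete
fi
```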

I fell into the same ditch as you until I found out via this very helpful post that "Install Policy" must be unchecked. I hope this behaviour will be changed in the future because simply selecting "Route Based" with the default settings must not render the whole firewall unreachable.