Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
15.7 Legacy Series
»
[SOLVED] IPsec tunnel only establishes first phase 2 entry
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] IPsec tunnel only establishes first phase 2 entry (Read 9090 times)
8191
Jr. Member
Posts: 83
Karma: 4
[SOLVED] IPsec tunnel only establishes first phase 2 entry
«
on:
November 29, 2015, 11:30:43 am »
I've a IPsec phase 1 entry with three phase 2 entries. Only the first in the list is being established. At the other endpoint I cannot even see OPNsense trying to establish the other P2's. If I swap the P2 entries (just order, no config), the new first P2 entry is being established.
The
/usr/local/etc/ipsec.conf
file contains all endpoints as configured via the GUI, namely con1-000 up to con1-002. In the IPsec logs i found:
Nov 29 10:30:22 ipsec_starter[87595]: 'con1-001' routed
Nov 29 10:30:22 ipsec_starter[87595]: 'con1-000' routed
Nov 29 10:30:21 ipsec_starter[87595]: configuration 'con1-001' not found
Nov 29 10:30:21 ipsec_starter[87595]: configuration 'con1-000' unrouted
I'm not so deep into charon, which log levels should I raise to get more info on that issue?
I use OPNsense 15.7.18_1-i386 (willing to upgrade to unstable if this would help investigations).
«
Last Edit: November 30, 2015, 07:26:25 am by franco
»
Logged
8191
Jr. Member
Posts: 83
Karma: 4
Re: IPsec tunnel only establishes first phase 2 entry
«
Reply #1 on:
November 29, 2015, 02:41:20 pm »
I've found out that both P2's have the same
reqid
set in the
conn
section of ipsec.conf. Unfortunately I don't know what charon does with the
reqid
, since also the
man page
is quite silent on that...
reqid = <number>
sets the reqid for a given connection to a pre-configured fixed
value.
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: IPsec tunnel only establishes first phase 2 entry
«
Reply #2 on:
November 29, 2015, 07:23:38 pm »
We recently dropped the request id, because of some similar issues for someone else.
This commit removes it from our code (and will probably be in the next release):
https://github.com/opnsense/core/commit/3e0e936bdb2d23f918e153c0d046580070c37b0b
Logged
8191
Jr. Member
Posts: 83
Karma: 4
Re: IPsec tunnel only establishes first phase 2 entry
«
Reply #3 on:
November 29, 2015, 07:52:42 pm »
Great, thanks for the info.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: IPsec tunnel only establishes first phase 2 entry
«
Reply #4 on:
November 30, 2015, 07:26:12 am »
Already pushed to what will be 15.7.21 (likely on Friday).
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
15.7 Legacy Series
»
[SOLVED] IPsec tunnel only establishes first phase 2 entry