[SOLVED] IPsec tunnel only establishes first phase 2 entry

Started by 8191, November 29, 2015, 11:30:43 AM

I've an IPsec phase 1 entry with three phase 2 entries. Only the first in the list is being established. At the other endpoint I cannot even see OPNsense trying to establish the other P2's. If I swap the P2 entries (just order, no config), the new first P2 entry is being established.

The /usr/local/etc/ipsec.conf file contains all endpoints as configured via the GUI, namely con1-000 up to con1-002. In the IPsec logs I found:

Nov 29 10:30:22    ipsec_starter[87595]: 'con1-001' routed
Nov 29 10:30:22    ipsec_starter[87595]: 'con1-000' routed
Nov 29 10:30:21    ipsec_starter[87595]: configuration 'con1-001' not found
Nov 29 10:30:21    ipsec_starter[87595]: configuration 'con1-000' unrouted


I'm not so deep into charon, which log levels should I raise to get more info on that issue?

I use OPNsense 15.7.18_1-i386 (willing to upgrade to unstable if this would help investigations).

I've found out that both P2's have the same reqid set in the conn section of ipsec.conf. Unfortunately I don't know what charon does with the reqid, since also the man page is quite silent on that...

       reqid = <number>
         sets the reqid for a given connection to a pre-configured fixed
         value.
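A small check for the symptom described above, added here and not part of the thread or of OPNsense's own code: it parses the conn sections of an ipsec.conf and reports any reqid value shared by more than one conn. The file contents are constructed to mirror con1-000 up to con1-002 with a duplicated fixed reqid.

```python
"""Flag ipsec.conf conn sections that share a reqid (added check, not OPNsense code)."""
import re
from collections import defaultdict

# Constructed sample resembling the GUI-generated file in the thread: three phase 2
# entries (con1-000..con1-002) under one phase 1, two of them with the same fixed reqid.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids = yes

conn con1-000
    rightsubnet = 10.1.0.0/24   # phase 2 for net A
    reqid = 1

conn con1-001
    rightsubnet = 10.2.0.0/24
    reqid = 1

conn con1-002
    rightsubnet = 10.3.0.0/24
    reqid = 2
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()               # drop trailing comments
        if not line.strip():
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)", line)   # section header
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:            # key = value inside a conn
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def duplicate_reqids(conns):
    """Map each reqid used by more than one conn to the sorted list of conn names."""
    by_reqid = defaultdict(list)
    for name, opts in conns.items():
        if "reqid" in opts:
            by_reqid[opts["reqid"]].append(name)
    return {r: sorted(names) for r, names in by_reqid.items() if len(names) > 1}
```

Running `duplicate_reqids(parse_conns(SAMPLE_IPSEC_CONF))` on the sample reports reqid 1 as shared by con1-000 and con1-001, which is exactly the pair that only gets one child SA routed.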

We recently dropped the request id, because of some similar issues for someone else.
This commit removes it from our code (and will probably be in the next release):
https://github.com/opnsense/core/commit/3e0e936bdb2d23f918e153c0d046580070c37b0b


Already pushed to what will be 15.7.21 (likely on Friday).