IPSEC traffic stalling after 20.7.1 upgrade

Started by Andreas_, September 01, 2020, 03:52:20 PM

Quote from: mimugmail on September 09, 2020, 09:35:12 AM
I need some screenshots of Phase1 and Phase2.

Sure, but nothing special there, I guess:
(I've removed sensitive data like remote host, psk, identifiers.)

@Andreas_: Could you please provide screenshots of your configuration too? Maybe we find similarities...

@mimugmail: Maybe you could also share your test configuration...


I'm using the same values as you, but no DPD and no auto-ping.
Can you try adjusting yours to match mine?


I tend to assume that this is not really an IPsec bug. It could be related to the hardware platform. My firewalls are running on A2SDi-2C-HLN4F with an Intel C3338 CPU and Intel C3000 NIC chip. This NIC chip is driven by the ix driver on FreeBSD.

@Andreas_ Which hardware are you using, especially the NIC chip/driver? And could you share a screenshot of the Interfaces -> Settings page?

Quote from: fraenki on September 09, 2020, 03:58:13 PM
I tend to assume that this is not really an IPsec bug. It could be related to the hardware platform. My firewalls are running on A2SDi-2C-HLN4F with an Intel C3338 CPU and Intel C3000 NIC chip. This NIC chip is driven by the ix driver on FreeBSD.

I've tested again with the most defensive interface settings, unfortunately no change:


Doesn't seem to be generic indeed.

On my side it's a VirtualBox VM and an OpenStack VM on the other side. I put 1 GB over the tunnel and it's still up with your settings.

I had massive IPsec problems after updating to 20.7. My current IPsec connections:

* kvm opnsense <ikev2 or ikev1> kvm opnsense: connection is dead after a few minutes, no traffic or error, IPsec still shown as "up"
* kvm opnsense <ikev1> sophos utm on hw: works most of the time, sometimes down and has to be restarted, DPD not working
* kvm opnsense <ikev2> azure gateway: opnsense connection is dead after a few minutes, no traffic or error, IPsec still shown as "up"

For the first and third scenario I switched to ZeroTier for now and the connection works fine, slower than IPsec but acceptable for my use case.

I had plans to replace the Sophos UTM with OPNsense, but this issue is a blocker for me.

Quote from: fraenki on September 09, 2020, 03:58:13 PM
I tend to assume that this is not really an IPsec bug. It could be related to the hardware platform. My firewalls are running on A2SDi-2C-HLN4F with an Intel C3338 CPU and Intel C3000 NIC chip. This NIC chip is driven by the ix driver on FreeBSD.

@Andreas_ Which hardware are you using, especially the NIC chip/driver? And could you share a screenshot of the Interfaces -> Settings page?

I am running OPNsense on comparable hardware (A2SDi-4C-HLN4F).

I've updated to OPNsense 20.7.3 from 20.1, today. My first IPsec tests do not show any incorrect behaviour. I've pushed nearly 8 GB through the IPsec tunnel in each direction.

Let's see what the results of a long-term test will look like.

Quote from: Cerberus on September 18, 2020, 05:19:32 PM
I had massive IPsec problems after updating to 20.7.

As reported by mimugmail this cannot be reproduced, so we should focus on making this reproducible. For this I ask you to provide the following information:

* configuration of Phase 1 and Phase 2
* your configuration in "Interfaces: Settings"
* your configuration in "Firewall: Settings: Advanced"
* your configuration in "System: Settings: Tunables"

Thanks!

- Frank

Quote from: glasi on September 26, 2020, 11:10:14 PM
I am running OPNsense on comparable hardware (A2SDi-4C-HLN4F).
I've updated to OPNsense 20.7.3 from 20.1, today. My first IPsec tests do not show any incorrect behaviour. I've pushed nearly 8 GB through the IPsec tunnel in each direction.

Thanks for smashing my theory. ;-) (In all seriousness, I appreciate your feedback!)
For comparison's sake, would you mind providing the data I've requested in my previous post?

Thanks!

- Frank

As I am also planning to build some new firewalls with IPsec ESP, I am eagerly waiting to see whether this will be a blocker for me as well.


Interfaces: Settings
Firewall: Settings: Advanced