Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
[Bug] Reproduced bug with IPSec Routed and an routing entry getting lost.
« previous
next »
Print
Pages: [
1
]
Author
Topic: [Bug] Reproduced bug with IPSec Routed and an routing entry getting lost. (Read 1625 times)
mrzaz
Newbie
Posts: 13
Karma: 1
[Bug] Reproduced bug with IPSec Routed and an routing entry getting lost.
«
on:
April 01, 2021, 01:33:06 am »
Hello,
I have found a reproducible bug with IPSec Routed and
a routing entry getting lost
causing issues to ping/reach remote tunnel-IP.
Prerequsit:
- Tested with 21.1.4
- Setup IPSec Routed in both end.
example:
I have a IPSec routed net with phase1 and phase2 setup with a tunnel-net 10.6.110.0/30.
Router1 10.6.110.1/30 (LAN: 192.168.120.221/24)
Router2 10.6.110.2/30 (LAN: 192.168.120.231/24)
- Have enabled "Dynamic gateway policy" and it has created the Dynamic Gateways in the gateway tab.
- I have also added rule on IPSec+VTI_ifc+LAN with a "Allow Firewall to respond to pings"
Dir: in, IPv4, ICMP, Any, This Firewall
- Configured the dynamicly created gateways with "Far Gateway"
1. restart routers. Both routers have the following entries. (reversed order in router2)
Destination Gateway Flags Netif Expire
default 178.132.73.97 UGS vtnet0
10.6.110.1 link#7 UHS lo0
10.6.110.2 link#7 UH ipsec1
2. Go to Gateways and edit the dynamic gateway created from IPsec.
3. Untick the "Disable Gateway Monitoring" and enter the tunnelIP on the other side and press APPLY.
(eg. 10.6.110.2)
4. Go to Gateways and edit the dynamic gateway created from IPsec again.
5. Tick the "Disable Gateway Monitoring" and remove the tunnelIP so editbox is blank and press APPLY.
6.
Now the routing table has lost one entry. (the "10.6.110.2 link#7 UH ipsec1"
Destination Gateway Flags Netif Expire
default 178.132.73.97 UGS vtnet0
10.6.110.1 link#7 UHS lo0
This is a bug.
Have now been issued in:
https://github.com/opnsense/core/issues/4888
Also another issue seen is that even when both entries exists and you could ping the remote tunnel IP both from commandline or through OPNSense webgui, if you enable gateway monitoring the monitorIP shows as blank and Gateway also blank and it is always OFFLINE.
I found the following in github that looks like the problem.
https://github.com/opnsense/core/issues/4676
In pfSense, from where I am currently migrating from to OPNSense (which will be my router to use in the future), the IPSecRouted dynamicly created gateways always picks up and shows the Gateway IP and the Monitor IP even if IP says "dynamic". This could possible be an additional bug.
Best regards
Dan Lundqvist
Stockholm, Sweden
«
Last Edit: April 01, 2021, 08:01:47 pm by mrzaz
»
Logged
Best regards
Dan Lundqvist (mrzaz)
"It's better to burn up, than fade away..." (Highlander)
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
[Bug] Reproduced bug with IPSec Routed and an routing entry getting lost.