IPSec - Problem with a Phase 2 entry

[indigosi]

Hello!

I have a problem that i alone am unable to solve and with high hopes, that with your help i can find the solution i came here to this community.

Topology:
Point A: OPNsense 21.7.2_1-amd64 as a virtual maschine in AWS EC2
Point B: Mikrotik RB2011UiAS with RouterOS 6.48.1

Betwenn those two points i have a single IPSec IKEv2 Tunnel with multiple phase 2 entries. All the phase 2 entries are working without any problems but i had to add a new one, because i got a new subnet in AWS EC2 that i need to reach from Point B.

So what i did was simply to copy one of the existing entries and just changed the networks that i need. Here a screenshot how this looks:



The new entry is the one that hast the local subnet defined as 10.99.3.0/24 and goes to remote network 10.101.11.0/24

The same is of course configured on the point B on mikrotik:



After i confirm the changes on OPNSense and on mikrotik i get some debug messages on both sides.

Code: [Select]

OPNSense:
021-09-14T20:37:05 charon 62079 09 KNL   con1 10  updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:37:05 charon 62079 09 KNL   con1 10  policy 10.101.11.0/24 === 10.99.3.0/24 in already exists, increasing refcount
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:31:24 charon 62079 11 KNL   con1 8  getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:31:18 charon 62079 14 KNL   con1 6  updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:18 charon 62079 14 KNL   con1 6  deleting policy 10.101.11.0/24 === 10.99.3.0/24 in


On te mikrotik i only get the info, that there no phase 2 is present for this network. Also on OPNSense, when i go under Status Overview for IPSec i cant see this route to be added.

I really have no clue what i am doing wrong. I hope i provided enough informations so that you can help me out for which i thank you in advance!

Kind regards,
Matjaz

[indigosi]

Also some additional output from cli:

REMINDER: The NETWORK for Mikrotik has changed from 10.101.11.0/24 to 10.101.12.0/24 ... so dont wonder why this logs are showing another network.

ipsec statusall

Code: [Select]

Listening IP addresses:
10.99.1.10
10.99.0.253
10.99.0.252
10.99.2.253
10.98.0.1
10.98.16.1

Connections:
con1: 10.99.1.10...xx.xxx.xx.xx IKEv2 -> xxx so nas public ip
con1: local: [vpn.nasadomena.com] uses pre-shared key authentication
con1: remote: [xx.xxx.xx.xx] uses pre-shared key authentication
con1: child: 10.99.3.0/24 === 10.101.12.0/24 TUNNEL
con1-001: child: 10.99.0.0/24 === 10.101.12.0/24 TUNNEL
con1-002: child: 10.99.0.0/24 === 10.101.10.0/24 TUNNEL
con1-003: child: 10.99.0.0/24 === 10.101.11.0/24 TUNNEL
con1-004: child: 10.99.0.0/24 === 10.113.12.0/24 TUNNEL
con1-005: child: 10.98.0.0/24 === 10.101.11.0/24 TUNNEL

Routed Connections:
con1-005{29}: ROUTED, TUNNEL, reqid 5
con1-005{29}: 10.98.0.0/24 === 10.101.11.0/24
con1-004{28}: ROUTED, TUNNEL, reqid 4
con1-004{28}: 10.99.0.0/24 === 10.113.12.0/24
con1-003{27}: ROUTED, TUNNEL, reqid 3
con1-003{27}: 10.99.0.0/24 === 10.101.11.0/24
con1-002{26}: ROUTED, TUNNEL, reqid 2
con1-002{26}: 10.99.0.0/24 === 10.101.10.0/24
con1-001{25}: ROUTED, TUNNEL, reqid 1
con1-001{25}: 10.99.0.0/24 === 10.101.12.0/24
con1{24}: ROUTED, TUNNEL, reqid 7
con1{24}: 10.99.3.0/24 === 10.101.12.0/24

Security Associations (1 up, 0 connecting):
con1[46]: ESTABLISHED 6 minutes ago, 10.99.1.10[vpn.nasadomena.com]...xx.xx.xx.xx[xx.xx.xx.xx]
con1[46]: IKEv2 SPIs: 3b2c3caf12c2ab2b_i* 924ee645628a06d8_r, pre-shared key reauthentication in 7 hours
con1[46]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1-005{141}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c1e77d0d_i 0e5d311f_o
con1-005{141}: AES_CBC_256/HMAC_SHA2_256_128, 1471 bytes_i (2 pkts, 1s ago), 346480 bytes_o (2720 pkts, 1s ago), rekeying in 36 minutes
con1-005{141}: 10.98.0.0/24 === 10.101.11.0/24
con1-003{142}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: ca1f9729_i 07391316_o
con1-003{142}: AES_CBC_256/HMAC_SHA2_256_128, 1608 bytes_i (2 pkts, 132s ago), 1416 bytes_o (6 pkts, 121s ago), rekeying in 38 minutes
con1-003{142}: 10.99.0.0/24 === 10.101.11.0/24
con1-004{143}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: ce70238c_i 0f721d42_o
con1-004{143}: AES_CBC_256/HMAC_SHA2_256_128, 3068964 bytes_i (4684 pkts, 0s ago), 2472976 bytes_o (4944 pkts, 0s ago), rekeying in 43 minutes
con1-004{143}: 10.99.0.0/24 === 10.113.12.0/24
con1-001{144}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6722e19_i 0fadf2ff_o
con1-001{144}: AES_CBC_256/HMAC_SHA2_256_128, 462192 bytes_i (605 pkts, 184s ago), 0 bytes_o (0 pkts, 171s ago), rekeying in 44 minutes
con1-001{144}: 10.99.0.0/24 === 10.101.12.0/24
con1-002{145}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c90d0896_i 0f443b19_o
con1-002{145}: AES_CBC_256/HMAC_SHA2_256_128, 2747596 bytes_i (3486 pkts, 152s ago), 1524 bytes_o (11 pkts, 14s ago), rekeying in 45 minutes
con1-002{145}: 10.99.0.0/24 === 10.101.10.0/24

As you can see the routed, tunnel ist set up, but then under "installed, tunnel" this is nowhere present.

If i do then a ipsec up con1 this route is also installed, tunnel, but dissapears when the rekey takes place. I really dont unserstand this behaviour.



Matt