IPsec phase 2 SAs drop for no apparent reason

Started by Patrick M. Hausen, October 10, 2021, 08:05:11 PM

Hi all,

We have mostly successfully migrated our ancient Sidewinder firewall cluster to a HA pair of OPNsense on Deciso's very nice machines.

One single issue that troubles us: some but not all IPsec VPN connections to business partners, while correctly migrated and "up and running", drop their phase 2 SAs from time to time and do not re-establish them unless someone restarts the strongSwan service. I cannot see a pattern in the configuration.

All tunnels we run are set to "Start immediate" for phase 1.
I have set Keyingtries to "-1" for all tunnels.

I tried to manually edit the /usr/local/etc/ipsec.conf file and add "closeaction = restart" to each phase 2 entry, but it seems that even a service restart from the UI regenerates the config and deletes my changes.

So, first: can someone point me at the code that generates the ipsec.conf file - I would just hardwire that parameter for now and if that fixes things, I'd be more than willing to provide a pull request.
I did not find any jinja template or anything remotely MVC that does this. I assumed all of OPNsense could be found at /usr/local/opnsense/mvc/... but apparently I'm wrong.

Any other ideas? What particular debug setting to set to "more verbose" and what to look for in the log file would also help greatly. I have no experience with strongSwan, apart from commercial products I always used the standard FreeBSD kernel IPsec and racoon ...

Kind regards,
Patrick

P.S. Of course there are some tunnels that are just rock solid. Like IKEv1 ones to several Fritzbox routers or an IKEv2 one to another OPNsense. Unfortunately I won't convince our enterprise customers to switch their expensive Cisco/Checkpoint/... gear. ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
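The post above boils down to three per-conn strongSwan settings that decide whether a tunnel comes back on its own (keyingtries, dpdaction, closeaction). The script below is an added example, not code from this thread or from OPNsense: it parses ipsec.conf `conn` sections (honouring `conn %default` inheritance) and reports every conn whose effective settings would let it stay down after the peer deletes the SA or a rekey fails. The sample ipsec.conf is constructed, and treating the UI value `-1` as equivalent to strongSwan's `%forever` is an assumption about how OPNsense renders it.

```python
"""Audit strongSwan ipsec.conf 'conn' sections for the settings that decide
whether a tunnel re-establishes its SAs on its own after a peer closes them
or a rekey fails, instead of staying down until someone restarts the service."""
import re
from typing import Dict, List

# Constructed sample (not a real OPNsense-generated file): con1 carries the
# re-establishment settings, con2 does not.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    dpddelay = 10s

conn con1
    left = 192.0.2.1
    right = 198.51.100.1
    keyingtries = %forever
    dpdaction = restart
    closeaction = restart   # re-establish when the peer deletes the SA
    auto = start

conn con2
    keyexchange = ikev1
    left = 192.0.2.1
    right = 203.0.113.7
    keyingtries = 3
    dpdaction = clear
    auto = start
"""

# Values treated as "keeps the tunnel up". '-1' is the OPNsense UI value for
# unlimited keying tries; accepting it alongside strongSwan's own '%forever'
# is an assumption about how the UI renders it (constructed allow-list).
RESILIENT_VALUES = {
    "keyingtries": {"%forever", "-1"},
    "dpdaction": {"restart"},
    "closeaction": {"restart"},
}


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    ipsec.conf syntax: a section header ('conn <name>', 'config setup', 'ca ...')
    starts at column 0; its parameters are indented 'key = value' lines; '#'
    starts a comment. Only 'conn' sections are kept. 'also=' includes are not
    resolved (limitation of this helper).
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # column-0 line: a section header
            m = re.match(r"conn\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:  # parameter of a non-conn section
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            conns[current][key.strip()] = value.strip()
    return conns


def effective_params(conns: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Merge 'conn %default' values under the conn's own (ipsec.conf inheritance)."""
    return {**conns.get("%default", {}), **conns[name]}


def audit(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {conn_name: [findings]} for every real conn that is missing one of
    the RESILIENT_VALUES settings or has it set to a non-resilient value."""
    findings: Dict[str, List[str]] = {}
    for name in conns:
        if name == "%default":
            continue
        params = effective_params(conns, name)
        issues = []
        for key, ok in RESILIENT_VALUES.items():
            value = params.get(key)
            if value is None:
                issues.append(f"{key} not set (strongSwan default applies)")
            elif value not in ok:
                issues.append(f"{key} = {value} (expected one of {sorted(ok)})")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for conn, issues in audit(parse_conns(SAMPLE_IPSEC_CONF)).items():
        print(conn)
        for issue in issues:
            print("  -", issue)
```

Run against the real file (`parse_conns(open("/usr/local/etc/ipsec.conf").read())`) after each UI-triggered regeneration to confirm the settings you expect are actually present in what strongSwan loads, since the thread's point is that hand edits to that file do not survive a restart.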

No ideas?

I took it to the strongSwan mailing list:
https://lists.strongswan.org/pipermail/users/2021-October/015130.html


Line 1656 to hardwire $things per conn entry. Thanks!

October 12, 2021, 04:42:26 PM #4 Last Edit: October 12, 2021, 06:20:37 PM by pmhausen

October 14, 2021, 11:50:19 AM #5 Last Edit: October 14, 2021, 11:58:40 AM by Cerberus
Hi,

Yes, I noticed that for some weeks: sometimes IPsec tunnels are down and the IPsec status shows that phase 1 is up but all phase 2 SAs are missing. I have to press restart on OPNsense to get it fixed; triggering a restart from the peer does not bring the phase 2 back.

Solution here:
https://github.com/opnsense/core/commit/bb9b8820c6a2725730598bd3ee77b11e626b1186

Hopefully in a regular minor update soon.

Kind regards,
Patrick