
[Solved] Second IPsec Site2Site Tunnel down


BusinessTux:
Hi all,

I have a problem with a setup on three locations with two IPsec S2S tunnels to the main office.

I've configured two routed IPsec tunnels, as described here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html.

Homeoffice 1            Main Office              Homeoffice 2
100.64.21.2/30          100.64.21.1/30
                        100.64.22.1/30           100.64.22.2/30

The tunnel to Homeoffice 1 works like a charm. The tunnel to Homeoffice 2 is active, but routing isn't functional.

In short:
- WAN rules in the firewall (IPsec, ISAKMP, ESP) are active on all three locations
- Gateways for both home offices are created and configured as "far gateway"
- Routes for the remote networks of both home offices are created in the main office
- Routes for the networks of the main office are created in both home offices
- Firewall rules on the IPsec interface in the main office are created
- Firewall rules on the IPsec interface in the home offices are created


Traceroute main office to Homeoffice 1: works
Traceroute main office to Homeoffice 2: hangs on main office gateway

The route to home office 2 is in the active routing table of the main office gateway.

But mainofficerouter says the network is down:

--- Code: ---
root@mainofficerouter:~ # ping -t 3 100.64.22.2
PING 100.64.22.2 (100.64.22.2): 56 data bytes
ping: sendto: Network is down
--- End code ---

I double-checked all configurations twice, but I can't figure it out.

The box versions are:

mainofficerouter: OPNsense 21.10.2 (amd64/OpenSSL)
homeoffice 1:       OPNsense 21.7.7 (amd64/OpenSSL)
homeoffice 2:       OPNsense 21.10.2 (amd64/OpenSSL)

My ipsec.conf (completely generated):

--- Code: ---
root@mainofficerouter:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel





  left = 80.153.119.52
  right = custwar02.edvnet.biz
  rightallowany = yes
  leftid = userfqdn:site2siteHQBN@cust-bonn.de
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "/C=DE/ST=NRW/L=Bonn/O=cust XXXXXX GmbH/OU=cust XCA/CN=custVpnCA/emailAddress=edv@cust-bonn.de/"
  rightid = userfqdn:site2sitehowa@cust-bonn.de
  reqid = 1
  rightsubnet = 0.0.0.0/0
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha512-modp2048!
  auto = add

conn con2
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel





  left = 80.153.119.52
  right = custror02.edvnet.biz
  rightallowany = yes
  leftid = userfqdn:site2siteHQBN@cust-bonn.de
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-2.crt
  leftsendcert = always
  rightca = "/C=DE/ST=NRW/L=Bonn/O=cust XXXXXX GmbH/OU=cust XCA/CN=custVpnCA/emailAddress=edv@cust-bonn.de/"
  rightid = userfqdn:site2sitehoro@cust-bonn.de
  reqid = 2
  rightsubnet = 0.0.0.0/0
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha512-modp2048!
  auto = add

include ipsec.opnsense.d/*.conf
--- End code ---

Where is my error?

BusinessTux:
Here are more screenshots.

BusinessTux:
Not good for debugging, but good for me.

This morning the IPsec connection to home office 1 was down. After I restarted IPsec VPN (in settings) the tunnel was online, but there was no routing. I saw the ping from home office 1 in the firewall log of the main office as passed to the local intranet of the main office. But there was no reply.

As I understand it, the tunnel was online, but the main office gateway didn't route.

After a restart of the OPNsense in the main office both tunnels were working. I hope this will last for a long time.

Where can I find additional information about routing problems in OPNsense?
What can I restart to get routing back to work without restarting the hardware?

Thanks
Ulf

BusinessTux:
After about two weeks of very stable tunnels, a note to myself: a reboot will not hurt.

BusinessTux:
Today there was no routing again.
After some restarts of all three devices the tunnels were up, but there was no routing.

I double-checked System/Routes/Status. The static routes I entered were not present. >:(

My workaround: edit one static route and save it without changing anything.

After that both IPsec routes were online again.
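The symptom in this thread is that static routes configured under System/Routes vanish from the kernel's active table while the tunnels stay up. The check below is an added example, not code from the poster or from OPNsense: it compares a list of expected "destination gateway" pairs against a `netstat -rn -f inet` dump. It assumes the FreeBSD column layout (Destination, Gateway, Flags, Netif); the remote LANs and the sample table are constructed placeholders, only the transfer-network gateways come from the thread.

```shell
# Expected static routes, "destination gateway" per line. The remote LANs are
# constructed documentation ranges; the gateways are the far ends of the
# transfer networks from this thread.
EXPECTED_ROUTES='192.0.2.0/24 100.64.21.2
198.51.100.0/24 100.64.22.2'

# Constructed routing-table dump in which the route via home office 2 is missing,
# i.e. the state the poster found in System/Routes/Status.
SAMPLE_TABLE='Destination        Gateway            Flags     Netif Expire
default            80.153.119.1       UGS         em0
100.64.21.0/30     link#5             U         ipsec1
100.64.22.0/30     link#6             U         ipsec2
192.0.2.0/24       100.64.21.2        UGS       ipsec1'

# missing_routes EXPECTED: read a routing table on stdin and print every expected
# "destination via gateway" that is absent or that points at a different gateway.
missing_routes() {
    expected=$1
    table=$(cat)
    printf '%s\n' "$expected" | while read -r dest gw; do
        if [ -z "$dest" ]; then
            continue
        fi
        # Match on the Destination and Gateway columns only; flags/interface may vary.
        if ! printf '%s\n' "$table" | awk -v d="$dest" -v g="$gw" \
                '$1 == d && $2 == g { found = 1 } END { exit found ? 0 : 1 }'; then
            printf '%s via %s\n' "$dest" "$gw"
        fi
    done
}

# Live check on the router itself, e.g. from cron or a monitoring hook:
#   sh check_routes.sh --live
# Exit status 2 signals that at least one configured static route is not installed.
if [ "${1:-}" = "--live" ]; then
    missing=$(netstat -rn -f inet | missing_routes "$EXPECTED_ROUTES")
    if [ -n "$missing" ]; then
        printf 'Static routes missing from kernel table:\n%s\n' "$missing"
        exit 2
    fi
    echo "All expected static routes present."
fi
```

Run without arguments it only defines the functions and sample data; the `--live` flag runs it against the real routing table so the disappearing-route condition can be alerted on rather than discovered when a tunnel stops passing traffic.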
