[Solved] Second IPsec Site2Site Tunnel down
BusinessTux:
Hi all,
I have a problem with a setup on three locations with two IPsec S2S tunnels to the main office.
I've configured two routed IPsec tunnels, as described here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html.
Homeoffice 1        Main Office         Homeoffice 2
100.64.21.2/30      100.64.21.1/30
                    100.64.22.1/30      100.64.22.2/30
The tunnel to Homeoffice 1 works like a charm. The tunnel to Homeoffice 2 is active, but routing isn't functional.
In short:
- WAN-Rules in Firewall (IPSec, ISAKMP, ESP) are active on all three locations
- Gateways for both home office are created and configured as "far gateway"
- Routes for the remote networks of both home offices are created in the main office
- Routes for the networks of the main office are created in both home offices
- Firewall-Rules on ipsec interface in the main office are created
- Firewall-Rules on ipsec interface in the home offices are created
Traceroute from the main office to Homeoffice 1: works
Traceroute from the main office to Homeoffice 2: hangs on the main office gateway
The route to Homeoffice 2 is in the active routing table of the main office gateway.
But the mainofficerouter says the network is down:
--- Code: ---root@mainofficerouter:~ # ping -t 3 100.64.22.2
PING 100.64.22.2 (100.64.22.2): 56 data bytes
ping: sendto: Network is down
--- End code ---
I double-checked all configurations twice, but I can't figure it out.
The box versions are
mainofficerouter: OPNsense 21.10.2 (amd64/OpenSSL)
homeoffice 1: OPNsense 21.7.7 (amd64/OpenSSL)
homeoffice 2: OPNsense 21.10.2 (amd64/OpenSSL)
My ipsec.conf (completely auto-generated):
--- Code: ---root@mainofficerouter:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn con1
    aggressive = no
    fragmentation = yes
    keyexchange = ikev2
    mobike = yes
    reauth = yes
    rekey = yes
    forceencaps = no
    installpolicy = no
    type = tunnel
    left = 80.153.119.52
    right = custwar02.edvnet.biz
    rightallowany = yes
    leftid = userfqdn:site2siteHQBN@cust-bonn.de
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha512-modp2048!
    leftauth = pubkey
    rightauth = pubkey
    leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
    leftsendcert = always
    rightca = "/C=DE/ST=NRW/L=Bonn/O=cust XXXXXX GmbH/OU=cust XCA/CN=custVpnCA/emailAddress=edv@cust-bonn.de/"
    rightid = userfqdn:site2sitehowa@cust-bonn.de
    reqid = 1
    rightsubnet = 0.0.0.0/0
    leftsubnet = 0.0.0.0/0
    esp = aes256-sha512-modp2048!
    auto = add

conn con2
    aggressive = no
    fragmentation = yes
    keyexchange = ikev2
    mobike = yes
    reauth = yes
    rekey = yes
    forceencaps = no
    installpolicy = no
    type = tunnel
    left = 80.153.119.52
    right = custror02.edvnet.biz
    rightallowany = yes
    leftid = userfqdn:site2siteHQBN@cust-bonn.de
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha512-modp2048!
    leftauth = pubkey
    rightauth = pubkey
    leftcert = /usr/local/etc/ipsec.d/certs/cert-2.crt
    leftsendcert = always
    rightca = "/C=DE/ST=NRW/L=Bonn/O=cust XXXXXX GmbH/OU=cust XCA/CN=custVpnCA/emailAddress=edv@cust-bonn.de/"
    rightid = userfqdn:site2sitehoro@cust-bonn.de
    reqid = 2
    rightsubnet = 0.0.0.0/0
    leftsubnet = 0.0.0.0/0
    esp = aes256-sha512-modp2048!
    auto = add

include ipsec.opnsense.d/*.conf
--- End code ---
Where is my error?
BusinessTux:
Here are more screenshots.
BusinessTux:
Not good for debugging, but good for me.
This morning the IPsec connection to Homeoffice 1 was down. After I restarted the IPsec VPN (in settings) the tunnel was online, but there was no routing. I saw the ping from Homeoffice 1 in the firewall log of the main office as passed to the local intranet of the main office. But there was no reply.
As I understand it, the tunnel was online, but the main office gateway doesn't route.
After a restart of the OPNsense in the main office both tunnels were working. I hope this will last for a long time.
Where can I find additional information about routing problems in OPNsense?
What can I restart to get routing back to work without restarting the hardware?
Thanks
Ulf
BusinessTux:
After about two weeks of very stable tunnels, a note to myself: a reboot will not hurt.
BusinessTux:
Today there was no routing again.
After some restarts of all three devices the tunnels were up, but no routing.
I double-checked System/Routes/Status. The static routes I had entered were not present. >:(
My workaround: edit one static route and save it without changing anything.
After that both IPsec routes were online again.
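As an added example that is not part of this thread, a small POSIX shell check for the symptom described in the last post (static routes silently gone from the active FreeBSD routing table), meant to run from cron on the main office box. The remote LAN prefixes, interface names and the sample netstat listing in the test are constructed assumptions; only the /30 transit gateway addresses come from the thread.

```shell
#!/bin/sh
# Expected static routes for the two routed IPsec tunnels, one "destination gateway"
# pair per line. The gateways are the far ends of the /30 transit networks from the
# thread; the remote LAN prefixes are placeholders (the thread does not list them).
EXPECTED_ROUTES='10.10.1.0/24 100.64.21.2
10.10.2.0/24 100.64.22.2'

# Read a "netstat -rn" listing on stdin and print every expected route that is not in
# it, as "<destination> via <gateway>". Prints nothing when all routes are present.
missing_routes() {
    table=$(cat)
    printf '%s\n' "$EXPECTED_ROUTES" | while read -r dst gw; do
        [ -n "$dst" ] || continue
        # Match on the Destination and Gateway columns of the FreeBSD netstat output.
        printf '%s\n' "$table" \
            | awk -v d="$dst" -v g="$gw" '$1 == d && $2 == g { f = 1 } END { exit !f }' \
            || printf '%s via %s\n' "$dst" "$gw"
    done
}

# Exit-status wrapper for cron or a monitoring check: 0 when every route is present,
# 1 when at least one has dropped out of the active routing table.
routes_ok() {
    [ -z "$(missing_routes)" ]
}

# Usage on the OPNsense box (not executed here):
#   netstat -rn -f inet | routes_ok || echo "IPsec static routes missing, re-apply them"
```

A non-zero exit is the moment to re-save the static route in the GUI (the workaround above) rather than waiting for a user to report the tunnel as dead.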