[Worked-around] IKEv2 S2S IPv6 doesn't come up after reboot

Started by StartersOrders, February 18, 2022, 10:21:17 AM

February 18, 2022, 10:21:17 AM Last Edit: February 19, 2022, 06:49:59 PM by StartersOrders
Strange one this.

I have an OVH/SYS start VMware server with OPNsense 22.1.1_1 (so far gateway is a thing). As a result I'm having to use Hurricane Electric's IPv6 tunnel service to get IPv6 to my internal network.

This works fine, if a bit Heath Robinson with two WAN interfaces, one for v4 and one for v6.

What is very odd is that the IPsec VPN I run between home and the OPNsense box doesn't survive a reboot particularly well. The IPv4 P2s work fine after a reboot, but the IPv6 P2 (for the /48 at each end) doesn't appear to come up and instead stays down even though it's installed. Before the reboot it works fine?

To test I snapshotted (with RAM) the VM and rebooted it, which killed the ping I had running to the LAN interface. Once I restored the snapshot (so as if it had never been rebooted) the ping started working again?! Again, the whole time the IPv4 P2s were fine and I could ping each end of the VPN once they'd re-established.

Oddly this exact setup works fine on pfSense, although that has its own issues.

Might be same as https://forum.opnsense.org/index.php?topic=26700.0 and we're working on it... it should be fixed in the latest development version. Changes are too many to use opnsense-patch reliably.

If you can snapshot it's worth a try to change release type to development, check for updates and install, plus reboot.


Cheers,
Franco

Quote from: franco on February 18, 2022, 10:42:19 AM
Might be same as https://forum.opnsense.org/index.php?topic=26700.0 and we're working on it... it should be fixed in the latest development version. Changes are too many to use opnsense-patch reliably.

If you can snapshot it's worth a try to change release type to development, check for updates and install, plus reboot.


Cheers,
Franco

Just tried - no dice unfortunately :(

It's a VM I can swap out at will so I don't mind doing destructive testing!

Ok, let's back up a little then. Are we talking about GIF not coming up on boot or IPsec over IPv6 or both? I'd like to inspect system log a little. It should throw at least 1-2 configuration errors that would indicate a failure to init all during boot.


Cheers,
Franco

Quote from: franco on February 18, 2022, 01:40:31 PM
Ok, let's back up a little then. Are we talking about GIF not coming up on boot or IPsec over IPv6 or both? I'd like to inspect system log a little. It should throw at least 1-2 configuration errors that would indicate a failure to init all during boot.


Cheers,
Franco

It appears to just be the IPsec side of things as I can remotely ping over the GIF tunnel, it's just the IPsec-connected networks that don't work.

How do you want the logs?

This is VTI, right?

I think it's unable to configure the assigned interface... Can you check?

# opnsense-log | grep Unable.to.configure


Cheers,
Franco

Quote from: franco on February 18, 2022, 02:05:02 PM
This is VTI, right?

I think it's unable to configure the assigned interface... Can you check?

# opnsense-log | grep Unable.to.configure


Cheers,
Franco

No, straight IPsec policies.

I ran the command and obviously nothing returned.

Not sure what's wrong to be honest. There's little data to analyse further about your setup and actual system state (routes, IPs, ping from where).


Cheers,
Franco
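The state Franco asks for above (which phase 2 SAs actually came up, and whether the IPv6 one is among them) can be checked from the strongSwan side, since OPNsense's IPsec is strongSwan. The script below is an added example and is not code from this thread, from OPNsense or from strongSwan: it parses the output of `swanctl --list-sas`, reports which expected child SAs are not in the INSTALLED state, and counts installed children whose traffic selectors are IPv6. The connection and child names (`s2s`, `s2s-v4`, `s2s-v6`) and the sample listings are constructed for the example; the `wait_for_children` wrapper is the only part that talks to a live box.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense or strongSwan): post-reboot
# check of IPsec child SAs from `swanctl --list-sas` output.
# Child-SA header lines in that output are indented two spaces and read
# "name: #N, reqid N, INSTALLED, TUNNEL, ...", followed by four-space
# indented lines including the traffic selectors "local  <net>" / "remote <net>".

# Constructed sample: after reboot only the IPv4 child is installed, the
# IPv6 child (s2s-v6) never negotiated. Names/addresses are assumptions.
sample_sas() {
cat <<'EOF'
s2s: #1, ESTABLISHED, IKEv2, 1234567890abcdef_i* fedcba0987654321_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 14s ago, rekeying in 13200s
  s2s-v4: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 14s ago, rekeying in 3200s, expires in 3960s
    in  c1a2b3c4,      0 bytes,     0 packets
    out d4e5f6a7,      0 bytes,     0 packets
    local  10.10.0.0/24
    remote 192.168.50.0/24
EOF
}

# Constructed sample of the healthy state: both children installed.
sample_sas_ok() {
sample_sas
cat <<'EOF'
  s2s-v6: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 14s ago, rekeying in 3100s, expires in 3960s
    in  11223344,      0 bytes,     0 packets
    out 55667788,      0 bytes,     0 packets
    local  2001:db8:10::/48
    remote 2001:db8:50::/48
EOF
}

# Names of child SAs whose state is INSTALLED, one per line (reads stdin).
installed_children() {
  awk '/^  [^ ]+: #[0-9]+, reqid [0-9]+, INSTALLED,/ { sub(/:$/, "", $1); print $1 }'
}

# Print the expected child names (space-separated in $1) that are not
# installed; prints nothing when everything is up (reads stdin).
missing_children() {
  expected="$1"
  have=$(installed_children)
  for name in $expected; do
    # whole-line match so "s2s-v4" does not satisfy "s2s-v46"
    printf '%s\n' "$have" | grep -qx "$name" || printf '%s\n' "$name"
  done
}

# Count installed children with IPv6 traffic selectors (reads stdin). Only
# the four-space indented selector lines are inspected, so the IKE SA's own
# "local"/"remote" endpoint lines (two-space indent) are ignored.
ipv6_children() {
  awk '
    /^  [^ ]+: #[0-9]+, reqid [0-9]+, INSTALLED,/ { child = $1; sub(/:$/, "", child); next }
    /^    (local|remote) / && child != "" && $2 ~ /:/ {
      if (!(child in seen)) { seen[child] = 1; n++ }
    }
    END { print n + 0 }
  '
}

# Live use on an OPNsense box (not exercised here): poll for a while so a
# slow negotiation right after boot is not mistaken for a missing child SA.
wait_for_children() {
  expected="$1"; tries="${2:-12}"
  while [ "$tries" -gt 0 ]; do
    missing=$(swanctl --list-sas | missing_children "$expected")
    [ -z "$missing" ] && return 0
    tries=$((tries - 1)); sleep 5
  done
  echo "child SAs still missing after reboot: $missing" >&2
  return 1
}
```

Run `wait_for_children 's2s-v4 s2s-v6'` from a cron `@reboot` entry or by hand after the box is up; a non-empty result tells you which phase 2 is down before you start pinging across it, and pairs with the `opnsense-log | grep Unable.to.configure` check suggested earlier in the thread for the interface side.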

Right, gave in and converted the other end to OPNsense after the Other Vendor (tm) decided to go on a Reddit locking spree...

... And it works with both ends as OPNsense after a reboot in policy mode! Very strange, but I'm a happy man  ;D

Oh, happy to hear that... welcome to the family. :)

Looks like I need to read up on Reddit.


Cheers,
Franco