Slow boot IPSec VTI

Started by Lokutos, July 03, 2022, 03:21:17 PM

Hi, I have set up 2 IPsec VTI tunnels; since then I have issues with the boot time,

in the console, it stays at the interface log line for around 2 minutes...

The IPsec connections work fast if I restart the service or just stop and start the connection in VPN: IPsec: Status Overview.

Is there any hint?

Hi,

We experience the very same issue with several OPNsense instances. IPsec VTI configuration takes several minutes to complete. Did you find a solution to this problem?

Thanks!
--
Marin BERNARD
System administrator

Sorry, but unfortunately I can't offer or find a solution myself.

Still exists in 22.7 and I can't find a solution... anyone?

Unfortunately, nothing new on my side either. The boot delay has to do with the setup of the VTI interfaces: disabling the IPsec service has no effect as long as the VTI interfaces still exist. Maybe someone should open an issue on the GitHub tracker?
--
Marin BERNARD
System administrator

If I check my log:

2022-09-28T10:13:26   Error   php   /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'ipsec5' 'inet' tunnel '136.243.195.58' 'fqdn.off.otherfirewall' up' returned exit code '1', the output was 'ifconfig: error in parsing address string: Name does not resolve'   
2022-09-28T10:11:56   Error   php   /usr/local/etc/rc.bootup: Device ipsec5 required for ipsec5, configuring now

So it sounds to me like the issue is that DNS is not working in this state...

After changing it to an IP (temporary, because it's not a solution for me)
(change the IPsec tunnel setting VPN gateway),
it boots fast...

Thanks for this!

I suppose this happens because the local DNS daemon (unbound) is not yet available when IPsec interfaces are set up, as services are started later in the boot process.

One option would be to check the "Do not use the local DNS service as a nameserver for this system" check box in the System > Settings > General page, and provide at least one DNS resolver in the fields just above. This would allow the box to use a remote DNS resolver for its own needs, and remove the dependency on the local unbound service.

I'll try to implement this on my side too and report the results.
--
Marin BERNARD
System administrator
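As an added illustration of the boot-order dependency described in this post (not code from the thread or from OPNsense itself): a POSIX sh snippet that resolves the VTI peer name with a bounded retry before building the ifconfig line, so a resolver that is still starting, such as unbound at boot, does not turn into an immediate "Name does not resolve" failure. The function names, the retry counts, the use of getent for lookups, and the ifconfig argument order copied from the log line above are assumptions.

```sh
#!/bin/sh
# Added example, not part of the thread or of OPNsense: resolve a VTI peer
# name with retries before handing it to ifconfig (FreeBSD syntax assumed).

is_ipv4() {
  # True when the argument is a dotted-quad IPv4 literal (no DNS needed).
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

resolve_peer() {
  # resolve_peer NAME [ATTEMPTS] [DELAY]: print one IPv4 address for NAME.
  # IP literals are returned unchanged; names are looked up with getent,
  # retrying so a resolver that is still starting gets a chance to answer.
  name=$1; attempts=${2:-5}; delay=${3:-2}; n=0
  if is_ipv4 "$name"; then echo "$name"; return 0; fi
  while [ "$n" -lt "$attempts" ]; do
    # Take the first IPv4 entry; skip IPv6 lines that getent may list first.
    addr=$(getent hosts "$name" 2>/dev/null | awk '$1 ~ /^[0-9.]+$/ {print $1; exit}')
    if [ -n "$addr" ] && is_ipv4 "$addr"; then echo "$addr"; return 0; fi
    n=$((n + 1)); sleep "$delay"
  done
  echo "resolve_peer: $name did not resolve after $attempts attempts" >&2
  return 1
}

vti_tunnel_cmd() {
  # vti_tunnel_cmd IFACE LOCAL REMOTE [ATTEMPTS] [DELAY]: print the ifconfig
  # line with REMOTE replaced by its resolved address, or fail (exit 1) so
  # the caller can log the problem and skip the interface instead of hanging.
  remote=$(resolve_peer "$3" "${4:-5}" "${5:-2}") || return 1
  echo "/sbin/ifconfig $1 inet tunnel $2 $remote up"
}

# Usage with the addresses from the log line above (the FQDN is the thread's
# placeholder name and will not resolve here, so this reports the failure):
vti_tunnel_cmd ipsec5 136.243.195.58 fqdn.off.otherfirewall 2 1 || echo "skipping ipsec5"
```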

Report is already done...
https://github.com/opnsense/core/issues/6052

"Do not use" possibly solves the issue, but for me it results in wrong resolution of the overrides for local domains...