Topic: Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7 (Read 1934 times)
glasi (Jr. Member, Posts: 98, Karma: 9)
Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« on: October 02, 2022, 04:49:00 pm »
I am running an IPsec site-to-site VPN with several phase 2 tunnels. Tunnel isolation has been enabled in the phase 1 settings. All tunnels show up in the ipsec.conf file.
This setup has been working flawlessly in OPNsense 22.1.
Unfortunately, since the update to OPNsense 22.7 only one tunnel is possible. Once one tunnel (it doesn't matter which one) has been established, no further connections can be established.
Any ideas how to fix this?
« Last Edit: October 02, 2022, 04:50:50 pm by glasi »
schnipp (Sr. Member, Posts: 371, Karma: 19)
Re: Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« Reply #1 on: October 03, 2022, 11:16:40 am »
I had similar issues after updating my OPNsense to version 22.7.x a short time ago. Before doing this I switched from LibreSSL to OpenSSL due to the fact that LibreSSL is deprecated (link). The update went fine after a few attempts. But I didn't notice the issues with multiple isolated Child_SAs per IPsec connection. I started some research, beginning with the log error message "unable to install inbound and outbound IPsec SA (SAD) in kernel". Maybe at the other endpoint there will only be a message "no proposal chosen", depending on which endpoint started the negotiation.
The result is that this is an issue with OpenSSL. Switching back to LibreSSL solved this issue. But, due to the discontinuation of LibreSSL, this can only be a short-term solution. The detailed problem is that the key derivation function in OpenSSL 1.1.x has not enough buffer space to handle modp8192. The key derivation function fails with an error code and the IKE daemon is unable to negotiate additional phase 2s.
I see the following resolutions:
1. Switch back from OpenSSL 1.1.x to LibreSSL (only a short-term solution, because it will break again if LibreSSL is dropped in the next major release)
2. Reduce the key derivation configuration for all phase 2s from modp8192 to a lower one (e.g. modp4096 should be fine and is still treated as secure by the security community and BSI for the time being (subject to change))
3. Switch to OpenSSL 3.0.5 or higher (unfortunately, the OpenSSL 3.x branch is still not available for production FreeBSD). It would be great if somebody could backport the small patch for increasing the buffer size of the HKDF function.
References:
https://github.com/strongswan/strongswan/issues/1255
https://github.com/openssl/openssl/commit/20c2876f24d0ccf9581ace08c7882d544d2588ea
https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_CTX_add1_hkdf_info.html
OPNsense 24.7.1-amd64
glasi (Jr. Member, Posts: 98, Karma: 9)
Re: Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« Reply #2 on: October 03, 2022, 07:37:23 pm »
Nice observation! Thanks for the references.
You are right. The VPN logs show the "no proposal chosen" error when using modp8192. Switching to LibreSSL on both endpoints fixed the issue.
I hope OpenSSL will be fixed or upgraded to > 3.0.5 before LibreSSL is dropped.
schnipp (Sr. Member, Posts: 371, Karma: 19)
Re: Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« Reply #3 on: October 05, 2022, 06:46:54 pm »
GitHub ticket: see here (#6068).
OPNsense 24.7.1-amd64
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« Reply #4 on: October 06, 2022, 10:28:41 am »
https://github.com/opnsense/core/issues/6068#issuecomment-1269576040
schnipp (Sr. Member, Posts: 371, Karma: 19)
Re: Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« Reply #5 on: October 06, 2022, 09:04:10 pm »
A further workaround could be switching to DH group 31 when using the OpenSSL flavor. The prerequisite is that the other endpoint must support this group.
I'll test this with my configuration next week.
schnipp (Sr. Member, Posts: 371, Karma: 19)
[Solved] Only one tunnel in IPsec s2s VPN possible since update to OPNsense 22.7
« Reply #6 on: October 24, 2022, 03:36:27 pm »
I did some more tests. And as already mentioned, using ECDH with group 31 as the key exchange mechanism can be treated as a partial workaround compared to DH with modp8192 in combination with the OpenSSL 1.x flavor. So far it looks good.
OPNsense 24.7.1-amd64
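Added example (not from this thread, and not OPNsense or strongSwan code): a Python model of the key derivation that the replies above trace to the OpenSSL 1.1.x HKDF buffer, which also covers the group 31 workaround from the last two replies. It implements IKEv2 prf+ (RFC 7296 section 2.13) with HMAC-SHA256, which is byte-for-byte HKDF-Expand from RFC 5869, and computes the seed a CHILD_SA negotiated with PFS feeds into it, g^ir | Ni | Nr (RFC 7296 section 2.17). The 1024-byte cap is the info limit documented for EVP_PKEY_CTX_add1_hkdf_info in the OpenSSL 1.1.1 manual page linked above; that prf+ is routed through that HKDF API in the OpenSSL flavor is taken from the linked strongSwan issue and is treated as an assumption here. With modp8192 the shared secret alone is 1024 bytes, so the seed overflows, while the first CHILD_SA created in IKE_AUTH derives from Ni | Nr only, which is consistent with one tunnel still coming up. The 32-byte nonces, the SK_d and g^ir sample values and the proposal strings are constructed, and the group table goes beyond the groups named in the thread.

```python
"""Model of the IKEv2 CHILD_SA key derivation that fails with modp8192 on
OpenSSL 1.1.x.  Added example; not OPNsense or strongSwan code.

Assumptions: prf+ (RFC 7296 s2.13) is byte-identical to HKDF-Expand
(RFC 5869), so the 1024-byte HKDF "info" limit documented for
EVP_PKEY_CTX_add1_hkdf_info in OpenSSL 1.1.1 caps the prf+ seed; the seed
for a CHILD_SA with PFS is g^ir | Ni | Nr (RFC 7296 s2.17); nonces are
32 bytes; proposal keywords follow strongSwan naming.
"""
import hashlib
import hmac

HKDF_INFO_LIMIT_OPENSSL_111 = 1024

# Byte length of the DH shared secret g^ir per group (MODP: modulus size,
# RFC 3526; ECP: x-coordinate only, RFC 5903; curve25519/448: RFC 8031).
DH_SECRET_BYTES = {
    "modp2048": 256, "modp3072": 384, "modp4096": 512,
    "modp6144": 768, "modp8192": 1024,
    "ecp256": 32, "ecp384": 48, "ecp521": 66,
    "curve25519": 32,  # IKEv2 DH group 31
    "curve448": 56,    # IKEv2 DH group 32
}


def prf_plus(key: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """RFC 7296 s2.13 prf+ with HMAC as prf:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output T1 | T2 | ..."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        prev = hmac.new(key, prev + seed + bytes([counter]), digest).digest()
        out += prev
        counter += 1
    return out[:length]


def dh_group_of(proposal: str):
    """Return the DH group keyword of a strongSwan-style ESP proposal such as
    'aes256-sha256-modp8192', or None when no PFS group is requested."""
    for token in proposal.split("-"):
        if token in DH_SECRET_BYTES:
            return token
    return None


def child_sa_seed(g_ir: bytes, ni: bytes, nr: bytes) -> bytes:
    """Seed S for CHILD_SA KEYMAT (RFC 7296 s2.17).  g_ir is empty for the
    first CHILD_SA created in IKE_AUTH and for rekeys without PFS."""
    return g_ir + ni + nr


def seed_length(proposal: str, nonce_len: int = 32) -> int:
    group = dh_group_of(proposal)
    return (DH_SECRET_BYTES[group] if group else 0) + 2 * nonce_len


def fits_openssl_111(proposal: str, nonce_len: int = 32) -> bool:
    """True if the prf+ seed stays within the 1024-byte HKDF info limit."""
    return seed_length(proposal, nonce_len) <= HKDF_INFO_LIMIT_OPENSSL_111


def derive_keymat(sk_d, g_ir, ni, nr, enc_key_len=32, integ_key_len=32):
    """KEYMAT for both directions, SK_ei | SK_ai | SK_er | SK_ar (RFC 7296
    s2.17: initiator-to-responder keys first, encryption key before
    integrity key).  Raises where an OpenSSL 1.1.x backed prf+ would fail."""
    seed = child_sa_seed(g_ir, ni, nr)
    if len(seed) > HKDF_INFO_LIMIT_OPENSSL_111:
        raise ValueError(f"prf+ seed is {len(seed)} bytes, over the OpenSSL 1.1.x limit")
    return prf_plus(sk_d, seed, 2 * (enc_key_len + integ_key_len))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real session.
    sk_d = bytes(range(32))
    ni, nr = b"\x11" * 32, b"\x22" * 32
    for proposal in ("aes256-sha256-modp8192", "aes256-sha256-modp4096",
                     "aes256gcm16-curve25519", "aes256-sha256"):
        status = "ok" if fits_openssl_111(proposal) else "FAILS on OpenSSL 1.1.x"
        print(f"{proposal:24s} seed {seed_length(proposal):5d} bytes  {status}")
    keymat = derive_keymat(sk_d, b"\x33" * DH_SECRET_BYTES["modp4096"], ni, nr)
    print(f"modp4096: {len(keymat)} bytes of KEYMAT derived")
```

Running the script lists the seed size for each proposal; the modp8192 line is the only one over the limit, the modp4096 and curve25519 lines correspond to the two workarounds discussed above, and the proposal without a DH group models the first CHILD_SA of a connection.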