Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Updating IPSec parameters in place breaks tunnel
« previous
next »
Print
Pages: [
1
]
Author
Topic: Updating IPSec parameters in place breaks tunnel (Read 785 times)
lpiwowarek
Newbie
Posts: 4
Karma: 0
Updating IPSec parameters in place breaks tunnel
«
on:
March 03, 2023, 09:20:09 am »
Hi OPNsense users,
I am trying to upgrade out of 21.7 since its quite severely out of date. In a VM, I confirmed that I can still do the upgrade by going through 21.7 > 22.1 > 22.7 > 23.1.
To go to 22.1, I need to migrate two tunnels away from 3DES/MD5 to AES256/SHA256. At the same time I am also migrating using an old legacy ISP connection to a new redundant one - both are configured in OPNsense, and we're using both for various things before the migration is complete. The VPN tunnels are some of the last items on the list.
There are two firewalls in HA pair. CARP, PFSYNC etc. appears to work correctly. These are HP 1U servers with 8c 16GB ram and quad port Broadcom network card. We do use VLANs.
I tried updating one of the tunnels but ran into a strange issue:
* I made the local changes, while the person in charge of remote endpoint made theirs to match
* Tunnel came up immediately and P1 and P2 were established
* Traffic from remote site arrived at local destination hosts correctly - confirmed with packet capture
* Local traffic was not sent into tunnel - statistics in Status Overview show 0 bytes sent but loads received and I did not see the traffic arrive at Firewall in live view
* States table was scrambled: flows which should match rule A, were being matched to rule B instead; this was resolved once I cleared the states table, but local traffic was not being sent into tunnel all the same
* Once we rolled back IPSEC and my endpoint IP address, the traffic resumed immediately without any other issues
While writing this, I thought that maybe we should try the following:
* Duplicate the existing tunnel config, with new parameters, but leave the entry as disabled
* Once ready, disable the current tunnel entry, and enable the new tunnel entry
Has anyone seen an issue like this? I tried searching the forum but could not find anything. Not quite sure how to describe it.
Thank you
Logged
lpiwowarek
Newbie
Posts: 4
Karma: 0
Re: Updating IPSec parameters in place breaks tunnel
«
Reply #1 on:
June 20, 2024, 06:19:26 am »
I found the issue here. The SP database was not updated correctly. I ended up using setkey to remove stale entries from the old configuration, then removing and re-adding the required Phase 2 and Phase 1 entries via the UI, that seems to have resolved it.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Updating IPSec parameters in place breaks tunnel