[SOLVED] new IPSEC simply does not work

[Monviech (Cedrik)]

@bazbaz

When you have time, could you replicate the test setup I did above? If it works for you too, maybe you can find out what the problem is.

~Thank you for your time

[bazbaz]

What I did today:
- started a new opnsense on a different datacenter, connected to a public network with a public IP address (quicker this that a full private env)
- created only firewall rules for ipsec, nothing else
- created a tunnel on boh opnsenses with quick ipsec settings I'm using. All-all rules on IPSEC interfaces.

Now on the NEW opnsense, in status overview, I can see in phase 2 some "bytes out" but zero "bytes in". On the other (main) opnsense, I can see some "bytes in" but zero "bytes out".
It seems that connecting this OpnSense to the other, I have the same problem I'm trying to solve. Packets are not entering the tunnel.

Addendum: on the main opnsense, I was able to start ONE tunnel. Same as other: same kind of settings, I've an other FG on the other side, etc. This is working. Tried to compare/align every single settings on one other tunnel but I was unable to start it.

I'm disheartened

[bazbaz]

I found something.

On the NEW opnsense, in virtual tunnel interfaces, I assigned reqid = 1 to the interface. With this settings I can see bytes out. If I change it with anything else, also this opnsense stops sending packets to the tunnel.

My knowledge of reqid is that it may be unique for every tunnel interface. Not connected to a specific value. But I thing I miss something here, so on the main opnsense I have something similar.

in fact the only tunnel that is working (see my prev post) is the one where interface has reqid=1

[Monviech (Cedrik)]

Did you look at the test setup I described.

The VTI tunnel interface has a REQID set (10)
The child has the same REQID set (10)

Each tunnel interface and each child needs a unique matching requid.

[bazbaz]

Yes, and they were bold! Sorry, I didn't understand that that value was the link between interface and encryption!

I also needed a full reboot of routers to make them running, but after them now seems they are working!
Really thank you!

[Monviech (Cedrik)]

I'm happy you got it sorted out.

The REQID caught me off guard too, thats why I bolded it yesterday.

Sometimes its the small things.

Just make sure each of your 30 tunnels gets its own REQID

[bazbaz]

of course

I moved all tunnels and all is fine now, thanks

I think that the doc may be improved here:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html#children
where nothing says to assign reqid parameter to children, so I forgot the point. The table may have an additional row with "reqid = 10" and maybe a reminder that 10 is the value selected before.

[Monviech (Cedrik)]

Great that it worked.

Its on my list to improve it:
https://github.com/opnsense/docs/issues/502