14[IKE] unable to resolve

Started by dstr, August 09, 2024, 11:08:57 AM

I'm using unbound as DNS server and an IPsec tunnel with a DNS remote gateway. After rebooting the firewall, IPsec seems to be started before unbound and is not able to resolve the host. It stops after 3 retries, even though keyretries is set to 0 in the IPsec config, which should mean unlimited retries.
Is there a way to start IPsec delayed after unbound, or to configure the IPsec service not to stop?

Does the Firewall itself use Unbound as resolver for its own DNS requests?

What is configured in System: Settings: General?

Maybe use the resolvers of your ISP or Cloudflare/Google here instead and see if that fixes the problem.
Hardware: DEC740

In General, 127.0.0.1 is configured. With Google it works, but that is not an option since I'm using encrypted DNS and blocklists with unbound.

Hmm, you should open an issue on GitHub and explain your case there.

https://github.com/opnsense/core/issues

Maybe also attach the IPsec logs of the permanent failure that's happening.
Hardware: DEC740

Quote from: dstr on August 09, 2024, 11:08:57 AM
Is there a way to start IPsec delayed after unbound, or to configure the IPsec service not to stop?

Generally it's not needed. IPsec connections start automatically if properly configured. Check the CHILD_SAs:

  • Start action should be set to "trap" or "trap+start"
  • DPD action should be set to "trap" (if used)
OPNsense 24.7.11_2-amd64
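To make the last reply concrete, here is an added example of what those two settings look like in strongSwan's swanctl.conf, which is the file OPNsense generates from the Connections GUI. It is not from the thread and not OPNsense's generated output; the connection name, addresses, identities and secret are placeholders, and the site-to-site layout is assumed.

```conf
# Added example, not from the thread or from OPNsense's generated config.
# All names, addresses and the secret are hypothetical placeholders.
connections {
    site-b {
        # Remote gateway given as a DNS name: this is what charon has to
        # resolve when it initiates, and what fails if unbound is not up yet.
        remote_addrs = vpn.example.net
        local_addrs  = 203.0.113.10
        version = 2
        local {
            auth = psk
            id = fw-a.example.net
        }
        remote {
            auth = psk
            id = vpn.example.net
        }
        children {
            lan {
                local_ts  = 192.0.2.0/24
                remote_ts = 198.51.100.0/24
                # Weak choice for this case: start_action = start only
                # initiates once at load time; if the name cannot be resolved
                # then, nothing brings the CHILD_SA up later by itself.
                #
                # Recommended in the reply: a trap policy. The kernel holds a
                # policy for the traffic selectors and charon negotiates the
                # SA when the first matching packet arrives, so a boot-time
                # resolution failure is retried on the next packet instead of
                # being final. OPNsense's "trap+start" additionally initiates
                # right away while keeping the trap policy.
                start_action = trap
                # On a DPD timeout, fall back to the trap policy rather than
                # clearing the SA for good (the other values are none, clear
                # and restart).
                dpd_action = trap
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-site-b {
        id = vpn.example.net
        secret = "replace-me"
    }
}
```

On OPNsense this file is regenerated from the GUI, so the values to change are the "Start action" and "DPD action" fields of the child SA rather than the file itself. Separately from the child settings, charon has a strongswan.conf option `charon.retry_initiate_interval` (seconds, default 0 = no retry) that governs whether a failed initiation, DNS resolution failure included, is retried at all; the thread does not cover where OPNsense exposes it, so treat that as something to check rather than a confirmed fix.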