24.7.2 dropped WAN Rules for VPN

Started by tops4u, August 23, 2024, 09:53:11 AM

I just upgraded from 24.7.1 to 24.7.2 yesterday and my VPN stopped working (iOS) via IPSec. So I noted two things today.

1. The VPN Log will stay empty even on Debug Level, whatever you do (Restart the Service, Change Config, Connect, etc...)
2. The Default Rules for VPN Traffic on the WAN Interface have been (probably) removed in the upgrade Process. I just added them now manually as per: https://github.com/thomergil/opnsense-ipsec-vpn and now IPSec works again.

Maybe this will help others with the same problem.

Thanks for the solution, I had the same issue. Shouldn't these rules be automatically created when the tunnels are configured?
"I'm done with this NONsense!!!"-- SpyAlelo

Intentional and well documented change, because many administrators (me included) hate "magic" and prefer manually created rules.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

August 25, 2024, 03:48:52 AM #3 Last Edit: August 25, 2024, 05:07:10 AM by DarthAnimagus
I spent the better part of the day today trying to get my vti tunnels back up.  Even after manually adding the VPN rules back to the WAN interfaces, nothing would work.  It was very strange, because on each end of the tunnel I could see traffic make it in from the other side, but never going back out.  Each firewall could ping the tunnel interface of the other, but get no farther.

What has made it work (for now) is changing the IP address of the VPN Gateway I had created to anything other than the IP addresses of the virtual tunnel interfaces.  Policy routing works again, even though the tunnel gateway is now totally bogus on each side of the connection.

Edit...  Which seems to be because somehow in all the confusion the gateway interfaces ended up pointing to themselves, not the other side of the tunnel.

IPSEC 24.7.2 <--> 24.7.2 does not work

IPSEC 24.7.2 <--> 24.1.5 still working

Do NOT upgrade to 24.7.2!!!!

Quote from: Patrick M. Hausen on August 25, 2024, 12:07:04 AM
Intentional and well documented change, because many administrators (me included) hate "magic" and prefer manually created rules.
I thought as much, and is a welcome change to be fair. I do also have a distaste for "automagic" rules.
"I'm done with this NONsense!!!"-- SpyAlelo

Confirmed roll-back to 24.7.1 resolves issue

     - SSH to appliance
     - Select (8) Shell
     - Command:   opnsense-revert -r 24.7.1 opnsense
     - Reboot

Tested on 2 so far and both rebooted and VPNs came online.

Spent the entire weekend redoing the IPSEC tunnels, manually adding in the WAN rules and thought that had addressed the issue, nope just received a call they are down. Rolling back until this is resolved.

Tempted to add another GW as someone suggested.
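An added example, not code from any poster in this thread and not part of OPNsense: a small sh audit that reads `pfctl -sr` output and reports which of the three inbound WAN rules an IPsec responder needs (UDP/500 for IKE, UDP/4500 for NAT-T, and ESP) are absent, so you can confirm after an upgrade whether the formerly automatic rules are gone before redoing tunnels. The WAN device name `igb0`, the `WAN_IF` variable and the sample `pfctl -sr` lines are assumptions constructed for the example; the rule text format mirrors what pf prints but was not captured from a real box, and pf may print ports numerically or by service name, so both forms are accepted. On a box without `pfctl` the script runs against the constructed sample instead of the live ruleset.

```sh
#!/bin/sh
# Added example (not from the thread, not OPNsense code): audit the pf ruleset
# for the inbound WAN rules an IPsec responder needs, which 24.7.2 no longer
# creates automatically: UDP/500 (IKE), UDP/4500 (NAT-T) and ESP.
# WAN_IF is an assumption; set it to the device name of your WAN interface.

WAN_IF="${WAN_IF:-igb0}"

# has_rule <iface> <regex-tail>: returns 0 if $RULES (pfctl -sr output) holds a
# "pass in ... on <iface> ... <regex-tail>" rule.
has_rule() {
    printf '%s\n' "$RULES" | grep -Eq "^pass in .*on $1 .*$2"
}

# ipsec_rule_audit <iface>: reads pfctl -sr output on stdin, describes each
# missing rule on stderr and prints the number of missing rules on stdout.
ipsec_rule_audit() {
    RULES=$(cat)
    missing=0
    # pf may print the port as a number or as a service name; accept both.
    has_rule "$1" 'proto udp .*port = (500|isakmp)( |$)' \
        || { echo "missing: pass in on $1 proto udp port 500 (IKE)" >&2; missing=$((missing+1)); }
    has_rule "$1" 'proto udp .*port = (4500|ipsec-nat-t)( |$)' \
        || { echo "missing: pass in on $1 proto udp port 4500 (NAT-T)" >&2; missing=$((missing+1)); }
    has_rule "$1" 'proto esp( |$)' \
        || { echo "missing: pass in on $1 proto esp" >&2; missing=$((missing+1)); }
    echo "$missing"
}

# Constructed pfctl -sr excerpts (not captured from a real firewall) used for
# the offline self-check: a complete set, and a set with only the IKE rule.
SAMPLE_COMPLETE='pass in quick on igb0 inet proto udp from any to (igb0) port = isakmp keep state label "IKE"
pass in quick on igb0 inet proto udp from any to (igb0) port = 4500 keep state label "NAT-T"
pass in quick on igb0 inet proto esp from any to (igb0) keep state label "ESP"'
SAMPLE_AFTER_UPGRADE='pass in quick on igb0 inet proto tcp from any to (igb0) port = 443 flags S/SA keep state label "GUI"
pass in quick on igb0 inet proto udp from any to (igb0) port = isakmp keep state label "IKE"'

if command -v pfctl >/dev/null 2>&1; then
    # On the firewall: show the running release, then audit the live ruleset.
    command -v opnsense-version >/dev/null 2>&1 && opnsense-version
    n=$(pfctl -sr | ipsec_rule_audit "$WAN_IF")
else
    # Elsewhere: exercise the logic on the constructed sample.
    echo "pfctl not found, auditing constructed sample ruleset"
    n=$(printf '%s\n' "$SAMPLE_AFTER_UPGRADE" | ipsec_rule_audit "$WAN_IF")
fi
echo "missing IPsec rules on $WAN_IF: $n"
```

Run it as root on the firewall (pfctl needs root to read the ruleset); a non-zero count means the rules still have to be added under Firewall: Rules: WAN, restricted to the remote peer's address rather than `any` where the peers are static. The constructed sample reports two missing rules (NAT-T and ESP); a complete set reports zero.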