IPsec issues with 24.7.2

Started by HollinCH, August 23, 2024, 02:28:54 PM

August 23, 2024, 02:28:54 PM Last Edit: August 23, 2024, 03:12:36 PM by HollinCH
A couple of firewalls experienced site-to-site IPsec IKEv2 issues after upgrading to 24.7.2. We reverted back to 24.7.1 and it seems to return to normal.

The IPsec connections terminate at a FortiGate, and the connections are either lost and recovered by rebooting the OPNsense, or the connection is lost completely (a reboot doesn't reestablish the connection).

Returning to 24.7.1 has corrected this.

August 23, 2024, 03:12:29 PM #1 Last Edit: August 23, 2024, 03:16:58 PM by franco
Sali,

Can you share the difference of /usr/local/etc/strongswan.conf between version 24.7.1 and 24.7.2? (diff -u)

Privately is fine too: franco@opnsense.org


Thanks,
Franco

Hi Franco,

I haven't captured the 24.7.2 version of the file because terminal logging was off, but I compared it to one of the other firewalls still running 24.7.2. There may be slight differences in how the VPN is configured. The 02-strongswan.conf comes from the firewall still running 24.7.2.

~ @ ctmac01(xxxxxxx): diff -u *strongswan.conf
--- 01-strongswan.conf   2024-08-23 15:24:40
+++ 02-strongswan.conf   2024-08-23 15:23:12
@@ -9,9 +9,27 @@
     init_limit_half_open = 1000
     ignore_acquire_ts = yes
     syslog {
-        identifier = charon
+        ike_name = yes
+        log_level = no
         daemon {
-            ike_name = yes
+            app = 1
+            asn = 1
+            cfg = 1
+            chd = 1
+            dmn = 1
+            enc = 1
+            esp = 1
+            ike = 1
+            imc = 1
+            imv = 1
+            job = 1
+            knl = 1
+            lib = 1
+            mgr = 1
+            net = 1
+            pts = 1
+            tls = 1
+            tnc = 1
         }
     }
     install_routes = no
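Review bot: `identifier = charon` is dropped from the `syslog {` block and `log_level = no` appears directly under `syslog {` rather than inside the `daemon {` facility subsection where the per-subsystem levels (`app = 1` through `tnc = 1`) sit, while `ike_name = yes` moves from `daemon {` up to `syslog {`. Because the two files come from two different firewalls, confirm whether the `+` side is the 24.7.2 template or a local logging setting before reading anything into it; the `identifier` change affects how charon lines are tagged in syslog, not IKE behaviour, so it is unlikely to explain dropped tunnels on its own.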
@@ -19,4 +37,3 @@
     }
}

-include strongswan.opnsense.d/*.conf
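Review bot: the 24.7.2 side (`+++ 02-strongswan.conf`) no longer carries `include strongswan.opnsense.d/*.conf`, so any override files in that directory would not be loaded on that firewall. This bears directly on the question asked earlier about overrides, and should be verified on an unmodified system rather than across two differently configured firewalls, for example by comparing `grep -n include /usr/local/etc/strongswan.conf` on a 24.7.1 and a 24.7.2 box.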

Regards,
Jaap
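Because the diff above compares two differently configured firewalls, a key-by-key structural comparison of the two strongswan.conf files makes it easier to see what actually differs (a moved key, a dropped include) than a line-oriented `diff -u`. The following is an added example and not OPNsense's or strongSwan's own code; the two configuration snippets are constructed from the hunks posted above, reduced to the charon logging block, `install_routes` and the trailing `include` line (the 24.7.2 side keeps only three of the eighteen per-subsystem levels for brevity), and the file names `CONF_01` / `CONF_02` are assumptions.

```python
"""Structural comparison of two strongswan.conf files (added example)."""

# Constructed from the diff posted in this thread: 01 = 24.7.1 side,
# 02 = 24.7.2 side, reduced to the lines the hunks show.
CONF_01 = """\
charon {
    syslog {
        identifier = charon
        daemon {
            ike_name = yes
        }
    }
    install_routes = no
}

include strongswan.opnsense.d/*.conf
"""

CONF_02 = """\
charon {
    syslog {
        ike_name = yes
        log_level = no
        daemon {
            app = 1
            ike = 1
            knl = 1
        }
    }
    install_routes = no
}
"""


def parse(text):
    """Flatten a strongswan.conf into {'section.key': value}.

    Returns (settings, includes). 'include' directives are collected in a
    separate list because they are not key/value settings. '#' comments are
    stripped; nesting is tracked with a stack of section names.
    """
    settings, includes, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1].strip())
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            settings[".".join(stack + [key.strip()])] = value.strip()
    return settings, includes


def compare(old_text, new_text):
    """Report keys removed, added or changed, and includes that disappeared."""
    old, old_inc = parse(old_text)
    new, new_inc = parse(new_text)
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "includes_dropped": [i for i in old_inc if i not in new_inc],
    }


def findings(old_text, new_text):
    """Turn the raw comparison into the observations a reviewer would want."""
    delta = compare(old_text, new_text)
    notes = []
    for inc in delta["includes_dropped"]:
        notes.append(f"override files matching '{inc}' are no longer included")
    for key in delta["removed"]:
        # A key that reappears under another section has moved, not vanished.
        leaf = key.rsplit(".", 1)[-1]
        moved = [k for k in delta["added"] if k.rsplit(".", 1)[-1] == leaf]
        if moved:
            notes.append(f"'{key}' moved to '{moved[0]}'")
        else:
            notes.append(f"'{key}' removed")
    return notes


if __name__ == "__main__":
    for line in findings(CONF_01, CONF_02):
        print(line)
```

Run as-is, the script lists the dropped `strongswan.opnsense.d/*.conf` include first, then the removed `identifier` and the `ike_name` key that moved from `charon.syslog.daemon` to `charon.syslog`. To use it on real files, read `/usr/local/etc/strongswan.conf` from a 24.7.1 and a 24.7.2 system into `CONF_01` and `CONF_02`; the parser handles arbitrary nesting depth, so the full file, not just the logging block, can be compared.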

+1 for me as well after upgrading, IPSEC tunnels drop after a short period of time, service restart addresses the issue. Just an FYI, if you need logs, glad to provide.

Thanks

Thanks so far. It's inconclusive unfortunately. Could someone provide the diff between versions for the same system without modified settings?

Does anyone use strongswan.opnsense.d/*.conf overrides affected here?


Thanks,
Franco

I can downgrade one of the other firewalls tonight from 24.7.2 to 24.7.1 while saving the conf files before and after. We have about 15 remaining OPNsense that I think are now running 24.7.2. They all have IPsec connections with our FortiGate. The others are not (yet) misbehaving.

Please let me know if you need other files before and after to compare.

Correction, 8 devices have upgraded to 24.7.2.

To address this issue I enabled DPD:



Upgraded to 24.7.2 and IPSEC VPNs are having issues.  When will this be resolved????

Just verified:

24.7.2 <--> 24.7.2 does NOT work

24.7.2 <--> 24.1.5 Still working

Will not be upgrading the 24.1.5 firewall anytime soon.

What is the issue and when will it be resolved?  The 24.7.x line appears to be quite buggy.

Quote from: franco on August 23, 2024, 03:12:29 PM
Can you share the difference of /usr/local/etc/strongswan.conf between version 24.7.1 and 24.7.2? (diff -u)

Privately is fine too: franco@opnsense.org

Quote from: franco on August 23, 2024, 04:02:19 PM
Does anyone use strongswan.opnsense.d/*.conf overrides affected here?


Cheers,
Franco

Quote from: franco on August 23, 2024, 04:02:19 PM
Does anyone use strongswan.opnsense.d/*.conf overrides affected here?

Negative. Also, if IPsec is unavoidable, we always use DPD. It's working fine with 24.7.2

Quote from: dwoodroofe on August 25, 2024, 07:15:10 AM
What is the issue and when will it be resolved?

You know, that's what people here are trying to determine. Posts like yours are useless for that purpose.

Hello, I'd like to add to this by describing the symptoms experienced on my testbed platform. I have a number of virtual OPNsense VMs interconnected via IPSEC which have worked fine up until 24.7.2.

However, on all of my 24.7.2 machines I now see in the firewall logs ESP traffic dropping into the default WAN deny rule, and so tunnels, while establishing, are passing no traffic.

It would appear that ESP previously covered by the automatic rules generated upon enabling IPSEC has changed under 24.7.2. See the attached log screenshot.

What I have tested is a rollback to 24.7.1 by either restore of VM from backup or an interactive "opnsense-revert -r 24.7.1 opnsense". In both cases this fixes the issue and restores IPSEC traffic flow correctly.

Whilst not highly technical, I hope this description of the symptoms helps somebody cleverer figure out any perceived issue with 24.7.2.
Thank you for OPNsense!

Cannot modify the original message, wanted to add another test on a 24.7.2 prior to restore:

On the WAN interface I created a firewall rule to pass ESP traffic from the source IP to the WAN interface, in my head mimicking what the automatically created rules might be doing.

This worked (definitely on a 24.7.2 VM) and permitted traffic to pass but I'd have to do that individually for all IPSEC connections on all WAN interfaces.

If somebody really wanted to stay on 24.7.2 and has only a handful of connections, this could be a workaround until addressed by the OPNsense gurus.