IPsec issues with 24.7.2

[doktornotor]

Regarding the firewall rules, reading the documentation is always helpful. https://docs.opnsense.org/manual/vpnet.html#firewall-rules

Those "magic" ones have not been there for quite a while except for the legacy tunnels, where it can be optionally enabled.

but I'd have to do that individually for all IPSEC connections on all WAN interfaces.

Or use the interface groups. And that's exactly what you have to do with any other firewall rules, no idea why should IPsec be treated specially.

[monkfish]

Thanks for that was aware, however these machines have been around for a long time and were therefore probably built when the defaults referred to were set. They have certainly never been unset automatically by any particular update - until 24.7.2.

Sharing my particular symptom and fix.

[Beleggrodion]

I had here a similar issue with some firewalls which are updated to 24.7.2 (not all)

The issue is between a fw with 24.1.10 and a fresh updated 24.7.2 .

Because first i think thats again a issue on our provider (they hat a bgb router which don't terminate some sessions correctly). So i disabled on both firewalls the corresponding ipsec rules and re-enable them after half an hour. On the status page of both firewalls  the tunnel is "installed" with the correct subnets, but no traffic goes through the tunnel.

on a host on the 24.1.10 net i can start a ping through the tunnel i see also in the log/tcpdump that there is traffic which goes through enc0 but tcpdump on the 24.7.2 on enc0 don't see any traffic. The intresting part is also that under firewall rules the ipsec part is completly missing.

As mentioned under https://forum.opnsense.org/index.php?topic=28326.0 i can see the rules when i call the rules directly. but disable ipsec and re-enabled doesn't help. currently i cannot reboot the 24.7.2.

Edit, Short Update:

If a edit a Rule then the IPSEC Block appears again. And Traffic goes through the VPN Tunnel when i manually add the rules which are previously created via auto rules.

[franco]

Can you share the difference of /usr/local/etc/strongswan.conf between version 24.7.1 and 24.7.2? (diff -u)

Privately is fine too: franco@opnsense.org

Does anyone use strongswan.opnsense.d/*.conf overrides affected here?

Cheers,
Franco

[Beleggrodion]

I found one FW which i don't updated to 24.7.2 because they lost internet connection after reboot, and stuck this weekend on 24.7.1.  Your mentioned config is complete different. Because no confidential data is inside /usr/local/etc/strongswan.conf i paste them here.

FW 24.7.1 with "Automatically generated rules (end of ruleset)" on WAN:

Code: [Select]

# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        identifier = charon
        daemon {
            ike_name = yes
        }
    }
    install_routes = no
    plugins {
    }
}

include strongswan.opnsense.d/*.conf


FW 24.7.2 without "Automatically generated rules (end of ruleset)" on WAN:

Code: [Select]

# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        ike_name = yes
        log_level = no
        daemon {
            app = 1
            asn = 1
            cfg = 1
            chd = 1
            dmn = 1
            enc = 1
            esp = 1
            ike = 1
            imc = 1
            imv = 1
            job = 1
            knl = 1
            lib = 1
            mgr = 1
            net = 1
            pts = 1
            tls = 1
            tnc = 1
        }
    }
    install_routes = no
    plugins {
    }
}

include strongswan.opnsense.d/*.conf


[franco]

@Beleggrodion

Thanks! My colleague found this but it's not related to the behavioural change: https://github.com/opnsense/core/commit/7993a82e84

> FW 24.7.1 with "Automatically generated rules (end of ruleset)"

Which rule is that exactly?

Can you check System: Configuration: History for a revision change of the IPsec migration? This diff would help to understand this further.


Thanks,
Franco

[franco]

Ok I found it. Will share a fix shortly.


Cheers,
Franco

[franco]

https://github.com/opnsense/core/commit/178ef826f7

# opnsense-patch 178ef826f7
# /usr/local/opnsense/mvc/script/run_migrations.php
# /usr/local/etc/rc.filter_configure


Cheers,
Franco

[franco]

And this is probably the actual reason since I read the last post again and Beleggrodion observed it in reverse...

https://github.com/opnsense/core/commit/0e4cb12f3f8

# opnsense-patch 0e4cb12f3f8
# /usr/local/etc/rc.filter_configure


Cheers,
Franco

[danderson]

@franco,

I see the Automatically generated rules (end of ruleset) after applying both patches and running related commands. Testing now on legacy tunnels.

As for non legacy tunnels we do or do not need to add in WAN rules for inbound IPSEC? I have not added any rules for ESP/ISAKMP/NAT-T and my non-legacy tunnels appear to be working correctly.

[doktornotor]

There is no need to add the same rules twice. That said, I'd recommend to set up proper firewall rules manually and untick that "magic" checkbox. Avoid all similar disruption in the future.

[danderson]

I dont see "magic" rules except for the Tunnel Settings (legacy) site to sites, for the Connections (non legacy) i dont see the same "magic"  in Automatically generated rules (end of ruleset).

I dont mind the "magic" as it saves me from having to create a rule for each Site to Site I have, granted I could prob make 1 ruleset and apply to an alias and add all the site to site IPs in the alias. Just easier with the magic and im lazy

Plus im in the process of migrating the last few tunnels I have under legacy to the newer connections.

There is no need to add the same rules twice. That said, I'd recommend to set up proper firewall rules manually and untick that "magic" checkbox. Avoid all similar disruption in the future.

[doktornotor]

I dont see "magic" rules except for the Tunnel Settings (legacy) site to sites

Yes, as already noted - https://docs.opnsense.org/manual/vpnet.html#firewall-rules

With the "magic" gone, nothing works - legacy or not.

[guyp2k]

Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPSEC tunnels dropping. I am terminating between a Sonicwall 2650 and OPNSense, prior to 24.7.2 no issues, now having issues w/ P2 dropping. Below is the issue I think and I have validated that proposals match:

2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]

If I restart the IPSEC service, the tunnel will come up and stay up for an hour or less and then I see P2 disconnected.

OPNSense WAN FW Rules, see attachments.

Here what I have selected in OPNSense and SonicWall, see attachment.

[allan]

Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPSEC tunnels dropping. I am terminating between a Sonicwall 2650 and OPNSense, prior to 24.7.2 no issues, now having issues w/ P2 dropping. Below is the issue I think and I have validated that proposals match:

2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]

The Sonicwall does not have PFS enabled. This is confirmed by the missing MODP_2048 in received proposals. You should pick "default" for your ESP.