IPsec phase 2 rekey changes lately?

Started by Patrick M. Hausen, December 20, 2024, 12:55:23 PM

Hi all,

24.7.9 --> 24.7.11_2

Tunnel to a Sophos appliance claims to be up, but no traffic is passing in at least one direction. We have 3 phase 2 SAs and it seems that the problem occurs whenever there's a rekey happening. All hints welcome.

Thanks and kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The only apparent change is:

o ipsec: remove hashing algorithm from null cipher

But I'm hoping you did not use a null cipher. Otherwise I have no clue. Wouldn't guess it was updated code, but in any case you can try opnsense-revert to use the core from 24.7.10 or 24.7.9 to see if the same or better.


Cheers,
Franco

Hello,

I have the same problem, after one or two hours the traffic stops, but the Tunnel (phase 1 and 2) is up. Attached you can find screenshots of configuration.

Thank you

January 02, 2025, 10:09:07 AM #3 Last Edit: January 02, 2025, 10:11:00 AM by Monviech (Cedrik)
I had these issues mostly with Sophos XG firewalls.

They are most likely caused by Sophos since they mess around with their VPN a lot (at least in XG).

I mitigated that with Phase 1 Lifetime of 2400s and Phase 2 Lifetime of 600s. Using RSA instead of PSK also seems to help. Another thing is not doing multiple children, but putting all networks into one child on both sides (if possible).

Sophos should be the initiator and OPNsense the responder.

I had these issues for 2-3 years with Sophos XG, also to other firewalls like Juniper when I still ran them.
Hardware:
DEC740
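Expressed as a strongSwan swanctl.conf fragment (an added illustration, not from this thread and not OPNsense's generated configuration): OPNsense drives strongSwan underneath, so the settings recommended above map onto these knobs. Connection name, addresses, identities, certificate file and proposals are placeholders.

```conf
# Added example: the post's mitigations in strongSwan swanctl.conf terms.
# All names, addresses, IDs and file names below are placeholders.
connections {
    sophos-site {
        local_addrs  = 203.0.113.10      # OPNsense WAN (placeholder)
        remote_addrs = 198.51.100.20     # Sophos WAN (placeholder)
        version = 2
        proposals = aes256gcm16-prfsha384-ecp384

        # Phase 1 lifetime from the post: 2400 s. strongSwan initiates the
        # IKE rekey at rekey_time and hard-expires at rekey_time + over_time,
        # so keep rekey_time below whatever the peer enforces.
        rekey_time = 2400s

        # RSA (certificate) authentication instead of PSK, as suggested.
        local {
            auth  = pubkey
            certs = opnsense.crt         # placeholder, from swanctl/x509
            id    = "CN=opnsense.example.net"
        }
        remote {
            auth = pubkey
            id   = "CN=sophos.example.net"
        }

        children {
            # One child carrying all networks instead of one child per pair:
            # several selectors in a single CHILD_SA (IKEv2 allows multiple
            # traffic selectors; the peer has to accept them).
            all-nets {
                local_ts  = 10.10.0.0/24,10.10.1.0/24,10.10.2.0/24
                remote_ts = 172.16.0.0/24
                esp_proposals = aes256gcm16-ecp384
                # Phase 2 lifetime from the post: 600 s.
                rekey_time = 600s
                # Responder role: no trap policy and no start on boot, so
                # OPNsense never initiates; the Sophos side brings it up.
                start_action = none
                dpd_action = clear
            }
        }
        dpd_delay = 30s
    }
}
```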

Quote from: Monviech (Cedrik) on January 02, 2025, 10:09:07 AM
I had these issues mostly with Sophos XG firewalls.

Nailed it :) I'll try your suggestions.