[Solved] IPsec problems

Started by jke, January 02, 2025, 04:27:32 PM

January 02, 2025, 04:27:32 PM Last Edit: January 19, 2025, 05:30:28 PM by jke
I have two OPNsense appliances. One in Hetzner with a dedicated IPv4 and IPv6 address.

The other one is in my homelab, behind a FritzBox. The FritzBox has dynamic IPv4, so I use IPv6.

I opened the ports UDP/500 and UDP/4500 on the FritzBox and port-forwarded them to the OPNsense on IPv6.

I do the same for the ESP protocol.

The OPNsense at Hetzner has all ports for all protocols opened, and I manage the firewall rules via the OPNsense itself.

Both of them allow traffic for all protocols on all ports for the IPv6 of the other appliance.

So here's my problem:

The tunnel already worked a few days ago, then I did nothing on both sites for some days, and when I looked back at the firewalls I noticed that the tunnel is no longer working.

I can't figure out where the problem is. In the logs I can't find any entries helping me, even in debug mode. The only thing I can see is the following:

14[IKE] <f30738ad-7548-43d0-839a-c0972585c1f3|3> establishing IKE_SA failed, peer not responding

14[IKE] <f30738ad-7548-43d0-839a-c0972585c1f3|3> giving up after 5 retransmits

These entries appear on both sides. For setting up the tunnel i used this tutorial.

The only thing I changed was the Start action in the Children. Instead of "Trap" I use "Trap+start". But even after I changed it back to only "Trap", it does not work.

Can anyone hint me in the right direction or has the same problem?


The IPs may have changed. I would recommend using dynamic dns entries on both ends so that no matter when the IP changes on either side you're only 5 minutes away max from the tunnel(s) coming back online.

Use tcpdump to observe if packets from the peer arrive at all and if they have the peer IP address you think they should.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

January 03, 2025, 02:31:09 PM #4 Last Edit: January 03, 2025, 02:41:47 PM by jke Reason: Layer 8 Problem...
Quote from: newsense on January 03, 2025, 01:18:06 AM
The IPs may have changed. I would recommend using dynamic dns entries on both ends so that no matter when the IP changes on either side you're only 5 minutes away max from the tunnel(s) coming back online.

I've read that IPsec also has problems with the change of the IP address; that's why I used the static IPv6 of the FritzBox/OPNsense appliance, but I will try it nonetheless, thanks.

Forget what I said. This is my error. I always thought the IPv6 was static. I now figured out it isn't.

Quote from: Patrick M. Hausen on January 03, 2025, 08:49:52 AM
Use tcpdump to observe if packets from the peer arrive at all and if they have the peer IP address you think they should.

What would be your approach for filtering? The IPv6 of the other appliance or ports 500/4500?
Or is there any other identifier for the connection?

Ports, so you can see if the source address of the peer is not what you expect.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
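One way to put the tcpdump advice above into practice, as an added example that is not from this thread or from OPNsense: capture only IKE (UDP/500) and NAT-T (UDP/4500) on the WAN interface and compare every IPv6 source address seen against the peer address configured in the Phase 1. The interface name `igc0`, the addresses and the sample capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: WAN interface "igc0" and
# the peer address 2001:db8:abcd::1 are placeholders; tcpdump -n output format
# is "<time> IP6 <src>.<port> > <dst>.<port>: isakmp: ..." on OPNsense/FreeBSD.

# Capture up to 20 IKE / NAT-T packets on the given interface, numeric output
# (-n) so the raw IPv6 addresses are printed instead of reverse-DNS names.
capture_ike() {
  tcpdump -c 20 -ni "$1" 'ip6 and udp and (port 500 or port 4500)'
}

# Read tcpdump -n lines on stdin, keep only packets whose source port is
# 500 or 4500, and report each distinct IPv6 source address with a packet
# count, flagging addresses that differ from the expected peer ($1).
# This is exactly the "is the peer IP what I think it is" check: a changed
# prefix on the FritzBox side shows up as an UNEXPECTED source here.
check_peer_sources() {
  awk -v want="$1" '
    / IP6 / && /\.(500|4500) > / {
      for (i = 1; i <= NF; i++) if ($i == "IP6") { src = $(i + 1); break }
      sub(/\.[0-9]+$/, "", src)          # strip the trailing ".port"
      seen[src]++
    }
    END {
      for (s in seen)
        printf "%s %s %d\n", (s == want ? "OK" : "UNEXPECTED"), s, seen[s]
    }' | LC_ALL=C sort
}

# Usage on the firewall (hypothetical file name):
#   sh ike_peer_check.sh igc0 2001:db8:abcd::1
if [ $# -eq 2 ]; then
  capture_ike "$1" | check_peer_sources "$2"
fi
```

If the only lines reported are UNEXPECTED, the peer is reaching you from a different address than the one in your Phase 1, which matches the dynamic-prefix situation diagnosed in this thread; if nothing is reported at all, the packets are not arriving and the FritzBox forwarding is the next thing to check.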