IPsec policy issues with dynamic reqids

Started by ulfabet, April 18, 2025, 08:25:41 AM

After moving our IPsec tunnels from legacy Tunnel Settings to Connections, we have had problems with missing manual policies or manual policies with wrong unique numbers (as seen with setkey -PD).

After taking a closer look, it seems these issues are caused by dynamic reqids.
Using legacy Tunnel Settings, reqids are automatically allocated at configuration time.
Using Connections, reqids are allocated (and also change) when tunnels are connected.
There is an option to manually define static reqids, but this is not really maintainable when you have a lot of tunnels.

We made a test setup with two OPNsense 24.7.12 in order to reproduce the problem.
We defined two IPsec connections with one child each, using default parameters.
Added manual SPD entries for both children like this:
- Reqid = empty
- Connection child = connection name - child name
- Source network = 0.0.0.0/0
- Destination network = empty

To reproduce:
- Have two tunnels, each with manual SPD entries
- Connect both tunnels
- Observe correct reqids (by looking at setkey -PD output)
- Disconnect the first tunnel
- Disconnect and reconnect the second tunnel
- Observe incorrect reqids (by looking at setkey -PD output)

Could similar issues be triggered by reauth or rekey?
As indicated by the caution on this page:
https://docs.strongswan.org/docs/latest/plugins/updown.html

Is there anything that can be done to fix this?
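A check for the mismatch the reproduction steps above produce, added here as an example and not part of the original post: it parses constructed samples of `setkey -PD` and `swanctl --list-sas` output and reports manual policies whose unique reqid no longer matches the reqid of the installed child SA for the same remote network. The output formats (setkey printing `unique:N`, swanctl printing `reqid N` per child) are assumptions about the FreeBSD and strongSwan tooling, so adjust the regexes if your build prints them differently.

```python
import re

# Constructed `setkey -PD` sample; assumption: FreeBSD setkey prints manual reqids as "unique:N".
SETKEY_PD = """\
0.0.0.0/0[any] 10.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/unique:2
0.0.0.0/0[any] 10.0.3.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.2/unique:1
"""

# Constructed `swanctl --list-sas` sample after tunnel 1 was disconnected and tunnel 2
# reconnected: its child now holds reqid 3 while the manual policy still says unique:1.
SWANCTL_SAS = """\
tunnel2: #2, ESTABLISHED, IKEv2
  remote 'peer2' @ 198.51.100.2[500]
  child2: #3, reqid 3, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.0.1.0/24
    remote 10.0.3.0/24
"""

def parse_spd(text):
    """Map (src, dst, direction) -> reqid for every 'unique:N' policy in setkey -PD output."""
    policies, header, direction = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            header = line.split()                        # "src[any] dst[any] proto"
        elif line.strip().endswith(" ipsec"):
            direction = line.split()[0]                  # "in" or "out"
        elif header and (m := re.search(r"/unique:(\d+)$", line.strip())):
            src, dst = (f.split("[")[0] for f in header[:2])
            policies[(src, dst, direction)] = int(m.group(1))
    return policies

def parse_sas(text):
    """Map remote traffic selector -> (conn, child, reqid) for INSTALLED child SAs."""
    sas, conn, child = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"(\S+): #\d+, ESTABLISHED", line):
            conn = m.group(1)
        elif m := re.match(r"\s+(\S+): #\d+, reqid (\d+), INSTALLED", line):
            child = (conn, m.group(1), int(m.group(2)))
        elif child and (m := re.match(r"\s+remote\s+(\S+/\d+)$", line)):
            sas[m.group(1)] = child
    return sas

def reqid_mismatches(spd_text, sas_text):
    """(dst, policy reqid, installed reqid) where the manual policy and the child SA disagree."""
    sas = parse_sas(sas_text)
    return sorted((dst, reqid, sas[dst][2]) for (_, dst, _), reqid in parse_spd(spd_text).items()
                  if dst in sas and sas[dst][2] != reqid)
```

Run it against the real command outputs after each disconnect/reconnect cycle; an empty result means every manual policy still points at the reqid strongSwan actually installed.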

Hi,

When using both legacy and new at the same time, overlaps may happen, as mentioned at https://docs.opnsense.org/manual/vpnet.html#combining-legacy-tunnels-and-connections

You can either lock the reqids on the new connections too or force the numbering to start with an offset.

The latter should be possible by adding a file /usr/local/etc/strongswan.opnsense.d/reqid-base.conf containing

charon {
    reqid_base = 8192
}

Given we recently refactored the charon configuration to new MVC code, I also don't mind adding the option in the UI; just open a ticket requesting the feature here: https://github.com/opnsense/core/issues

Best regards,

Ad

Hi! Thank you for replying.

Let me clarify:
The issue in this case is not caused by overlapping between legacy and new.
All tunnels were moved to connections and we no longer have any legacy tunnels.
This is also the case in the reproducible example above, where there are only two connections.

The issue seems to be that manual SPD entries are not synced with dynamic reqids when they change.
In other words, the UPDOWN script would need to be run when reqids change, not only on up and down.

Locking reqids at configuration-time would work, but there would need to be some way of automatically selecting the next free / unique number.

Best regards,
Ulf

Hi Ulf,

That might depend on the configured settings; these events are triggered when connected properly to the child instead of a static id:

https://github.com/opnsense/core/blob/3c2ad5d6b3c53f27d747bbde7b6ff81dc4bb7e5f/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php#L246


Best regards,

Ad