opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Multiple Phase 2 Entries / Reboot / traffic selectors unacceptable #4336

Closed Hecatron closed 3 years ago

Hecatron commented 3 years ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

[X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

[X] I have searched the existing issues and I'm convinced that mine is new.

I think I've discovered a bug associated with VPN site-to-site tunnels when the box is rebooted and there are several Phase 2 entries in the tunnel for multiple subnets.

So I have a VPN tunnel set up with a Cisco ASA firewall on one end and an AWS OpnSense image on the other.

With multiple subnets routed over (multiple Phase 2 entries):

(Cisco side) 192.168.21.0/24 -> (OpnSense Side) 10.26.0.0/16
(Cisco side) 192.168.21.0/24 -> (OpnSense Side) 10.22.0.0/16

So if I reboot the opnsense box, then try and access something from the Cisco side, the opnsense logs tend to show something along the lines of:

traffic selectors 10.22.11.201/32 10.22.0.0/16 === 192.168.21.73/32 192.168.21.0/24 unacceptable

If I then go into VPN -> IPSec -> Status Overview, then click on the circle symbol at the top (which I think restarts the VPN service), everything then works fine.

I'm guessing the VPN service is starting too soon after a reboot, which is why it may need a manual restart of the VPN service just to get things going properly.

I'm planning on moving across to routed IPSec so I'm hoping that will fix it.

Environment

OPNsense 20.7.2-amd64 AMD EPYC 7571 (2 cores) (AWS Image)
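As an added example (not from the report or from the OPNsense project), a small Python check that parses charon rejection lines of the form quoted above and compares the rejected selectors against the Phase 2 pairs configured in the report. It separates a "Phase 2 entry exists but is evidently not loaded" case (what the reporter worked around with a service restart) from a genuine selector mismatch that needs a config fix. The log lines are constructed; the Phase 2 list mirrors the subnets the reporter gives.

```python
import ipaddress
import re

# Constructed sample lines in the style of the strongSwan charon message
# quoted in the report (not copied from a real log).
SAMPLE_LOG = """\
charon: 05[IKE] traffic selectors 10.22.11.201/32 10.22.0.0/16 === 192.168.21.73/32 192.168.21.0/24 unacceptable
charon: 07[IKE] traffic selectors 10.99.1.5/32 10.99.0.0/16 === 192.168.21.73/32 192.168.21.0/24 unacceptable
"""

# Phase 2 (child SA) selector pairs as configured on the OPNsense side in the
# report: (local network, remote network).
CONFIGURED_PHASE2 = [
    ("10.26.0.0/16", "192.168.21.0/24"),
    ("10.22.0.0/16", "192.168.21.0/24"),
]

# Local selectors appear before "===", remote selectors after it.
TS_RE = re.compile(r"traffic selectors (.+?) === (.+?) unacceptable")


def parse_rejections(log_text):
    """Return a (local_selectors, remote_selectors) tuple per rejection line."""
    found = []
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m:
            found.append((m.group(1).split(), m.group(2).split()))
    return found


def covered(selector, net):
    """True if the proposed selector lies inside the configured network."""
    return ipaddress.ip_network(selector, strict=False).subnet_of(
        ipaddress.ip_network(net))


def classify(local_sels, remote_sels, phase2=CONFIGURED_PHASE2):
    """'stale' when a configured Phase 2 pair covers the rejected selectors
    (config present but the running daemon rejected it, as after the reboot
    in the report); 'mismatch' when no configured pair covers them."""
    for local_net, remote_net in phase2:
        if (any(covered(s, local_net) for s in local_sels)
                and any(covered(s, remote_net) for s in remote_sels)):
            return "stale"
    return "mismatch"


def audit(log_text, phase2=CONFIGURED_PHASE2):
    """Classify every rejection line found in log_text."""
    return [classify(l, r, phase2) for l, r in parse_rejections(log_text)]
```

A run of "stale" results right after boot, clearing once the IPsec service is reloaded, points at the start-order problem the reporter describes rather than at the peer's configuration.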

Hecatron commented 3 years ago

I've put some config below, although I tried to mask out any private data like passwords etc.

OPNsense-bot commented 3 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.