opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

VPN ipsec - Manual policy in Security Policy Database not inserted in case of reboot #7959

Open smeretech opened 1 week ago

smeretech commented 1 week ago

Describe the bug

I configured an IPsec VPN via 'VPN: IPsec: Connections'. This tunnel has, in phase 2 (child), the Trap+Start configuration and a /24 network that does not correspond to my local network (LAN), so I had to set up a 1:1 NAT. I entered my LAN subnet in manual mode in 'VPN: IPsec: Security Policy Database', selecting the corresponding child.

Each time I restart OPNsense, the tunnel in question is down, and in 'VPN: IPsec: Security Policy Database', Installed tab, there are only the subnets provided by the tunnel and not the line corresponding to the one I entered in the Manual tab.

Therefore, if I try to go from my LAN subnet to the remote network, the traffic goes to the Internet.

If I manually activate the tunnel from 'VPN: IPsec: Status Overview', the tunnel comes up and my network is automatically entered in the Installed tab of 'VPN: IPsec: Security Policy Database' as well.

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'VPN: IPsec: Connections' and configure a new instance.
  2. Create the respective child for the tunnel as in the screenshot (Trap+Start).
  3. Go to 'VPN: IPsec: Security Policy Database', Manual tab, and add a new policy for the LAN subnet. Assign it the respective child name.
  4. Reboot the OPNsense firewall.
  5. Check the active policies in 'VPN: IPsec: Security Policy Database', Installed tab.
  6. Try to reach the remote subnet and verify whether the routes are respected.

Expected behavior

Having set Trap+Start mode, the tunnel should come up automatically in the event of a strongSwan server/service restart, but this does not happen. If I execute the manual start, the manual policy becomes part of the installed policies and remains there even if the tunnel subsequently goes down due to timeout. As long as that policy remains in Installed, traffic to the remote network is not routed and the tunnel does not activate.

Describe alternatives you considered

At the moment, the only way is to activate the tunnel in manual mode.

Screenshots

IPsec tunnel (child config): [image]

Security Policy Database (Manual): [image]

Security Policy Database (Installed) after the reboot: [image]

Security Policy Database (Installed) after the manual start of the tunnel: [image]

Environment

Software version used and hardware type: OPNsense 24.7.6 (amd64).
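A scripted version of step 5 above, added here as an example and not part of the original report or of OPNsense: instead of reading the Installed tab by eye after each reboot, it checks whether a policy for the LAN subnet to the remote subnet is present in the output of `swanctl --list-pols`. The output layout it parses (a "conn/child, TUNNEL, reqid N" header followed by "local:" and "remote:" selector lines) is an assumption about strongSwan's format, the subnets and child name are placeholders, and the two sample outputs are constructed to mirror the two states the report describes (after reboot, and after a manual start).

```shell
#!/bin/sh
# Added example (not OPNsense or strongSwan code): check after a reboot whether
# the LAN -> remote policy is actually installed. Parses `swanctl --list-pols`,
# whose layout is ASSUMED here to be:
#   conn/child, TUNNEL, reqid N
#     local:  a.b.c.d/n [...]
#     remote: e.f.g.h/m [...]

# spd_installed LOCAL_NET REMOTE_NET   (policy listing on stdin)
# Prints "child reqid N" for every policy whose selectors contain the pair and
# exits 0; exits 1 when no policy matches (the report's post-reboot state).
spd_installed() {
    awk -v l="$1" -v r="$2" '
        /, reqid/ {
            name = $1; sub(/,$/, "", name); rid = "?"; lcl = 0
            for (i = 1; i < NF; i++) if ($i == "reqid") rid = $(i + 1)
        }
        $1 == "local:"  { for (i = 2; i <= NF; i++) if ($i == l) lcl = 1 }
        $1 == "remote:" {
            if (lcl) for (i = 2; i <= NF; i++)
                if ($i == r) { print name " reqid " rid; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample: only the child's own (NATed) /24 is present and the
# manual LAN entry is missing, which is what the report sees after a reboot.
SAMPLE_AFTER_REBOOT='con-site/child-nat, TUNNEL, reqid 1
  local:  172.16.50.0/24
  remote: 10.20.30.0/24'

# Constructed sample: same tunnel after the manual start, LAN policy present.
SAMPLE_AFTER_MANUAL_START='con-site/child-nat, TUNNEL, reqid 1
  local:  172.16.50.0/24
  remote: 10.20.30.0/24
con-site/child-nat, TUNNEL, reqid 1
  local:  192.168.10.0/24
  remote: 10.20.30.0/24'

# On a live box:  sh spd_check.sh --live 192.168.10.0/24 10.20.30.0/24
# (hypothetical file name; the LAN and remote subnets are the placeholders above)
if [ "${1:-}" = "--live" ]; then
    if swanctl --list-pols | spd_installed "$2" "$3"; then
        echo "manual policy installed"
    else
        echo "manual policy MISSING: LAN traffic will follow the default route"
        exit 1
    fi
fi
```

Run it from cron or an HA failover hook right after boot; a non-zero exit is the condition the report describes, where traffic for the remote subnet leaves via the default route instead of the tunnel. The printed reqid is worth comparing across reboots, since a manual SPD entry only matches the child it was bound to.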

Monviech commented 1 week ago

Try to remove all manual Reqids from all children and let the system auto-assign them.

They're only needed manually for VTI, or if you make sure each child has a unique Reqid number and you assign the manual SPD rules based on these unique numbers.

Off topic: do my eyes spy a tunnel to an SSG5?

smeretech commented 1 week ago

Thanks for your reply.

I removed the Reqid from the child, saved, applied and rebooted the firewall.

Before the reboot:

[image]

After the reboot:

[image]

I tried to reach the remote subnet and the traffic went to the Internet instead of being routed into the tunnel.

Monviech commented 1 week ago

I have tried to reproduce this on 24.7.6 but I couldn't. After each reboot the manual SPD entry was there. Even with trap+start, start or none.

My test tunnel had static IPs on both sides; are any of your IPs dynamic?

smeretech commented 1 week ago

The public IPs are static.

SORRY. I forgot to point out that this firewall is in HA (CARP) and both OPNsense firewalls have a private IP on the WAN, as it is NATed through a router.

In the section for the public local address of the VPN instance, I also had to enter the virtual CARP IP assigned on the WAN that is used for egress.

Probably, if I restart the master and the secondary comes up as active, the VPN tunnel is stopped and does not start automatically. That is why the manual route does not appear among the installed ones.

Vice versa, if the master comes back up, the tunnel on the master is in the down state after the reboot. Again, there is no route installed until I first activate the tunnel manually.

The best thing would be to understand how strongSwan works when there is CARP HA.

Regards