IPSec transport mode broken in 17.7.x #1875
Comments
I manually changed auto=start to auto=route in the /usr/local/etc/ipsec.conf file on OPNSense, and it brought up the "Routed Connection" to pfSense status in ipsec statusall. However, no change to outbound traffic being sent in the clear (and thus blocked).
More - setkey -D for the two boxes (OPNSense and pfSense look the same). Can't figure out why OPNSense isn't throwing the traffic into the IPSec transport...
@obrienmd can you compare the output of ipsec.conf in OPN and pf?
Sorry @obrienmd I can't reproduce it. For testing:
- Go to Firewall rules and allow everything between the WAN IPs
- Both FW P1's, only change to v2, add test as psk, add peer, nothing else!
- Both FW P2's, only change type to Transport, nothing else!
This works fine for me .. 17.7.5 and other peer 17.7.4. I can update the last one if you insist :)
Hrm, thanks for testing. I'm unfortunately out of time, so won't be able to test again until my next project with IPSec, or if I get some free time in between projects.
Thanks for the test case - given you validated, please feel free to close, can't really make any sense out of why this only hit me, that was my exact test case more than a few times :)
--
Mike OBrien
On Sat, Oct 14, 2017 at 9:33 PM, Michael ***@***.***> wrote:
> Sorry @obrienmd <https://github.com/obrienmd> I can't reproduce it.
> For testing:
> - Go to Firewall rules and allow everything between the WAN IPs
> - Both FW P1's, only change to v2, add test as psk, add peer, nothing else!
> - Both FW P2's, only change type to Transprt, nothing else!
> This works fine for me .. 17.7.5 and other peer 17.7.4. I can update the last one if you insist :)
Sidenote: For a different test I had floating rules any any accept, when missing it's denied.
Sidenote2: If you build a GRE tunnel with parent IF WAN over this transport it's also working. This should solve: https://forum.opnsense.org/index.php?topic=6131.0 UPDATE: removed the stuff with floating rules, you need them. I'll investigate the next days ..
Hi Michael, can I ask you for an update on your investigation? I'm using Citrix vSwitch, which uses the GRE protocol. OPNSense updated to 18.1.4. Augusto B.
Why would you need GRE for the vSwitch?
It seems the DVS Controller is using GRE tunneling to provide network isolation. How did you set up the vSwitch? I'm trying to make it work, I don't find the docs clear enough.
I'm facing the same issue between two OPNsense 18.1.6 gateways.
@steveej please open a new issue or at first a new thread in the forums, since it's unclear what your problem is.
I'm having this same issue. IPSec VPN comes up, and the OPNSense receives the traffic through the tunnel, but sends back the replies in clear-text through the WAN interface. Let me know what is needed to debug
Had to check "Install policy" in the ipsec settings
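For readers landing here from a search, the following is an added example (not from the OPNsense project or from anyone in this thread) of what the strongSwan ipsec.conf for the setup tested above looks like when it is written by hand: IKEv2 with a pre-shared key, a transport-mode phase 2, and the two settings the thread turns on, `auto=route` (the "Routed Connection" state) and kernel policy installation (the "Install policy" checkbox; the assumption that the checkbox maps to strongSwan's `installpolicy` keyword is mine). Addresses, the connection name and the GRE-only selector are placeholders and assumptions, not values from the thread.

```conf
# Added example, not OPNsense's generated config. Placeholder WAN addresses.
config setup
    uniqueids = yes

conn opn-to-pf-transport
    keyexchange = ikev2
    # Transport mode: the peers' own WAN addresses are the protected endpoints.
    type = transport
    left = 192.0.2.1          # this firewall's WAN address (placeholder)
    right = 198.51.100.1      # peer's WAN address (placeholder)
    leftauth = psk
    rightauth = psk           # PSK itself lives in ipsec.secrets, not here
    # Assumed narrowing to GRE only, so the policy covers the GRE tunnel
    # carried over this transport SA and nothing else between the two WANs.
    leftsubnet = 192.0.2.1/32[gre]
    rightsubnet = 198.51.100.1/32[gre]
    # Without SPD entries the kernel has no reason to encrypt matching
    # packets: they leave the WAN in the clear and get dropped by the
    # firewall, which is the symptom reported in this issue.
    installpolicy = yes
    # auto=route installs a trap policy: the first matching packet triggers
    # IKE instead of being sent unprotected while the SA is still down.
    auto = route
```

To confirm the policy actually landed, `ipsec statusall` should list the connection as a routed connection and `setkey -D` (both already used earlier in the thread) should show SAs once traffic has triggered negotiation; a packet capture on the WAN should then show only ESP (IP protocol 50) between the two addresses, with no GRE in the clear.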
It was 8b8bbc3 |
Per an e-mail conversation with @fichtner , I have been struggling with IPSec in transport mode (to support GRE tunnels and dynamic routing) in OPNSense. I have also tried the following with a testing 11.1 kernel he sent over, hoping the new ipsec bits in that kernel would help - they did not.
When a transport mode phase 2 is brought up, OPNSense doesn't seem to be sending traffic through the IPSec connection, and rather tries to send it directly out the WAN interface in the clear.
To reproduce and verify:
When I do this between an OPNSense 17.7.5 and pfSense 2.4.0 box, the pfSense box as sender shows ESP traffic going out the WAN interface and can successfully ping the OPNSense WAN IP (the OPNSense box sends back as ESP when the other side initiates, strangely). As sender, the OPNSense box tries to send in the clear and denies permission as in the OPNSense <> OPNSense test case (the pfSense side never sees packets). I think this might be the most useful debug case, so I added some info in a gist: https://gist.github.com/obrienmd/724a3b3f13e336de618b7725cf3063d7
^ It looks like we might be missing the "Routed Connections"?
When I do this between two pfSense 2.4.0 boxes, the traffic goes out as ESP from both sides and both sides can ping successfully.