New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ipsec: connections VTI support for dynamic local/remote IP #6781
Comments
can't work reliable, see note in https://docs.opnsense.org/manual/vpnet.html#route-based-vti |
No it won't be as reliable as with a static IP. But I have a working VTI configuration with dynamic IP for months now on opnsense, years even on pfsense. As soon as you have dynamic IP somewhere, it does not work reliably anymore, VTI or not, as you will have to tolerate some downtime. The tunnel endpoints can be changed live with a single ifconfig command. The main issue is detecting when it needs to be changed. Unfortunately a lot of us are still stuck to dynamic IP especially on non-professional home ISP |
if/when |
I double that. I use IPsec VTI since a few years now (I believe starting with 21.1) and did not have any major problems so far. |
You can keep using the legacy tunnels, maybe eventually we think of something that is sustainable or an upstream change will offer the possibility to change |
+1 for this. I'm also using a Site-to-Site Tunnel with dynamic IPs on both sides for over a year now. With some monit rules to check the tunnel health and dead peer detection enabled, the downtime was ~5-10 minutes every few weeks. |
@cektom |
…nfiguration to connection up event in order to support dynamic dns scenarios. a bit of an experiment for #6781 Simplify ipsec_configure_vti() to make sure we only drop interfaces when not required anymore (tunnel address cleanup is unconditional) and only set local/remote address when configured.
…nfiguration to connection up event in order to support dynamic dns scenarios. a bit of an experiment for #6781 Simplify ipsec_configure_vti() to make sure we only drop interfaces when not required anymore (tunnel address cleanup is unconditional) and only set local/remote address when configured.
This 816ecae should do the trick, but now I'm looking for people to try it out. |
I could successfully set this up with one dynamic IP and one static at least. (Leaving both addresses empty). |
@joni1993 thanks for testing. I'll leave this here for a little while, maybe someone else want to try it as well. Merging should be relatively safe as setups with local/remote addresses set are not provisioned using the new hook. |
nobody else interested in this? that's surprising.... |
still in use as a "legacy config" - but ever wondered why this did not work using the new way - how is this testable? |
|
…nfiguration to connection up event in order to support dynamic dns scenarios. closes #6781 Simplify ipsec_configure_vti() to make sure we only drop interfaces when not required anymore (tunnel address cleanup is unconditional) and only set local/remote address when configured.
Seems to be working ! |
@AdSchellevis: I am not sure what exactly changed, but for me it is now not working anymore. Not sure if it was a coincidence it worked back then or something else changed (did not find any related code changes). Enabling the old setup works - i noticed following changes comparing the old and new UI method:
If i can help any further, just let me know. EDIT: Above method worked once, now i can't get it working again. |
@joni1993 when the old type works, it's unlikely related to this change as both are being setup quite similar, on my end a statically configure vti looks normal after an update. core/src/etc/inc/plugins.inc.d/ipsec.inc Lines 1717 to 1825 in bad7f25
The patch 659ed11 was released in |
Are they really set up similar? On the other hand the new method generates the updown event handler in the
|
Changing the updown event script as follows:
Adds the I don't know if the patch is correct for the SPD part though.. but the vti part of |
@joni1993 what does the
Without sections starting with |
I am not using static addresses - thats the whole point of this issue right? ;) "Phase 1" (Connections): "Local Authentication" (Connections): "Remote Authentication" (Connections): "Children" (Connections): Pre-Shared-Keys: Virtual Tunnel Interface: reqid_events:
|
@joni1993 you mentioned your setup worked before this change, dynamic addresses weren't supported before 21.1.4 for the new connections. |
It worked when i was on 21.1.1 + manually applying the patch. But i suspect it maybe worked because back then i did just disable the old config and enabled the new config at the same time and when applying some "old state"/IKE/Phase2 got reused for the new config - which made it seem working. But yesterday after updating to 24.1.6, it did not work anymore, so i suspect it initially only worked because of some quirks/coincidence/leftovers-states. |
if the log contains the event being processed in :
we can add some additional logging to help local debugging, in that case just open a new ticket to request more logging in this event. |
Yes it does include the line - but the script probably fails as written in my above comment - because the tunnel property is never applied.
|
@joni1993 ah, got it, missed that part in your initial comment, I'll take a look |
…down_event.py as get() doesn't have a default. (#6781 (comment))
Yes - this works and brings up the tunnel. Interestingly after disconnecting the tunnel and connecting again after tearing down and bringing up the VTI, the static routes for the gateway did not get applied. |
…down_event.py as get() doesn't have a default. (#6781 (comment)) (cherry picked from commit b0bf317)
the event shouldn't try to enforce routing, but if we only change the outer addressing, the inner shouldn't change anyway |
I agree. Somehow the Gateway Interface magically changed to some arbitrary interface... Anyway I'd call this case closed :) |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
With legacy IPsec configuration it is possible to :
VTI interface was then created/modified according to FQDN resolution and/or interface IP change, this was usefull when having a dynamic local IP (assigned to the interface) or a dynamic remote IP.
Main issue : With the new IPsec Connection UI it is impossible to add FQDN or interface name in the Virtual Tunnel Interfaces tab, which breaks dynamic IP VTI configurations.
IPSec configuration itself should work as we can input FQDN in local_addrs/remote_addrs fields, however the help text state that "If FQDNs are assigned, they are resolved every time a configuration lookup is done."
Secondary issue : An option to regularly check if the FQDN changed it's IP (or maybe allow to use alias) and reload ipsec and associated automatic-pass firewall rules might be useful as it will prevent unnecessary use of %any.
For now new IPsec connection UI seems broken for dynamic local/remote IP in routed/VTI setup.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Allow IPsec routed/VTI configurations to works with local and remote dynamic IPs :
Describe alternatives you considered
The only workaround would be to manually update the VTI interface configuration every time the local/remote IP changes.
Additional context
Some reports on the forum :
https://forum.opnsense.org/index.php?topic=35140.0
https://forum.opnsense.org/index.php?topic=33117.0
Environment
OPNsense 23.7.2-amd64
The text was updated successfully, but these errors were encountered: