New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPsec Connections - IKE DPD Action "Restart" listed as "Start" does not restart/re-negotiate the connection when a peer dies. #7374
Comments
The upstream documentation about this is a bit inconsistent on this topic https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf -> https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html, according to the migration guide it should be Just to be sure, to rule our both actually do the same, did you configure a |
When looking at |
Good morning, Thank you for looking into my issue. I have configured a dpd_delay of 30 seconds for the connection on both ends. Hmmm - Thats very interesting regarding the start v. restart inconsistency in the strongSwan docs. I looked at the 5.9 docs and only saw "restart" listed as an option hence the initial bug report. My phase 2 and associated SPD is dying for some reason and not being re-negotiated after the peer dies. I thought I had it narrowed down to DPD not re-negotiating, but it looks like I might need to dig into this some more and see if it happens during re-key or randomly. Here is my complete setup for "fw01". "fw02" is also running the same version of OPNsense and configured the same. I do have FQDNs configured which I know are broken in strongSwan 5.9 with VTI mode. I am currently using Policy mode. |
It might help to increase the log levels a bit and check for events around your issue, the packet capture is also a useful tool to inspect if anything is being exchanged between the peers. |
Security Recommendations |
@gongoscho - Thanks for the recommendation. |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
IKE Dead Peer-Detection Restart Action using the new "Connections - IKE Children UI" is showing as "Start" and does not actually force restart IKE re-negotiation upon a dead peer despite DPD timer being configured.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The "Edit Child" UI naming should be corrected to say "Restart" and should also force restart a new IKE session after the specified IKE DPD delay is triggered by a dead-peer.
Describe alternatives you considered
None - This appears to be a bug with the updated core IPsec Plugin. I did not have this issue prior to migrating my "Legacy" IPsec VPN Connections.
Screenshots
Relevant log files
None - IKE Child SA Negotiation sometimes fails due to dead-peer and does not attempt to re-negotiate even after receiving no responses to DPD requests.
Additional context
I have reviewed the IPsec plugin code (core/src/etc/inc/plugins.inc.d/ipsec.inc) and believe the problematic code is located at lines 1545-1551.
Specifically:
I believe that all references to "start" should be corrected to "restart". I am not sure if there are additional dependencies with this same error.
Environment
OPNsense 24.1.5_3-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz (2 cores, 4 threads)
The text was updated successfully, but these errors were encountered: