IPSec VPN tunnels not working when upgraded to 6.45.1

Posted: Sat Jul 06, 2019 3:23 pm
by Farseer
Hi,

So I have 1 HO and 2 branches. Previously these devices were on 6.43.12, and each branch connected to the HO via IPSec VPN. Had almost no issues for a long time, with only occasional hiccups. Today I upgraded all the devices to 6.45.1.

Here is what I did and what happened:

1) Upgraded firmware from 6.43.12 to 6.45.1
2) Disabled the scheduler object that ran a script to resolve DDNS names and fill the resulting IP addresses into SA-SRC-ADDRESS and SA-DST-ADDRESS
3) Tunnels stayed open for a bit but then dropped.
4) All IPSec windows showed the peer column as "unknown" in all policies (HO and branches). I went into each policy object and just hit Apply to get it to update, and the "unknown" changed to the DDNS name of the relevant peer.
5) HO Router IPSec shows "no phase2" for both policies
6) Branch Routers IPSec shows either "no phase2" or "msg1 sent"
7) Checking the branch routers' IPSec Policy Status tab shows SA Src. Address as 0.0.0.0. The HO router shows the same, SA Src. Address 0.0.0.0.
8) Logs show "failed to pre-process ph2 packet" or "peer sent packet for dead phase2" on all routers.

I am sure there is no issue with the firmware, but I think that with the way they changed IPSec, something is misconfigured. Any idea what is missing?

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Posted: Sat Jul 06, 2019 4:18 pm
by Farseer
Alright, so I managed to get it to work. I was basically playing around with the settings and found that:

1) 0.0.0.0 in SA Src. Address is not an issue; if phase2 connects, the tunnel will work.
2) I went into IPSec > Peers and set Local Address, first to the IP of the router on that end of the tunnel and then to the public IP of that branch/office. After that, kill all the connections in Active Peers and flush the SAs. Then go back and set Peers > Local Address back to blank and disabled. Worked out for me.

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Posted: Sat Jul 06, 2019 9:07 pm
by ingdaka
That is a security feature that has been there since 6.44! You need to set both the Remote and the Local Peer IP! Before, there was just the remote peer IP!

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Posted: Thu Aug 08, 2019 12:33 pm
by voljka
> That is a security feature that has been there since 6.44! You need to set both the Remote and the Local Peer IP! Before, there was just the remote peer IP!

Thanks for this comment, it saved me. Can you point me to the exact release note where this feature was introduced? I'm unable to find it...

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Posted: Tue Nov 12, 2019 9:30 am
by Krusty
I'd like to see the release note for this too. This was a hella long nightmare to search for!

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Posted: Tue Nov 12, 2019 2:36 pm
by sindy
> That is a security feature that has been there since 6.44! You need to set both the Remote and the Local Peer IP! Before, there was just the remote peer IP!

I cannot confirm this to be the case in 6.45.7. Here, you can still have no local-address set on the peer and it works anyway. Maybe it was an unintentional change somewhere between 6.43.whatever and 6.45.1?

Other than that, officially (i.e. according to the documentation), sa-src-address and sa-dst-address of the policy, which used to be configurable, became read-only properties, and once the peer property of the policy gets set, both sa-xxx-address values are dynamically inherited from the peer's. But the configuration auto-conversion does not do the reverse matching, i.e. it does not assign a peer value to policies based on their sa-src-address and sa-dst-address.
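The 6.44+ layout that sindy describes, and the Peers > Local Address workaround from Farseer's second post, as one added example that is not from any of the posters in this thread. It shows the HO side of a single site-to-site tunnel; the branch side mirrors it with the addresses swapped. All addresses, object names and the pre-shared key are placeholders I made up, and the algorithm choices are assumptions, not something the thread specifies. The point it illustrates: the policy no longer carries sa-src-address/sa-dst-address itself, it takes them from the peer it references, so the peer is the object that has to know both the remote address and (optionally) this router's own local-address.

```routeros
# RouterOS 6.44+ site-to-site IPsec, HO side (added example; every value is a placeholder)
# Assumed topology: HO public IP 198.51.100.1, branch public IP 203.0.113.10,
#                   HO LAN 10.0.0.0/24, branch LAN 10.1.0.0/24.

# Phase 1 settings live in a profile
/ip ipsec profile
add name=branch-ph1 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    nat-traversal=yes dpd-interval=30s

# Phase 2 settings live in a proposal
/ip ipsec proposal
add name=branch-ph2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# The peer is where both ends' addresses now live.
# address=      the remote end (a DDNS hostname is also accepted here instead of an IP)
# local-address= the address this router uses as its own IKE/SA endpoint; leave it
#               unset and RouterOS picks one itself, which is what the "0.0.0.0"
#               SA Src. Address in the first post reflects
/ip ipsec peer
add name=branch1 address=203.0.113.10/32 local-address=198.51.100.1 \
    exchange-mode=ike2 profile=branch-ph1

# Authentication is a separate identity object bound to the peer
/ip ipsec identity
add peer=branch1 auth-method=pre-shared-key secret="replace-with-a-long-random-psk"

# The policy only references the peer. sa-src-address / sa-dst-address are
# read-only now and are inherited from the peer's local-address / address.
/ip ipsec policy
add peer=branch1 tunnel=yes src-address=10.0.0.0/24 dst-address=10.1.0.0/24 \
    proposal=branch-ph2

# Checks after changing peer addresses: confirm the inherited SA addresses on the
# policy, then drop any stale state so both ends renegotiate. Lingering SAs from the
# old configuration are what produce "peer sent packet for dead phase2" in the log.
/ip ipsec policy print detail
/ip ipsec active-peers print
/ip ipsec active-peers kill-connections
/ip ipsec installed-sa flush
```

If an upgraded router still has old policies whose peer column shows "unknown", this is the state sindy refers to: the auto-conversion left peer empty, so nothing is inherited. Setting peer= on each such policy (Winbox: open the policy and hit Apply after choosing the peer) is the missing step, not re-entering the SA addresses, which are no longer writable.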