
IPsec site-2-site firewall rules not adopted dynamically #8200

Open
2 tasks done
TheLion092 opened this issue Jan 9, 2025 · 1 comment
Labels
support Community support

Comments

@TheLion092

TheLion092 commented Jan 9, 2025

Describe the bug

Automatically created firewall rules of an IPsec VPN tunnel are dynamically changed in the rules when the IP address of the remote site (DynDNS) is changed, but are not adopted. The VPN rule only works again after you make a manual change to the rules, e.g. switch on the logging of another rule and press apply.

To Reproduce

Steps to reproduce the behavior:

  1. Create a site-to-site IPsec VPN tunnel
  2. On Phase 1 at "Peer identifier" select "Distinguished Name" and use a DynDNS address
  3. After creating the tunnel go to Firewall > Rules > WAN and open "Automatically generated rules (end of ruleset)"
  4. See the automatically generated rule for the tunnel and the inserted IP address of the endpoint
  5. Renew the WAN IP address of the endpoint
  6. See that the automatically generated rule's IP address changed dynamically within seconds
  7. The new WAN IP address of the endpoint is still blocked by the firewall
  8. Make any change in the firewall ruleset, e.g. enable logging of any rule, and press APPLY
  9. The new WAN IP address of the endpoint gets permitted

Expected behavior
The firewall ruleset needs to be reloaded when it detects a new entry in the IP address field of an automatically generated rule.

Describe alternatives you considered
No alternatives

Screenshots
No screenshot

Relevant log files
No relevant log files.

Additional context
No additional context

Environment

OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

Deciso DEC850 V1
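The behaviour described in the steps above is a detect-then-reload problem: the peer's DynDNS name resolves to a new address, the generated rule text picks it up, but nothing applies the ruleset. The following is an added example, not OPNsense code and not something from the reporter, that shows the shape of a watcher that notices the address change and only then triggers a reload. The tunnel name, the DynDNS hostname and the two addresses in the offline walk-through are constructed placeholders; `configctl filter reload` is assumed to be the configd action that reloads the packet filter on OPNsense and should be verified on the version in use before wiring the hook in.

```python
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample scenario: tunnel name -> DynDNS name of the remote peer.
# Both values are placeholders, not names taken from the issue.
PEERS: Dict[str, str] = {"site-b": "site-b.example.dyndns.invalid"}

# (tunnel, previously seen address or None, newly seen address)
Change = Tuple[str, Optional[str], str]


def resolve_ipv4(fqdn: str) -> Optional[str]:
    """Resolve an FQDN to one IPv4 address; None when the lookup fails."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def valid_ipv4(text: str) -> bool:
    """Only a well-formed unicast IPv4 address is allowed into a firewall rule.
    Loopback, multicast, link-local and 0.0.0.0 answers are rejected so a
    poisoned or broken DNS answer cannot open the rule to the wrong range."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return not (addr.is_loopback or addr.is_multicast
                or addr.is_link_local or addr.is_unspecified)


class PeerAddressWatcher:
    """Polls each peer FQDN and reports address changes to a hook."""

    def __init__(self, peers: Dict[str, str],
                 resolve: Callable[[str], Optional[str]] = resolve_ipv4,
                 on_change: Optional[Callable[[List[Change]], None]] = None):
        self.peers = dict(peers)
        self.resolve = resolve
        self.on_change = on_change or (lambda changes: None)
        self.last_seen: Dict[str, str] = {}

    def poll(self) -> List[Change]:
        changes: List[Change] = []
        for tunnel, fqdn in self.peers.items():
            addr = self.resolve(fqdn)
            if addr is None or not valid_ipv4(addr):
                # Lookup failure or an unusable answer: keep the last known
                # address instead of flapping the ruleset on every DNS hiccup.
                continue
            previous = self.last_seen.get(tunnel)
            if addr != previous:
                self.last_seen[tunnel] = addr
                changes.append((tunnel, previous, addr))
        if changes:
            self.on_change(changes)   # reload only when something really moved
        return changes


def reload_filter(changes: List[Change]) -> int:
    """Hook for a live system: apply the ruleset after a peer address changed.
    ASSUMPTION: `configctl filter reload` is the OPNsense configd action that
    reloads the packet filter; confirm it on your release before relying on it."""
    for tunnel, previous, new in changes:
        print(f"{tunnel}: peer address {previous} -> {new}, reloading filter")
    return subprocess.call(["configctl", "filter", "reload"])


def simulate_renewal() -> List[List[Change]]:
    """Offline walk-through of the reported steps using a constructed resolver
    (a dict lookup) and a hook that just records each batch of changes."""
    table: Dict[str, Optional[str]] = {PEERS["site-b"]: "203.0.113.10"}
    log: List[List[Change]] = []
    watcher = PeerAddressWatcher(PEERS, resolve=table.get, on_change=log.append)
    watcher.poll()                           # step 4: initial address learned
    watcher.poll()                           # nothing changed: hook not called
    table[PEERS["site-b"]] = "203.0.113.77"  # step 5: endpoint renews its WAN address
    watcher.poll()                           # step 6: change seen, hook fires once
    table[PEERS["site-b"]] = None            # transient DNS failure
    watcher.poll()                           # last address kept, no reload
    return log


if __name__ == "__main__":
    for batch in simulate_renewal():
        print(batch)
```

In `simulate_renewal` the hook only records; on a firewall you would pass `on_change=reload_filter` and run `poll` from cron or a configd job at a short interval. The watcher deliberately ignores failed lookups, which is the failure mode that matters most here: a rule whose peer address silently disappears is worse than one that is briefly stale.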

@Monviech
Member

The auto-added IPsec firewall rules are a legacy feature.
https://docs.opnsense.org/manual/vpnet.html#firewall-rules

The note there sounds like your issue: the FQDN in the auto-generated rule is guessed.

I would disable the auto added vpn rules and create manual firewall rules with a host alias.

@Monviech Monviech added the support Community support label Jan 10, 2025