vpn/ipsec: Add migration help with swanctl.conf example to vpnet.rst (#661)

Monviech 2025-01-20 15:45:37 +01:00 committed by GitHub
parent b5e5440769
commit 772ef66139
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -99,9 +99,9 @@ The following functions are available in the menu (as of OPNsense 23.1):
* Inspect log entries related to IPsec
..................................................................
Migrating from tunnels to connections
-------------------------------------------
..................................................................
Having used the tunnel settings from the early OPNsense days, some terminology might be a bit confusing when moving into the new options offered.
This paragraph aims to explain some of the common terms from the tunnel section and their new place in the connections.
@ -130,15 +130,165 @@ is an interesting read as well.
If both ends should use their own identifier, fill in both local and remote values. The legacy module requested this information in the phase 1
page and wrote the same information to the secrets.
.. Tip::
Since OPNsense uses the new Strongswan format also for legacy tunnels, it is rather easy to convert a tunnel manually
when downloading the :code:`swanctf.conf` file from the machine. You can find it in :code:`/usr/local/etc/swanctl/swanctl.conf`
and the format is almost identical to the connections gui available in OPNsense.
Since OPNsense uses the new Strongswan format also for legacy tunnels, it is rather easy to convert a tunnel manually
when downloading the :code:`swanctf.conf` file from the machine. You can download it via :menuselection:`VPN -> IPsec -> Advanced Settings -> swanctl.conf`.
The format is almost identical to the connections gui available in OPNsense.
Let's take a look at the following ``swanctl.conf`` that contains a legacy ``con1`` tunnel:
.. code-block::
# This file is automatically generated. Do not edit
connections {
con1 {
unique = replace
aggressive = no
version = 2
mobike = yes
local_addrs = 203.0.113.1
local-0 {
id = 203.0.113.1
auth = psk
}
remote-0 {
id = 198.51.100.1
auth = psk
}
encap = no
remote_addrs = 198.51.100.1
proposals = aes256-sha256-modp2048
children {
con1 {
start_action = start
policies = yes
mode = tunnel
sha256_96 = no
local_ts = 192.168.1.0/24
remote_ts = 172.16.100.0/24
reqid = 1
esp_proposals = aes256-sha256-modp2048
}
}
}
}
pools {
}
secrets {
ike-p1-0 {
id-0 = 198.51.100.1
secret = 0saGVsbG93b3JsZA==
}
}
To convert this configuration:
- Go to :menuselection:`VPN -> IPsec -> Connections`
- Press **+** to add a new Tunnel and enable the `advanced mode`
.. tabs::
.. tab:: Connections
========================================== ========================================== ==========================================
**Option** **Value** **swanctl.conf**
========================================== ========================================== ==========================================
**Proposals** aes256-sha256-modp2048 (remove default) proposals = aes256-sha256-modp2048
**Unique** Replace unique = replace
**Version** IKEv2 version = 2
**Local addresses** 203.0.113.1 local_addrs = 203.0.113.1
**Remote addresses** 198.51.100.1 remote_addrs = 198.51.100.1
**Description** con1-phase1
========================================== ========================================== ==========================================
Press `Save`, then move to `Local Authentication` and press **+**
.. tab:: Local Authentication
========================================== ========================================== ==========================================
**Option** **Value** **swanctl.conf**
========================================== ========================================== ==========================================
**Connection** con1-phase1
**Round** 0 local-0
**Authentication** Pre-Shared Key auth = psk
**Id** 203.0.113.1 id = 203.0.113.1
**Description** 203.0.113.1
========================================== ========================================== ==========================================
Press `Save`, then move to `Remote Authentication` and press **+**
.. tab:: Remote Authentication
========================================== ========================================== ==========================================
**Option** **Value** **swanctl.conf**
========================================== ========================================== ==========================================
**Connection** con1-phase1
**Round** 0 remote-0
**Authentication** Pre-Shared Key auth = psk
**Id** 198.51.100.1 id = 198.51.100.1
**Description** 198.51.100.1
========================================== ========================================== ==========================================
Press `Save`, then move to `Children` and press **+**
.. tab:: Children
========================================== ========================================== ==========================================
**Option** **Value** **swanctl.conf**
========================================== ========================================== ==========================================
**Connection** con1-phase1
**Mode** Tunnel mode = tunnel
**Policies** X policies = yes
**Start action** Start start_action = start
**Reqid** 1000 reqid = 1
**ESP proposals** aes256-sha256-modp2048 (remove default) esp_proposals = aes256-sha256-modp2048
**Local** 192.168.1.0/24 local_ts = 192.168.1.0/24
**Remote** 172.16.100.0/24 remote_ts = 172.16.100.0/24
**Description** con1-phase2
========================================== ========================================== ==========================================
Press `Save`, then `Save` again to store the new `Connection`.
.. Note::
Read about the reqid in the section :ref:`Combining legacy tunnels and connections <vpnet-combining-legacy-connections>`
Now we must configure a `Pre-Shared Key` that matches the `Local Authentication` and `Remote Authentication`:
- Go to :menuselection:`VPN -> IPsec -> Pre-Shared Keys`
- Press **+** to add a new `Pre-Shared Key`
.. tabs::
.. tab:: Pre-Shared Key
========================================== ========================================== ==========================================
**Option** **Value** **swanctl.conf**
========================================== ========================================== ==========================================
**Local Identifier** 203.0.113.1 (required now)
**Remote Identifier** 198.51.100.1 id-0 = 198.51.100.1
**Pre-Shared Key** helloworld secret = 0saGVsbG93b3JsZA==
**Type** PSK auth = psk
**Description** con1-phase1
========================================== ========================================== ==========================================
.. Note::
Gather the unhashed secret from :menuselection:`VPN -> IPsec -> Tunnel Settings`.
Generally it is good practice to document these secrets in a password manager.
After the initial configuration, go to :menuselection:`VPN -> IPsec -> Tunnel Settings` and deactivate the `con1` tunnel by unchecking `Enabled` in `Phase1` and `Phase2`.
Go back to :menuselection:`VPN -> IPsec -> Connections` and ensure the new tunnel is `Enabled`. Press `Apply` and the new configuration will be active.
.. _vpnet-combining-legacy-connections:
..................................................................
Combining legacy tunnels and connections
-------------------------------------------
..................................................................
It is possible to combine tunnels and connections, but there are some constraints. As our legacy tunnels force a :code:`reqid`
for each configured child (phase 2), there is a risk the automated numbering from the new connection children overlaps.
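Review bot: The new Tip text still carries the `swanctf.conf` typo from the paragraph it replaces ("when downloading the :code:`swanctf.conf` file"); the file is `swanctl.conf`, as the rest of the hunk and the menu path `VPN -> IPsec -> Advanced Settings -> swanctl.conf` say. Three smaller points in the same hunk: the `.. code-block::` directive has no lexer name, so please give it one (`:: ini` or `:: text`) to avoid a Sphinx warning and keep rendering consistent with the other listings; in the Children table the **Reqid** row pairs the value `1000` with `reqid = 1`, which reads like a transcription error unless the reader follows the Note to the combining section, so a short inline sentence saying that a different reqid is chosen on purpose would save confusion; and the Pre-Shared Keys Note speaks of the "unhashed" secret, but `secret = 0saGVsbG93b3JsZA==` is not a hash, it is strongSwan's `0s` base64 prefix around `helloworld`, so the downloaded `swanctl.conf` already exposes the PSK in recoverable form and the text should say so (and treat the download as sensitive) rather than send the reader back to Tunnel Settings to recover it.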