From 772ef66139dac80ff78ecfb86ab7a0a90e1b2363 Mon Sep 17 00:00:00 2001 From: Monviech <79600909+Monviech@users.noreply.github.com> Date: Mon, 20 Jan 2025 15:45:37 +0100 Subject: [PATCH] vpn/ipsec: Add migration help with swanctl.conf example to vpnet.rst (#661) --- source/manual/vpnet.rst | 164 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 157 insertions(+), 7 deletions(-) diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index 56aa28b4..506459c7 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -99,9 +99,9 @@ The following functions are available in the menu (as of OPNsense 23.1): * Inspect log entries related to IPsec - +.................................................................. Migrating from tunnels to connections -------------------------------------------- +.................................................................. Having used the tunnel settings from the early OPNsense days, some terminology might be a bit confusing when moving into the new options offered. This paragraph aims to explain some of the common terms from the tunnel section and their new place in the connections. 
@@ -130,15 +130,165 @@ is an interesting read as well. If both ends should use their own identifier, fill in both local and remote values. The legacy module requested this information in the phase 1 page and wrote the same information to the secrets. -.. Tip:: - Since OPNsense uses the new Strongswan format also for legacy tunnels, it is rather easy to convert a tunnel manually - when downloading the :code:`swanctf.conf` file from the machine. You can find it in :code:`/usr/local/etc/swanctl/swanctl.conf` - and the format is almost identical to the connections gui available in OPNsense. +Since OPNsense uses the new Strongswan format also for legacy tunnels, it is rather easy to convert a tunnel manually +when downloading the :code:`swanctf.conf` file from the machine. You can download it via :menuselection:`VPN -> IPsec -> Advanced Settings -> swanctl.conf`. +The format is almost identical to the connections gui available in OPNsense. + +Let's take a look at the following ``swanctl.conf`` that contains a legacy ``con1`` tunnel: + +.. code-block:: + + # This file is automatically generated. Do not edit + connections { + con1 { + unique = replace + aggressive = no + version = 2 + mobike = yes + local_addrs = 203.0.113.1 + local-0 { + id = 203.0.113.1 + auth = psk + } + remote-0 { + id = 198.51.100.1 + auth = psk + } + encap = no + remote_addrs = 198.51.100.1 + proposals = aes256-sha256-modp2048 + children { + con1 { + start_action = start + policies = yes + mode = tunnel + sha256_96 = no + local_ts = 192.168.1.0/24 + remote_ts = 172.16.100.0/24 + reqid = 1 + esp_proposals = aes256-sha256-modp2048 + } + } + } + } + pools { + } + secrets { + ike-p1-0 { + id-0 = 198.51.100.1 + secret = 0saGVsbG93b3JsZA== + } + } + +To convert this configuration: + +- Go to :menuselection:`VPN -> IPsec -> Connections` +- Press **+** to add a new Tunnel and enable the `advanced mode` + +.. tabs:: + + .. 
tab:: Connections + + ========================================== ========================================== ========================================== + **Option** **Value** **swanctl.conf** + ========================================== ========================================== ========================================== + **Proposals** aes256-sha256-modp2048 (remove default) proposals = aes256-sha256-modp2048 + **Unique** Replace unique = replace + **Version** IKEv2 version = 2 + **Local addresses** 203.0.113.1 local_addrs = 203.0.113.1 + **Remote addresses** 198.51.100.1 remote_addrs = 198.51.100.1 + **Description** con1-phase1 + ========================================== ========================================== ========================================== + + Press `Save`, then move to `Local Authentication` and press **+** + + .. tab:: Local Authentication + + ========================================== ========================================== ========================================== + **Option** **Value** **swanctl.conf** + ========================================== ========================================== ========================================== + **Connection** con1-phase1 + **Round** 0 local-0 + **Authentication** Pre-Shared Key auth = psk + **Id** 203.0.113.1 id = 203.0.113.1 + **Description** 203.0.113.1 + ========================================== ========================================== ========================================== + + Press `Save`, then move to `Remote Authentication` and press **+** + + .. 
tab:: Remote Authentication + + ========================================== ========================================== ========================================== + **Option** **Value** **swanctl.conf** + ========================================== ========================================== ========================================== + **Connection** con1-phase1 + **Round** 0 remote-0 + **Authentication** Pre-Shared Key auth = psk + **Id** 198.51.100.1 id = 198.51.100.1 + **Description** 198.51.100.1 + ========================================== ========================================== ========================================== + + Press `Save`, then move to `Children` and press **+** + + .. tab:: Children + + ========================================== ========================================== ========================================== + **Option** **Value** **swanctl.conf** + ========================================== ========================================== ========================================== + **Connection** con1-phase1 + **Mode** Tunnel mode = tunnel + **Policies** X policies = yes + **Start action** Start start_action = start + **Reqid** 1000 reqid = 1 + **ESP proposals** aes256-sha256-modp2048 (remove default) esp_proposals = aes256-sha256-modp2048 + **Local** 192.168.1.0/24 local_ts = 192.168.1.0/24 + **Remote** 172.16.100.0/24 remote_ts = 172.16.100.0/24 + **Description** con1-phase2 + ========================================== ========================================== ========================================== + + Press `Save`, then `Save` again to store the new `Connection`. + + .. Note:: + + Read about the reqid in the section :ref:`Combining legacy tunnels and connections ` +Now we must configure a `Pre-Shared Key` that matches the `Local Authentication` and `Remote Authentication`: + +- Go to :menuselection:`VPN -> IPsec -> Pre-Shared Keys` +- Press **+** to add a new `Pre-Shared Key` + +.. tabs:: + + .. 
tab:: Pre-Shared Key + + ========================================== ========================================== ========================================== + **Option** **Value** **swanctl.conf** + ========================================== ========================================== ========================================== + **Local Identifier** 203.0.113.1 (required now) + **Remote Identifier** 198.51.100.1 id-0 = 198.51.100.1 + **Pre-Shared Key** helloworld secret = 0saGVsbG93b3JsZA== + **Type** PSK auth = psk + **Description** con1-phase1 + ========================================== ========================================== ========================================== + + .. Note:: + + Gather the unhashed secret from :menuselection:`VPN -> IPsec -> Tunnel Settings`. + Generally it is good practice to document these secrets in a password manager. + + +After the initial configuration, go to :menuselection:`VPN -> IPsec -> Tunnel Settings` and deactivate the `con1` tunnel by unchecking `Enabled` in `Phase1` and `Phase2`. + +Go back to :menuselection:`VPN -> IPsec -> Connections` and ensure the new tunnel is `Enabled`. Press `Apply` and the new configuration will be active. + + +.. _vpnet-combining-legacy-connections: + +.................................................................. Combining legacy tunnels and connections -------------------------------------------- +.................................................................. It is possible to combine tunnels and connections, but there are some constraints. As our legacy tunnels force a :code:`reqid` for each configured child (phase 2), there is a risk the automated numbering from the new connection children overlaps.
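Review bot: the first hunk changes the underline of "Migrating from tunnels to connections" from `-` to `.` and adds a matching overline, which moves this heading one level down in the reStructuredText hierarchy; the same change is applied to "Combining legacy tunnels and connections" in the second hunk, so please check that every remaining sibling heading in vpnet.rst uses the same overline/underline style, otherwise Sphinx will emit "Title level inconsistent" warnings and the section nesting in the rendered manual will differ from the intended one.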
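Review bot: the cross-reference in the Children tab, `Read about the reqid in the section :ref:`Combining legacy tunnels and connections ``, will not resolve: `:ref:` needs the label, and the trailing space breaks the role, so it should read `:ref:`Combining legacy tunnels and connections <vpnet-combining-legacy-connections>`` to use the `.. _vpnet-combining-legacy-connections:` target this hunk adds. Directly after that line, `+Now we must configure a `Pre-Shared Key`` follows the `.. Note::` inside the `.. tabs::` block without a blank line, which docutils reports as "Explicit markup ends without a blank line; unexpected unindent"; insert an empty `+` line before it. Two smaller points: the rewritten paragraph still says `:code:`swanctf.conf`` while the menu path and the rest of the hunk say `swanctl.conf`, and the Pre-Shared Key note asks to "Gather the unhashed secret", but the `0s` prefix on `secret = 0saGVsbG93b3JsZA==` denotes base64 encoding of the key, not a hash, so "plain-text secret" would be more accurate. It would also help readers if the Children table stated why the GUI value for **Reqid** is 1000 while the legacy file has `reqid = 1`, rather than only pointing at the combining section.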