Author Topic: Direct edit of ipsec.conf possible?  (Read 3586 times)

Kofl

Direct edit of ipsec.conf possible?
« on: November 05, 2018, 12:50:34 pm »
Hi,

We have for one VPN connection many subnets to route and via the GUI it's hard to add them.

Is it possible to edit the ipsec.conf directly, or where is OPNsense storing its own configuration for strongSwan?

Thanks

franco

Re: Direct edit of ipsec.conf possible?
« Reply #1 on: November 05, 2018, 03:00:18 pm »
The short answer is no...

Which entry are you adding? E.g. manual SPD works via drag+drop

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #2 on: November 05, 2018, 04:06:26 pm »
Left and right subnets, quite a lot - in the ipsec.conf it would be just two lines.

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #3 on: November 05, 2018, 06:20:54 pm »
We have 10 subnets on left and 12 subnets on right. How to add that via the GUI, when for every SPD the local network and the remote network must be entered?

mimugmail

Re: Direct edit of ipsec.conf possible?
« Reply #4 on: November 05, 2018, 06:39:26 pm »
No aggregation possible?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #5 on: November 05, 2018, 08:25:09 pm »
The VPN "partner" insists on every single small subnet routing.

mimugmail

Re: Direct edit of ipsec.conf possible?
« Reply #6 on: November 05, 2018, 10:40:34 pm »
Then you have to add all possible combinations by hand or hide all networks on your side behind one.

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #7 on: November 06, 2018, 08:16:53 am »
Thanks, not really what we expected.

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #8 on: November 06, 2018, 11:18:29 am »
Could we maybe work with "Manual SPD entries"?

Quote
Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma seperated list.

mimugmail

Re: Direct edit of ipsec.conf possible?
« Reply #9 on: November 06, 2018, 01:20:07 pm »
I only used it for hiding networks behind .. no idea if this would also work.
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #10 on: November 06, 2018, 01:32:54 pm »
Yes, we also used it for that. Maybe @Franco can enlighten us?

franco

Re: Direct edit of ipsec.conf possible?
« Reply #11 on: November 06, 2018, 11:01:37 pm »
NAT before IPsec can hide your outgoing networks under a single IP. You still have to list rightsubnets unless they NAT as well and provide services mapped to that IP. ;)


Cheers,
Franco
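
The trade-off discussed in replies #4, #6 and #11, worked through as an added example that is not part of the original thread or of OPNsense: it counts the local/remote pairs that must be entered for 10 left and 12 right subnets as given, after exact aggregation, and with the local side hidden behind one NAT address. All addresses are constructed and the function names are hypothetical.

```python
import ipaddress
from itertools import product

# Constructed sample data: 10 local and 12 remote /24 networks.
LEFT = [f"10.1.{i}.0/24" for i in range(10)]
RIGHT = [f"172.16.{i}.0/24" for i in (0, 1, 2, 3, 10, 20, 30, 40, 50, 60, 70, 80)]
NAT_ADDRESS = "192.168.255.1/32"  # constructed single address used for NAT before IPsec


def collapse(subnets):
    """Merge prefixes only where the result covers exactly the same addresses.

    collapse_addresses never widens coverage, so the tunnel's traffic
    selectors do not grow to include networks that were not listed.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def phase2_pairs(left, right):
    """Every local/remote combination that needs its own entry."""
    return [(str(l), str(r)) for l, r in product(left, right)]


def plan(left, right, nat_address):
    """Return the pair lists for the three options raised in the thread."""
    left_nets = [ipaddress.ip_network(s) for s in left]
    right_nets = [ipaddress.ip_network(s) for s in right]
    nat_net = [ipaddress.ip_network(nat_address)]
    return {
        # Reply #6: all combinations entered by hand.
        "as_given": phase2_pairs(left_nets, right_nets),
        # Reply #4: aggregation, if the remote side accepts it.
        "aggregated": phase2_pairs(collapse(left), collapse(right)),
        # Reply #11: local networks hidden behind one address,
        # remote subnets still listed one by one.
        "nat_before_ipsec": phase2_pairs(nat_net, right_nets),
    }


if __name__ == "__main__":
    for option, pairs in plan(LEFT, RIGHT, NAT_ADDRESS).items():
        print(f"{option}: {len(pairs)} entries, first = {pairs[0]}")
```
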

Kofl

Re: Direct edit of ipsec.conf possible?
« Reply #12 on: November 07, 2018, 10:57:31 am »
Thx, then we have to go the default way.