OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Patrick M. Hausen on September 27, 2021, 08:53:18 AM

Title: Bulk creation of IPSec phase 2 entries?
Post by: Patrick M. Hausen on September 27, 2021, 08:53:18 AM
Hi all,

I am in the process of migrating our own installation from Sidewinder to OPNsense. One drawback in the OPNsense IPSec implementation seems to be that you must spell out each individual phase 2 SA.

E.g. in Sidewinder you could configure:

Local networks: 192.168.1.0/24, 192.168.2.0/24
Remote networks: 172.16.1.0/24, 172.16.2.0/24

and the system would configure 4 SAs.

In OPNsense you have to explicitly specify:

- 192.168.1.0/24 - 172.16.1.0/24
- 192.168.1.0/24 - 172.16.2.0/24
- 192.168.2.0/24 - 172.16.1.0/24
- 192.168.2.0/24 - 172.16.2.0/24

This is all fine and dandy, unless you have a particular peer with 3 local networks and 58 remote networks.

Is there any way to script the generation of these instead of entering them through the UI? Apart from generating XML, I mean?

If I go the road of generating XML, what precisely are these entries?
      <ikeid>6</ikeid>
      <uniqid>615166c20325d</uniqid>
      <reqid>43</reqid>
 

My guess:

- ikeid counts from 1 to n through the phase 2 SAs for each phase 1 entry
- reqid counts from 1 to n for each phase 2 SA globally
- uniqid is, well, something unique for each phase 2 SA

Is this correct? If yes, how are the <uniqid> generated?


Thanks!
Patrick
Title: Re: Bulk creation of IPSec phase 2 entries?
Post by: Patrick M. Hausen on September 27, 2021, 04:22:57 PM
OK, looks like the <ikeid> connects the phase 2 entries with their parent phase 1 entries:
            foreach ($cnf->ipsec->phase1 as $phase1) {
                $p2sequence = 0;
                foreach ($cnf->ipsec->phase2 as $phase2) {
                    // phase 2 entries belong to the phase 1 whose ikeid they carry
                    if ((string)$phase1->ikeid != (string)$phase2->ikeid) {
                        continue;
                    }
                    // ... remaining phase 2 handling omitted from the quote ...
                }
            }

<uniqid> is a PHP uniqid() value - 13 hex digits assumed to form a unique id, but not even guaranteed to do so.

Any hints about the motivation for the <reqid> entries greatly appreciated. So far I only found that they seem to be unique and in my current setup increasing from 1 to n without gaps. But what are they for? There already is a <uniqid> to manage individual entries ... sort order?

Kind regards,
Patrick
Title: Re: Bulk creation of IPSec phase 2 entries?
Post by: mimugmail on September 27, 2021, 08:57:34 PM
It's for NAT inside a phase 2
Title: Re: Bulk creation of IPSec phase 2 entries?
Post by: Patrick M. Hausen on September 27, 2021, 09:55:09 PM
So what do I need to do about them if I do not NAT? Just generate them unique and increasing?
Title: Re: Bulk creation of IPSec phase 2 entries?
Post by: mimugmail on September 28, 2021, 07:54:49 AM
Yep :)
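Putting the answers in this thread together (ikeid links a phase 2 entry to its phase 1, uniqid is a PHP uniqid()-style 13-hex-digit value, reqid only needs to be unique and increasing when no NAT is involved), here is an added example script that generates the cross product of local and remote networks as <phase2> elements. It is not OPNsense code and not the original poster's script. Only <ikeid>, <uniqid> and <reqid> are taken from the thread; the <mode>, <localid>/<remoteid> layout and <descr> are assumptions modelled on a config.xml export, and the sample config is constructed, so compare the output against an existing entry in your own backup before restoring it.

```python
"""Generate OPNsense IPsec <phase2> entries as the cross product of local and
remote networks (added example, not OPNsense's own code)."""
import itertools
import ipaddress
import time
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: ikeid, uniqid and reqid of the existing
# phase 2 entry are the values quoted in the thread, everything else is made up.
SAMPLE_CONFIG = """<opnsense>
  <ipsec>
    <enable>1</enable>
    <phase1><ikeid>6</ikeid><descr>branch peer</descr></phase1>
    <phase2><ikeid>6</ikeid><uniqid>615166c20325d</uniqid><reqid>43</reqid></phase2>
  </ipsec>
</opnsense>
"""


def php_uniqid(used):
    """Mimic PHP uniqid(): 8 hex digits of epoch seconds followed by 5 hex
    digits of microseconds (13 hex digits). PHP gives no uniqueness guarantee,
    so ids already present in the config are tracked in `used` and a
    colliding timestamp is simply retried."""
    while True:
        t = time.time()
        sec = int(t)
        usec = int((t - sec) * 1_000_000)
        uid = f"{sec:08x}{usec:05x}"
        if uid not in used:
            used.add(uid)
            return uid


def next_reqid(ipsec):
    """Next free <reqid>: one past the highest reqid already in the config,
    so the new entries stay unique and increasing without gaps."""
    existing = [int(r.text) for r in ipsec.findall("phase2/reqid") if r.text]
    return max(existing, default=0) + 1


def add_endpoint(parent, tag, net):
    """<localid>/<remoteid> layout: assumed from a config export, not from the thread."""
    endpoint = ET.SubElement(parent, tag)
    ET.SubElement(endpoint, "type").text = "network"
    ET.SubElement(endpoint, "address").text = str(net.network_address)
    ET.SubElement(endpoint, "netbits").text = str(net.prefixlen)


def build_phase2_entries(ipsec, ikeid, local_nets, remote_nets):
    """Append one <phase2> per (local, remote) pair to the <ipsec> element and
    return the new elements. ikeid must name an existing <phase1>."""
    if not any(p1.findtext("ikeid") == str(ikeid) for p1 in ipsec.findall("phase1")):
        raise ValueError(f"no phase1 with ikeid {ikeid}")
    used = {u.text for u in ipsec.findall("phase2/uniqid") if u.text}
    reqid = next_reqid(ipsec)
    # ip_network() is strict by default: a prefix with host bits set is rejected
    locals_ = [ipaddress.ip_network(n) for n in local_nets]
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    new = []
    for loc, rem in itertools.product(locals_, remotes):
        p2 = ET.SubElement(ipsec, "phase2")
        ET.SubElement(p2, "ikeid").text = str(ikeid)       # ties entry to its phase 1
        ET.SubElement(p2, "uniqid").text = php_uniqid(used)
        ET.SubElement(p2, "reqid").text = str(reqid)       # unique, increasing
        ET.SubElement(p2, "mode").text = "tunnel"          # assumed field
        add_endpoint(p2, "localid", loc)
        add_endpoint(p2, "remoteid", rem)
        ET.SubElement(p2, "descr").text = f"{loc} <-> {rem}"
        new.append(p2)
        reqid += 1
    return new


def generate(config_text, ikeid, local_nets, remote_nets):
    """Parse a config.xml text, add the cross product, return (root, new_entries)."""
    root = ET.fromstring(config_text)
    ipsec = root.find("ipsec")
    new = build_phase2_entries(ipsec, ikeid, local_nets, remote_nets)
    return root, new


if __name__ == "__main__":
    root, new = generate(SAMPLE_CONFIG, 6,
                         ["192.168.1.0/24", "192.168.2.0/24"],
                         ["172.16.1.0/24", "172.16.2.0/24"])
    ET.indent(root)  # Python 3.9+
    print(ET.tostring(root, encoding="unicode"))
```

With the two local and two remote networks from the first post this produces the four SAs listed there, with reqid continuing from the highest value already present. Because uniqid is only a timestamp, the script checks new ids against the ones already in the config rather than trusting the format to be unique.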
Title: Re: Bulk creation of IPSec phase 2 entries?
Post by: Patrick M. Hausen on September 28, 2021, 09:40:56 AM
Works as intended - thanks.

Shameless self-plug - this helps a lot when hacking OPNsense:
https://github.com/punktDe/vagrant-opnsense

I wonder why it doesn't get more attention in the forum? I'd always welcome feedback.

Kind regards,
Patrick
Title: Re: Bulk creation of IPSec phase 2 entries?
Post by: mimugmail on September 28, 2021, 11:15:19 AM
Because there are around 5 active devs in the forums with their own dev envs already set up, I'd guess :-\