OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: olest on October 27, 2023, 10:56:30 AM

Title: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: olest on October 27, 2023, 10:56:30 AM
How do I configure IPSEC in the new connections with remote endpoint as hostname and Identities as IP addresses?

In the old config I just put the hostname in Remote Endpoint, set up the PSK and set the Identities to My IP and Remote IP.

How do I configure that in the new IPSEC PSK setup?
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: Monviech (Cedrik) on October 27, 2023, 10:59:44 AM
The identities can be set in "VPN: IPsec: Connections" when the mask for a new connection is open and it was saved one time. Local Authentication and Remote Authentication. It can be anything, IP address, hostname, FQDN, etc...

Set Authentication to "Pre-Shared Key" and set the ID to what you want.

The IDs should match in "VPN: IPsec: Pre-Shared Keys".
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: olest on October 27, 2023, 11:03:06 AM
I need it to resolve the hostname from Remote Endpoint and use the IP as Remote Identity. That's how it worked before. I don't see how I can do that now. If I put the hostname in Remote Authentication it does not resolve it and use the IP.
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: Monviech (Cedrik) on October 27, 2023, 11:10:25 AM
Here is what ID supports; OPNsense uses swanctl below unaltered. I don't know about resolving hostnames, but if it's supported it should be stated here:

https://docs.strongswan.org/docs/5.9/config/identityParsing.html

Quote
If the string begins with @, the type is set to FQDN and the encoding is the literal string after that prefix. In strongSwan versions before 5.0.0 this prefix prevented that a FQDN was resolved into an IP address whereas current versions don't automatically resolve FQDNs when parsing identities.
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: olest on October 27, 2023, 11:25:44 AM
Can I use DNS type then in the GUI of the new IPSEC?

"If the value has the form <type>:<value> (supported since version 5.2.2), the type and value are explicitly specified:

The following types are known: ipv4, ipv6, ipv4net, ipv6net, ipv4range, ipv6range, rfc822, email, userfqdn, fqdn, dns, asn1dn, asn1gn and keyid. Custom type prefixes may be specified by surrounding the numerical type value with curly brackets."
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: Monviech (Cedrik) on October 27, 2023, 11:32:20 AM
Yea probably. Inputting something like "dns:example.com" creates it in "/usr/local/etc/swanctl/swanctl.conf". It would be interesting if it does what you want and solves your problem.

strongSwan swanctl also seems to be version >5.9, so it should be supported and work.
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: olest on October 27, 2023, 12:14:09 PM
I'll try that next week.

Where in the GUI should I use it?

PSK definition or Remote Identity in Connection setup?
Title: Re: New IPSEC setup with hostname in Remote endpoint and PSK
Post by: Monviech (Cedrik) on October 27, 2023, 12:19:47 PM
Probably in both. I will also test this since it interests me.
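For reference, here is what the two places discussed in this thread (the connection's identities and the matching pre-shared key entry) look like in swanctl.conf terms. This is an added illustration written for this page, not OPNsense's generated file and not something posted by either participant; the hostname vpn-b.example.com, the documentation-range addresses 203.0.113.10 and 198.51.100.20, the subnets 10.0.1.0/24 and 10.0.2.0/24, the connection name and the key value are all constructed placeholders. The point it shows: remote_addrs may be a hostname and is resolved when the connection is brought up, whereas the id values are never resolved, so an IP identity has to be written as the literal address the peer presents, and the secrets entry must carry the same two IDs.

```conf
# Constructed swanctl.conf fragment (not OPNsense-generated).
# Remote endpoint is a hostname; both IKE identities are IP addresses.
connections {
    site-b {
        # remote_addrs is resolved by strongSwan when the SA is initiated.
        local_addrs  = 203.0.113.10
        remote_addrs = vpn-b.example.com
        version = 2
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            # Must equal id-local in the secrets block below.
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # Identities are not resolved: this is the literal IDr the peer sends.
            # "id = dns:vpn-b.example.com" would be a typed FQDN identity, i.e.
            # the string itself, and would only match a peer that sends that FQDN.
            id = 198.51.100.20
        }
        children {
            lan-to-lan {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                esp_proposals = aes256-sha256-modp2048
                start_action = start
            }
        }
    }
}

secrets {
    # The IDs here have to match the connection's local/remote id values;
    # this is the "IDs should match" rule from the thread.
    ike-site-b {
        id-local  = 203.0.113.10
        id-remote = 198.51.100.20
        secret = "CONSTRUCTED-PLACEHOLDER-REPLACE-ME"
    }
}
```

On OPNsense this file is generated from the GUI, so the fragment is for checking the result rather than hand-editing. After the configuration is loaded (swanctl --load-all), swanctl --list-conns shows the resolved remote address and the identities the connection expects, and swanctl --list-sas shows the identity the peer actually presented; a mismatch between the two is the usual reason a PSK connection with a hostname endpoint fails to authenticate.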