OPNsense Forum

English Forums => Virtual private networks => Topic started by: jenix on February 10, 2024, 10:53:21 AM

Title: OPNsense 24.1 does not recognize (legacy) IPSec tunnel config
Post by: jenix on February 10, 2024, 10:53:21 AM
Hi all

I had to do a fresh install of 24.1 due to some difficulties during the upgrade. During the import of my old config, OPNsense seems to discard the IPSec config of my tunnel settings (not my issue, just an annoyance). I have recreated them according to the documentation (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html), but it seems that strongSwan does not 'see' the configured connection. After enabling the tunnel and restarting IPSec, nothing happens and nothing is displayed in the "Status Overview" or "Lease Status".

The log file (set to debug) just reads:
2024-02-10T10:17:27 Informational charon 00[JOB] spawning 16 worker threads
2024-02-10T10:17:27 Informational charon 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2024-02-10T10:17:27 Informational charon 00[CFG] loaded 0 RADIUS server configurations
2024-02-10T10:17:27 Informational charon 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2024-02-10T10:17:27 Informational charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2024-02-10T10:17:27 Informational charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2024-02-10T10:17:27 Informational charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2024-02-10T10:17:27 Informational charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2024-02-10T10:17:27 Informational charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2024-02-10T10:17:27 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2024-02-10T10:17:27 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2024-02-10T10:17:27 Informational charon 00[CFG] using '/sbin/resolvconf' to install DNS servers
2024-02-10T10:17:27 Informational charon 00[LIB] providers loaded by OpenSSL: default legacy
2024-02-10T10:17:27 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.13, FreeBSD 13.2-RELEASE-p9, amd64)


When modifying the phase 1 / phase 2 settings, the following entries appear in the log:
2024-02-10T10:56:43   Informational   charon   05[CFG] loaded 0 RADIUS server configurations   
2024-02-10T10:56:43   Informational   charon   05[CFG] loaded 0 entries for attr plugin configuration   
2024-02-10T10:56:43   Informational   charon   05[LIB] no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'

Phase 1 and Phase 2 are enabled, as well as the "Enable IPsec" option. Does anyone have an idea what I am doing wrong?

I also tried to migrate my tunnel to the new "connection" configuration. But I was not able to find the correct documentation for my use case (an IPSec tunnel over the internet between my OPNsense and a pfSense firewall with DynDNS). Is there a good guide for that?

Thank you already very much for your support.
Title: Re: OPNsense 24.1 does not recognize (legacy) IPSec tunnel config
Post by: miken32 on February 14, 2024, 06:30:52 PM
All those notices are expected in a typical site-to-site setup. Make sure that `/usr/local/etc/swanctl/swanctl.conf` is populated with expected values; if not maybe ensure the P1 and P2 entries are enabled?

I've been migrating from legacy connections this week and the generated config for both ends up being almost identical; I don't deal with dynamic IPs but I would guess you should just be able to use a domain name instead of IP address for the far side.

What helped me was looking at the contents of `/usr/local/etc/swanctl/swanctl.conf` with the legacy connection and then working towards that in the new connection. The web UI for new connections is aligned very closely to the layout of the config file.
Title: Re: OPNsense 24.1 does not recognize (legacy) IPSec tunnel config
Post by: jenix on February 15, 2024, 11:16:46 AM
Thanks for the reply. I finally figured out what went wrong:
My `/usr/local/etc/swanctl/swanctl.conf` config somehow got corrupted. It looked absolutely correct, but couldn't be loaded by swanctl. I tried to manually reload my settings using `swanctl --load-all`, when it complained about invalid characters at one of the lines containing my pool configuration. Those were in fact the pools I configured in the new 'connection' settings. Unfortunately, I can't reproduce the exact issue with the naming. But after deleting the pools in the WebGUI and adding them again, the config was valid, swanctl loaded and my connection appeared in the connection overview.
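A small checker for swanctl.conf-style files, added here as an example and not part of the thread or of OPNsense/strongSwan: it reports lines carrying non-ASCII or non-printable characters (the sort of "invalid character" that `swanctl --load-all` rejected above), names that fall outside a conservative character set, and unbalanced braces. The character rules are an assumption for this check rather than strongSwan's exact lexer, and the sample config is constructed.

```python
import re

# Conservative name rule (assumption, not strongSwan's lexer): letters,
# digits, '_', '-', '.' for section and key names.
NAME_RE = re.compile(r'^[A-Za-z0-9_.\-]+$')

def check_swanctl_conf(text):
    """Return a list of (line_number, message); an empty list means no findings."""
    problems = []
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Bytes outside printable ASCII (tab allowed) are what a corrupted
        # pool name typically carries; report them before parsing structure.
        bad = sorted({c for c in raw if not (32 <= ord(c) < 127 or c == '\t')})
        flagged = bool(bad)
        if flagged:
            problems.append((lineno, 'non-ASCII/non-printable character(s): %r' % ''.join(bad)))
        line = raw.split('#', 1)[0].strip()  # naive: '#' inside quotes also cut
        if not line:
            continue
        if line == '}':
            depth -= 1
            if depth < 0:
                problems.append((lineno, "unexpected '}'"))
                depth = 0
        elif line.endswith('{'):
            name = line[:-1].strip()
            if not flagged and not NAME_RE.match(name):
                problems.append((lineno, 'invalid section name %r' % name))
            depth += 1
        elif '=' in line:
            key = line.partition('=')[0].strip()
            if not flagged and not NAME_RE.match(key):
                problems.append((lineno, 'invalid key %r' % key))
        elif line.startswith('include '):
            continue
        elif not flagged:
            problems.append((lineno, 'unrecognised line %r' % line))
    if depth != 0:
        problems.append((0, 'unbalanced braces: %d section(s) left open' % depth))
    return problems

# Constructed sample: a pool name containing a non-breaking space (\u00a0),
# referenced on line 6 and defined on line 16; not an OPNsense-generated file.
SAMPLE = ("# constructed sample\nconnections {\n    con1 {\n"
          "        local_addrs = 192.0.2.1\n        remote_addrs = vpn.example.net\n"
          "        pools = pool\u00a01\n        children {\n            net {\n"
          "                local_ts = 10.0.1.0/24\n                remote_ts = 10.0.2.0/24\n"
          "            }\n        }\n    }\n}\npools {\n    pool\u00a01 {\n"
          "        addrs = 10.99.0.0/24\n    }\n}\n")

if __name__ == '__main__':
    for lineno, msg in check_swanctl_conf(SAMPLE):
        print('line %d: %s' % (lineno, msg))
```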