OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Kofl on November 05, 2018, 12:50:34 pm

Title: Direct edit of ipsec.conf possible?
Post by: Kofl on November 05, 2018, 12:50:34 pm
Hi,

we have many subnets to route for one VPN connection, and via the GUI it's hard to add them.

Is it possible to edit the ipsec.conf directly, or where does OPNsense store its own configuration for strongSwan?

Thanks
Title: Re: Direct edit of ipsec.conf possible?
Post by: franco on November 05, 2018, 03:00:18 pm
The short answer is no...

Which entry are you adding? E.g. manual SPD works via drag+drop
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 05, 2018, 04:06:26 pm
left and right subnets, quite a lot - would be at the ipsec.conf just two lines.
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 05, 2018, 06:20:54 pm
We have 10 subnets on left and 12 subnets on right. How to add that via the GUI, when for every SPD the local network and the remote network must be entered?
Title: Re: Direct edit of ipsec.conf possible?
Post by: mimugmail on November 05, 2018, 06:39:26 pm
No aggregation possible?
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 05, 2018, 08:25:09 pm
The VPN "partner" insists on every single small subnet routing
Title: Re: Direct edit of ipsec.conf possible?
Post by: mimugmail on November 05, 2018, 10:40:34 pm
Then you have to add all possible combinations by hand or hide all networks on your side behind one.
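To make the two options in this reply concrete, here is an added example (not from the thread or from OPNsense itself) that counts how many one-local/one-remote Phase 2 entries a set of subnets needs in the GUI, checks whether prefixes can be aggregated first, and renders the same selectors as the two comma-separated ipsec.conf lines the opener had in mind. The subnets are constructed sample values; the thread only gives the counts.

```python
import ipaddress
from itertools import product

# Constructed sample subnets for illustration; the thread only gives the counts
# (10 on the left, 12 on the right), not the actual prefixes.
LEFT_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
RIGHT_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "172.16.5.0/24"]


def parse_subnets(cidrs):
    """Parse CIDR strings strictly so a prefix with host bits set is rejected."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def aggregate(nets):
    """Collapse adjacent or contained prefixes; fewer prefixes means fewer Phase 2 entries."""
    return list(ipaddress.collapse_addresses(nets))


def phase2_pairs(left, right):
    """Every (local, remote) combination the GUI needs as its own Phase 2 entry."""
    return [(l, r) for l, r in product(left, right)]


def overlapping_pairs(left, right):
    """Local/remote selectors that overlap; traffic for them would be ambiguous."""
    return [(l, r) for l, r in product(left, right) if l.overlaps(r)]


def ipsec_conf_lines(left, right):
    """The two comma-separated ipsec.conf lines covering the same traffic selectors."""
    return [
        "leftsubnet=" + ",".join(str(n) for n in left),
        "rightsubnet=" + ",".join(str(n) for n in right),
    ]


if __name__ == "__main__":
    left, right = parse_subnets(LEFT_SUBNETS), parse_subnets(RIGHT_SUBNETS)
    print(f"GUI Phase 2 entries needed: {len(phase2_pairs(left, right))}")
    print(f"After aggregation: {len(phase2_pairs(aggregate(left), aggregate(right)))}")
    print("\n".join(ipsec_conf_lines(left, right)))
```

With the thread's real counts (10 x 12) the same script reports 120 GUI entries, which is the "all possible combinations by hand" case; the aggregation check shows whether the partner's insistence on single small subnets actually rules out collapsing any of them.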
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 06, 2018, 08:16:53 am
Thanks, not really what we expected.
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 06, 2018, 11:18:29 am
Could we maybe work with "Manual SPD entries"?

Quote
Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma separated list.
Title: Re: Direct edit of ipsec.conf possible?
Post by: mimugmail on November 06, 2018, 01:20:07 pm
I only used it for hiding networks behind .. no idea if this would also work.
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 06, 2018, 01:32:54 pm
Yes, we also used it for that. Maybe @Franco can enlighten us?
Title: Re: Direct edit of ipsec.conf possible?
Post by: franco on November 06, 2018, 11:01:37 pm
NAT before IPsec can hide your outgoing networks under a single IP. You still have to list rightsubnets unless they NAT as well and provide services mapped to that IP. ;)


Cheers,
Franco
Title: Re: Direct edit of ipsec.conf possible?
Post by: Kofl on November 07, 2018, 10:57:31 am
Thx, then we have to go the default way.