OPNsense Forum

English Forums => Virtual private networks => Topic started by: MoonbeamFrame on August 29, 2023, 01:37:43 pm

Title: IPsec migrating to Connections [new] for Draytek 286x routers
Post by: MoonbeamFrame on August 29, 2023, 01:37:43 pm
Before I consider upgrading to 23.7 I need to migrate 24 VPNs currently configured via Tunnel Settings to Connections [new].

While I have already moved some of the OPNsense to OPNsense tunnels I have still to get a Draytek tunnel running.

They are all currently configured using the same template, so if I get one running I'll be able to get the rest done.


Draytek configuration:

- Dial-out, Always on
- IKEv2
- PSK
- AES with authentication
- IKE Phase 1 aes256/sha256/dh14  [aes256-sha256-modp2048]
   I have also tried aes256/sha256/dh21 [aes256-sha256-ecp521]
- IKE Phase 2 aes256/sha256
- IKE phase 1 key lifetime 86400
- IKE phase 2 key lifetime 86400
- pfs enabled

I have also created and tested a Draytek profile that will handle dial-in and Dial-out to see if this would work.

The reason for the Dial-out setting is that a few of the Draytek sites have more than one subnet. If the OPNsense firewall originates the connection then only the primary subnet SA establishes. If the Draytek router originates the connection then all SAs establish.

As already noted in the forum, and when I migrated an OPNsense to OPNsense tunnel, the ESP rules were not automatically created. From watching the traffic I have created rules to cover ESP, ISAKMP and IPsec NAT-T.

One thing I am not sure about is whether, having created a Pre-Shared Key entry for the connection using an email address as the Local Identifier, this email address is what is used in the Local Authentication Id field when Authentication is Pre-Shared Key (which is what I have used).

If anyone has managed to get a Connections [new] tunnel running to a Draytek router I would appreciate any tips.



Title: Re: IPsec migrating to Connections [new] for Draytek 286x routers
Post by: anomaly0617 on August 29, 2023, 06:00:53 pm
This doesn't answer your question specifically, but just my two cents on it.... In IPSec for a Phase 1 tunnel, at the very top, there's a field that defines whether either side can attempt to establish the tunnel, or if one side does it immediately, on traffic, or just listens for a connection. I've used this in the past to dictate when tunnels are established.

As far as the "Connections (new)" section is concerned, I'm an old crusty OPNsense user, having switched over around 2016. I'm still confused what this "Connections (new)" section is for. I know what I'd like it to be for - multiple IP addresses for the same location, like for where we have redundant internet connections and if one goes down or is unavailable, it "fails over" to the next one in the list - but I've not found the documentation stating officially what its purpose is.

Title: Re: IPsec migrating to Connections [new] for Draytek 286x routers
Post by: MoonbeamFrame on August 30, 2023, 04:40:48 pm
Quote
As far as the "Connections (new)" section is concerned, I'm an old crusty OPNsense user, having switched over around 2016. I'm still confused what this "Connections (new)" section is for.

It is a replacement for VPN: IPsec: Tunnel Settings which has now been deprecated.

From the 23.7 release notes:

Quote
o IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended.  An appropriate EoL announcement will be made next year.

I am making progress in that I can now get a tunnel up. It is running with no changes to the Draytek end of the connection. That is, I am using the same connection profile on the Draytek with either the old Tunnel Settings or the new Connections [new] profile on the OPNsense firewall.

My next hurdle is that when using the Connections [new] profile I am not seeing any traffic moving across the firewall. This is not consistent with what I saw when migrating OPNsense to OPNsense tunnels.

A question that also comes to mind is that for future tunnels I'll need to create additional pre-shared keys [in VPN: IPsec: Pre-Shared Keys] with the same Local Identifier. The creation of pre-shared keys prevents duplicates but allows multiple Local Identifiers with unique Remote Identifiers. How does the local/remote authentication know which of the multiple Local Identifiers to use?
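As an added illustration (not part of this thread and not OPNsense's own generated configuration), the Draytek profile from the first post expressed as the strongSwan swanctl.conf that Connections [new] drives underneath. Addresses, subnets, identifiers and the keys are constructed placeholders; the secrets section shows why several PSK entries can share one Local Identifier, since strongSwan selects a secret by matching both the local id and the peer's id.

```conf
# Added example: swanctl.conf equivalent of the Draytek profile in the
# first post. All addresses, subnets, ids and keys are constructed.
connections {
    draytek-site1 {
        version = 2                      # IKEv2
        local_addrs  = 203.0.113.10      # OPNsense WAN (placeholder)
        remote_addrs = 198.51.100.20     # Draytek WAN (placeholder)
        # Phase 1: aes256/sha256/dh14
        proposals = aes256-sha256-modp2048
        rekey_time = 24h                 # IKE key lifetime 86400 s
        local {
            auth = psk
            id = fw@example.com          # the PSK entry's "Local Identifier"
        }
        remote {
            auth = psk
            id = site1@example.com       # the PSK entry's "Remote Identifier"
        }
        children {
            site1 {
                local_ts  = 10.0.0.0/24
                # Several remote subnets; IKEv2 narrows each SA to what the
                # peer proposes, so a per-subnet SA from the Draytek matches.
                remote_ts = 10.1.0.0/24,10.2.0.0/24
                # Phase 2 aes256/sha256; the DH group here is what "pfs enabled" means
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 24h         # IPsec key lifetime 86400 s
                # Responder only: the Draytek (dial-out, always on) initiates,
                # which is what brings up every subnet rather than just the primary
                start_action = none
            }
        }
    }
}

secrets {
    # strongSwan picks the secret whose listed ids match both the local id
    # and the peer's id, so entries may share id-1 as long as id-2 differs.
    ike-site1 {
        id-1 = fw@example.com
        id-2 = site1@example.com
        secret = "CONSTRUCTED-PSK-SITE1-REPLACE-ME"
    }
    ike-site2 {
        id-1 = fw@example.com
        id-2 = site2@example.com
        secret = "CONSTRUCTED-PSK-SITE2-REPLACE-ME"
    }
}
```

The ESP, ISAKMP (UDP/500) and NAT-T (UDP/4500) firewall rules mentioned earlier still have to exist on the WAN interface; nothing in this file creates them.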