Messages - GurliGebis

#1
I'm using an IKEv2 tunnel for remote clients to connect in using Microsoft Active Directory credentials (EAP-RADIUS).
So in the legacy setup, I have to define a certificate for strongswan to identify itself to the clients.
I can also see there is a "children" section in the generated swanctl.conf file, which contains what I can only assume are the phase 2 parameters, which are also missing in the new UI :)

It's good to hear that there is no rush to remove the old UI (which is what I was fearing, and what got me a bit scared, since the new one seems to be quite early in development still)
#2
Okay, that explains why half of the things needed to set it up are missing.

From how I read the 23.7 announcement, it sounds like the legacy version is going to be removed next year - I assume it will match the old one by then :)

Since the old one is already generating swanctl.conf instead of the old config file (not sure what the name of it is now) - shouldn't it be somewhat possible to create a migration, so old legacy setups just get converted? (I mean, if setting A in the legacy setup and setting X in the new one result in the same thing in the config file, it should be possible to transfer over)
#3
Hey,

I'm looking into migrating my IKEv2 ipsec tunnels from the legacy setup to the new setup.
However, it seems like several fields from the "classic" setup are missing, like the phase 1 certificate and identifier.

Is there a guide somewhere that tells what from the old setup maps to what in the new setup?
Also, I would expect it to be on feature parity before being deprecated, but that doesn't seem to be the case right now (Unless I'm missing something)
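For readers mapping the legacy fields onto the swanctl format the posts above mention, here is a minimal swanctl.conf for the setup described (IKEv2 road warriors, gateway authenticated by certificate, users authenticated against AD through EAP-RADIUS). This is an added illustration in strongSwan's own swanctl syntax, not the poster's configuration and not what OPNsense generates; vpn.example.com, the certificate file name, the pool addresses and the DNS server are placeholders. The "children" section is where the CHILD_SA settings live, which is what the legacy UI labels phase 2.

```conf
# Added example, not the poster's file and not OPNsense-generated output.
# Placeholders: vpn.example.com (gateway name, must equal the certificate's
# SAN), vpn.example.com.pem under /usr/local/etc/swanctl/x509 with its key
# under /usr/local/etc/swanctl/private, 10.10.10.0/24 as the client pool.
# The RADIUS server itself is not configured here but in strongswan.conf
# under charon.plugins.eap-radius.
connections {
    rw-eap {
        version = 2
        local_addrs = 0.0.0.0/0
        proposals = aes256-sha256-ecp384
        pools = rw-pool
        # Windows clients expect the gateway certificate even when they
        # do not send a certificate request themselves.
        send_cert = always

        # Legacy "phase 1" identity: the certificate the gateway presents
        # and the identifier it claims. Clients check id against the SAN.
        local {
            auth = pubkey
            certs = vpn.example.com.pem
            id = vpn.example.com
        }

        # Clients send AD username/password via EAP; charon relays the EAP
        # exchange to the RADIUS server (NPS or similar).
        remote {
            auth = eap-radius
            eap_id = %any
        }

        # CHILD_SAs, i.e. the legacy UI's phase 2 entries: traffic
        # selectors, ESP proposals and DPD behaviour.
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384
                dpd_action = clear
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.10.10.0/24
        dns = 10.10.0.53
    }
}
```

Two checks worth doing before pointing real clients at it: `swanctl --load-all` must report the connection and the pool without errors, and the certificate named in `certs` must chain to a CA the clients trust and carry the `id` as a subjectAltName, otherwise Windows and Apple clients reject the gateway before EAP even starts.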
#4
21.1 Legacy Series / Re: Unbound views
February 13, 2021, 10:02:22 PM
I just had to set up views.

What I did was to create a config file for it manually, and then include that using the "Custom Options" field.
#5
I optimized it a bit: instead of having to use a conditional forwarder for my internal DNS, I included a custom config for Unbound that overrides the host only for my IoT VLAN :)
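The two posts above (a hand-written Unbound views file pulled in via "Custom Options", then a per-VLAN override of a single host) map onto Unbound's view mechanism like this. This is an added example of Unbound's own configuration syntax, not the poster's file and not anything OPNsense generates; the 192.168.50.0/24 IoT VLAN, the 192.168.50.1 gateway address on it and the file path are placeholders.

```conf
# Added example, not the poster's config and not OPNsense-generated.
# Placeholders: 192.168.50.0/24 is the IoT VLAN, 192.168.50.1 is the
# firewall's address on that VLAN, nucleo.neatocloud.com is the cloud host
# being redirected to a local port-forward.
# Save as e.g. /usr/local/etc/unbound/iot-view.conf and put
#   include: "/usr/local/etc/unbound/iot-view.conf"
# into Services > Unbound DNS > General > Custom options.
server:
    # Queries arriving from the IoT netblock are answered from the "iot"
    # view. The netblock still needs a normal access-control allow entry,
    # which OPNsense adds for its local networks.
    access-control-view: 192.168.50.0/24 iot

view:
    name: "iot"
    # Anything the view does not define falls through to the global
    # configuration, so only the names listed here behave differently.
    view-first: yes
    # redirect answers the zone apex and every name below it with the
    # local-data record; other VLANs keep resolving the real address.
    local-zone: "nucleo.neatocloud.com." redirect
    local-data: "nucleo.neatocloud.com. A 192.168.50.1"
```

After editing, `unbound-checkconf` on the resulting config catches syntax slips before a restart takes the resolver down. The override only holds as long as the devices cannot reach another resolver, which is the case in this thread because port 53 on the IoT VLAN is only permitted towards the gateway; a device that speaks DNS over HTTPS to a public resolver would bypass the view entirely.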
#6
Okay, I'll leave it as is - it seems to be working now, which is the most important part.

Limiting IoT devices is an interesting challenge.
#7
Me too - do you think it would have worked lowering the alias interval to something lower than the TTL on the records?
#8
Quote from: Fright on February 13, 2021, 07:44:37 PM
can try to enable "Do not use the local DNS service as a nameserver for this system" on "System: Settings: General"
https://docs.opnsense.org/manual/settingsmenu.html#general

Yep, that did the trick.
Had to do some other tricks to get the app to work (conditional forwarding of that domain directly outside from my internal DNS server).

It is a mess, but it works :)
#9
Quote from: Fright on February 13, 2021, 03:29:10 PM
neato really should share cloud ip-ranges
Quote: device is configured to use the opnsense as DNS
in this case there is one wild idea: point beehive.neatocloud.com and nucleo.neatocloud.com to LAN interface IPs (need virtual IP for second address) and port-forward requests from IoT on port 443 to Host-Aliases. probably it will be necessary to reduce the Aliases Resolve Interval a little
(need to be tested. just an idea)

I just tried this - the only problem with this is that if I set a host override on the opnsense box, it causes it to resolve the alias to this IP too, since it is using itself as a DNS server.
#10
Hmm, the port forward idea might work.
Would a virtual ip on the same VLAN work?
#11
No devices on that VLAN are allowed to talk on port 53, except with the gateway, so I'm pretty sure it is only using the gateway as DNS. Also, the DNS logfile shows the requests 🙂

Hmm, so you say the alias is not using the same dns response the device is getting? That makes it impossible to get working, or am I missing something?
#12
Hmm, okay.

It is weird, the device is configured to use the opnsense as DNS, so they should both resolve the same records.
But somehow, it seems like the device is getting a different response than what is added to the pfTable. (Looking at the firewall log, it shows it trying to connect to one of the other IPs than the one currently in the table.)
#13
Adding the entire AWS address pool sounds a bit too much.

The right solution would be for OpnSense to take all the A records and add all the results to the pfTable.
If there is no way to do it currently, I'll create a ticket in github about it :)
#14
What parameters should I set? (not sure, since there does not seem to be any w.r.t. this).

The one I'm trying to use is "nucleo.neatocloud.com" - if I look it up at https://www.ultratools.com/tools/dnsLookup, I get three different A records.

However, when I add "nucleo.neatocloud.com" as a Host alias, only one of them gets added to the pfTable.
Which one changes in a round-robin fashion, like normal DNS does when there is more than one A record.

So what I'm asking is, if there is a way to ensure that all the A records are added to the pfTable, and not just one of them.
#15
I'm trying to limit my IoT network to only talk to what it needs to.

I have a hostname that one of my devices needs to talk to, and if I use an online DNS resolver, I can see it resolves to 3 A records (with different IPs).

The problem is, it seems that only one of these gets added to the pfTable for the alias.
So it seems like it only uses the first response it gets, instead of looking up the entire record for the host.

Is there a way to fix this, or am I back to having to allow HTTPS traffic for this device to all IP's?
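The problem described in the last two posts (a hostname with three A records, only one of which ends up in the pf table) can be worked around outside the alias machinery by resolving the whole RRset yourself and loading every address into a pf table. The script below is an added example, not the poster's code and not part of OPNsense; it assumes host(1) and pfctl(8) are present (they are on an OPNsense box), the table name IoT_nucleo is a placeholder, and the embedded host(1) output is constructed with documentation addresses so the parsing step can be exercised without network access.

```shell
#!/bin/sh
# Added example (not the poster's nor OPNsense's own code): resolve every A
# record of a hostname and load the whole set into a pf table, so a resolver
# that hands back one round-robin address at a time does not leave gaps in
# the allow rule.
# Assumptions: host(1) and pfctl(8) are available (they are on OPNsense);
# the table name IoT_nucleo is a placeholder; the sample host(1) output below
# is constructed, using documentation addresses.

SAMPLE_HOST_OUTPUT='nucleo.neatocloud.com is an alias for lb.example.net.
lb.example.net has address 192.0.2.11
lb.example.net has address 192.0.2.10
lb.example.net has IPv6 address 2001:db8::1
lb.example.net has address 192.0.2.12
lb.example.net has address 192.0.2.10'

# Read host(1) output on stdin and print each distinct IPv4 address once.
# CNAME lines ("is an alias for") and AAAA lines ("has IPv6 address") are
# skipped; the regex keeps only dotted-quad rdata.
parse_a_records() {
    awk '$2 == "has" && $3 == "address" && $4 ~ /^[0-9.]+$/ { print $4 }' | sort -u
}

# Query the resolver for the full A RRset. host(1) prints every record in
# the answer section, not just the first one.
resolve_all_a() {
    host -t A "$1" | parse_a_records
}

# Replace the table contents atomically with the current RRset.
# Run this from cron more often than the record TTL and against the same
# resolver the IoT devices use, otherwise the set in the table and the set
# the devices see will drift apart (which is the symptom in this thread).
sync_table() {
    addrs=$(resolve_all_a "$1")
    if [ -z "$addrs" ]; then
        echo "no A records for $1, leaving table $2 untouched" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word splitting on $addrs is intended
    pfctl -t "$2" -T replace $addrs
}

# Parse the constructed sample so the parsing step can be checked offline.
demo_parse() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_a_records
}

if [ "$#" -ge 1 ]; then
    sync_table "$1" "${2:-IoT_nucleo}"
else
    demo_parse
fi
```

Run it as `sh sync-a-records.sh nucleo.neatocloud.com IoT_nucleo` from cron; with no arguments it only prints the addresses parsed from the constructed sample. One caveat: if the table is the one OPNsense itself maintains for a host alias, the firewall's own alias refresh will overwrite whatever this loaded, so point the firewall rule at a table that OPNsense does not refresh on its own schedule.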