23.1 Legacy Series / seeking advice, IPsec VPN, legacy -> strongswan
« on: February 03, 2023, 12:49:34 pm »
Hello,
I would appreciate expert advice for a specific scenario based on OPNsense 22.7.11_1-amd64, FreeBSD 13.1-RELEASE-p5, OpenSSL 1.1.1s, 1 Nov 2022 please.
So far I am using IPsec VPN with IPv4, IKE, aggressive, AES (256 bits) + SHA1 + DH Group 2, Mutual PSK successfully. DH Group 2 is known to be not compliant with current recommendations but unfortunately a hard interoperability limitation of the VPN endpoint (It is strongly advised to use at least a 2048 bit key length for MODP Diffie-Hellman groups).
The release notes for 23.1 state regarding IPsec:
- 23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with a blocklist rewrite in Python, improved WAN SLAAC operability, firewall alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates, MVC/API pages for packet capture/virtual IPs/IPsec connection management, IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient custom backend support (including Azure), WireGuard kernel module plugin variant as the new default plus much more.
- ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
- The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.

- Sorry, I am confused whether or not legacy tunnel settings/configurations will be migrated automatically or not. In the event they will be automatically migrated I would like to know at which point during the upgrade they are migrated please, i.e. does automatic migration apply to a fresh install with immediate supply of the existing 22.7.11_1 configuration also?
- DH Group 2 appears to be unavailable in 23.1 for good reasons. In the event of automated legacy tunnel setting/configuration migration how is such conflict (e.g. a deprecated DH Group 2) resolved please?
- Is there an easy way to configure strongswan / charon within opnsense to support DH Group 2 please?
- In the event there is no automated migration: Is there a step by step migration guideline for average users showing which legacy GUI setting must go into which strongswan GUI field, and how?
Please accept my apologies upfront in the event I missed or overlooked any important aspect.
Thank you so much for your expert advice and helping me to manage a future upgrade to 23.x to come successfully.
Thanks to the developers for such great opnsense software and their efforts!
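The parameters described in the post (IKEv1, aggressive mode, AES-256, SHA1, DH Group 2, mutual PSK) expressed in plain strongSwan swanctl.conf syntax, as an added illustration that is not part of the original post and not OPNsense's generated configuration file. DH Group 2 is what strongSwan calls modp1024, so the legacy ipsec.conf line ike=aes256-sha1-modp1024 maps to proposals = aes256-sha1-modp1024 below. The connection name, addresses (RFC 5737 documentation ranges), identities, subnets and secret are constructed placeholders:

```conf
# Added example: strongSwan swanctl.conf equivalent of the legacy
# IKEv1 aggressive / AES-256 / SHA1 / DH Group 2 / PSK tunnel.
# All addresses, IDs, subnets and the secret are constructed placeholders.
connections {
    legacy-site {
        version = 1                 # IKEv1 (legacy endpoint requirement)
        aggressive = yes            # aggressive mode, as in the legacy setup
        local_addrs  = 203.0.113.1  # placeholder: this firewall's WAN address
        remote_addrs = 198.51.100.1 # placeholder: remote VPN endpoint
        # IKE proposal: AES-256, SHA1 integrity/PRF, DH Group 2 = modp1024.
        # modp1024 is below the 2048-bit minimum the page quotes; it is kept
        # here only because the remote endpoint cannot negotiate anything newer.
        proposals = aes256-sha1-modp1024
        local {
            auth = psk
            id = @left-id.example      # placeholder local identifier
        }
        remote {
            auth = psk
            id = @right-id.example     # placeholder remote identifier
        }
        children {
            net {
                local_ts  = 10.0.1.0/24   # placeholder local subnet
                remote_ts = 10.0.2.0/24   # placeholder remote subnet
                # ESP proposal with PFS on the same group as phase 1.
                esp_proposals = aes256-sha1-modp1024
                start_action = start
            }
        }
    }
}

secrets {
    ike-legacy-site {
        id-1 = @left-id.example
        id-2 = @right-id.example
        secret = "REPLACE-WITH-PRE-SHARED-KEY"   # placeholder
    }
}
```

After editing the file, `swanctl --load-all` reloads it and `swanctl --list-conns` shows whether the proposal was accepted; a log line from charon containing "no acceptable proposal found" on the peer side is the usual sign that the group or cipher set does not match what the legacy endpoint offers.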