Messages - shpokas

#1
OK, pfSense gives an explicit warning that PSK mode is deprecated by OpenVPN and will be removed.
I wish OPNsense would do the same to avoid confusion.
#2
I resurrected this old post, but I am equally concerned.
I cannot migrate legacy OpenVPN PtP tunnels because the other endpoint does not support certificates.

What can be done here?
#3
Well, it works, and thanks for forcing me to read the documentation carefully.
But it leaves a lot to be desired.
  • PSK seems to be just forced into the certificate authentication presentation and is counterintuitive. Not sure which one of them is the major use case. In my experience nobody uses certificates for tunnels.
  • Now the MOBIKE default value has been reversed.
  • It is possible to enter more than one network in the children setup, which was not possible before, but that does not work anyway.
  • Lifetime and rekey time value migration is a mess, although I reckon the current setting may be closer to the strongSwan presentation.
  • The reqid value, which was not even visible in the legacy setup but now, according to the documentation, is highly recommended, is difficult to track and can easily be set to the same value for multiple children.
#4
Thanks. But this is exactly what I was asking about: when there are multiple keys and multiple connections (I downloaded my swanctl.conf, yes), then in the new Connection setup for each "Pre-Shared Key" the "Local Identifier", which is the value of "id" in "local-0", is the same (local) IP address.
This means I have to specify the same "Id" for each tunnel, but how can this work if the actual keys are different?
#5
Hi,
I have some questions about how to configure the new IPsec Connections with good old PSKs when there are multiple IPsec tunnels on the same router.

First question: PSK setup.
I have multiple IPsec tunnels configured, and in all of them the OPNsense firewall is identified by its IP address. Note that I cannot change the remote end setup; I can only migrate existing connections.

So, in "VPN: IPsec: Pre-Shared Keys" I have multiple PSKs defined, and the local identifier is always OPNsense's external IP address.
But how is this PSK then referred to in the Connection setup?
Or, to put this differently, how do I find the "ID" and "Round" values when setting up a new connection?

It may seem easy when you have just one tunnel and one PSK, but I have multiple.
Thanks,
shpokas
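The posts above ask how several PSKs can coexist when every connection uses the same local identity, and how easily the same reqid ends up on more than one child. The script below is an added example, not code from this thread, from OPNsense or from strongSwan. It parses a constructed swanctl.conf (documentation addresses only) with the brace/"key = value" subset of the syntax that the sample uses, then models strongSwan's shared-secret selection as an assumed best-match rule: a secret in the secrets section whose id-* entries match both the connection's local and remote identity outranks one that matches only one of them, a secret with no ids is a wildcard of lowest rank, and ties are reported so the reader can see where strongSwan would have to guess. The reqid check simply counts reqid values across all children. The matching score and the function names are this example's own assumptions, not strongSwan internals.

```python
"""Model PSK selection and check child reqids in a swanctl.conf-style config.

Added example (not from the forum thread, OPNsense or strongSwan).
Assumptions: only the "section {", "}" and "key = value" subset of the
swanctl.conf syntax is parsed (one item per line); the best-match rule below
is a model of strongSwan's shared-secret lookup, not its actual code.
"""
from collections import Counter

# Constructed sample: two PSK tunnels that share the same local identity
# (the firewall's own address) and differ only in the remote identity,
# plus an older secret that carries the local identity alone.
SAMPLE_CONF = """\
connections {
    site-a {
        local_addrs = 203.0.113.10
        remote_addrs = 198.51.100.1
        local-0 {
            auth = psk
            id = 203.0.113.10
        }
        remote-0 {
            auth = psk
            id = 198.51.100.1
        }
        children {
            net-a {
                local_ts = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
                reqid = 1
            }
        }
    }
    site-b {
        local_addrs = 203.0.113.10
        remote_addrs = 198.51.100.2
        local-0 {
            auth = psk
            id = 203.0.113.10
        }
        remote-0 {
            auth = psk
            id = 198.51.100.2
        }
        children {
            net-b {
                local_ts = 10.0.0.0/24
                remote_ts = 10.2.0.0/24
                reqid = 1
            }
        }
    }
}
secrets {
    ike-a {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.1
        secret = "psk-for-site-a"
    }
    ike-b {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.2
        secret = "psk-for-site-b"
    }
    ike-old {
        id-1 = 203.0.113.10
        secret = "old-psk-with-local-id-only"
    }
}
"""


def parse_conf(text):
    """Parse the brace / key=value subset of swanctl.conf into nested dicts."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):               # open a section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                    # close it
            cur = stack.pop()
        else:                                # key = value (quotes stripped)
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return root


def select_psk(secrets, local_id, remote_id):
    """Return the names of the best-matching secrets (more than one = tie)."""
    best, best_score = [], -1
    for name, sec in secrets.items():
        ids = [v for k, v in sec.items() if k.startswith("id")]
        if ids:
            score = sum(1 for i in ids if i in (local_id, remote_id))
            if score == 0:                   # has ids, none match: not a candidate
                continue
        else:
            score = 0                        # wildcard secret: lowest rank
        if score > best_score:
            best, best_score = [name], score
        elif score == best_score:
            best.append(name)
    return best


def psk_for_connection(conf, conn_name):
    """Resolve which secret(s) a connection's local-0/remote-0 ids select."""
    conn = conf["connections"][conn_name]
    return select_psk(conf["secrets"], conn["local-0"]["id"], conn["remote-0"]["id"])


def duplicate_reqids(connections):
    """reqid values assigned to more than one child across all connections."""
    seen = Counter(child["reqid"]
                   for conn in connections.values()
                   for child in conn.get("children", {}).values()
                   if "reqid" in child)
    return sorted(r for r, n in seen.items() if n > 1)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for name in conf["connections"]:
        print(name, "->", psk_for_connection(conf, name))
    print("duplicate reqids:", duplicate_reqids(conf["connections"]))
```

Run against the sample, site-a resolves to ike-a and site-b to ike-b: the shared local identity does not create a conflict because the remote identity breaks the tie, while ike-old, which carries the local identity only, is outranked. The same run flags reqid 1 as assigned to two children, the situation the third post warns about; the value to look for in the OPNsense export is the `reqid` line inside each child of the downloaded swanctl.conf.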