About adding more ipsec

Started by Zero_Kong, July 01, 2020, 04:14:58 AM

When I added the ipsec configuration, I found that it only supports up to 32 configurations.
Check the ipsec establishment up to ipsec3200 in the terminal.
What is the maximum number of ipsec interfaces supported by OPNsense?

LAN (vtnet7)    -> v4: 172.16.1.254/24
OPT5 (vtnet5)   -> v4: 10.0.0.185/24
test(ipsec1000) -> v4: 172.31.0.3/32
opt1 (vtnet1)   -> v4: 1.1.2.1/24
opt1(site2 - opt1) (ipsec27000) -> v4: 169.254.0.116/32
opt1(site2 - opt2) (ipsec47000) ->
opt1(site2 - opt3) (ipsec32000) -> v4: 169.254.0.126/32
opt1(site2 - opt4) (ipsec37000) ->
opt1(site2 - wan) (ipsec42000) ->
opt1(site3 - opt1) (ipsec2000) -> v4: 169.254.0.18/32
opt1(site3 - opt2) (ipsec22000) -> v4: 169.254.0.58/32
opt1(site3 - opt3) (ipsec7000) -> v4: 169.254.0.28/32
opt1(site3 - opt4) (ipsec12000) -> v4: 169.254.0.38/32
opt1(site3 - wan) (ipsec17000) -> v4: 169.254.0.48/32
opt2 (vtnet2)   -> v4: 1.1.3.1/24
opt2(site2 - opt1) (ipsec31000) -> v4: 169.254.0.124/32
opt2(site2 - opt2) (ipsec51000) ->
opt2(site2 - opt3) (ipsec36000) ->
opt2(site2 - opt4) (ipsec41000) ->
opt2(site2 - wan) (ipsec46000) ->
opt2(site3 - opt1) (ipsec6000) -> v4: 169.254.0.26/32
opt2(site3 - opt2) (ipsec26000) -> v4: 169.254.0.66/32
opt2(site3 - opt3) (ipsec11000) -> v4: 169.254.0.36/32
opt2(site3 - opt4) (ipsec16000) -> v4: 169.254.0.46/32
opt2(site3 - wan) (ipsec21000) -> v4: 169.254.0.56/32
opt3 (vtnet3)   -> v4: 1.1.4.1/24
opt3(site2 - opt1) (ipsec28000) -> v4: 169.254.0.118/32
opt3(site2 - opt2) (ipsec48000) ->
opt3(site2 - opt3) (ipsec33000) ->
opt3(site2 - opt4) (ipsec38000) ->
opt3(site2 - wan) (ipsec43000) ->
opt3(site3 - opt1) (ipsec3000) -> v4: 169.254.0.20/32
opt3(site3 - opt2) (ipsec23000) -> v4: 169.254.0.60/32
opt3(site3 - opt3) (ipsec8000) -> v4: 169.254.0.30/32
opt3(site3 - opt4) (ipsec13000) -> v4: 169.254.0.40/32
opt3(site3 - wan) (ipsec18000) -> v4: 169.254.0.50/32
opt4 (vtnet4)   -> v4: 1.1.5.1/24
opt4(site2 - opt1) (ipsec29000) -> v4: 169.254.0.120/32
opt4(site2 - opt2) (ipsec49000) ->
opt4(site2 - opt3) (ipsec34000) ->
opt4(site2 - opt4) (ipsec39000) ->
opt4(site2 - wan) (ipsec44000) ->
opt4(site3 - opt1) (ipsec4000) -> v4: 169.254.0.22/32
opt4(site3 - opt2) (ipsec24000) -> v4: 169.254.0.62/32
opt4(site3 - opt3) (ipsec9000) -> v4: 169.254.0.32/32
opt4(site3 - opt4) (ipsec14000) -> v4: 169.254.0.42/32
opt4(site3 - wan) (ipsec19000) -> v4: 169.254.0.52/32
wan (vtnet0)    -> v4: 1.1.1.1/24
wan(site2 - opt1) (ipsec30000) -> v4: 169.254.0.122/32
wan(site2 - opt2) (ipsec50000) ->
wan(site2 - opt3) (ipsec35000) ->
wan(site2 - opt4) (ipsec40000) ->
wan(site2 - wan) (ipsec45000) ->
wan(site3 - opt1) (ipsec5000) -> v4: 169.254.0.24/32
wan(site3 - opt2) (ipsec25000) -> v4: 169.254.0.64/32
wan(site3 - opt3) (ipsec10000) -> v4: 169.254.0.34/32
wan(site3 - opt4) (ipsec15000) -> v4: 169.254.0.44/32
wan(site3 - wan) (ipsec20000) -> v4: 169.254.0.54/32

July 01, 2020, 04:31:30 AM #1 Last Edit: July 01, 2020, 04:36:08 AM by Zero_Kong
65535/2 = 32767.5
If it is greater than 32767, an error will occur,
because OPNsense increases the ipsec interface number by 1000 every time it creates one.

root@DEV:~ # ifconfig ipsec32767 create
root@DEV:~ # ifconfig ipsec32768 create
ifconfig: SIOCIFCREATE2: No space left on device

ipsec32767 is ok but ipsec32768 :-[ :-[

Looks like the device index is a signed int so we get that restriction from somewhere in the kernel.

Changing this to unsigned int would enable 2x the interfaces, but in this particular case we talk about 32 vs. 64 interfaces max. It would seem we need to decrease the offset, but as far as I remember it was used to avoid collisions somewhere in strongSwan to allow enough phase 2 entries per phase 1 interface.


Cheers,
Franco
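An added example, not code from the thread or from OPNsense itself: a small Python pre-flight check built on the two numbers stated above (the 1000-per-tunnel unit step and the 32767 unit ceiling). It parses a console listing in the format of the first post and reports which ipsecN units the kernel would refuse to create; the sample lines are constructed in that format. In the full listing above, the entries that show no v4 address are exactly those whose unit exceeds 32767.

```python
import re

UNIT_STEP = 1000   # OPNsense allocates ipsec unit numbers in steps of 1000 (per the thread)
UNIT_MAX = 32767   # highest unit ifconfig accepted in the thread (signed 16-bit range)

IFACE_RE = re.compile(r"\(ipsec(\d+)\)")

# Constructed sample in the format of the console listing above (not the full list).
SAMPLE_LISTING = """\
LAN (vtnet7)    -> v4: 172.16.1.254/24
test(ipsec1000) -> v4: 172.31.0.3/32
opt1(site2 - opt2) (ipsec47000) ->
opt1(site3 - opt1) (ipsec2000) -> v4: 169.254.0.18/32
wan(site2 - opt2) (ipsec50000) ->
"""


def max_tunnel_slots(step=UNIT_STEP, limit=UNIT_MAX):
    """Number of distinct ipsecN units that fit under the kernel limit at this step."""
    return limit // step


def parse_units(listing):
    """Return (label, unit) for every ipsecN device named in the console listing."""
    units = []
    for line in listing.splitlines():
        match = IFACE_RE.search(line)
        if match:
            label = line.split("(ipsec")[0].strip()
            units.append((label, int(match.group(1))))
    return units


def check_listing(listing, limit=UNIT_MAX):
    """Split units into those the kernel can create and those above the limit."""
    ok, too_high = [], []
    for label, unit in parse_units(listing):
        (ok if unit <= limit else too_high).append((label, unit))
    return {"ok": ok, "too_high": too_high}


def next_free_unit(listing, step=UNIT_STEP, limit=UNIT_MAX):
    """Lowest unused step-aligned unit, or None if the next slot would exceed the limit."""
    used = {unit for _, unit in parse_units(listing)}
    candidate = step
    while candidate in used:
        candidate += step
    return candidate if candidate <= limit else None
```

Run `check_listing` over the output of the interface listing before adding another phase 1 to see whether the next 1000-aligned slot still fits.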

emmmm thx
I have another question about OSPF.
Passive Interfaces have an ipsec interface,
but there are other virtual ipsec interfaces,
e.g. ipsec1000.....
Should these virtual ipsec interfaces be selected?