About adding more ipsec

[Zero_Kong]

When I added the ipsec configuration, I found that it only supports up to 32 configurations.
Check the ipsec establishment to ipsec3200 in the terminal.
What is the maximum number of ipsec supported by opnsense?

Code: [Select]

LAN (vtnet7)    -> v4: 172.16.1.254/24
 OPT5 (vtnet5)   -> v4: 10.0.0.185/24
 test(ipsec1000) -> v4: 172.31.0.3/32
 opt1 (vtnet1)   -> v4: 1.1.2.1/24
 opt1(site2 - opt1) (ipsec27000) -> v4: 169.254.0.116/32
 opt1(site2 - opt2) (ipsec47000) ->
 opt1(site2 - opt3) (ipsec32000) -> v4: 169.254.0.126/32
 opt1(site2 - opt4) (ipsec37000) ->
 opt1(site2 - wan) (ipsec42000) ->
 opt1(site3 - opt1) (ipsec2000) -> v4: 169.254.0.18/32
 opt1(site3 - opt2) (ipsec22000) -> v4: 169.254.0.58/32
 opt1(site3 - opt3) (ipsec7000) -> v4: 169.254.0.28/32
 opt1(site3 - opt4) (ipsec12000) -> v4: 169.254.0.38/32
 opt1(site3 - wan) (ipsec17000) -> v4: 169.254.0.48/32
 opt2 (vtnet2)   -> v4: 1.1.3.1/24
 opt2(site2 - opt1) (ipsec31000) -> v4: 169.254.0.124/32
 opt2(site2 - opt2) (ipsec51000) ->
 opt2(site2 - opt3) (ipsec36000) ->
 opt2(site2 - opt4) (ipsec41000) ->
 opt2(site2 - wan) (ipsec46000) ->
 opt2(site3 - opt1) (ipsec6000) -> v4: 169.254.0.26/32
 opt2(site3 - opt2) (ipsec26000) -> v4: 169.254.0.66/32
 opt2(site3 - opt3) (ipsec11000) -> v4: 169.254.0.36/32
 opt2(site3 - opt4) (ipsec16000) -> v4: 169.254.0.46/32
 opt2(site3 - wan) (ipsec21000) -> v4: 169.254.0.56/32
 opt3 (vtnet3)   -> v4: 1.1.4.1/24
 opt3(site2 - opt1) (ipsec28000) -> v4: 169.254.0.118/32
 opt3(site2 - opt2) (ipsec48000) ->
 opt3(site2 - opt3) (ipsec33000) ->
 opt3(site2 - opt4) (ipsec38000) ->
 opt3(site2 - wan) (ipsec43000) ->
 opt3(site3 - opt1) (ipsec3000) -> v4: 169.254.0.20/32
 opt3(site3 - opt2) (ipsec23000) -> v4: 169.254.0.60/32
 opt3(site3 - opt3) (ipsec8000) -> v4: 169.254.0.30/32
 opt3(site3 - opt4) (ipsec13000) -> v4: 169.254.0.40/32
 opt3(site3 - wan) (ipsec18000) -> v4: 169.254.0.50/32
 opt4 (vtnet4)   -> v4: 1.1.5.1/24
 opt4(site2 - opt1) (ipsec29000) -> v4: 169.254.0.120/32
 opt4(site2 - opt2) (ipsec49000) ->
 opt4(site2 - opt3) (ipsec34000) ->
 opt4(site2 - opt4) (ipsec39000) ->
 opt4(site2 - wan) (ipsec44000) ->
 opt4(site3 - opt1) (ipsec4000) -> v4: 169.254.0.22/32
 opt4(site3 - opt2) (ipsec24000) -> v4: 169.254.0.62/32
 opt4(site3 - opt3) (ipsec9000) -> v4: 169.254.0.32/32
 opt4(site3 - opt4) (ipsec14000) -> v4: 169.254.0.42/32
 opt4(site3 - wan) (ipsec19000) -> v4: 169.254.0.52/32
 wan (vtnet0)    -> v4: 1.1.1.1/24
 wan(site2 - opt1) (ipsec30000) -> v4: 169.254.0.122/32
 wan(site2 - opt2) (ipsec50000) ->
 wan(site2 - opt3) (ipsec35000) ->
 wan(site2 - opt4) (ipsec40000) ->
 wan(site2 - wan) (ipsec45000) ->
 wan(site3 - opt1) (ipsec5000) -> v4: 169.254.0.24/32
 wan(site3 - opt2) (ipsec25000) -> v4: 169.254.0.64/32
 wan(site3 - opt3) (ipsec10000) -> v4: 169.254.0.34/32
 wan(site3 - opt4) (ipsec15000) -> v4: 169.254.0.44/32
 wan(site3 - wan) (ipsec20000) -> v4: 169.254.0.54/32


[Zero_Kong]

65535/2=32767.5‬
If it is greater than 32767, an error will occur
Because opnsense creates ipsec every time it increases by 1000

Code: [Select]

root@DEV:~ # ifconfig ipsec32767 create
root@DEV:~ # ifconfig ipsec32768 create
ifconfig: SIOCIFCREATE2: No space left on device
ipsec32767 is ok but ipsec32768 

[franco]

Looks like the device index is a signed int so we get that restriction from somewhere in the kernel.

Changing this to unsigned int would enable 2x the interfaces, but in this particular case we talk about 32 vs. 64 interfaces max. It would seem we need to decrease the offset, but as far as I remember it was used to avoid collisions somewhere in Strongswan to allow enough phase 2 entries per phase 1 interface.


Cheers,
Franco

[Zero_Kong]

emmmm thx
I have another question about ospf.
Passive Interfaces have ipsec interface
But there are other virtual ipsec interface .
e.g. ipsce1000.....
Should these virtual ipsecs interface be selected?