Bulk creation of IPSec phase 2 entries?

[Patrick M. Hausen]

Hi all,

I am in the process of migrating our own installation from Sidewinder zo OPNsense. One drawback in the OPNsense IPSec implementation seems to be that you must spell out each individual phase 2 SA.

E.g. in Sidewinder you could configure:

Local networks: 192.168.1.0/24, 192.168.2.0/24
Remote networks: 172.16.1.0/24, 172.16.2.0/24

and the system would configure 4 SAs.

In OPNsense you have to explicitly specify:

- 192.168.1.0/24 - 172.16.1.0/24
- 192.168.1.0/24 - 172.16.2.0/24
- 192.168.2.0/24 - 172.16.1.0/24
- 192.168.2.0/24 - 172.16.2.0/24

This is all fine and dandy, unless you have a particular peer with 3 local networks and 58 remote networks.

Is there any way to script the generation of these instead of entering them through the UI? Apart from generating XML, I mean?

If I go the road of generating XML, what precisely are these entries?

Code: [Select]

      <ikeid>6</ikeid>
      <uniqid>615166c20325d</uniqid>
      <reqid>43</reqid>
 

My guess:

- ikeid counts from 1 to n through the phase 2 SAs for each phase 1 entry
- reqid counts from 1 to n for each phase 2 SA globally
- uniqid is, well, something unique for each phase 2 SA

Is this correct? If yes, how are the <uniqid> generated?


Thanks!
Patrick

[Patrick M. Hausen]

OK, looks like the <ikeid> connects the phase 2 entries with their parent phase 1 entries:

Code: [Select]

            foreach ($cnf->ipsec->phase1 as $phase1) {
                $p2sequence = 0;
                foreach ($cnf->ipsec->phase2 as $phase2) {
                    if ((string)$phase1->ikeid != (string)$phase2->ikeid) {
                        continue;

<uniqid> is a PHP uniqid() value - 13 hex digits assumed to form a unique id, but not even guaranteed to do so.

Any hints about the motivation for the <reqid> entries greatly appreciated. So far I only found that they seem to be unique and in my current setup increasing from 1 to n without gaps. But what are they for? There already is a <uniqid> to manage individual entries ... sort order?

Kind regards,
Patrick

[mimugmail]

Its for nat inside a Phase2

[Patrick M. Hausen]

So what do I need to do about them if I do not NAT? Just generate them unique and increasing?

[mimugmail]

Yep

[Patrick M. Hausen]

Works as intended - thanks.

Shameless self-plug - this helps a lot when hacking OPNsense:
https://github.com/punktDe/vagrant-opnsense

I wonder why it doesn't get more attention in the forum? I'd always welcome feedback.

Kind regards,
Patrick

[mimugmail]

Because there are around 5 active devs in the Forums with own dev env's already set I'd guess