Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec tunnel 23.1.1_2 manual SPD entries
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPsec tunnel 23.1.1_2 manual SPD entries (Read 1919 times)
atom
Full Member
Posts: 207
Karma: 4
IPsec tunnel 23.1.1_2 manual SPD entries
«
on:
February 23, 2023, 02:17:23 pm »
Hello,
I'm looking for a way to add manual SPD entries with the "Connections[new]" interface.
It looks like you can add more networks in "Edit Child", but the networks don't show up in 'setkey -DP" and the traffic goes directly to WAN instead of IPsec. Any idea ?
Regards,
atom
Logged
iceknight
Newbie
Posts: 4
Karma: 0
Re: IPsec tunnel 23.1.1_2 manual SPD entries
«
Reply #1 on:
July 28, 2023, 08:16:18 pm »
Hello,
Did you find a solution to this problem? I also need to add manual SPD entries to the Connections[new] tunnels and have not found where to do so.
Thanks,
Iceknight
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1628
Karma: 178
Re: IPsec tunnel 23.1.1_2 manual SPD entries
«
Reply #2 on:
July 28, 2023, 08:34:27 pm »
I did it like this:
In Connections [new] you open "Edit Child" and there you have to input a unique "Reqid", for example 110 or something. If you have more children in that connection, give them 111, 112 etc...
Then you go into "VPN: IPsec: Security Policy Database: Manual" and "+" and then you put the Reqid 110 from before.
Source network is the Network you want to allow being translated with your NAT rule. Destination Network can be left empty.
EDIT:
I see that since the last time I have checked this option, there has been a new "Child" option added. So it might be possible to leave the reqid dynamic, and choose the child here instead. But I didn't test that yet.
Logged
Hardware:
DEC740
iceknight
Newbie
Posts: 4
Karma: 0
Re: IPsec tunnel 23.1.1_2 manual SPD entries
«
Reply #3 on:
July 28, 2023, 10:30:35 pm »
Thanks for the confirmation on this. I was looking at this option but wasn't sure it would work. Let me give it a shot. Did you have to reboot the firewall to get it to work or just restating ipsec?
Logged
iceknight
Newbie
Posts: 4
Karma: 0
Re: IPsec tunnel 23.1.1_2 manual SPD entries
«
Reply #4 on:
July 28, 2023, 11:39:31 pm »
I just tried the recommended settings and they worked, no need of reboot or Ipsec restart, just need to bring down each tunnel individually, disable old IPsec tunnels, and enable new Connections tunnels and it worked like a charm. I also setup the manual SPDs using the new "Child" option instead of setting a numeric Reqid.
For anyone else looking to implement this don't forget to first remove the existing SPDs by looking up their Reqid in the "Manual" tab and then removing those entries from the "Installed" tab list of the SP database, before bringing up the migrated tunnels.
Logged
smema79
Newbie
Posts: 29
Karma: 0
Re: IPsec tunnel 23.1.1_2 manual SPD entries
«
Reply #5 on:
September 27, 2024, 08:00:01 am »
hello
with last version of OPN (24.7.5), I added in "IPsec: Security Policy Database" the manual subnet but it is not routed. Of-course the line for this subnet to nat 1-1 exists.
I tried to select Child and change also with the numeric ReqID of the Children declared to the connection but nothing.
If I add this subnet inside the 'Children' area of the connection, together with the real one used in the phase2, the traffic is routed inside and the nat 1-1 does the traslation.
Am I doing something wrong or has something else changed?
Thanks
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec tunnel 23.1.1_2 manual SPD entries