seeking advice, IPsec VPN, legacy -> strongswan,

[N75yH47w]

Hello,

I would appreciate expert advice für a specific scenario based on OPNsense 22.7.11_1-amd64, FreeBSD 13.1-RELEASE-p5, OpenSSL 1.1.1s, 1 Nov 2022 please.

So far I am using IPsec VPN with IPv4, IKE, aggressive, AES (256 bits) + SHA1 + DH Group 2, Mutual PSK successfully. DH Group 2 is konwn to be not compliant with current recommendations but unfortunately a hard interoperability limitation of the VPN endpoint (It is strongly advised to use at least a 2048 bit key length for MODP Diffie-Hellman groups).

The release notes for 23.1 state regarding IPsec:

• 23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with a blocklist rewrite in Python, improved WAN SLAAC operability, firewall alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates, MVC/API pages for packet capture/virtual IPs/IPsec connection management, IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient custom backend support (including Azure), WireGuard kernel module plugin variant as the new default plus much more.
• ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
• The new IPsec connections pages and API create an independent set of connections following the design of wanctl.conf.  Legacy tunnel settings cannot be managed from the API and are not migrated.

Now my need for information please:

• Sorry, I am confused whether or not legacy tunnel settings/configurations will be migrated automatically or not. In the event they will be automatiscally migrated I would like to know at which point during the upgrade they are migrated please, i.e. does automatic migration apply to a fresh install with immediate supply of the existing 22.7.11_1 configuration also?
• DH Group 2 appears to be unavailable in 23.1 for good reasons. In the event of automated legacy tunnel setting/configuration migration how is such conflict (e.g. a deprecated DH Group 2) resolved please?
• Is there an easy way to configure strongswan / charon within opnsense to support DH Group 2 please?
• In the event there is no automated migration: Is there a step by step migration guideline for average users which legacy GUI setting must go into which strongswan GUI field how?

Please accept my apologies upfront in the event I missed or overlooked any important aspect.

Thank you so much for your expert advice and helping me to manage a future upgrade to 23.x to come successfully.

Thanks to the developers for such great opnsense software and their efforts!

[Patrick M. Hausen]

I am also interested in an answer, here. Will an existing IPsec configuration be migrated automatically when upgrading to 23.1?

I already upgraded my personal and all our office firewalls but did not dare to give our data centre systems the same treatment for this reason. We have dozens of IPsec connections to customers that are all business critical.

[Bunch]

I have 2 OPNSense setup, Home and VPS(for testing)
My home setup was using IPSEC (Mutual RSA + MSCHAPv2), will need to change to EAP-MSCHAPv2
For Mutual RSA + MSCHAPv2, cert exchange succeed, but failed next step, didn't take a deep check as I switched to EAP-MSCHAPv2 immediately.

While my VPS using EAP-MSCHAPv2 keeps working without any changes after update to 23.1.
The legacy setting will keep existence and working.
But probably some parts might fail (at least my Mutual RSA + MSCHAPv2 failed)

My working EAP-MSCHAPv2 setting:
P1. ikev2,eap-mschapv2, aes256gcm16-sha384-ec384
P2. aes256gcm16-sha384-ec384
(I usually keep Phase 2 same as Phase 1)

Update: Since my mobile phone only support ikev2, there are 2 test that I can perform with lowest security as possible
Test1.
P1. Ikev2, eap-mschapv2, aes256-sha1-modp1024
P2. aes256-sha1-modp1024

Test2.
P1. Ikev2, Mutual PSK, aes256gcm16-sha1-modp2048 (lowest Ike combination that my phone support without app)
P2. aes256gcm16-sha1-modp2048

Both of them are set with Legacy interface instead of the new connection interface, guess similar configuration will still work without changes after update

[Ricardo]

If someone creates a fully filled test matrix of Opnsense 23.1+ IPSEC IKEv1, IKEv2, all the possible combinations of cipher suites, site-2-site and roadwarrior setup: windows 7,8,10 stock OS endpoints, stock Android 11,12,13 + Android stronsgswan app client, I myself would donate to that whitepaper at least 50 EUR without thinking for a second.

I have both books that have been written about opnsense, and both lack the required depth and clarity about Ipsec VPN