IPsec tunnel 23.1.1_2 manual SPD entries

Started by atom, February 23, 2023, 02:17:23 PM

Hello,
I'm looking for a way to add manual SPD entries with the "Connections [new]" interface.
It looks like you can add more networks in "Edit Child", but the networks don't show up in "setkey -DP" and the traffic goes directly to WAN instead of IPsec. Any idea?
Regards,
atom

Hello,

Did you find a solution to this problem? I also need to add manual SPD entries to the Connections[new] tunnels and have not found where to do so.
Thanks,
Iceknight

I did it like this:

In Connections [new] you open "Edit Child" and there you have to input a unique "Reqid", for example 110 or something. If you have more children in that connection, give them 111, 112, etc.

Then you go into "VPN: IPsec: Security Policy Database: Manual" and "+" and then you put the Reqid 110 from before.
Source network is the network you want to allow to be translated by your NAT rule. Destination network can be left empty.


EDIT:
I see that since the last time I have checked this option, there has been a new "Child" option added. So it might be possible to leave the reqid dynamic, and choose the child here instead. But I didn't test that yet.

Hardware:
DEC740

Thanks for the confirmation on this. I was looking at this option but wasn't sure it would work. Let me give it a shot. Did you have to reboot the firewall to get it to work or just restart IPsec?

I just tried the recommended settings and they worked, no need for a reboot or IPsec restart, just need to bring down each tunnel individually, disable the old IPsec tunnels, and enable the new Connections tunnels and it worked like a charm. I also set up the manual SPDs using the new "Child" option instead of setting a numeric Reqid.

For anyone else looking to implement this don't forget to first remove the existing SPDs by looking up their Reqid in the "Manual" tab and then removing those entries from the "Installed" tab list of the SP database, before bringing up the migrated tunnels.
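The thread's check for whether a network is actually covered by the tunnel is `setkey -DP`. The following is an added example, not code from the thread or from OPNsense, that parses a `setkey -DP` dump and confirms that a given source network has an `ipsec` policy in the expected direction tied to the expected reqid. The sample dump is constructed; it assumes FreeBSD's setkey output format, where a policy pinned to a reqid ends its policy line with `unique:<reqid>`, and the networks, endpoints and reqid 110 in it are illustrative values.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a source network is
# covered by an IPsec SPD policy with the expected reqid, by parsing the
# text that `setkey -DP` prints on FreeBSD/OPNsense. Real usage:
#   setkey -DP | spd_check_policy 10.10.0.0/24 out 110

# Constructed sample of `setkey -DP` output (assumed format): an outbound
# and an inbound policy for one child, both pinned to reqid 110 via the
# "unique:110" policy level. Addresses are documentation ranges.
SAMPLE_SPD='10.10.0.0/24[any] 192.168.50.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.10-198.51.100.20/unique:110
	spid=7 seq=1 pid=4321
	refcnt=1
192.168.50.0/24[any] 10.10.0.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.20-203.0.113.10/unique:110
	spid=8 seq=0 pid=4321
	refcnt=1
'

# spd_check_policy SRC_NET DIRECTION REQID
# Reads a setkey -DP dump on stdin. Prints the header line of the first
# policy whose source selector is SRC_NET, whose direction is DIRECTION
# (in/out) and whose action is "ipsec" with reqid REQID, and returns 0.
# Returns 1 when no such policy exists, which is exactly the situation in
# the thread: the packets then follow the default route to WAN.
spd_check_policy() {
    awk -v want_src="$1" -v want_dir="$2" -v want_reqid="$3" '
        # Header line (no leading whitespace): "SRC[port] DST[port] proto"
        NF > 0 && !/^[ \t]/ {
            src = $1; sub(/\[.*$/, "", src)   # strip the "[any]" port part
            hdr = $0; dir = ""; action = ""
            next
        }
        # Second line of an entry: "<in|out> <ipsec|discard|none>"
        $1 == "in" || $1 == "out" { dir = $1; action = $2; next }
        # Policy line: proto/mode/endpoints/level; level "unique:N" carries the reqid
        /\/unique:[0-9]+$/ {
            reqid = $0; sub(/.*\/unique:/, "", reqid)
            if (src == want_src && dir == want_dir && action == "ipsec" && reqid == want_reqid) {
                print hdr; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_SPD" | spd_check_policy 10.10.0.0/24 out 110 \
    && echo "outbound policy for 10.10.0.0/24 on reqid 110 is installed"
printf '%s' "$SAMPLE_SPD" | spd_check_policy 10.20.0.0/24 out 110 \
    || echo "no outbound policy for 10.20.0.0/24: that traffic would go to WAN"
```

Run it against the live SPD right after adding a manual entry and again after bringing the tunnel down and up; a network that the function does not find is one whose packets bypass the tunnel, and a wrong reqid means the manual entry exists but is bound to a different child than intended.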

Hello,
with the latest version of OPNsense (24.7.5), I added the manual subnet in "IPsec: Security Policy Database" but it is not routed. Of course the 1:1 NAT line for this subnet exists.

I tried to select Child and change also with the numeric ReqID of the Children declared to the connection but nothing.

If I add this subnet inside the "Children" area of the connection, together with the real one used in the phase 2, the traffic is routed inside and the 1:1 NAT does the translation.

Am I doing something wrong or has something else changed?

Thanks