IPSEC - Differences between new and legacy mode

Started by smema79, June 01, 2023, 12:17:08 PM

Hello everyone.

I have read the docs on the portal regarding the IPSEC section and I have some questions about it.
I would like to thank from the outset those who will take the time to give me answers.

1) I understand that the new modality was implemented to improve the usability of the IPsec system, relegating the old one under "Tunnel Settings" (former legacy mode). For those who have VPNs configured in Legacy mode, will they then have to be migrated to the new version in the next future?

2) The new version seems to me to be missing the lifetime values that are usually indicated for SA and IKE. Correct?

3) Can the two modes co-exist with each other?

4) Since this is an OPN decision, will there then be some function that will allow the conversion of legacy tunnels to the new mode?

Thanks again

Hi,

1.) Eventually the tunnel configuration will disappear. Migration was discussed but -- historically this section was for racoon IPsec which was also supported by StrongSwan but now deprecated and the new MVC connections offer the swanctl.conf syntax and a more straight-forward approach to IPsec -- in the end it's unlikely that an automatic migration will take place perhaps leading up to OPNsense 24.1 removing the legacy IPsec tunnel configuration so everything needs to be moved over at the end of the 23.7.x series in order to keep working.

2.) There is a discussion about this here; it seems to be a bit convoluted: https://github.com/opnsense/core/issues/6370

3.) Yes, as long as both are available (see first point). ;)

4.) See first point. It's difficult. The official doc is here: https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf


Cheers,
Franco
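To make the "swanctl.conf syntax" point (and the lifetime question in 2) concrete, here is an added side-by-side example that is not from the thread and not OPNsense's generated configuration: the same site-to-site IKEv2 tunnel written first in the legacy ipsec.conf format and then in the swanctl.conf format that the new Connections mode maps onto. The addresses (203.0.113.x, 10.0.x.0/24), identities, proposals and the pre-shared key are constructed placeholders. The point to notice is where the IKE SA and child (ESP) SA lifetimes live in each syntax.

```conf
# --- legacy ipsec.conf (the format behind "Tunnel Settings (legacy)") ---
# Constructed example; addresses, IDs and key are placeholders.
conn site-a-to-b
    keyexchange=ikev2
    left=203.0.113.1
    leftid=gw-a
    leftsubnet=10.0.1.0/24
    right=203.0.113.2
    rightid=gw-b
    rightsubnet=10.0.2.0/24
    # trailing '!' makes the proposal list strict (no fallback to defaults)
    ike=aes256-sha256-ecp256!
    esp=aes256gcm16-ecp256!
    # IKE SA lifetime ("Phase 1" lifetime in the legacy GUI)
    ikelifetime=4h
    # child/ESP SA lifetime ("Phase 2" lifetime in the legacy GUI)
    lifetime=1h
    authby=secret
    auto=route

# --- equivalent swanctl.conf (the format behind the new Connections mode) ---
connections {
    site-a-to-b {
        version = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 203.0.113.2
        # proposals listed here are strict by default; no '!' needed
        proposals = aes256-sha256-ecp256
        # IKE SA rekey interval: the counterpart of ikelifetime above
        rekey_time = 4h
        local {
            auth = psk
            id = gw-a
        }
        remote {
            auth = psk
            id = gw-b
        }
        children {
            lan-to-lan {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                esp_proposals = aes256gcm16-ecp256
                # child SA rekey interval: the counterpart of lifetime above.
                # life_time (hard expiry) defaults to 110% of rekey_time, so
                # the SA is renewed before it expires; set it explicitly only
                # if you need a different margin.
                rekey_time = 1h
                life_time  = 66m
                # install a trap policy so traffic triggers the tunnel (auto=route)
                start_action = trap
            }
        }
    }
}

secrets {
    ike-gw-b {
        id = gw-b
        # placeholder; a real PSK is a long random string
        secret = "REPLACE_WITH_REAL_PSK"
    }
}
```

Both files describe one tunnel, but swanctl.conf separates the IKE SA (the connection block) from its child SAs (the children block), which is why a single "lifetime" field has no one-to-one place in the new GUI and why the linked issue is about where to expose rekey_time and life_time. The strongSwan migration page Franco links (Fromipsecconf) is the authoritative mapping for the remaining keywords.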

Thank you for the clarification :)

Sent from my SM-A336B using Tapatalk