Topic: Migrating from the legacy ipsec to the new Connections (Read 1213 times)
GurliGebis
Migrating from the legacy ipsec to the new Connections
« on: August 08, 2023, 02:54:26 pm »
Hey,
I'm looking into migrating my IKEv2 ipsec tunnels from the legacy setup to the new setup.
However, it seems like several fields from the "classic" setup are missing, like the phase1 certificate and identifier.
Is there a guide somewhere that tells what from the old setup maps to what in the new setup?
Also, I would expect it to be on feature parity before being deprecated, but that doesn't seem to be the case right now (Unless I'm missing something).

franco
Re: Migrating from the legacy ipsec to the new Connections
« Reply #1 on: August 08, 2023, 02:59:57 pm »
There are 3 use cases documented for the new connections GUI that may help:
https://docs.opnsense.org/manual/vpnet.html#examples
There are more use cases that need to be moved over, yet I'm unaware of any missing settings. Some older crypto options are not available though.
Cheers,
Franco

GurliGebis
Re: Migrating from the legacy ipsec to the new Connections
« Reply #2 on: August 08, 2023, 03:20:47 pm »
Okay, that explains why half of the things needed to set it up are missing.
From how I read the 23.7 announcement, it sounds like the legacy version is going to be removed next year - I assume there it will be matching the old one by then.
Since the old one already is generating swanctl.conf instead of the old config file (not sure what the name of it is now) - shouldn't it be somewhat possible to create a migration, so old legacy setups just get converted? (I mean if setting A in the legacy setup and setting X in the new results in the same in the config file, it should be possible to transfer over.)

franco
Re: Migrating from the legacy ipsec to the new Connections
« Reply #3 on: August 08, 2023, 04:21:59 pm »
> Okay, that explains why half of the things needed to set it up are missing.
This may be a misconception of the new GUI and the swanctl.conf layout being used. Care to name what you are missing?
> From how I read the 23.7 announcement, it sounds like the legacy version is going to be removed next year - I assume there it will be matching the old one by then
Possibly in 2025, but no date has been set.
> Since the old one already is generating swanctl.conf instead of the old config file (not sure what the name of it is now) - shouldn't it be somewhat possible to create a migration, so old legacy setups just get converted?
The old settings more or less resemble ipsec.conf / racoon IPsec daemon layout and got squeezed into swanctl.conf layout in 23.1, but the amount of precision work here was already high enough as it is, and doing a full migration into a clean swanctl.conf settings layout is practically impossible without breakage, so it will not be done.
The legacy/rewrite split for IPsec worked out very well from a technical perspective so we repeated the effort for OpenVPN in 23.7.
Cheers,
Franco

GurliGebis
Re: Migrating from the legacy ipsec to the new Connections
« Reply #4 on: August 08, 2023, 08:55:47 pm »
I'm using an IKEv2 tunnel for remote clients to connect in using Microsoft Active Directory credentials (EAP-RADIUS).
So in the legacy setup, I have to define a certificate for strongswan to identify itself to the clients.
I can also see there is a "children" section in the generated swanctl.conf file, which contains what I can only assume are the phase2 parameters, which are also missing in the new UI.
It's good to hear that there is no rush to remove the old UI (which is what I was fearing, and what got me a bit scared, since the new seems to be quite early in development still).
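Added example, not part of the thread and not OPNsense or strongSwan code: since both GUIs end up writing swanctl.conf, one way to check a manual migration is to flatten the file generated from each setup and compare the two connections setting by setting. The section names (`con1`, `rw-eap`), certificate file name and identity below are constructed, and the parser assumes one statement per line.

```python
def flatten(text):
    """Flatten swanctl.conf sections into {dotted.path: value} (one statement per line)."""
    flat, path = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments; assumes no '#' inside values
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}" and path:
            path.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            flat[".".join(path + [key])] = value.strip('"')
        elif line:
            raise ValueError(f"line {n}: cannot parse {raw!r}")
    if path:
        raise ValueError("unclosed section: " + ".".join(path))
    return flat

def connection(flat, name):
    """Settings of one connection, keyed relative to it, so differing section names drop out."""
    prefix, rel, kids = f"connections.{name}.", {}, {}
    for key in (k for k in flat if k.startswith(prefix)):
        parts = key[len(prefix):].split(".")
        if parts[0] == "children":  # child names are arbitrary labels: number them in file order
            parts[1] = str(kids.setdefault(parts[1], len(kids)))
        rel[".".join(parts)] = flat[key]
    return rel

def diff(a, b):  # {setting: (legacy value, new value)} for each difference; None means absent
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

# Constructed samples (not real OPNsense output); NEW drops the gateway's local identity.
LEGACY = """connections {
  con1 {
    local {
      auth = pubkey
      certs = vpn-gw.crt
      id = vpn.example.test
    }
    remote {
      auth = eap-radius
    }
    children {
      con1 {
        esp_proposals = aes256-sha256-modp2048
      }
    }
  }
}"""
NEW = LEGACY.replace("con1", "rw-eap").replace("id = vpn.example.test", "")
```

Calling `diff(connection(flatten(LEGACY), "con1"), connection(flatten(NEW), "rw-eap"))` reports only `local.id`, the one setting the second sample lacks; an empty result means both files describe the same connection.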