New IPSEC setup with hostname in Remote endpoint and PSK

Started by olest, October 27, 2023, 10:56:30 AM

How do I configure IPSEC in the new connections with remote endpoint as hostname and Identities as IP addresses?

In the old config I just put hostname in Remote Endpoint and setup PSK and setup Identities to My IP and Remote IP.

How do I configure that in the new IPSEC PSK setup?

The identities can be set in "VPN: IPsec: Connections" once the form for a new connection is open and has been saved once: Local Authentication and Remote Authentication. It can be anything: IP address, hostname, FQDN, etc.

Set Authentication to "Pre-Shared Key" and set the ID to what you want.

The IDs should match in "VPN: IPsec: Pre-Shared Keys".
Hardware:
DEC740

I need it to resolve the hostname from Remote Endpoint and use the IP as Remote Identity. That's how it worked before. I don't see how I can do that now. If I put the hostname in Remote Authentication it does not resolve it and use the IP.

Here is what ID supports; OPNsense uses swanctl below unaltered. I don't know about resolving hostnames, but if it's supported it should be stated here:

https://docs.strongswan.org/docs/5.9/config/identityParsing.html

Quote
If the string begins with @, the type is set to FQDN and the encoding is the literal string after that prefix. In strongSwan versions before 5.0.0 this prefix prevented that a FQDN was resolved into an IP address whereas current versions don't automatically resolve FQDNs when parsing identities.
Hardware:
DEC740

Can I use DNS type then in the GUI of the new IPSEC?

"If the value has the form <type>:<value> (supported since version 5.2.2), the type and value are explicitly specified:

The following types are known: ipv4, ipv6, ipv4net, ipv6net, ipv4range, ipv6range, rfc822, email, userfqdn, fqdn, dns, asn1dn, asn1gn and keyid. Custom type prefixes may be specified by surrounding the numerical type value with curly brackets."

Yea, probably. Inputting something like "dns:example.com" creates it in "/usr/local/etc/swanctl/swanctl.conf". It would be interesting if it does what you want and solves your problem.

strongSwan swanctl also seems to be version >5.9, so it should be supported.
Hardware:
DEC740
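To make the two answers above concrete (the GUI fields for Local/Remote Authentication and the "Pre-Shared Keys" page, and the typed `<type>:<value>` identity syntax), here is an added illustration of what the resulting swanctl.conf looks like. It is not taken from the thread, from OPNsense, or from strongSwan's documentation; the connection name, addresses, hostname and key are constructed placeholders, and the exact way the OPNsense GUI maps its fields onto these keys is my assumption.

```conf
# Added illustration (constructed, not OPNsense output).
connections {
    site-b {
        # The peer is addressed by hostname. strongSwan resolves this
        # address when it needs to send; that is separate from the
        # identities below, which are never resolved.
        remote_addrs = vpn.example.com
        local_addrs = 203.0.113.10
        version = 2
        local {
            auth = psk
            # Explicit type: an IPv4-address identity.
            id = ipv4:203.0.113.10
        }
        remote {
            auth = psk
            # dns: forces an FQDN-type identity. The string is compared
            # as-is against what the peer sends in IKE_AUTH; it is not
            # turned into the peer's IP address.
            id = dns:vpn.example.com
        }
        children {
            net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = trap
            }
        }
    }
}

secrets {
    ike-site-b {
        # PSK selection is by identity: these must match the local/remote
        # id values above, type included, or authentication fails.
        id-1 = ipv4:203.0.113.10
        id-2 = dns:vpn.example.com
        secret = "CHANGE-ME-constructed-placeholder"
    }
}
```

The practical consequence, following the strongSwan identity-parsing text quoted earlier in the thread, is that a hostname in the remote `id` stays a hostname: if the peer identifies itself by its IP address, the remote identity has to be written as that literal address (for example `ipv4:198.51.100.5`, a placeholder here), while `remote_addrs` can still carry the hostname. A mismatch between the identity the peer presents and the one configured shows up as a failed IKE_AUTH rather than as a silently weaker tunnel, which is the behaviour a defender wants from PSK lookups.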

I'll try that next week.

Where in the GUI should I use it?

PSK definition or Remote Identity in Connection setup?

Probably in both. I will also test this since it interests me.
Hardware:
DEC740