IPSEC ModeConfig - how to request IP from a remote Server

[davidn]

I'm trying to configure an opnsense 25.1 installation as a roadwarrior to an IPSEC head-end that has modeconfig enabled, and supplies an IP address to the roadwarrior.

I have an example strongswan configuration on a debian server that successfully connects, but it does so because I have configured the connection's "vips" parameter as 0.0.0.0 in swanctl.conf in order to request an IP address from the remote server.

I am trying to set up the same connection profile in opnsense but I have been unable to find where to configure this parameter for an IPSEC connection.

If there is not a way to configure that from the UI, is it possible to perform some sort of supplemental configuration from the shell?

[Monviech (Cedrik)]

Does anything in this manual help you?

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

[davidn]

Thank you for that suggestion. I could easily be missing something, but the instructions there seem highly focused on setting up opnsense as the server rather than the roadwarrior client. Looking into the strongswan documentation and testing on a standalone strongswan instance is how I was able to determine that I needed to set the VIPS parameter on the connection definition in swanctl.conf.

So far, I have not found anything in the opnsense UI that seems to map to setting that parameter. The Swanctl.xml file also does not reference that parameter which leads me to believe it may not be UI-accessible.

[Monviech (Cedrik)]

If you think something is missing and you know the exact parameter (best with link to strongswan swanctl docs) you can open an issue here:

https://github.com/opnsense/core/issues