IPSEC S2S VPN

Started by Wendo, Today at 05:36:20 AM

Hi All

I feel like I'm going crazy here. I'm looking to set up an IPSEC S2S tunnel from an OPNsense firewall to potentially a number of other firewalls. I appear to be running the "new" UI for this, and all the docs I can find talk about a legacy mode, and the documentation for legacy mode makes sense. It talks about Phase 1 and Phase 2, it talks about proposals, shared secrets, IKE and ESP and all the normal IPSEC things.

This new UI doesn't even have most of that. I can see you can select proposals when setting up a new connection, but there appears to be no place to edit or add to the predefined ones. Lifetimes _may_ be under the advanced section of the connection but aren't called lifetimes; instead they are, I'm guessing, Re-auth time and Rekey time. No mention of PFS anywhere.

I get this might all just be trying to make it easier for beginner users, but wow, does this not look like any IPSEC setup I've ever encountered (and I've been in networking for a couple of decades).

Am I on the right path here? Can we just not create our own proposals (not to mention what exactly _is_ the default proposal)? Is PFS supported anywhere?

This is about the most useful piece of docs I've found, but there are... gaps.

Thanks

PS. Sorry for the frustrated tone, but this is, well, frustrating :)

As you can read in the title of the OPNsense doc you have linked, Strongswan is used for IPsec, and the new GUI implements their new terminology.

Going down to "Migrating from tunnels to connections", they explain where you can now find the settings that were formerly known as phase 1 and phase 2.

Also, for beginners it's recommended to display the help hints in the GUI. And if you are looking for special settings, you have to enable the advanced mode. Then it gives you options to state the rekey time and some more.

Why do you want to define your own proposals? If I open the drop-down list, I can find any combination I can think of. I'm missing nothing here.

Refer to the Strongswan docs on how it works, how you enable PFS and what the default proposal is: https://docs.strongswan.org/docs/latest/config/rekeying.html#_ipsec_sas

Quote:
To use PFS, key exchange methods may be added to the proposals for the IPsec SAs e.g.
esp_proposals = aes128-sha256-ecp384-modp3072

I've also migrated my legacy IPsec tunnels to the new connections. Yes, it took some work and diving into the new settings, but now everything works again as expected.
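To illustrate the terminology the reply points to, here is an added swanctl.conf fragment (example config, not part of the original post and not what OPNsense generates) showing where the former phase 1 / phase 2 settings live; addresses, IDs and the PSK are placeholders.

```conf
# Example swanctl.conf (strongSwan "connections" syntax); values are placeholders.
connections {
    site-a {
        # Peer addressing, formerly part of "phase 1"
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        version = 2

        # IKE SA proposal, formerly the "phase 1" proposal.
        # The DH group here protects the IKE SA only.
        proposals = aes256-sha256-modp2048

        # IKE SA lifetime handling, formerly the "phase 1 lifetime":
        # rekey_time renews keys in place, reauth_time re-authenticates the peer.
        rekey_time  = 4h
        reauth_time = 0

        local  { auth = psk; id = site-a.example }
        remote { auth = psk; id = site-b.example }

        children {
            net-net {
                # Traffic selectors, formerly the "phase 2" networks
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24

                # ESP proposal, formerly the "phase 2" proposal.
                # PFS is enabled simply by listing a DH group in the child
                # proposal; omit the group and the child SA keys are derived
                # from the IKE SA without a fresh exchange (no PFS).
                esp_proposals = aes256-sha256-modp2048

                # Child SA lifetime, formerly the "phase 2 lifetime"
                rekey_time = 1h
                start_action = trap
            }
        }
    }
}

secrets {
    ike-site-b {
        id = site-b.example
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

Both ends must agree on the ESP proposal including the DH group, so a peer that lists no group in its child proposal will not negotiate PFS with this configuration.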

Quote from: viragomann on Today at 12:39:05 PM
Why do you want to define your own proposals? If I open the drop-down list, I can find any combination I can think of. I'm missing nothing here.

To use PFS, key exchange methods may be added to the proposals for the IPsec SAs e.g.
esp_proposals = aes128-sha256-ecp384-modp3072

Why do I want to create my own proposals? Because in 95% of cases I don't control the other end of the tunnel and no other firewall I've ever seen limits the combinations available. It's a needless restriction.

PFS, seemingly, you can enable by selecting a DH group in your phase 2 / child ESP proposal.

The whole point of OPNsense is to put a useful GUI on top of the CLI processes. Including a "default" proposal just because the underlying process does, and not listing what it is anywhere other than in the actual process's docs, seems insane from a UI point of view. Ironically, even with full help on in the GUI, the child ESP proposal has zero help, and while the main connection's proposal help does have something, it doesn't explain what "default" is.

VPNs are almost never between two OPNsense devices and require tens of settings to match exactly, so why would you make it look completely different, and name damn near every field differently from every other product made?