Issues with new "IPSec" version with Connections.

Started by mrzaz, March 25, 2026, 08:37:47 PM

Hello,

I am running 26.1.5 and have an IPSec legacy connection set up and working OK to a destination node,
and I am trying to replace it with the new IPSec Connections, but it fails all the time.

I have tried to migrate the settings from old to new to the best of my abilities, but it does not come up. :-/
Is there anything specific I need to think about?

Here are the IPSec settings; I will reply to myself with more screenshots of the new IPSec and the old.

//Dan Lundqvist
Best regards
Dan Lundqvist (mrzaz)

"It's better to burn up, than fade away..." (Highlander)

More screenshots.

//Danne

Last screenshot.

//Dan Lundqvist

1st screenshot: local address

Is it the address of the WAN interface, or is it the public IP, which differs from the WAN interface IP?

Hi,
Thanks for answering.

The "Local addresses" is my public WAN IP address, which is static, not DHCP or DHCP-reserved.
My WAN is not double-NATed but has a real public static IP. The Internet reaches my WAN directly.
I even have recursive DNS lookup on two of the three IPs I "own" (it helps my mailserver look more legit).

The "Remote address" is a domain name that resolves to an A record in DNS.

And it is using the exact same IP/PSK and similar settings as my legacy IPSec, which is working totally fine, is up,
and can reach the network on the other side of the IPSec tunnel.

From what I could see, both local and remote accept "single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges."

I do not use pools, so that is switched off.

I'm a little puzzled about the Local and Remote Authentication screens.
The connection is the only one selectable in the drop-down menu and auth = PSK,
but I don't know if I need to specify anything in "Round" and "ID"?

If I read this correctly, it has more to do with using certificates.

"IKE identity to use for authentication round. When using certificate authentication
the IKE identity must be contained in the certificate; either as the subject DN or
as a subjectAltName (the identity will default to the certificate's subject DN if
not specified). Refer to https://docs.strongswan.org/docs/5.9/config/identityParsing.html
for details on how identities are parsed and may be configured."


I have not needed to create any certificate in the legacy IPSec OPNsense setup.

The Children (aka ~= Phase 2) has the following:
Connection = <connection name>
Mode = Tunnel
Policies = YES.  (As I am not using VTI in the setup but straight old-fashioned IPSec.)
Start action = Start
DPD action = Start
Reqid = <blank>    I am not sure if this needs to be populated with anything if not using manual certificates?
ESP proposals = default
Local = 192.168.120.0/24    ; this is my LAN
Remote = 192.168.100.0/24    ; this is remote LAN.

In the PreSharedKey setting I have set up a PSK.
Local Identifier = <my public static IP>
Remote Identifier = a specific DNS A-record domain name
Pre-Shared Key = our shared PSK that works in legacy IPSec right now.
Type = PSK

I just realized one thing.

In legacy IPSec you manually define "My identifier" and "Peer identifier",
whereas in my legacy setting I could not find that setting!?

My identifier = My IP address (my WAN IP address, the same as defined in Connections "Local addresses").
Peer identifier = Distinguished name = <a specific domain name in "xxx.yyy.zz" format>.

There must be something I'm missing, but I could not find out what that is.

Firewall is set to the following on WAN:
- Allow ESP for IPSec (IPv4)
- Allow IKE port 500 for IPSec (UDP ISAKMP (500))
- I also have "IPSEC-NAT-T (4500)" on WAN (Allow IPSec IKEv2 MOBIKE NAT-Traversal)

Best regards
Dan Lundqvist
Stockholm, Sweden

PS. I have been using OPNsense for many years, and pfSense before that (before they stagnated and I moved to the much better OPNsense and never looked back. :-)
I have been using both the legacy IPSec standard and VTI tunnels (OPNsense<->OPNsense), with at least
3 VTI plus one standard IPSec at the same time.

An anecdote: I have had my own domain since 2000 and have been running a mailserver since late 2002, with at least 1-2
real persons since day one entrusting me as their main email provider for 20+ years. :-)

What is the log output? Something like "no matching peer config found"? The ID fields in "Edit local" and "Edit Remote" are part of the strongSwan config (/usr/local/etc/swanctl/swanctl.conf).

Quote from: mrzaz on Today at 03:12:56 PM
    And it is using the exact same IP/PSK and similar settings as my legacy IPSec, which is working totally fine, is up,
    and can reach the network on the other side of the IPSec tunnel.
For testing the new connection you have to disable the legacy one, however.

Quote from: mrzaz on Today at 03:12:56 PM
    I'm a little puzzled about the Local and Remote Authentication screens.
These are the authentication settings.
In local you define how your server authenticates to the remote site.
And in remote you define how the remote site has to authenticate to your server.

I think it's necessary to state a local and a remote identifier in the pre-shared key settings, and then use the same in the local and remote settings of the connection. This is the only way IPSec can select the proper PSK in case you have multiple.
This means you will have to enter the respective ID from the PSK in the authentication settings.

Quote from: mrzaz on Today at 03:12:56 PM
    Reqid = <blank>    I am not sure if this needs to be populated with anything if not using manual certificates?
Recent versions set a unique reqid automatically, as I've read. This didn't work in the past, however, so I've stated a unique one (above 10) for each tunnel.

Quote from: mrzaz on Today at 03:12:56 PM
    ESP proposals = default
You should uncheck "default" and select a proper proposal for your needs here. The same is true for phase 1.
According to your screenshot of the legacy settings, you need aes256-sha256-modp1024 [DH2].

Quote from: mrzaz on Today at 03:12:56 PM
    In legacy IPSec you manually define "My identifier" and "Peer identifier",
    whereas in my legacy setting I could not find that setting!?
You mean in the new connections?
As mentioned, you have to state them in the PSK and authentication settings.

Quote from: mrzaz on Today at 03:12:56 PM
    PS. I have been using OPNsense for many years, and pfSense before that (before they stagnated and I moved to the much better OPNsense and never looked back. :-)
Me too. :-)
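As an added illustration (not taken from the posts above or from the OPNsense project, whose GUI generates this file), here is the shape of the swanctl.conf stanzas the reply refers to; the addresses, names, reqid and PSK are constructed placeholders, and the point is that the connection's local/remote `id` values match the `id-*` entries of the secret so strongSwan can pick the right PSK:

```conf
# Added illustration, not the thread's own config. Addresses, names, reqid and
# the PSK are constructed placeholders; OPNsense writes this file from the GUI.
connections {
    site-a-to-b {
        # Local: the static public WAN IP; remote: the peer's DNS A record
        local_addrs  = 203.0.113.10
        remote_addrs = vpn.example.net
        # Phase 1 proposal matching the legacy settings named in the reply
        proposals = aes256-sha256-modp1024
        local {
            auth = psk
            # Must equal id-local in the secret below (parsed as an IPv4 identity)
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # Must equal id-remote below (parsed as an FQDN identity)
            id = vpn.example.net
        }
        children {
            lan-to-lan {
                mode = tunnel
                local_ts  = 192.168.120.0/24
                remote_ts = 192.168.100.0/24
                esp_proposals = aes256-sha256-modp1024
                start_action = start
                # Unique value above 10, as the reply suggests (assumed value)
                reqid = 11
            }
        }
    }
}
secrets {
    ike-site-a-to-b {
        # These IDs are what selects this PSK for the peer pair above
        id-local  = 203.0.113.10
        id-remote = vpn.example.net
        secret = "REPLACE-WITH-REAL-PSK"
    }
}
```

If either `id` differs from the corresponding `id-*` line (for example an IP on one side and a DNS name on the other), strongSwan cannot match the secret and the IKE authentication fails. modp1024 (DH group 2) is kept here only because it is what the legacy peer offers; agree on a stronger group with the peer when possible.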