IPSEC widget

conbonbur · Jul 9, 2021, 10:51 AM

Hello.
First post here.
After updating pfSense to version 2.5.2 i noticed that the IPSEC Widgets presents the summary of all active tunnels no longer detail one by one of the various tunnels as in version 2.5.1.
May i ask you if it can be fixed?

Thank you.

marc42 · Jul 19, 2021, 2:03 PM

Hello,

I was looking for something rather similar - I would like to have a widget tab or status list for the configured tunnels that I can sort (or copy/paste and sort in any spreadsheet) with one entry on every line. The 2.5.1 widget got close, but still had cells over multiple rows; the 2.5.2 widget is completely useless to me.

The best list would be simple as this:
Source;Destination;Child_IP;P1 Description;P2 Description;Status

Could you please implement a list like this, either as an ipsec status overview or perhaps as a new detailed overview tab in the ipsec widget?

Thank you,
Marc

jimp · Jul 19, 2021, 6:03 PM

@marc42 said in IPSEC widget:

I was looking for something rather similar - I would like to have a widget tab or status list for the configured tunnels that I can sort (or copy/paste and sort in any spreadsheet) with one entry on every line. The 2.5.1 widget got close, but still had cells over multiple rows; the 2.5.2 widget is completely useless to me.

The best list would be simple as this:
Source;Destination;Child_IP;P1 Description;P2 Description;Status

Could you please implement a list like this, either as an ipsec status overview or perhaps as a new detailed overview tab in the ipsec widget?

That may not be viable because IPsec doesn't work that way in every case.

Unless you're doing split tunneling, for example, the traffic selectors get combined so there is only one child SA which carries all possible pairings of source and destination networks. There isn't a viable way to split all that out, and it doesn't scale well.

The widget is not meant to be a detailed status. If you need details, you can use the full status page or run swanctl directly and parse what you want from that (e.g. swanctl --list-sas --raw or swanctl --list-sas --pretty.

marc42 · Jul 20, 2021, 7:07 AM

Thank you for your reply. But the swanctl gets me only half the truth I am looking for. I would explicitly like to see all configured tunnels, the established ones as well as the ones that are currently down.
With the latter the --raw output seems slightly broken, as there is one line per established tunnel and one line for all installed tunnel configs.

My config is set to split tunneling with like 200 unique peers, each P1 configured with its own net or IP in P2. In our old firewall I had a nice overview on all configured nets an IPs corresponding to the peer name (i.e. description).
To keep track of all configured peer nets and IPs in pfsense is virtually impossible. The 2.51 widget was the closest match to achieve this overview, but with the 2.5.2 widget even this is now lost.

The nicest output would still be a simple list with no merged table cells, just one line per entry. If there are multiple P2 entries to one P1 entry, then the P1 entry could be listed multiple times - easy to read, easy to sort.

I'd be much obliged if anyone could write and send me a patch to get such a list.

conbonbur · Jul 20, 2021, 7:23 AM

@jimp
Hi Jimp.
Thank you for the prompt reply.
IPSEC won't work that way but the widget before 2.5.2 still showed the detail of each activated tunnel so i wonder if it's possible to get it back.
Better, i ask you if there is the will to bring it back to the pre-update behavior.
Thank you.

AnHeLL · Jul 20, 2021, 11:06 AM

Hi all,

Justo to clarify, let me show you something:

This is version 2.5.1

After update, this is version 2.5.2

It sounds like the widget is grouping child SA in a single interface (WAN in this case).

It doesn't matter the configuration applied, it always shows the same in one line.

This widget is really usefull to see you active-inactive IPSec tunnels in one view so it would be great to have this functionallity back up and running.

Wait for you news.

Thanks.

marc42 · Jul 20, 2021, 12:13 PM

To add to the confusion (I hope not), this is an example on how it looks on my systems.

With 2.5.1, the destination, I get the Interface (Source), and Destination with P2 net/IP above P1 endpoint along with only the P2 description and status:

This at least gave an output on all P2 destinations, even though the combined cells were troublesome.

On a System with a 2.5.2 view (actually pfsense+ 21.05), this looks much less useful, especially the +11 others:

Here I get only a few P2 net/IP endpoints, and thus no real overview on all configured states.

Maybe we could just have additional tabs in the widget, listing all P1 states/tunnels, all P2 states/tunnels with each corresponding descriptions?

cswroe · Jul 20, 2021, 5:04 PM

https://forum.netgate.com/topic/165185/ipsec-status-on-dashboard-is-broken-on-2-5-2-after-upgrade

jimp · Jul 30, 2021, 6:10 PM

I just redid the widget (again) when working on IPsec. Give 2.6.0 or 21.09 snapshots a try once the commit gets in a snapshot. Hopefully on a test or lab system :-)

conbonbur · Aug 2, 2021, 7:11 AM

Ok. Thank you for the effort.