Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HEADS UP: IPsec Changes

    Scheduled Pinned Locked Moved
    Plus 22.01 Development Snapshots (Retired)
    1
    1
    581
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      I just committed a significant set of IPsec changes which change IPsec in some fundamental ways. Some of which are not user-visible, others which are.

      The most significant thing to watch out for is to ensure that assigned IPsec VTI interface names are updated appropriately on upgrade.

      Highlights of changes:

      • VTI changes
        • VTI Interface name format has changed (again)
          • Upgrade code will update assignments appropriately, but if the old names were hardcoded in custom/manual settings somewhere, users will need to adjust them appropriately.
        • Interface names are now ipsecY where Y is the P2 reqid which is unique and constant
        • The reqid in config.xml and for connection names is a low number (e.g. 24) but when applied in the strongSwan configuration and interface it is 5000+reqid so 5024 in this example
          • High enough to avoid conflicts with reqid values dynamically allocated by strongSwan (See https://redmine.pfsense.org/issues/12155 )
          • Low enough to not approach upper limits on FreeBSD interface names (max is ipsec32767) or FreeBSD reqid values (16383)
      • IPsec configuration
        • Vast speed improvement when applying IPsec settings ( https://redmine.pfsense.org/issues/12026 )
        • P1 information is shown when editing a P2, along with a link to the relevant P1
        • Slight reorganization of some P1 and P2 sections
        • IKE ID and reqid values are shown in the GUI in the tunnel list and when editing to assist in matching log and status information
        • strongSwan configuration changes
          • Changed internal connection names to a more easily identified pattern (conX for P1, conX_Y for P2 when split, X=IKE ID, Y=reqid)
            • This means it's easy to always find the correct matching entry in config.xml without having to match in other ways.
            • Helps with issues such as https://redmine.pfsense.org/issues/11910
          • Added comments in swanctl.conf for P1/P2 descriptions
      • IPsec status
        • Vast speed improvement on IPsec status ( https://redmine.pfsense.org/issues/11951 )
        • Fixed issues with P1 descriptions not matching properly ( https://redmine.pfsense.org/issues/11910 )
        • Shows P2 descriptions where possible
        • Shows disconnected P2 entries ( https://redmine.pfsense.org/issues/6275 )
        • Shows count of both connected and disconnected P2s
        • Improvements to connect/disconnect functionality
        • Links to P1/P2 edit screens from status entries
        • Status output is sorted
        • Connect and disconnect buttons now use AJAX
      • IPsec Widget
        • Widget output redesigned to show better statistics and information
        • Active and total counts for P1, P2, and Mobile leases
        • Full listing of P1/P2 entries with AJAX connect/disconnect buttons
      • Various other code optimizations and speed improvements in IPsec

      This should make it into snapshots soon. If you have problems with IPsec on snapshots, please start a new thread to discuss and diagnose the issues.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 4
      • jimpJ jimp pinned this topic on
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.