HEADS UP: IPsec swanctl conversion

  • Rebel Alliance Developer Netgate

    I just committed a sizable change to IPsec behavior on 2.5.0, converting from the deprecated ipsec/stroke configuration format to the new swanctl/vici format. See https://redmine.pfsense.org/issues/9603 for some more background on the motivation for the change.

    I have been testing this in various ways in my lab for several days with great success, but now it's time for wider testing.

    This change is not yet in builds, but will be available soon.
    EDIT: Current CE and Factory 2.5.0 snapshots include all of these changes, and are ready for testing.

    From the commit message:

    • Converted IPsec configuration code from ipsec.conf ipsec/stroke style to swanctl.conf swanctl/vici style. Issue #9603
    • Split up much of the single large IPsec configuration function into multiple functions as appropriate.
    • Optimized code along the way, including reducing code duplication and finding ways to generalize functions to support future expansion.
    • For IKEv1 and IKEv2 with Split Connections enabled, P2 settings are properly respected for each individual P2, such as separate encryption algorithms. This method also fixes #6263
    • Corrected some cosmetic issues on status_ipsec.php, including changes that fix #8847
    • Added a Connect Children button to status_ipsec.php to bring up child SAs when a P1 is connected but P2s disconnected.
    • New GUI option under VPN > IPsec, Mobile Clients tab to enable RADIUS Accounting which was previously on by default. This is now disabled by default as RADIUS accounting data will be sent for every tunnel, not only mobile clients, and if the accounting data fails to reach the RADIUS server, tunnels may be disconnected.

    Additional developer & advanced user notes:

    • For those who may have scripts which touched files in /var/etc/ipsec, note that the structure of this directory has changed to the new swanctl layout.
    • Any usage of /usr/local/sbin/ipsec or stroke must also be changed to /usr/local/sbin/swanctl and VICI. Note that some commands have no direct equivalents, but the same or better information is available in other ways.
    • IPsec start/stop/reload functions now use /usr/local/sbin/strongswanrc
    • IPsec-related functions were converged into ipsec.inc, removed from vpn.inc, and renamed from vpn_ipsec_<name> to ipsec_<name>

    If you have trouble with IPsec on future snapshots, start a new thread in this category and include as much detail as possible, especially a general description of the type of setup, the contents of /var/etc/ipsec/swanctl.conf and the output of various swanctl --list-<name> commands, plus IPsec log contents.

  • LAYER 8 Netgate

    @jimp It looks like something is different in the reauth/rekey logic and settings.

    Tunnel on 2.4.4-p3 to 2.5.0:
    con1000: IKEv2, reauthentication every 85860s, no rekeying, dpd delay 10s

    Other side on 2.5.0 to 2.4.4-p3:
    con1000: IKEv2, no reauthentication, rekeying every 77760s, dpd delay 10s

    As far as I know these are configured the same in the gui on both sides. Disable rekey is not checked, disable reauth is not checked.

    This shows as Reauth seconds (-) on the 2.5.0 side's status page.

  • Rebel Alliance Developer Netgate

    The strongswan swanctl docs say reauth is disabled for IKEv2 by default and can cause problems when enabled, but IKEv1 only supports reauth. With swanctl there is no concept of "Phase 1 lifetime", only rekey or reauth times, so now it configures rekey for IKEv2 and reauth for IKEv1.

    I suppose we could split it into two separate GUI fields so someone could choose to enable reauth even when it isn't recommended.

  • My mobile IPSEC client works without problems.👍

  • Rebel Alliance Developer Netgate

    @Derelict said in HEADS UP: IPsec swanctl conversion:

    @jimp It looks like something is different in the reauth/rekey logic and settings.

    I've addressed this in https://redmine.pfsense.org/issues/9983

    I changed the logic so the user has more control now. On upgrade, it will migrate the old lifetime value to a new dedicated Reauth Time box, and I've added a separate box for Rekey Time that users can set for IKEv2 if they choose. So now rather than make assumptions, it maintains consistent behavior with previous versions and gives the user control of the behavior. More details on the issue linked above and on the relevant commit: https://github.com/pfsense/pfsense/commit/9701089ebd5151593390749ddae090a6afe7f360

    Note that IKEv2 can use both reauth and rekey at the same time if the user wants, though I'm not sure why they'd want to. I updated the status page to show both for IKEv2 as well.

  • @jimp it looks like the mobile-pool may need to be split now to support both IPv4 and IPv6.

    Configuring and 2604:2000:2941:4604::/120 results in the following in /var/etc/ipsec/swanctl.conf

    pools {
            mobile-pool {
                    addrs =,2604:2000:2941:4604::/120
                    dns =
                    subnet =,::/0
                    split_include =,::/0
                    # Search domain and default domain
                    28674 = "nyc.example.com"
                    28675 = "nyc.example.com"

    But it appears that only the first (IPv4) addresses are used...

    $ swanctl --list-pools
    mobile-pool                         0 / 0 / 254

    I created a (more detailed) issue in https://redmine.pfsense.org/issues/10296
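The two swanctl.conf details raised in this thread, the rekey/reauth defaults behind the con1000 mismatch and the mobile-pool mixing IPv4 and IPv6 in one addrs list, can both be checked mechanically from the generated file. The script below is an added example written for this page; it is not pfSense or strongSwan code. It parses the brace-delimited swanctl.conf format, reports the effective IKE rekey and reauth times per connection using the defaults as I understand them from swanctl.conf(5) (reauth_time 0, rekey_time 4h, and rekey_time falling back to 0 once reauth_time is set, which is why a side with only reauth_time shows "no rekeying"), flags pools whose addrs span both families, and splits such a pool into one pool per family. The sample config is constructed from values in the thread; the 10.7.0.0/24 and 10.7.0.1 addresses stand in for the IPv4 part missing from the post, and every function name here is mine.

```python
"""Check a swanctl.conf fragment for the two issues discussed in the thread:
effective IKE rekey/reauth times, and mobile pools mixing IPv4 and IPv6.
Added example for this page; not pfSense or strongSwan code."""
import ipaddress

# Constructed sample. 10.7.0.0/24 and 10.7.0.1 are placeholders, not from the post.
SAMPLE = """
connections {
    con1000 {
        version = 2
        reauth_time = 85860s
    }
    con2000 {
        version = 2
        rekey_time = 77760s
    }
    con3000 {
        version = 1
        reauth_time = 28800s
    }
}
pools {
    mobile-pool {
        addrs = 10.7.0.0/24,2604:2000:2941:4604::/120
        dns = 10.7.0.1
        subnet = 0.0.0.0/0,::/0
        split_include = 0.0.0.0/0,::/0
        # Search domain and default domain
        28674 = "nyc.example.com"
        28675 = "nyc.example.com"
    }
}
"""

UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Convert a swanctl time value ('85860s', '4h', '28800') to seconds."""
    value = value.strip()
    if value and value[-1] in UNIT:
        return int(value[:-1]) * UNIT[value[-1]]
    return int(value)


def parse_swanctl(text):
    """Minimal parser for swanctl.conf's 'section { key = value }' syntax (no includes/refs)."""
    root, stack = {}, []
    stack.append(root)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unexpected '}}'")
            stack.pop()
        elif "=" in line:
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip().strip('"')
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def ike_lifetimes(conf):
    """Return {conn: (ike_version, rekey_seconds, reauth_seconds)} with swanctl defaults
    applied (assumption from swanctl.conf(5): reauth_time 0, rekey_time 4h, but rekey_time
    defaults to 0 once reauth_time is set; IKEv1 has no rekeying, only reauthentication)."""
    result = {}
    for name, conn in conf.get("connections", {}).items():
        version = int(conn.get("version", "0"))
        reauth = to_seconds(conn.get("reauth_time", "0"))
        rekey = to_seconds(conn.get("rekey_time", "0" if reauth else "4h"))
        if version == 1:
            rekey = 0  # IKEv1 cannot rekey the IKE_SA; only reauth_time applies
        result[name] = (version, rekey, reauth)
    return result


POOL_ADDRESS_KEYS = ("addrs", "dns", "nbns", "subnet", "split_include", "split_exclude")


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def addr_family(item):
    return ipaddress.ip_network(item, strict=False).version


def mixed_family_pools(conf):
    """Pools whose addrs list spans both IPv4 and IPv6, the case reported above."""
    mixed = {}
    for name, pool in conf.get("pools", {}).items():
        families = sorted({addr_family(a) for a in split_list(pool.get("addrs", ""))})
        if len(families) > 1:
            mixed[name] = families
    return mixed


def split_pool(pool):
    """Split one mixed pool into {4: pool_v4, 6: pool_v6}: address-bearing keys are
    filtered by family (dropped when empty); other attributes (e.g. 28674) are copied."""
    out = {}
    for fam in (4, 6):
        new = {}
        for key, value in pool.items():
            if key in POOL_ADDRESS_KEYS:
                kept = [v for v in split_list(value) if addr_family(v) == fam]
                if kept:
                    new[key] = ",".join(kept)
            else:
                new[key] = value
        if new.get("addrs"):
            out[fam] = new
    return out


def render_pools(pools):
    """Render {name: pool} back into a swanctl.conf 'pools' section."""
    lines = ["pools {"]
    for name, pool in pools.items():
        lines.append(f"    {name} {{")
        for key, value in pool.items():
            lines.append(f'        {key} = "{value}"' if key.isdigit() else f"        {key} = {value}")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


CONF = parse_swanctl(SAMPLE)

if __name__ == "__main__":
    for name, (ver, rekey, reauth) in ike_lifetimes(CONF).items():
        print(f"{name}: IKEv{ver} rekey={rekey}s reauth={reauth}s")
    for name in mixed_family_pools(CONF):
        halves = split_pool(CONF["pools"][name])
        print(render_pools({f"{name}-v{fam}": p for fam, p in halves.items()}))
```

Run it against /var/etc/ipsec/swanctl.conf by replacing SAMPLE with the file contents; the per-connection output reproduces the "reauthentication every 85860s, no rekeying" versus "no reauthentication, rekeying every 77760s" split seen on the two sides, and the rendered pools are one way to give each address family its own pool so that `swanctl --list-pools` shows both.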
