Netgate Discussion Forum
    HEADS UP: IPsec swanctl conversion

    Category: 2.5 Development Snapshots (Retired)
    6 Posts, 4 Posters, 2.4k Views
      jimp Rebel Alliance Developer Netgate
      last edited by jimp

      I just committed a sizable change to IPsec behavior on 2.5.0, converting from the deprecated ipsec/stroke configuration format to the new swanctl/vici format. See https://redmine.pfsense.org/issues/9603 for some more background on the motivation for the change.

      I have been testing this in various ways in my lab for several days with great success, but now it's time for wider testing.

      This change is not yet in builds, but will be available soon.
      EDIT: Current CE and Factory 2.5.0 snapshots include all of these changes, and are ready for testing.

      From the commit message:

      • Converted IPsec configuration code from ipsec.conf ipsec/stroke style to swanctl.conf swanctl/vici style. Issue #9603
      • Split up much of the single large IPsec configuration function into multiple functions as appropriate.
      • Optimized code along the way, including reducing code duplication and finding ways to generalize functions to support future expansion.
      • For IKEv1 and IKEv2 with Split Connections enabled, P2 settings are properly respected for each individual P2, such as separate encryption algorithms. This method also fixes #6263
      • Corrected some cosmetic issues on status_ipsec.php, including changes that fix #8847
      • Added a Connect Children button to status_ipsec.php to bring up child SAs when a P1 is connected but P2s disconnected.
      • New GUI option under VPN > IPsec, Mobile Clients tab to enable RADIUS Accounting which was previously on by default. This is now disabled by default as RADIUS accounting data will be sent for every tunnel, not only mobile clients, and if the accounting data fails to reach the RADIUS server, tunnels may be disconnected.

      Additional developer & advanced user notes:

      • For those who may have scripts which touched files in /var/etc/ipsec, note that the structure of this directory has changed to the new swanctl layout.
      • Any usage of /usr/local/sbin/ipsec or stroke must also be changed to /usr/local/sbin/swanctl and VICI. Note that some commands have no direct equivalents, but the same or better information is available in other ways.
      • IPsec start/stop/reload functions now use /usr/local/sbin/strongswanrc
      • IPsec-related functions were converged into ipsec.inc, removed from vpn.inc, and renamed from vpn_ipsec_<name> to ipsec_<name>

      If you have trouble with IPsec on future snapshots, start a new thread in this category and include as much detail as possible, especially a general description of the type of setup, the contents of /var/etc/ipsec/swanctl.conf and the output of various swanctl --list-<name> commands, plus IPsec log contents.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        Derelict LAYER 8 Netgate
        last edited by

        @jimp It looks like something is different in the reauth/rekey logic and settings.

        Tunnel on 2.4.4-p3 to 2.5.0:
        con1000: IKEv2, reauthentication every 85860s, no rekeying, dpd delay 10s

        Other side on 2.5.0 to 2.4.4-p3:
        con1000: IKEv2, no reauthentication, rekeying every 77760s, dpd delay 10s

        As far as I know these are configured the same in the gui on both sides. Disable rekey is not checked, disable reauth is not checked.

        This shows as Reauth seconds (-) on the 2.5.0 side's status page.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          jimp Rebel Alliance Developer Netgate
          last edited by

          The strongswan swanctl docs say reauth is disabled for IKEv2 by default and can cause problems when enabled, but IKEv1 only supports reauth. With swanctl there is no concept of "Phase 1 lifetime", only rekey or reauth times, so now it configures rekey for IKEv2 and reauth for IKEv1.

          I suppose we could split it into two separate GUI fields so someone could choose to enable reauth even when it isn't recommended.

            w0w
            last edited by

            My mobile IPSEC client works without problems. 👍

              jimp Rebel Alliance Developer Netgate @Derelict
              last edited by

              @Derelict said in HEADS UP: IPsec swanctl conversion:

              @jimp It looks like something is different in the reauth/rekey logic and settings.

              I've addressed this in https://redmine.pfsense.org/issues/9983

              I changed the logic so the user has more control now. On upgrade, it will migrate the old lifetime value to a new dedicated Reauth Time box, and I've added a separate box for Rekey Time that users can set for IKEv2 if they choose. So now rather than make assumptions, it maintains consistent behavior with previous versions and gives the user control of the behavior. More details on the issue linked above and on the relevant commit: https://github.com/pfsense/pfsense/commit/9701089ebd5151593390749ddae090a6afe7f360

              Note that IKEv2 can use both reauth and rekey at the same time if the user wants, though I'm not sure why they'd want to. I updated the status page to show both for IKEv2 as well.

                msm
                last edited by

                @jimp it looks like the mobile-pool may need to be split now to support both IPv4 and IPv6.

                Configuring 192.168.4.0/24 and 2604:2000:2941:4604::/120 results in the following in /var/etc/ipsec/swanctl.conf

                pools {
                        mobile-pool {
                                addrs = 192.168.4.0/24,2604:2000:2941:4604::/120
                                dns = 192.168.10.1
                                subnet = 0.0.0.0/0,::/0
                                split_include = 0.0.0.0/0,::/0
                                # Search domain and default domain
                                28674 = "nyc.example.com"
                                28675 = "nyc.example.com"
                        }
                }
                

                But it appears that only the first (IPv4) addresses are used...

                $ swanctl --list-pools
                mobile-pool          192.168.4.0                         0 / 0 / 254
                

                I created a (more detailed) issue in https://redmine.pfsense.org/issues/10296

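An added example, not code from the thread or from pfSense: a small Python check that parses the `pools` section of a swanctl.conf and flags any pool whose `addrs` mixes IPv4 and IPv6 prefixes, the situation msm describes where only the first family actually gets used. The sample configuration is constructed, modelled on the block quoted above.

```python
"""Flag swanctl.conf pools whose 'addrs' mixes IPv4 and IPv6 prefixes."""
import ipaddress
import re

# Constructed sample; shape copied from the pool block quoted in the thread.
SAMPLE_CONF = """
pools {
        mobile-pool {
                addrs = 192.168.4.0/24,2001:db8:4604::/120
                dns = 192.168.10.1
                # Search domain and default domain
                28674 = "vpn.example.com"
        }
        v4-only {
                addrs = 10.9.0.0/24
        }
}
"""

def parse_pool_addrs(conf_text):
    """Return {pool_name: [addrs, ...]} for every pool in the pools section.

    Minimal brace-depth parser: it only understands the nesting swanctl.conf
    uses here (section { subsection { key = value } }) and skips # comments."""
    pools = {}
    stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"^([\w.-]+)\s*\{$", line)
        if opened:
            stack.append(opened.group(1))
            continue
        if line == "}":
            stack.pop()
            continue
        if "=" in line and len(stack) == 2 and stack[0] == "pools":
            key, _, value = line.partition("=")
            if key.strip() == "addrs":
                pools[stack[1]] = [a.strip() for a in value.split(",") if a.strip()]
    return pools

def mixed_family_pools(pools):
    """Names of pools whose addrs list contains both IPv4 and IPv6 networks."""
    bad = []
    for name, addrs in pools.items():
        versions = {ipaddress.ip_network(a, strict=False).version for a in addrs}
        if len(versions) > 1:
            bad.append(name)
    return bad
```

Run it against `/var/etc/ipsec/swanctl.conf` and compare the result with `swanctl --list-pools`: a pool reported here but listed with only its IPv4 range is the behaviour described in the post.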