Netgate Discussion Forum

Strongswan does not allow persistent SETKEY entries. All are wiped after reboot

IPsec, 6 Posts, 2 Posters, 1.3k Views

swalz:

I have an IPSec tunnel to a Sonicwall 5600 passing all traffic.
On pfSense 2.1.5 I have added 2 setkey entries to allow traffic to the LAN interface; otherwise all traffic is just passed into the tunnel and the LAN interface is not reachable, which is a problem as I have a captive portal.

The LAN subnet is: 192.168.12.0/22
pfSense WAN interface: 192.168.11.253
Sonicwall WAN interface: 192.168.20.253
Please don't get irritated by the WAN being a private network; it is a private IP network around the world routed by a service provider, so these addresses are actually WAN addresses.

Doing a setkey -DP on pfSense 2.1.5 shows:

      $ setkey -DP
      192.168.12.0/22[any] 192.168.12.1[any] 255
      in none
      spid=2 seq=3 pid=59523
      refcnt=1
      0.0.0.0/0[any] 192.168.12.0/22[any] 255
      in ipsec
      esp/tunnel/192.168.20.253-192.168.11.253/unique#16386
      spid=4 seq=2 pid=59523
      refcnt=1
      192.168.12.1[any] 192.168.12.0/22[any] 255
      out none
      spid=1 seq=1 pid=59523
      refcnt=1
      192.168.12.0/22[any] 0.0.0.0/0[any] 255
      out ipsec
      esp/tunnel/192.168.11.253-192.168.20.253/unique#16385
      spid=3 seq=0 pid=59523
      refcnt=1

Trying to set the same on pfSense 2.2 with the following commands:

      spdflush;
      flush;

      spdadd 192.168.12.1 192.168.12.0/22 any -P out none;

      spdadd 192.168.12.0/22 192.168.12.1 any -P in none;

      spdadd 192.168.12.0/22 0.0.0.0/0 any -P out ipsec
      esp/tunnel/192.168.11.253-192.168.20.253/unique:1;

      spdadd 0.0.0.0/0 192.168.12.0/22 any -P in ipsec
      esp/tunnel/192.168.20.253-192.168.11.253/unique:1;

All entries show up and the interface is reachable. But after every reboot of the firewall all entries get wiped and replaced by these:

      192.168.12.0/22[any] 0.0.0.0/0[any] 255
      out ipsec
      esp/tunnel/192.168.11.253-192.168.20.253/unique#16385
      spid=1 seq=0 pid=59523
      refcnt=1

      0.0.0.0/0[any] 192.168.12.0/22[any] 255
      in ipsec
      esp/tunnel/192.168.20.253-192.168.11.253/unique#16386
      spid=2 seq=2 pid=59523
      refcnt=1

which again makes the interface unreachable.
Is this a BUG in strongswan that you cannot set persistent routes?

doktornotor (Banned):

If you are messing with shell, obviously none of that will survive reboot and/or service restart and/or any config modifications via the web GUI. None of that gets saved to config.xml. Cannot see how it'd be any different with previous versions.

swalz:

So you can't enter these routes via the GUI; the only possible way is the shell.
If you say the shell will not survive a reboot, how will it be possible to alter your routes for an IPSec tunnel?

doktornotor (Banned):

Install the Shellcmd package if you want to run something on boot. Or Cron and Filer. Anything not tracked via config.xml can (and will) get lost sooner or later.

Note: None of the above will solve the issue with service restarts or config overwritten from the GUI. Patch the code properly to allow what you need if you have such need.

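The bypass entries from the first post, checked and re-applied by a small sh script of the kind one would hang off the Shellcmd package mentioned above. This is an added example, not code from the thread or from pfSense; the two addresses are the ones given in the first post, and the assumptions that `setkey` is on the path, that `setkey -c` reads policy commands from stdin, and that the script runs as root are mine. Invoked without arguments it only runs a self-check on two constructed copies of the `setkey -DP` output (the 2.1.5 dump with the bypass entries and the post-reboot 2.2 dump without them); with `--live` it inspects the real SPD and re-adds the two `none` policies only when they are gone. As the post above says, this does nothing for service restarts or GUI changes, which rewrite the SPD again.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): verify that the two "bypass"
# SPD entries (policy "none") between the LAN gateway address and the LAN subnet
# are present in `setkey -DP` output, and re-add them when run with --live.
# The addresses are the ones from the thread; everything else is an assumption.

LAN_GW="192.168.12.1"
LAN_NET="192.168.12.0/22"

# spd_has_policy DUMP SRC DST DIR POLICY
# Returns 0 when DUMP contains a selector line "SRC[any] DST[any] <proto>"
# immediately followed by a line "DIR POLICY" (for example "out none").
spd_has_policy() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" -v pol="$5" '
        # selector line, e.g.: 192.168.12.1[any] 192.168.12.0/22[any] 255
        $1 == (src "[any]") && $2 == (dst "[any]") { want = 1; next }
        # the line right after a matching selector carries "<dir> <policy>"
        want == 1 { want = 0; if ($1 == dir && $2 == pol) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Returns 0 when both bypass entries are present, 1 when either is missing.
spd_bypass_ok() {
    spd_has_policy "$1" "$LAN_GW" "$LAN_NET" out none &&
    spd_has_policy "$1" "$LAN_NET" "$LAN_GW" in none
}

# Constructed sample: the SPD as the first post shows it on 2.1.5 (bypass present).
SAMPLE_OK='192.168.12.0/22[any] 192.168.12.1[any] 255
in none
spid=2 seq=3 pid=59523
refcnt=1
0.0.0.0/0[any] 192.168.12.0/22[any] 255
in ipsec
esp/tunnel/192.168.20.253-192.168.11.253/unique#16386
spid=4 seq=2 pid=59523
refcnt=1
192.168.12.1[any] 192.168.12.0/22[any] 255
out none
spid=1 seq=1 pid=59523
refcnt=1
192.168.12.0/22[any] 0.0.0.0/0[any] 255
out ipsec
esp/tunnel/192.168.11.253-192.168.20.253/unique#16385
spid=3 seq=0 pid=59523
refcnt=1'

# Constructed sample: the SPD after a reboot on 2.2 (tunnel policies only).
SAMPLE_MISSING='192.168.12.0/22[any] 0.0.0.0/0[any] 255
out ipsec
esp/tunnel/192.168.11.253-192.168.20.253/unique#16385
spid=1 seq=0 pid=59523
refcnt=1

0.0.0.0/0[any] 192.168.12.0/22[any] 255
in ipsec
esp/tunnel/192.168.20.253-192.168.11.253/unique#16386
spid=2 seq=2 pid=59523
refcnt=1'

# Self-check against the constructed samples; no setkey needed.
self_check() {
    spd_bypass_ok "$SAMPLE_OK" && echo "sample 1: LAN bypass present"
    spd_bypass_ok "$SAMPLE_MISSING" || echo "sample 2: LAN bypass missing"
}

# Live mode (root on the firewall): inspect the real SPD and re-add the bypass
# entries only when they are gone. `setkey -c` reads policy commands from stdin.
check_live() {
    live=$(setkey -DP) || { echo "setkey -DP failed" >&2; return 1; }
    if spd_bypass_ok "$live"; then
        echo "LAN bypass SPD entries present"
        return 0
    fi
    echo "LAN bypass SPD entries missing; re-adding"
    setkey -c <<EOF
spdadd $LAN_GW $LAN_NET any -P out none;
spdadd $LAN_NET $LAN_GW any -P in none;
EOF
}

if [ "${1:-}" = "--live" ]; then check_live; else self_check; fi
```

The matcher keys on the selector line followed by the direction/policy line, so a tunnel policy for the same subnet (`out ipsec`) is not mistaken for the bypass (`out none`); the `spid`/`seq`/`pid` lines vary between boots and are ignored.
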
swalz:

Well, on pfSense 2.1.5 there was simply a file in /var/etc/ipsec/spd.conf
which had the spdadd parameters required in it.
Is there a similar config file in Strongswan which can be altered, or does this not exist any more?
Sorry, might seem like a stupid question, but I am trying to learn this, so I am everything but an expert.

Thanks

doktornotor (Banned):

Look, you do not manually configure things via shell, end of story. If you have need for a feature that does not exist, then file a new feature request in Redmine - https://redmine.pfsense.org/projects/pfsense/

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.