Strongswan does not allow persistent SETKEY entries. All are wiped after reboot



  • I have an IPSec tunnel to a Sonicwall 5600 passing all traffic.
    On PFSense 2.1.5 I have added 2 setkey entries to allow traffic to the LAN interface, otherwise all traffic is just passed into the tunnel and the LAN interface is not reachable, which is a problem as I have a captive portal.

    The LAN subnet is: 192.168.12.0/22
    PFSense WAN interface 192.168.11.253
    Sonicwall WAN Interface: 192.168.20.253
    Please don't get irritated by the WAN being a private network; it is a private IP network around the world, routed by a service provider, so these addresses are actually WAN addresses.

    Doing a setkey -DP on PFSense 2.1.5 shows:

    $ setkey -DP
    192.168.12.0/22[any] 192.168.12.1[any] 255
    in none
    spid=2 seq=3 pid=59523
    refcnt=1

    0.0.0.0/0[any] 192.168.12.0/22[any] 255
    in ipsec
    esp/tunnel/192.168.20.253-192.168.11.253/unique#16386
    spid=4 seq=2 pid=59523
    refcnt=1

    192.168.12.1[any] 192.168.12.0/22[any] 255
    out none
    spid=1 seq=1 pid=59523
    refcnt=1

    192.168.12.0/22[any] 0.0.0.0/0[any] 255
    out ipsec
    esp/tunnel/192.168.11.253-192.168.20.253/unique#16385
    spid=3 seq=0 pid=59523
    refcnt=1

    Trying to set the same on PFSense 2.2 with the following commands:

    spdflush;
    flush;

    spdadd 192.168.12.1 192.168.12.0/22 any -P out none;

    spdadd 192.168.12.0/22 192.168.12.1 any -P in none;

    spdadd 192.168.12.0/22 0.0.0.0/0 any -P out ipsec
    esp/tunnel/192.168.11.253-192.168.20.253/unique:1;

    spdadd 0.0.0.0/0 192.168.12.0/22 any -P in ipsec
    esp/tunnel/192.168.20.253-192.168.11.253/unique:1;

    All entries show up and the interface is reachable. But after every reboot of the firewall all entries get wiped and replaced with these:

    192.168.12.0/22[any] 0.0.0.0/0[any] 255
    out ipsec
    esp/tunnel/192.168.11.253-192.168.20.253/unique#16385
    spid=1 seq=0 pid=59523
    refcnt=1

    0.0.0.0/0[any] 192.168.12.0/22[any] 255
    in ipsec
    esp/tunnel/192.168.20.253-192.168.11.253/unique#16386
    spid=2 seq=2 pid=59523
    refcnt=1

    which again makes the interface unreachable.
    Is this a BUG in strongswan that you cannot set persistent routes?


  • Banned

    If you are messing with the shell, obviously none of that will survive a reboot and/or service restart and/or any config modifications via the web GUI. None of that gets saved to config.xml. Cannot see how it'd be any different with previous versions.



  • So you can't enter these routes via the GUI. The only possible way is the shell.
    If you say shell changes will not survive a reboot, how will it be possible to alter your routes for an IPSec tunnel?


  • Banned

    Install the Shellcmd package if you want to run something on boot. Or Cron and Filer. Anything not tracked via config.xml can (and will) get lost sooner or later.

    Note: None of the above will solve the issue with service restarts or the config being overwritten from the GUI. Patch the code properly to allow what you need if you have such a need.



  • Well, on PFSense 2.1.5 there was simply a file, /var/etc/ipsec/spd.conf,
    which had the required spdadd parameters in it.
    Is there a similar config file for Strongswan which can be altered, or does this not exist any more?
    Sorry, this might seem like a stupid question, but I am trying to learn this, so I am anything but an expert.

    Thanks


  • Banned

    Look, you do not manually configure things via shell, end of story. If you have need for a feature that does not exist, then file a new feature request in Redmine - https://redmine.pfsense.org/projects/pfsense/

