Allowing custom connection definitions to be set from the GUI



  • TL;DR: pfSense functionality addition of adding custom options/connections to 'ipsec.conf' + 'strongswan.conf' using the pfSense GUI

    First of all, great decision including strongSwan and getting rid of Racoon.

    There might be scenarios in which one would like to get an IPSEC connection set up with custom options that the GUI doesn't account for (I can name a few). There are 2 ways forward as I see it:

    1. Request for additional functionality -> Add the necessary custom options in the GUI. Upon approval and code change, the additional functionality would be available in an upcoming release of pfSense
    2. Create your own custom files (ipsec.conf, strongswan.conf), change /etc/inc/vpn.inc to not overwrite the manually edited files (ipsec.conf, strongswan.conf), and additionally, make sure these files will be copied back to /var/etc/ipsec after a reboot (using something like shellcmd, or a custom RC script)

    The way forward is option 1, I'd say; however, luck and time pass by before getting to your goal, one that the whole pfSense community could be enjoying. The workaround is option 2; however, it is quite a hack, and it makes easy upgrading of pfSense to future versions time-consuming and error-prone.

    To meet one in the middle, how about being able to set custom options for strongSwan from the GUI? Meaning: being able to add custom connections to the 'ipsec.conf' file, and perhaps also adding custom options to the 'strongswan.conf' file. There are a couple of packages that the GUI allows configuration additions for (named, DNS forwarder, DNS resolver). These package GUI sections provide one with a box in which custom options can be specified. These options will be appended to the package's configuration file, and all is well, and more importantly, not an ugly hack as previously mentioned option 2. Most importantly, it would allow for custom configurations not supported through the GUI, until said custom configuration/functionality is either being accepted for inclusion, or rejected for inclusion within pfSense.

    Is it feasible to include GUI options for adding custom IPSEC configuration?

    It has been done before it seems, at least for the OSPF package (reference: https://www.reddit.com/r/PFSENSE/comments/3108ph/is_there_any_way_to_preventing_pfsense_from/).



  • Any news on this? We're looking for similar functionality with IPSec (multiple mobile client profiles). Maybe a Redmine issue may work better?



  • I would find this option useful as well, to be able to set connection inactivity configuration.

