
Route-based IPSEC / if_ipsec #2332

Closed
mimugmail opened this issue Apr 6, 2018 · 40 comments
Labels: feature (Adding new functionality)

Comments

@mimugmail
Member

Hi,

I'm targeting route-based IPSec and need some modifications.
Before I start digging into it I just want to ask if it's ok to:

  • make a new button in phase2: install policy yes/no
  • make auto = route to auto = start when button install routes in Advanced is NOT ticked

If yes I'd try this by myself ..

@AdSchellevis
Member

Hi Michael,

What do you mean with a new button in phase2?
Adding route-based would certainly be a good addition to have, I can help you review some code and suggest changes as long as the commits are in a manageable state (not too large).

Best,

Ad

@mimugmail
Member Author

Sorry, I mean a checkbox ..

@AdSchellevis
Member

clear, that makes sense :)

@mimugmail
Member Author

Ok, I have a running setup. Quite easy but I need some additional commands like setting up a GRE/GIF tunnel. ATM .. I'm a bit underskilled for this.

Steps to reproduce:

  • Create a VPN with left and right subnet 0.0.0.0/0
  • In Advanced set Don't install routes
  • In P1 we need a checkbox "Install Policy", default checked, which sets installpolicy = yes (which is already set to yes somewhere). Then uncheck it.
  • We need an if/else so that when in Advanced "Don't install routes" is ticked, we don't set auto = route, but auto = start instead.
  • In P1 we need a new integer field for a "reqid" which sets reqid = XXX in the conn

This is fairly easy, now the tricky part:

  • For P1 we need an IF Install Policy = no && IF reqid != '' then
    ifconfig ipsec0 create reqid <reqid>
    ifconfig ipsec0 inet tunnel <left-ip> <right-ip> up
    ifconfig ipsec0 inet <left-tunnel-ip>/32 <right-tunnel-ip>

Then you can create a new gateway with right-tunnel-ip and set as many routes as you wish.

Perhaps you could also create a new checkbox in P1 with "Enable Route-Based VPN" as a selector for IF bla
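The steps above, written out as a small dry-run helper. This is an added example and not code from the issue, from mimugmail or from OPNsense: it maps the proposed GUI settings (Install Policy checkbox, "Don't install routes", reqid field) to the strongSwan conn options, checks the precondition under which an if_ipsec interface should be created at all, and prints the FreeBSD ifconfig/route commands for one tunnel instead of executing them. Function names, the ipsec unit number and all addresses are constructed for the example; the reqid value printed must match the reqid= of the conn, otherwise no traffic will be matched to the SA.

```shell
#!/bin/sh
# Added example (not OPNsense code): plan a route-based IPsec (if_ipsec)
# setup from the values discussed in the issue. Prints commands only.

# reqid must be a non-empty positive integer; it ties the ipsecN interface
# to the SA negotiated for the conn with the same reqid=.
check_reqid() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Map the proposed GUI settings to conn options.
# args: install_policy (yes|no)  dont_install_routes (0|1)  reqid (may be empty)
conn_options() {
    # "Don't install routes" ticked -> auto=start instead of auto=route
    if [ "$2" = "1" ]; then echo "auto=start"; else echo "auto=route"; fi
    echo "installpolicy=$1"
    if [ -n "$3" ]; then echo "reqid=$3"; fi
}

# The interface is only created when Install Policy = no AND reqid is set.
# args: install_policy  reqid
needs_vti() {
    [ "$1" = "no" ] && check_reqid "$2"
}

# Print the interface and route commands for one tunnel.
# args: unit reqid left_ip right_ip left_tunnel_ip right_tunnel_ip [dest_net ...]
vti_plan() {
    unit=$1; reqid=$2; left=$3; right=$4; ltun=$5; rtun=$6
    shift 6
    check_reqid "$reqid" || { echo "invalid reqid: '$reqid'" >&2; return 1; }
    printf 'ifconfig ipsec%s create reqid %s\n' "$unit" "$reqid"
    printf 'ifconfig ipsec%s inet tunnel %s %s up\n' "$unit" "$left" "$right"
    printf 'ifconfig ipsec%s inet %s/32 %s\n' "$unit" "$ltun" "$rtun"
    # Remote networks are reached via the far tunnel address as gateway;
    # no policy-based SP is needed for them.
    for net in "$@"; do
        printf 'route add -net %s %s\n' "$net" "$rtun"
    done
}

# Demo with constructed (documentation-range) addresses.
conn_options no 1 1000
if needs_vti no 1000; then
    vti_plan 0 1000 203.0.113.1 198.51.100.1 10.255.0.1 10.255.0.2 10.20.0.0/16
fi
```

Because the functions only print, the same script can be re-run after a reboot or a config change to diff the intended commands against `ifconfig ipsec0` and the routing table before anything is applied.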

@mimugmail
Member Author

If you are motivated you could create a new branch for this for testing ..

@fichtner fichtner added feature Adding new functionality help wanted Contributor missing / timeout labels Jun 21, 2018
@ccesario

Maybe this reference can help https://redmine.pfsense.org/issues/8544

@ccesario

ccesario commented Sep 7, 2018

@mimugmail is the feature working into 18.7.2 version?

@ccesario

Hi folks, is there any progress with this feature!?

@fichtner
Member

Nope. All hands welcome.

@fichtner fichtner added this to the 19.7 milestone Dec 30, 2018
@fichtner fichtner removed the help wanted Contributor missing / timeout label Dec 30, 2018
@AdSchellevis AdSchellevis self-assigned this Mar 3, 2019
AdSchellevis added a commit that referenced this issue Mar 4, 2019
… for #2332

it would be good to refactor this code at some point, maybe wrap some of its logic in a class.
There's just too much logic in ipsec_configure_do at the moment
AdSchellevis added a commit that referenced this issue Mar 4, 2019
AdSchellevis added a commit that referenced this issue Mar 5, 2019
…hase1_src()

both get_interface_ipv6() and get_interface_ip() call get_failover_interface() which obscures the used parameters a lot (wan,lan,opt1 vs emX,emY,igbX)
AdSchellevis added a commit that referenced this issue Mar 5, 2019
- ipsec_configure_vti() synchronizes local configuration with current ipsec% interfaces
- ipsec_interfaces() automatically adds these interfaces to the interfaces list, so the user can add a gateway and routes
@AdSchellevis
Member

AdSchellevis commented Mar 5, 2019

pkg install -f opnsense
opnsense-patch 9ccabe6 4c3d069 a045d3e d9dbcaf 8a55989 77743cf 139ef62 ee8fd03

AdSchellevis added a commit that referenced this issue Mar 5, 2019
…faces, but the same likely counts for all that's plugged in automatically. for #2332
@alexanderharm

We still run it on 19.1.4 with the suggested patches and it works fine so far. We didn't dare to upgrade yet, though.

@jroehler23

So, then don't do it. After this, it won't work anymore ;)

I have seen in some post that the reqid option in the IPSec settings was removed after 19.1.4. I think this is the major problem. In my logs I can see on both sides that IPSec is watching/working with different ids.

@fichtner
Member

So, then don't do it. After this, it won't work anymore ;)

@jroehler23 If you're trying to be funny this may come off as rude to some who work on this code and use it successfully. I just want to point that out very friendly.

@fichtner
Member

FWIW, it would be even better to open a support ticket with all the info of your case condensed, because a number of bugs were fixed in 19.1.4 - 19.1.6 and the feature is still relatively young and the issue here is already closed and there's not much sense reopening it as it refers to the initial implementation and things have changed since.

@jroehler23

@fichtner I know this is a feature for milestone 19.7, so for me it seems to be beta. And normally in the course of development, comments like mine shouldn't be treated so seriously. But you are right, it was not in my mind to blame somebody for his "bad work" or something like this! I apologize if somebody took it the wrong way. It should just be a hint for others to be careful to update to 19.1.6, because it has taken me days to come to this point.

I will open a new ticket with my issue.

@fichtner
Member

Thanks. No worries. Can only get better. :)

For reference the ticket is #3443

EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
… for opnsense#2332

it would be good to refactor this code at some point, maybe wrap some of its logic in a class.
There's just too much logic in ipsec_configure_do at the moment
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
…ec_get_phase1_src()

both get_interface_ipv6() and get_interface_ip() call get_failover_interface() which obscures the used parameters a lot (wan,lan,opt1 vs emX,emY,igbX)
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
…#2332

- ipsec_configure_vti() synchronizes local configuration with current ipsec% interfaces
- ipsec_interfaces() automatically adds these interfaces to the interfaces list, so the user can add a gateway and routes
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
…faces, but the same likely counts for all that's plugged in automatically. for opnsense#2332
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019