Implemented IPsec Mobile client expert tunnel configuration

[stumbaumr]

Hi,

we have the requirement to assign separate virtual IP pools to different IPsec mobile user groups. I understand that adjusting the WebUI to cater for our specific need is rather complex. I went through comparable requests from other people and realised their requirements are still well different from ours.

So my conclusion was that there are two possible setups

• The existing options are good enough for most people
• The desired options are so complex that a WebUi will never be sufficient

I opened therefore a feature request (#3295 ) to allow for an expert tunnel configuration.

This PR is the result from above feature request.

We had to rearrange some of the code for generation strongswan.conf which is in our opinion backwards compatible.

The only new fixed addition is class_group = yes - but that should have no influence as well.

So we are awaiting possible feedback and hope to get that expert tunnel config included.

Best regards
Mark & Rainer

[AdSchellevis]

maybe we could think of some sort of hooking, but plain text gui input for configuration files is something we don't want to support (impossible to validate, prone to all sorts of errors).

[stumbaumr]

So are you going to remove the „Advanced configuration“ from OpenVPN?
There seems to be no validation as well...

[AdSchellevis]

Unfortunately not, no, it's one of the very few leftovers from our legacy base. Although we're not planning on implementing new future issues.

For new components we often try to support template hooks, which allow bootstrapping custom configs, which isn't available for regular users. Maybe we can think of something flexible here as well, if time permits we would like to cleanup some parts in IPsec anyway.

[stumbaumr]

So we are just going to go live with our patch then and maintain it until there is a proper solution...

[stumbaumr]

So then: How about just always having a include ipsec.*.conf in ipsec.conf and a include ipsec.*.secrets at the bottom of the generated files?

Would a PR for that be acceptable? It requires anyhow knowledge of the command line and only the knowledgable are creating files manually.

[AdSchellevis]

@stumbaumr I think it will, strongswan indeed has an excellent include option there.

[stumbaumr]

So is a PR acceptable that only adds the includes for all the time or do you want a checkbox to activate that funktionality specifically?

I can imagine users complaining about magically appearing conn's that are configured on the filesystem and then forgotten about...

I would put that checkbox under "Advanced settings"...

[fabianfrz]

Our includes are usually hardcoded:

• Squid: https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf#L281-L291
• nginx (similar as squid): https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L67, https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L242, https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L259

suricata also includes files in a specific directory as far as I can remember.