opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

[FR] IPSEC: Allow multiple P1's when remote gateway is 0.0.0.0 #1714

Closed mimugmail closed 7 years ago

mimugmail commented 7 years ago

Hi,

I'm trying to replace a huge hub-and-spoke network based on Cisco and IKEv2, with endpoints that have dynamic IPs. With Cisco I create a dynamic crypto map and then multiple connections differentiated by FQDN.

Within OPN I can do this when the remote gateway is set to 0.0.0.0, and via the FQDN the correct config is chosen. The problem I have is that when I duplicate the P1 and edit the FQDN to a different type, I get an error that the remote IP is already in use:

https://github.com/opnsense/core/blob/master/src/www/vpn_ipsec_phase1.php#L235

Is there a way to extend this check with some !isset remoteip 0.0.0.0?

I duplicated the conn in /usr/local/etc/ipsec.conf and restarted ipsec by hand. It works great so far:

conn viaUI
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = IP
  right = 0.0.0.0
  leftid = IP
  ikelifetime = 28800s
  lifetime = 28800s
  ike = aes256-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = Location1
  rightsubnet = 172.21.29.0/24
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256!
  auto = add

conn COPIED
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = IP
  right = 0.0.0.0
  leftid = IP
  ikelifetime = 28800s
  lifetime = 28800s
  ike = aes256-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = Location2
  rightsubnet = 172.21.30.0/24
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256!
  auto = add

fichtner commented 7 years ago

I think this check dates back to IKEv1, it should not apply to IKEv2?

fichtner commented 7 years ago

hrm, can you try this as multi-phase 2, but on phase 1 set: Tunnelisolation

mimugmail commented 7 years ago

Tunnelisolation would work, but you need to separate the conf in P1 with a unique identifier. Otherwise every spoke must have the same PSK (like it was with IKEv1).

With this approach you can set a different PSK for every connection.

fichtner commented 7 years ago

I was just trying to get out of the work... ;)

I think we should only reject if this is IKEv1.
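
The check mimugmail links above and the relaxation discussed in this thread, as an added stand-alone PHP example that is not OPNsense's own vpn_ipsec_phase1.php code: a remote gateway may be reused only when it is 0.0.0.0 and both entries are IKEv2 with distinct peer identifiers, so strongSwan can still pick one conn per spoke. The entry keys, the function name and the sample entries are assumptions.

```php
<?php
// Added example, not OPNsense code. Entry keys ('remote-gateway', 'iketype',
// 'peerid', 'ikeid', 'descr'), the function name and all sample data are
// assumptions made for illustration only.

/**
 * Returns an error message when $new collides with an existing phase 1, or
 * null when it may be saved. A remote gateway may normally appear only once;
 * 0.0.0.0 ("any peer") may be reused for IKEv2 entries as long as their peer
 * identifiers differ, because that identifier is what selects the conn.
 */
function phase1_remote_conflict(array $existing, array $new): ?string
{
    foreach ($existing as $p1) {
        // Editing an entry must not conflict with its own stored copy.
        if (isset($new['ikeid'], $p1['ikeid']) && $new['ikeid'] === $p1['ikeid']) {
            continue;
        }
        if ($p1['remote-gateway'] !== $new['remote-gateway']) {
            continue;
        }
        $dynamic = ($new['remote-gateway'] === '0.0.0.0');
        $bothIkev2 = ($new['iketype'] === 'ikev2' && $p1['iketype'] === 'ikev2');
        if (!$dynamic || !$bothIkev2) {
            return sprintf('Remote gateway %s is already in use by "%s".',
                $new['remote-gateway'], $p1['descr']);
        }
        if ($p1['peerid'] === $new['peerid']) {
            return sprintf('Peer identifier "%s" is already used with 0.0.0.0 by "%s".',
                $new['peerid'], $p1['descr']);
        }
    }
    return null;
}

// Constructed sample entries: one dynamic spoke and one static peer (TEST-NET address).
$existing = [
    ['ikeid' => 1, 'descr' => 'Location1', 'remote-gateway' => '0.0.0.0', 'iketype' => 'ikev2', 'peerid' => 'Location1'],
    ['ikeid' => 2, 'descr' => 'HQ-static', 'remote-gateway' => '203.0.113.10', 'iketype' => 'ikev2', 'peerid' => '203.0.113.10'],
];
$candidates = [
    ['descr' => 'Location2', 'remote-gateway' => '0.0.0.0', 'iketype' => 'ikev2', 'peerid' => 'Location2'],
    ['descr' => 'Location1-dup', 'remote-gateway' => '0.0.0.0', 'iketype' => 'ikev2', 'peerid' => 'Location1'],
    ['descr' => 'HQ-dup', 'remote-gateway' => '203.0.113.10', 'iketype' => 'ikev2', 'peerid' => 'other'],
    ['descr' => 'Legacy', 'remote-gateway' => '0.0.0.0', 'iketype' => 'ikev1', 'peerid' => 'Legacy'],
];
foreach ($candidates as $c) {
    printf("%-14s %s\n", $c['descr'], phase1_remote_conflict($existing, $c) ?? 'allowed');
}
```

Only the second spoke with a fresh peer identifier is accepted; a duplicate identifier, a duplicated static address and an IKEv1 entry are all still rejected.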

mimugmail commented 7 years ago

The trick here is that when you have 0.0.0.0 as the remote gateway you can have multiple backup lines with a tracking setup. In my lab here I have a leased line with a static IP, an ADSL with a dynamic IP and an LTE fallback. So no matter when leased and ADSL fail, it switches to LTE and you lose around 10 pings (already tested here with cheap Cisco spokes).

mimugmail commented 7 years ago

@fichtner Thanks! Really, this would enable OPN to do real enterprise VPN. I already run setups like this with Cisco ASA, 100 site-2-sites and automatic failovers.

fichtner commented 7 years ago

# opnsense-patch 738f998

mimugmail commented 7 years ago

Wonderful!


That's why I love this project so much 👍

fichtner commented 7 years ago

splendid, thanks for pushing forward! :)

QuadPiece commented 5 years ago

Thank you for implementing this feature. I just had a need for the same thing when moving from a Watchguard firewall.

However, I could only find this info by Googling my way to this GitHub issue. Could this perhaps be documented somewhere in the user interface?


For reference, here's a screenshot of the IKEv2 remote gateway setting from a Watchguard firewall:

[screenshot: Watchguard IKEv2 remote gateway setting]

brandlit commented 1 year ago

Is it possible that the feature will be implemented for IKEv1 as well?