Category: OPNsense

OPNsense has deprecated the traditional IPsec Tunnel Settings (based on the legacy ipsec.conf format) in favor of the modern Connections interface powered by swanctl. The legacy system is now marked as deprecated, and migration to the new interface is strongly recommended for long-term support and improved maintainability.

This guide provides a complete, step-by-step process to migrate a site-to-site IPsec tunnel using Pre-Shared Key (PSK) authentication from the legacy Tunnel Settings to the new Connections system. The instructions are based on real-world testing on OPNsense 25.7 and newer.

Prerequisites

• OPNsense version 25.7 or later.
• A full configuration backup (System > Configuration > Backups).
• Document your existing legacy configuration:
  • Phase 1 (IKE) settings
  • Phase 2 (ESP) settings
  • Pre-Shared Key
  • Local and Remote Identifiers
  • Local and remote protected subnets
• Ensure the legacy tunnel is still operational for reference and rollback if needed.

Important Safety Note: Disable the legacy tunnel before enabling the new connection to prevent UDP port conflicts on ports 500 and 4500.

Step-by-Step Migration

Step 1: Create the New IPsec Connection

1. Go to VPN > IPsec > Connections.
2. Click the + button to add a new connection.
3. Enable Advanced Mode (toggle usually located at the top of the edit page).

General Settings:

• Enabled: Check after successful testing
• Description: Provide a clear name for the tunnel (e.g., “Site-to-Site Tunnel”)
• Key Exchange Version: IKEv2 (recommended)
• Interface: Select your WAN (or appropriate outbound) interface
• Remote Gateway: Enter the remote peer’s public IP address or hostname

Step 2: Configure Authentication and Identifiers

Correct identifier configuration is one of the most common sources of authentication failures after migration.

Local Authentication:

• Authentication: Pre-Shared Key
• ID (Local ID): Choose a consistent identifier — preferably a hostname or your public IP address

Remote Authentication:

• Authentication: Pre-Shared Key
• ID (Remote ID): The identifier used by the remote peer (its public IP or hostname)

Step 3: Add a Child Configuration (Phase 2)

In the Children section, click + to add a new child:

• Description: Descriptive name (e.g., “LAN-to-RemoteLAN”)
• Local Network: Your internal protected subnet
• Remote Network: The remote internal protected subnet
• Protocol: ESP

Step 4: Configure Proposals

Remove any default proposals to avoid mismatches.

IKE Proposals (Connection level):

• Encryption: AES / 256 bits (CBC) or AES-GCM-256
• Hash / Integrity: SHA256
• DH Key Group: 14 (modp2048)

ESP Proposals (Child level):

• Encryption: AES / 256 bits or AES-GCM-256
• Hash: SHA256 (leave empty when using GCM)
• PFS Group: 14 (modp2048)

Performance Note: On systems with AES-NI hardware acceleration (common on Intel CPUs), AES-GCM proposals offer excellent performance. If the remote peer rejects GCM, fall back to AES-CBC-256 + SHA256 + modp2048 for maximum compatibility.

Step 5: Configure the Pre-Shared Key

1. Navigate to VPN > IPsec > Pre-Shared Keys.
2. Add a new entry with the following settings:
   • Local Identifier: Must exactly match the Local ID configured in Step 2
   • Remote Identifier: Must exactly match the Remote ID configured in Step 2
   • Pre-Shared Key: Enter the exact same secret used in the legacy tunnel
   • Type: PSK

Step 6: Apply Changes and Test

1. Disable the legacy tunnel under VPN > IPsec > Tunnel Settings [legacy].
2. Save and apply all changes in the Connections section.
3. Restart the IPsec service from VPN > IPsec > Status.
4. Temporarily increase logging to Debug level for detailed output (VPN > IPsec > Log File).
5. Generate test traffic across the tunnel or allow the remote side to initiate the connection.
6. Verify tunnel status under VPN > IPsec > Status or the Connections overview. The status should show as “Established”.

Common Issues and Troubleshooting

• NO_PROPOSAL_CHOSEN The remote peer does not accept the offered algorithms. Start with the more compatible AES-CBC-256 + SHA256 + modp2048 combination. Once confirmed working, you can test stronger AES-GCM proposals.
• “no shared key found for … – ‘%any’” This is the most frequent error after migration. Ensure the Local ID, Remote ID, and the Pre-Shared Key entry match exactly on both firewalls. Using hostnames as identifiers is often more reliable than raw IP addresses.
• Half-open IKE_SA deleted after timeout Indicates a proposal mismatch or failed authentication. Review the charon logs carefully and verify that proposals and identifiers are identical on both ends.

Final Recommendations

• Keep the legacy tunnel configuration disabled (but not deleted) until the new tunnel has proven stable for at least 48 hours.
• Test connectivity thoroughly with real traffic (ping, file transfers, or application flows) after migration.
• Prefer AES-GCM proposals on modern hardware with AES-NI once compatibility with the remote peer is confirmed.
• For complex setups (multiple tunnels, road-warrior clients, or route-based VTI interfaces), refer to the official documentation.

Reference: Official OPNsense IPsec documentation: https://docs.opnsense.org/manual/vpnet.html

Migrating to the new Connections interface brings your IPsec configuration in line with current StrongSwan best practices and ensures continued support in future OPNsense releases.

Repeatable Migration Guide: Legacy ISC DHCPv4 → Dnsmasq DHCP + Unbound DNS (with DNS over TLS, Reverse DNS, and Optional Active Directory Support) OPNsense 26.1

Prerequisites

• OPNsense 26.1 or newer.
• Full configuration backup (System > Configuration > Backups).
• Documented ISC DHCP settings (ranges, static mappings, domain, lease time).
• Your LAN subnet: 192.168.1.0/24 (based on your PTR zone).
• Local domain (example: home.lan).
• For AD environments: Note your Active Directory domain name (e.g., corp.local or ad.example.com) and the IP address(es) of your domain controller(s) that run DNS.

Step 1: Export Static Mappings from ISC DHCPv4

1. Go to Services > ISC DHCPv4.
2. Export static mappings.
3. Save the file.

Step 2: Configure Dnsmasq DNS & DHCP

General Tab

• Enable: Leave unchecked for now.
• Interface(s): Select LAN and any other internal interfaces.
• Listen port (DNS): 53053
• Do not forward to system defined DNS: Checked
• DHCP fqdn: Enabled
• Save.

DHCP Ranges Tab

• Interface: LAN
• Range: e.g., 192.168.1.100 – 192.168.1.200
• Gateway: OPNsense LAN IP
• DNS servers: Leave blank
• Lease time: 86400 (or preferred)
• Domain: home.lan
• Save.

Hosts Tab (Static Mappings)

• Import or add entries with MAC, IP, Hostname, and Domain set to home.lan.

Step 3: System Domain Setting

1. Go to System > Settings > General.
2. Set Domain to home.lan.
3. Save.

Step 4: Configure Unbound

Unbound General Tab

• Services > Unbound DNS > General
• Enabled: Yes
• Enable DNSSEC Support: Unchecked
• Save.

Query Forwarding Tab (Add the following entries)

Forward 1 – Local Domain (A records from Dnsmasq)

• Domain: .home.lan (leading dot)
• Server IP: 127.0.0.1
• Server Port: 53053
• Save

Forward 2 – Reverse DNS (PTR records)

• Domain: 1.168.192.in-addr.arpa
• Server IP: 127.0.0.1
• Server Port: 53053
• Save

Optional Step – Active Directory Domain Forwarding (Only perform this if you have an on-premises Active Directory)

Add one or more entries for your AD domain:

• Domain: .corp.local (or your exact AD domain name, with leading dot)
• Server IP: IP address of your primary Domain Controller (e.g., 192.168.1.10)
• Server Port: 53 (standard DNS port)
• Save

If you have multiple domain controllers for redundancy, add additional forwarding rules for each DC IP.

Important Notes for AD Forwarding:

• This forwards all queries for the AD domain directly to your domain controllers.
• Do not forward the AD domain to Dnsmasq (53053) unless your DCs are not handling DNS.
• If your AD domain is the same as your local home.lan, decide which service is authoritative and forward accordingly.
• For reverse zones used by AD (e.g., additional in-addr.arpa zones), you may need extra forwarding rules pointing to the DC.

DNS over TLS Tab (Quad9)

Add the four Quad9 entries:

• 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::9 — all on port 853 with Verify CN dns.quad9.net

Save and apply all Unbound changes.

Step 5: Disable ISC DHCPv4 and Enable Dnsmasq

1. Disable ISC DHCPv4 completely and apply.
2. Enable Dnsmasq in the General tab and apply.

Step 6: Force DNS through Unbound (Prevent Leaks)

• Create the Destination NAT rule for port 53 redirect to 127.0.0.1:53 (as previously described).
• Add the optional Block rule for outbound DNS port 53 on LAN.

Step 7: Final Verification

1. Restart Unbound.
2. Test from a client:
   • nslookup mydevice.home.lan → Should resolve via Dnsmasq.
   • nslookup 192.168.1.50 → Should return hostname (PTR).
   • nslookup dc1.corp.local (or any AD resource) → Should resolve via your Domain Controller.
   • nslookup google.com → Should use Quad9 over TLS.
3. Visit https://on.quad9.net/ to confirm DoT.

Additional Recommendations for Active Directory Environments

• Ensure your Domain Controllers receive the correct DNS settings via DHCP or static configuration (usually point to themselves or other DCs).
• If you experience issues with Kerberos, Group Policy, or SRV records, verify that the AD domain forwarding rule is correctly prioritized in Unbound.
• Consider adding domain-insecure: “corp.local” via a custom Unbound configuration file if you encounter validation problems (advanced).