69 changes: 63 additions & 6 deletions packages/ns-api/README.md
Expand Up @@ -4240,19 +4240,57 @@ Response example:
{
"id": "ns_81df3995",
"name": "tun1",
"enabled": "1",
"status": "ESTABLISHED",
"connected": "yes",
"children": [
{
"name": "ns_81df3995_tunnel_1",
"installed": true,
"local_subnet": [
"192.168.100.0/24"
],
"remote_subnet": [
"192.168.200.0/24"
]
},
{
"name": "ns_81df3995_tunnel_2",
"installed": true,
"local_subnet": [
"192.168.100.0/24"
],
"remote_subnet": [
"192.168.210.0/24"
]
}
],
"raw_output": "ns_81df3995: #1, ESTABLISHED, IKEv1, 8aa580a8a0b5edf1_i* e9fd7cd6550ed7a9_r\n local 'tun1.local' @ 192.168.122.49[500]\n remote 'tun1.remote' @ 192.168.122.50[500]\n AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048\n established 336s ago, rekeying in 3221s\n ns_81df3995_tunnel_1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048\n installed 336s ago, rekeying in 2951s, expires in 3624s\n in c08d184d (-|0x00000001), 0 bytes, 0 packets\n out c35d0c6c (-|0x00000001), 0 bytes, 0 packets\n local 192.168.100.0/24\n remote 192.168.200.0/24\n ns_81df3995_tunnel_2: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048\n installed 336s ago, rekeying in 3050s, expires in 3624s\n in cddc9495 (-|0x00000001), 0 bytes, 0 packets\n out c019eb7b (-|0x00000001), 0 bytes, 0 packets\n local 192.168.100.0/24\n remote 192.168.210.0/24\n",
"local": [
"192.168.100.0/24"
],
"remote": [
"192.168.200.0/24"
],
"enabled": "1",
"connected": false
"192.168.200.0/24",
"192.168.210.0/24"
]
}
]
}
```

Fields:
- `status`: IKE status from swanctl (e.g., "ESTABLISHED", "CONNECTING", etc.)
- `connected`: Connection state with three possible values:
- `"yes"`: All child tunnels are installed and status is ESTABLISHED
- `"warning"`: Not all child tunnels are installed but status is ESTABLISHED
- `"no"`: Status is not ESTABLISHED
- `children`: Array of child SAs with installation status:
- `name`: Tunnel identifier
- `installed`: `true` if tunnel has INSTALLED child SA, `false` otherwise
- `local_subnet`: List of local subnets for this specific tunnel child
- `remote_subnet`: List of remote subnets for this specific tunnel child
- `raw_output`: Raw output from `swanctl --list-sas` for this tunnel, including detailed status of IKE and child SAs (useful for debugging)

### list-wans

List available wans:
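Review bot: `connected` changes type in this response example, from the boolean in `"connected": false` to the three-valued string in `"connected": "yes"`, and the Fields list does not flag that as a breaking change. A client that still tests the value for truthiness will treat `"no"` and `"warning"` as connected, so the Fields entry should state that the field is now a string and that callers must compare against `"yes"` explicitly. Two smaller gaps in the same list: it does not say what `connected` is when status is ESTABLISHED and `children` is empty, and `raw_output` carries peer addresses, IKE SPIs and the negotiated proposal, so it is worth noting that the field is meant for debugging and should not be copied into logs or UI views with broader access than the API itself.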
Expand Down Expand Up @@ -4320,6 +4358,7 @@ Response example:
},
"ipcomp": "false",
"dpdaction": "restart",
"closeaction": "trap",
"remote_subnet": "192.168.200.0/24",
"local_subnet": "192.168.100.0/24",
"ns_name": "tun1",
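Review bot: `"closeaction": "trap"` is added to the response example without any description of the field in the visible lines. Please document it next to `dpdaction`, listing the accepted values, the default, and what each value does when the peer closes the child SA, so that a reader does not have to infer the semantics from a single example value.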
Expand All @@ -4337,7 +4376,7 @@ Response example:

Create a tunnel:
```
api-cli ns.ipsectunnel add-tunnel --data '{"ns_name": "tun1", "ike": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "esp": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "pre_shared_key": "xxxxxxxxxxxxxxxxxxx", "local_identifier": "@ipsec1.local", "remote_identifier": "@ipsec1.remote", "local_subnet": ["192.168.100.0/24"], "remote_subnet": ["192.168.200.0/24"], "enabled": "1", "local_ip": "192.168.122.49", "keyexchange": "ike", "ipcomp": "false", "dpdaction": "restart", "gateway": "10.10.0.172"}'
api-cli ns.ipsectunnel add-tunnel --data '{"ns_name": "tun1", "ike": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "esp": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "pre_shared_key": "xxxxxxxxxxxxxxxxxxx", "local_identifier": "@ipsec1.local", "remote_identifier": "@ipsec1.remote", "local_subnet": ["192.168.100.0/24"], "remote_subnet": ["192.168.200.0/24"], "enabled": "1", "local_ip": "192.168.122.49", "keyexchange": "ike", "ipcomp": "false", "dpdaction": "restart", "closeaction": "trap", "gateway": "10.10.0.172"}'
```

Response example:
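Review bot: the add-tunnel example line being edited here still proposes `"hash_algorithm": "md5"`, `"encryption_algorithm": "3des"` and `"dh_group": "modp1024"` for both `ike` and `esp`, and README examples tend to be pasted into production unchanged. Since the line is touched anyway, consider switching the example to values that match the AES_CBC-256 / HMAC_SHA2_256_128 / MODP_2048 proposal already shown in `raw_output` in the list-tunnels example, which also makes the two examples consistent with each other.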
Expand All @@ -4349,7 +4388,7 @@ Response example:

Edit a tunnel:
```
api-cli ns.ipsectunnel add-tunnel --data '{"id": "ns_81df3995", "ns_name": "tun1", "ike": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "esp": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "pre_shared_key": "xxxxxxxxxxxxxxxxxxx", "local_identifier": "@ipsec1.local", "remote_identifier": "@ipsec1.remote", "local_subnet": ["192.168.100.0/24"], "remote_subnet": ["192.168.200.0/24"], "enabled": "1", "local_ip": "192.168.122.49", "keyexchange": "ike", "ipcomp": "false", "dpdaction": "restart", "gateway": "10.10.0.172"}'
api-cli ns.ipsectunnel edit-tunnel --data '{"id": "ns_81df3995", "ns_name": "tun1", "ike": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "esp": {"hash_algorithm": "md5", "encryption_algorithm": "3des", "dh_group": "modp1024", "rekeytime": "3600"}, "pre_shared_key": "xxxxxxxxxxxxxxxxxxx", "local_identifier": "@ipsec1.local", "remote_identifier": "@ipsec1.remote", "local_subnet": ["192.168.100.0/24"], "remote_subnet": ["192.168.200.0/24"], "enabled": "1", "local_ip": "192.168.122.49", "keyexchange": "ike", "ipcomp": "false", "dpdaction": "restart", "closeaction": "trap", "gateway": "10.10.0.172"}'
```

Response example:
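Review bot: the edit example now sends `"closeaction": "trap"` as part of the full tunnel object, but nothing visible says what `edit-tunnel` does when the key is omitted, which is the case for every client written before this change. Please state whether `closeaction` is required on edit and, if it is optional, which value is applied to an existing tunnel that has none. The correction of the command from `add-tunnel` to `edit-tunnel` in this example looks right.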
Expand Down Expand Up @@ -4436,6 +4475,24 @@ Result example:
}
```

### restart

Restart the swanctl daemon. Use this endpoint after adding or removing networks from an IPSec tunnel. **Not needed when modifying an existing tunnel's configuration.**

```
api-cli ns.ipsectunnel restart
```

Response example:
```json
{"result": "success"}
```

Error response example:
```json
{"error": "restart_failed"}
```

## ns.netdata

Configure netdata reporting daemon.
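Review bot: the `restart` description is ambiguous, because "adding or removing networks from an IPSec tunnel" is itself a modification of an existing tunnel, yet the bold sentence says a restart is not needed when modifying an existing tunnel's configuration. Please spell out which edits require the restart (for example, changes to `local_subnet` or `remote_subnet`) and which do not. The section should also say what happens to other established tunnels while the swanctl daemon restarts, since the call takes no tunnel id, and whether `{"error": "restart_failed"}` leaves the previous configuration running.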