Some backstory:
I know that it is possible to get strongSwan running.
But it is way too complicated for intermediate users.
I tried multiple times and kept failing to set it up.
I have 6 different brands connected with IPsec. None of them gives as much trouble as OpenWrt. However, if you have a special use case, OpenWrt is the most flexible router OS.
So the request is:
It would be great if there was a GUI option (just as Teltonika has built for OpenWrt).
Alternatively, a simple and easy-to-follow manual instead of the complete IPsec bible would be helpful.
Just a basic site-to-site VPN, no complicated rules etc. Even the firewalling can be done on the other side.
'Everything' is possible, if someone (you?) does the necessary development; it generally won't do itself. And in the case of IPsec, it's never going to be easy: there are many different ways to set up IPsec connections, and strongSwan itself had some quite massive structural changes towards swanctl in recent times as well, so it's been a very moving target. It's not at all straightforward.
If you're looking for something simple, use WireGuard (and that naturally detracts from the motivation to work on IPsec specifics).
@slh
This section is called "Feature Requests" so people can share what they are missing.
If I were able to develop this myself, I wouldn't need to ask for it.
And if WireGuard was an option... I would use it.
But for enterprise devices IPsec is simply the only option.
IPsec is a basic function of a firewall, and I miss this in OpenWrt.
For small locations I use Teltonika, which runs on OpenWrt and has a GUI with IPsec. But even if I take the configuration files, they simply don't work with the manual found on the OpenWrt wiki (they are in a different format).
I had to use firewall GUIs with IPsec in the past and it was always a pain.
Maybe I'm biased, but given a clear list of parameters and config, strongSwan was always the best of all options for me.
I know it can be hard to get the tunnel working.
Normally I use Juniper, that is very simple (nope, don't even need a GUI).
MikroTik, a little bit harder, but it is all straight config.
DrayTek: also no problem, just read the name of the proposal and match it on the other end.
Fritzbox: nothing to configure at all except IP, PSK and subnet.
Tunnels to the cloud are most of the time working with the default proposals.
But on OpenWrt, you have to download multiple packages, and when you think you're done, you get errors about missing dependencies that simply no longer exist. There is no use in making a config since it is simply not accepted.
Remark! If you want to stay with that configuration, you have reached the wrong place.
Yes, I want to stay with the basic config; I don't want to make overcomplicated solutions.
Let me just place a simple config file and I am done.
I even have strongSwan (charon) config files from a working Teltonika/OpenWrt system. They are in a completely different format from what is shown on the wiki above.
But all that went off-topic from the request.
Below is the GUI from Teltonika.
It has all the options you need and even way more.
I have no idea what the contact is with companies using OpenWrt, but I guess there is some sort of arrangement about the use of the software for commercial purposes?
It's only 'easy and simple' if you remain within that walled garden, within a single vendor ecosystem. Yes, IPsec is 'standardized', but it's a huge suite of different standards (even if you just look at IKEv1 vs IKEv2, the different certificates and their encapsulations, ciphers for the different stages, etc.). Interoperability is often 'possible', but very hard to accomplish; you just don't see any of that if you stay within the same vendor's ecosystem, using their IPsec router and their own VPN client on a computer. The problems already begin if you want to use a different VPN client on your computer: if you're lucky, it's possible, but it's certainly not going to be easy. Interoperability between the different IPsec implementations is anything but easy.
The above devices are all connecting to my Juniper router, so no, it is no problem to have them combined. (I guess it normally takes about 15 minutes for a new device to get the tunnel up and running; less than 5 minutes if I already have a device working with that kind of settings.)
So yes, nice discussion, but it is totally not related to the question.
The choice of ciphers etc. should be no different by GUI or CLI.
Also, the automatic installation of the software and a provided default / dummy config file would be really helpful. The status of the connection in the web interface would also be helpful for troubleshooting.
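As an added example from the editor (not a config posted in this thread, and not from the OpenWrt or Teltonika projects), here is what the "default / dummy config file" asked for above looks like in the swanctl format that slh's reply mentions: one IKEv2 site-to-site tunnel authenticated with a pre-shared key, which needs exactly the three things named for the Fritzbox case (IP, PSK, subnet) plus a matching proposal on both ends. The addresses are RFC 5737 documentation placeholders, the PSK is a placeholder, and the file path /etc/swanctl/swanctl.conf is strongSwan's default location for swanctl (whether a given OpenWrt package ships it there is assumed, not confirmed by the thread).

```conf
# Minimal IKEv2 site-to-site tunnel with a pre-shared key, swanctl.conf format.
# Added example, not a config from the thread or the OpenWrt/Teltonika projects.
# Addresses are RFC 5737 documentation placeholders; replace them and the PSK.
#
#   this side:   WAN 203.0.113.10, LAN 192.168.1.0/24
#   other side:  WAN 198.51.100.20, LAN 192.168.2.0/24
#
# Default location read by swanctl: /etc/swanctl/swanctl.conf (assumed here).

connections {
    site-a-to-b {
        version = 2                     # IKEv2 only; use 1 only if the peer cannot do IKEv2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        # IKE (phase 1) proposal: must match what the peer offers.
        proposals = aes256-sha256-modp2048
        dpd_delay = 30s                 # dead-peer detection interval

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }

        children {
            lan-a-to-lan-b {
                local_ts  = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                # ESP (phase 2) proposal, again mirrored on the peer.
                esp_proposals = aes256-sha256-modp2048
                start_action = start    # bring the tunnel up when the config is loaded
                dpd_action = restart    # re-establish if the peer stops answering DPD
            }
        }
    }
}

secrets {
    # Section name must begin with "ike" for an IKE pre-shared key.
    ike-site-b {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "replace-with-a-long-random-psk"
    }
}
```

Load it with `swanctl --load-all` and check the result with `swanctl --list-sas`; a child SA named `lan-a-to-lan-b` in state INSTALLED means the tunnel is up. The other side mirrors this file with the addresses and traffic selectors swapped and the same PSK. Independently of strongSwan, the WAN firewall on the OpenWrt box must accept UDP 500 and 4500 and the ESP protocol (IP protocol 50) from the peer, otherwise IKE never completes; that is the one piece the other site's firewall cannot do for you.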