Author Topic: Multiple Roadwarrior IPSEC tunnels?  (Read 9618 times)

schnipp

Multiple Roadwarrior IPSEC tunnels?
« on: July 12, 2018, 05:56:39 pm »
Hi all,

to access my LAN from different mobile devices I need multiple IPSEC roadwarrior configurations. Is there a plan to support multiple roadwarrior configurations? For strongswan it is no problem to handle multiple connections in parallel. Thanks
OPNsense 24.7.9_1-amd64

mimugmail

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #1 on: July 12, 2018, 07:53:04 pm »
What exactly do you mean?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

schnipp

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #2 on: July 12, 2018, 08:27:22 pm »
In case mobile extensions are enabled, I have only one predefined profile "mobile client" compared to multiple site-to-site profiles. But I also need to configure multiple different tunnels for mobile clients because the devices need different configurations for phase 1 and 2 (e.g. built-in IPSEC client in Linux gnome, Strongswan in android, built-in Windows 7 etc.).

mimugmail

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #3 on: July 12, 2018, 10:35:48 pm »
Hm, how do you plan to identify which P1 to use when a Client connects?

schnipp

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #4 on: July 12, 2018, 11:20:23 pm »
I am not sure, but it should be possible to distinguish different clients by their proposal (distinguished name, claim for authentication etc.).

The fritzbox was able to distinguish different roadwarriors. But as I replaced it by the opnsense I am not able to connect all my devices via vpn anymore.

FredTGB

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #5 on: August 03, 2018, 09:31:30 am »
Hello,

I second this request.
At least it would be interesting to have one IkeV1 RW configuration and one IkeV2 configuration.

Otherwise, the authentication method first allows to distinguish multiple phases 1 (authby field in the Strongswan ipsec.conf file). When the same auth method is used, the remote ID (rightid field in the ipsec.conf file) allows to distinguish multiple phases 1. I've already created such Strongswan configurations with success.

Regards,

Fred.

schnipp

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #6 on: August 14, 2018, 07:52:30 pm »
I did some research: strongswan supports multiple connections as a responder. Furthermore, it is capable of sharing the same address pool for multiple defined connections (since v.5.0.1).

https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#Responder-Configuration

…and some quite old discussions which helped to improve strongswan

https://wiki.strongswan.org/issues/447
https://wiki.strongswan.org/issues/461
https://wiki.strongswan.org/issues/735


schnipp

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #7 on: September 24, 2018, 08:08:36 pm »
Is there a chance to get the support of multiple roadwarrior configurations implemented in the GUI?

mimugmail

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #8 on: September 24, 2018, 08:37:16 pm »
Not right now, but we already added the possibility to choose multiple hmac and DHs in Phase1. This should make more systems compatible with one setup.

ATM I'm rewriting documentation and testing a setup which fits all.

But sadly no profile mode like multiple pools etc.

schnipp

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #9 on: September 25, 2018, 08:48:32 pm »
Unfortunately, this does not help. Systems used as a roadwarrior need different authentication algorithms which is unique in phase1.

BTW, in phase1 I do not see any possibilities for multiple selection of encryption, hash and DH algorithm like in phase2. My Opnsense version is 18.7.3-amd64.


mimugmail

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #10 on: September 25, 2018, 11:06:10 pm »
Can you post a working example of ipsec.conf ?

mimugmail

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #11 on: September 26, 2018, 08:33:18 am »
Quote from: schnipp on September 25, 2018, 08:48:32 pm

BTW, in phase1 I do not see any possibilities for multiple selection of encryption, hash and DH algorithm like in phase2. My Opnsense version is 18.7.3-amd64.

It's in master and will come in one of the next releases, .5 or .6.

FredTGB

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #12 on: September 26, 2018, 03:05:57 pm »
Hi all,

Please find attached an extract of an IPsec.conf with multiple conn sections, for different authentication cases, for IkeV2. Some fields are replaced with fake info (X.Y, Z, modecp@company.com, "Server Certificate Subject"), some options (like algorithms) are supposed to be defined in the %default section.

It contains 6 different cases:
- PSK with mode CP
- PSK without mode CP
- EAP with mode CP
- EAP without mode CP
- Certificate with mode CP
- Certificate + EAP with mode CP

Depending on what the VPN client is requesting, the matching conn section is used.
The rightid (LocalId on the VPN client side) makes it possible to distinguish between CP and non-CP modes for PSK and EAP.

Regards,

FredTGB

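An ipsec.conf layout of the kind described in the post above, added here as an illustration and not the attachment from the thread. The server ID, subnets, address pool, certificate file name, conn names and the non-CP ID `nocp@company.com` are constructed placeholders; `modecp@company.com` is the fake ID mentioned in the post.

```conf
# Added illustration, not FredTGB's attachment. Server ID, subnets, pool,
# certificate file name and nocp@company.com are constructed placeholders.
conn %default
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org
    leftsubnet=192.168.1.0/24
    right=%any
    auto=add

# PSK with mode CP: the client sends modecp@company.com as its local ID
conn rw-psk-cp
    leftauth=psk
    rightauth=psk
    rightid=modecp@company.com
    rightsourceip=10.10.10.0/24

# PSK without mode CP: same auth method, told apart by rightid only
conn rw-psk-nocp
    leftauth=psk
    rightauth=psk
    rightid=nocp@company.com

# EAP with mode CP: the server authenticates with its certificate
conn rw-eap-cp
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    rightid=modecp@company.com
    eap_identity=%identity
    rightsourceip=10.10.10.0/24

# Certificate with mode CP
conn rw-cert-cp
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=pubkey
    rightsourceip=10.10.10.0/24

# Certificate + EAP (two authentication rounds) with mode CP
conn rw-cert-eap-cp
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=pubkey
    rightauth2=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
```

The PSK sections additionally need matching PSK entries in ipsec.secrets for the IDs used, and the EAP sections need user credentials there or an EAP backend.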

schnipp

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #13 on: September 26, 2018, 08:38:26 pm »
Hi all,

FredTGB, many thanks for performing tests with multiple strongswan configurations. When I am back from vacation I can do some additional tests, especially with multiple configurations using the same global address pool for roadwarrior connections. Once I have done so, I'll post the results here.


mimugmail

Re: Multiple Roadwarrior IPSEC tunnels?
« Reply #14 on: September 27, 2018, 03:19:55 pm »
So, if you don't need different pools and already have a P1 for mobile you could do this (without warranty):

https://yourfirewall/vpn_ipsec_phase1.php?mobile=true

And add a second one.
The generated ipsec.conf looks sane .. just try it. If it works for you I'll have a talk to Franco and Ad to add a button for adding multiple Mobiles, but we need your testing results.
