OPNsense Forum

English Forums => General Discussion => Topic started by: FredTGB on August 06, 2018, 02:07:20 pm

Title: Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
Post by: FredTGB on August 06, 2018, 02:07:20 pm
Hello,

I've created a RW IPsec configuration with IkeV2 and EAP-MSCHAPV2.
It works properly in specific cases, but I still have a configuration issue that makes it hard to deploy when there are more users to handle.

The issue is about EAP users and passwords. My understanding is that I have to set these through "VPN/IPsec/Pre-Shared keys", adding EAP users/passwords specifically.
This is annoying because, in the end, the user database ("System/Access/user") is not used (as set on the "VPN/IPsec/Mobile Clients" page), and additionally I can't reuse the same user ID when adding the EAP password; I need to create a new ID.

I've tested the same with IkeV1 and xAuth, and it works well with the user database (no need to create additional passwords).

Could you tell me if my understanding is correct?
If it is, I'm wondering if it would be possible to have the EAP password handled directly from the user configuration page (as is done for "IPsec Pre-Shared Key")?
If it is not, what is wrong?

Thanks,

Fred.
Title: Re: Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
Post by: franco on August 07, 2018, 08:56:58 am
Hi Fred,

Preshared keys are more or less unhashed passwords. Xauth handles local authentication, so here you can use the user database's hashed passwords, but not for preshared key lookup.


Cheers,
Franco
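The distinction Franco draws above (pre-shared and EAP secrets are effectively unhashed passwords, while XAuth can be checked against the hashed entries of the user database) follows from how MS-CHAPv2 works: per RFC 2759 the server computes the expected NT-Response from NtPasswordHash, the unsalted MD4 of the UTF-16LE password, so the IKE daemon must hold either the clear-text password or that NT hash. A salted one-way hash of the kind kept for a local user cannot be turned back into either. The following Python is an added example, not code from OPNsense or strongSwan: it implements MD4 in pure Python (hashlib's md4 is frequently unavailable on OpenSSL 3 builds), derives the NT hash, emits a strongSwan-style `NTLM` ipsec.secrets line (that secret type exists in strongSwan; verify the exact syntax against your version's ipsec.secrets(5)), and contrasts it with a constructed salted-hash user entry that can verify a presented XAuth-style clear-text password but yields nothing usable for EAP-MSCHAPv2. The user name and password are made up.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_block(state, block):
    # One 64-byte MD4 compression (RFC 1320): three rounds of 16 steps each.
    X = struct.unpack('<16I', block)
    a, b, c, d = state
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for fn, const, shifts, order in rounds:
        for i, k in enumerate(order):
            # Update a, then rotate roles so the next step updates the old d.
            a, b, c, d = d, _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4]), b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then 64-bit LE bit length.
    padded = data + b'\x80'
    padded += b'\x00' * ((56 - len(padded) % 64) % 64)
    padded += struct.pack('<Q', len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> bytes:
    # RFC 2759 NtPasswordHash: MD4 over the UTF-16LE password, no salt.
    # This is the key material the EAP-MSCHAPv2 server must possess.
    return md4(password.encode('utf-16-le'))


def password_hash_hash(password: str) -> bytes:
    # RFC 2759 HashNtPasswordHash, used for the server's authenticator
    # response; it too can only be derived from the NT hash.
    return md4(nt_hash(password))


def ntlm_secret_line(user: str, password: str) -> str:
    # Hypothetical ipsec.secrets entry using strongSwan's NTLM secret type,
    # which stores the NT hash rather than the clear-text EAP password.
    return f'{user} : NTLM 0x{nt_hash(password).hex()}'


def store_salted(password: str, salt: bytes = None) -> tuple:
    # Constructed stand-in for a local user database entry: a salted,
    # iterated one-way hash. Good for checking a clear-text password sent
    # over XAuth, useless as MS-CHAPv2 key material.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)


def verify_salted(entry: tuple, password: str) -> bool:
    salt, digest = entry
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000) == digest


if __name__ == '__main__':
    user, pw = 'fred', 'password'  # constructed sample credentials
    print('EAP-MSCHAPv2 needs this (or the clear text):', ntlm_secret_line(user, pw))
    entry = store_salted(pw)
    print('XAuth-style check against salted user entry:', verify_salted(entry, pw))
    print('NT hash recoverable from the salted entry: no, it is one-way and salted')
```

The NT hash of the constructed password `password` is the well-known value 8846f7eaee8fb117ad06bdd830b7586c, which is exactly why such an entry is a password-equivalent and must be protected like a pre-shared key: anyone who reads it can authenticate as that user without ever learning the clear text.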
Title: Re: Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
Post by: FredTGB on August 07, 2018, 09:19:36 am
Hi Franco,

Thanks for your reply.

Do you mean it's a strongSwan restriction and EAP passwords can't be handled like xAuth passwords?

I know xAuth passwords can be specified in ipsec.secrets, but another method is used by OPNsense. I guess this method (to avoid passwords being handled as PSKs) doesn't apply to EAP.

However, would it be possible to specify EAP passwords directly on the user configuration page (like the tunnel PSK)? This would avoid having another place, unrelated to the user, in which to specify the EAP password. The advantage is, for example, that if you decide to disable a user (including his VPN access), you just do it in one place.

Thanks,

Fred
Title: Re: Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
Post by: nothing on March 15, 2020, 06:58:37 am
I have the same problem.
I can't see the reason why we have the ability to use the same PSK (password) for ANY user, but can't use the user's password as the VPN login password.

@FredTGB, have you managed to work around this?
Title: Re: Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
Post by: mimugmail on March 15, 2020, 07:02:31 am
Quote from: nothing on March 15, 2020, 06:58:37 am
I have the same problem.
I can't see the reason why we have the ability to use the same PSK (password) for ANY user, but can't use the user's password as the VPN login password.

@FredTGB, have you managed to work around this?

Did you read the documentation? I wrote a guide on how every combination works (when supported).