Hi all,
to access my LAN from different mobile devices I need multiple IPSEC roadwarrior configurations. Is there a plan to support multiple roadwarrior configurations? For strongswan it is no problem to handle multiple connections in parallel. Thanks
What exactly do you mean?
In case mobile extensions are enabled, I have only one predefined profile "mobile client" compared to multiple site-to-site profiles. But I also need to configure multiple different tunnels for mobile clients because the devices need different configurations for phase 1 and 2 (e.g. the builtin IPsec client in Linux GNOME, strongSwan on Android, the builtin client in Windows 7 etc.).
Hm, how do you plan to identify which P1 to use when a client connects?
I am not sure, but it should be possible to distinguish different clients by their proposal (distinguished name, claim for authentication etc.).
The Fritzbox was able to distinguish different roadwarriors. But since I replaced it with the OPNsense I am not able to connect all my devices via VPN anymore.
Hello,
I second this request.
At least it would be interesting to have one IKEv1 RW configuration and one IKEv2 configuration.
Otherwise, the authentication method at first allows distinguishing multiple phase 1s (authby field in the strongSwan ipsec.conf file). When the same auth method is used, the remote ID (rightid field in the ipsec.conf file) allows distinguishing multiple phase 1s. I've already created such strongSwan configurations with success.
Regards,
Fred.
I did some research: strongSwan supports multiple connections as a responder. Furthermore, it is capable of sharing the same address pool between multiple defined connections (since v5.0.1).
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#Responder-Configuration
...and some quite old discussions which helped to improve strongswan
https://wiki.strongswan.org/issues/447
https://wiki.strongswan.org/issues/461
https://wiki.strongswan.org/issues/735
Is there a chance to get the support of multiple roadwarrior configurations implemented in the GUI?
Not right now, but we already added the possibility to choose multiple HMACs and DH groups in phase 1. This should make more systems compatible with one setup.
ATM I'm rewriting documentation and testing a setup which fits all.
But sadly no profile mode like multiple pools etc.
Unfortunately, this does not help. Systems used as roadwarriors need different authentication algorithms, which are unique to phase 1.
BTW, in phase 1 I do not see any possibility for multiple selection of encryption, hash and DH algorithms like in phase 2. My OPNsense version is 18.7.3-amd64.
Can you post a working example of ipsec.conf ?
Quote from: schnipp on September 25, 2018, 08:48:32 PM
BTW, in phase 1 I do not see any possibility for multiple selection of encryption, hash and DH algorithms like in phase 2. My OPNsense version is 18.7.3-amd64.
It's in master and will come in one of the next releases, .5 or .6.
Hi all,
Please find attached an extract of an ipsec.conf with multiple conn sections, for different authentication cases, for IKEv2. Some fields are replaced with fake info (X.Y, Z, modecp@company.com, "Server Certificate Subject"); some options (like algorithms) are supposed to be defined in the %default section.
It contains 6 different cases:
- PSK with mode CP
- PSK without mode CP
- EAP with mode CP
- EAP without mode CP
- Certificate with mode CP
- Certificate + EAP with mode CP
Depending on what the VPN client is requesting, the matching conn section is used.
The rightid (LocalId on the VPN client side) allows distinguishing between CP and non-CP modes for PSK and EAP.
Regards,
FredTGB
Hi all,
FredTGB, many thanks for performing tests with multiple strongSwan configurations. When I am back from vacation I can do some additional tests, especially with multiple configurations using the same global address pool for roadwarrior connections. When I have done so, I'll post the results here.
So, if you don't need different pools and already have a P1 for mobile you could do this (without warranty):
https://yourfirewall/vpn_ipsec_phase1.php?mobile=true
And add a second one.
The generated ipsec.conf looks sane .. just try it. If it works for you I'll have a talk with Franco and Ad to add a button for adding multiple mobiles, but we need your testing results.
So, I am back and added a second mobile connection using the link you mentioned. Afterwards I did some tests; the second connection and two mobile connections using the same virtual IP pool look fine and work in parallel.
But I found one bug in the GUI. For the additional connection it is not possible to define a phase 2 with a subnet which is already defined in the first mobile connection. The GUI shows the following error message during configuration (one small adaptation of the consistency check is needed within the backend):
Quote
The following input errors were detected:
Phase2 with this Local Network is already defined for mobile clients.
Regarding multiple mobile connections which need to be distinguished, the IKE daemon gradually tests for a valid configuration :) (see the log file excerpt)
Quote
Oct 16 19:26:01 charon: 15[CFG] <con1|8> switching to peer config 'con5'
Oct 16 19:26:01 charon: 15[CFG] <con1|8> selected peer config 'con1' inacceptable: non-matching authentication done
Oct 16 19:26:01 charon: 15[CFG] <con1|8> constraint requires public key authentication, but pre-shared key was used
We should keep in mind that all clients of the same IP pool can communicate independently of their configured endpoint.
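To make the two points above concrete (FredTGB's multi-conn ipsec.conf with per-authentication conn sections, and the charon log showing the responder walking candidate peer configs until one accepts the client's authentication and ID), here is an added Python example. It is not FredTGB's attachment, not OPNsense code and not strongSwan code: the ipsec.conf text is constructed for illustration (hostnames, pool and certificate names are made up), and the selection routine is a deliberately simplified model of charon's peer-config matching that only looks at rightauth and rightid, ignoring proposals, certificates and everything else the real daemon checks.

```python
"""Parse strongSwan ipsec.conf conn sections and model responder-side
peer-config selection by authentication method and remote ID.
Added example for the forum thread; all input below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed ipsec.conf extract covering four of FredTGB's six cases.
# Shared settings live in %default; three conns share one virtual IP pool.
SAMPLE_IPSEC_CONF = """
conn %default
    keyexchange=ikev2
    left=%any
    leftsubnet=192.168.1.0/24
    leftcert=serverCert.pem
    right=%any
    auto=add

conn psk-cp
    leftauth=psk
    rightauth=psk
    rightid=@modecp.example.invalid
    rightsourceip=10.10.0.0/24

conn psk-nocp
    leftauth=psk
    rightauth=psk
    rightid=%any

conn eap-cp
    leftauth=pubkey
    rightauth=eap-mschapv2
    rightid=@modecp.example.invalid
    eap_identity=%identity
    rightsourceip=10.10.0.0/24

conn cert-cp
    leftauth=pubkey
    rightauth=pubkey
    rightid=%any
    rightsourceip=10.10.0.0/24
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} in file order, with the settings of
    'conn %default' folded into every other conn (as strongSwan's starter
    does). Lines in 'config setup' or other section types are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if not line[0].isspace():               # some other section header
            current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def _id_matches(rightid: str, peer_id: str) -> bool:
    """'%any' accepts every peer; otherwise compare after stripping the '@'
    that strongSwan uses to mark a literal (non-resolved) FQDN identity."""
    if rightid in ("", "%any"):
        return True
    return rightid.lstrip("@") == peer_id.lstrip("@")


def select_conn(conns: Dict[str, Dict[str, str]], peer_auth: str,
                peer_id: str) -> Tuple[Optional[str], List[str]]:
    """Walk conns in file order and return the first one whose rightauth and
    rightid accept the peer, plus a trace in the spirit of charon's
    'switching to peer config' / 'non-matching authentication' messages.
    Simplified model: real charon also checks proposals, certs, etc."""
    trace: List[str] = []
    for name, opts in conns.items():
        want = opts.get("rightauth", "pubkey")
        if want != peer_auth:
            trace.append(f"peer config '{name}' inacceptable: requires "
                         f"{want} authentication, but {peer_auth} was used")
            continue
        if not _id_matches(opts.get("rightid", "%any"), peer_id):
            trace.append(f"peer config '{name}' inacceptable: rightid "
                         f"{opts['rightid']} does not match {peer_id}")
            continue
        trace.append(f"selected peer config '{name}'")
        return name, trace
    trace.append("no matching peer config")
    return None, trace


def pools_by_conn(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each rightsourceip pool to the conns that allocate from it; several
    conns sharing one pool is exactly what the thread relies on."""
    pools: Dict[str, List[str]] = {}
    for name, opts in conns.items():
        pool = opts.get("rightsourceip")
        if pool:
            pools.setdefault(pool, []).append(name)
    return pools


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for auth, ident in [("psk", "laptop.example.invalid"),
                        ("eap-mschapv2", "modecp.example.invalid")]:
        chosen, trace = select_conn(conns, auth, ident)
        print(f"{auth}/{ident} -> {chosen}")
        print("  " + "\n  ".join(trace))
    print("pools:", pools_by_conn(conns))
```

Run it and the trace for a PSK client with a non-matching ID shows psk-cp being rejected on rightid before psk-nocp is chosen, which is the same shape as the "switching to peer config" lines in the excerpt above; note that in this model a client whose authentication method matches no conn at all is simply refused, so an EAP client without the mode-CP identity gets no config.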
I was also able to use IKEv1 and v2 with Xauth-PSK and EAP-MSCHAPv2 .. let's see if we can make this into stable :)
That sounds good :)