OPNsense Forum

English Forums => Virtual private networks => Topic started by: gratuxri on November 04, 2020, 11:00:12 am

Title: ipsec ike1 hybrid-rsa xauth failed #4438
Post by: gratuxri on November 04, 2020, 11:00:12 am
Hello, my issue on https://github.com/opnsense/core/issues/4438 (https://github.com/opnsense/core/issues/4438) was marked as support, I try here now:
I have followed howto at https://docs.opnsense.org/manual/how-tos/ipsec-road.html and https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-ikev1xauth.html as a result working ipsec ike1 hybrid-rsa xauth, but without working xauth authentication.
Here are some logs with replaced ${USER}, ${FQDN}
2020-11-02T00:25:07 | charon[38591] | 15[IKE] <con1|3> XAuth authentication of '${USER}' failed
2020-11-02T00:25:07 | charon[38591] | 15[IKE] <con1|3> no XAuth secret found for '${FQDN}' - '${USER}'

After adding to /usr/local/etc/ipsec.secrets.opnsense.d/user.secrets lines like
[ <servername> ] <username> : XAUTH "<password>"
It works correctly.

Any ideas on which place it's going wrong?
Title: Re: ipsec ike1 hybrid-rsa xauth failed #4438
Post by: mimugmail on November 04, 2020, 01:45:46 pm
The compatability matrix doesnt list any supported client, so it's not verified to work. Why so you not choose anything more compatible?
Title: Re: ipsec ike1 hybrid-rsa xauth failed #4438
Post by: gratuxri on November 06, 2020, 04:45:31 pm
I choose this setup, because every android phone support this without extra software + no rollout for certificates is needed and you can use just letencrypt certificate. This 3 arguments is very important for me. And yes, I know, that it's not very secure, but it's just handy.