OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: vadimkara on July 12, 2016, 03:06:01 pm

Title: Ipsec
Post by: vadimkara on July 12, 2016, 03:06:01 pm
Why is there no EAP-MSCHAPv2 authentication method? It's very useful to connect remote desktop stations.
Title: Re: Ipsec
Post by: fabian on July 12, 2016, 03:27:02 pm
at least it looks possible: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
Title: Re: Ipsec
Post by: vadimkara on July 12, 2016, 04:55:55 pm
It's 100% possible in strongSwan, but there is no frontend for this feature.
Title: Re: Ipsec
Post by: AdSchellevis on July 12, 2016, 09:37:10 pm
Hi vadimkara,

eap-mschapv2 should be quite easy to add, I don't have time to test, but if you want to give it a try, this commit may work:

https://github.com/opnsense/core/commit/4638d99c0a51a3286f324f0036310e95ce81fef2

Code:
opnsense-patch 4638d99c

The config is generated to /usr/local/etc/ipsec.conf.

Regards,
Ad
Title: Re: Ipsec
Post by: vadimkara on July 13, 2016, 08:55:24 am
Please add "Peer identifier" any, and fix the UI bug.
Title: Re: Ipsec
Post by: AdSchellevis on July 13, 2016, 08:49:10 pm
Did you try the current setup and inspect the config?
I don't think peer identifier is used for other than psk options..... (see function ipsec_find_id() and use of it in ipsec.inc)

In case you don't have time to test, please let me know, I can easily revert/undo the changes.... like I said, I don't have enough time at the moment to test this myself.
Title: Re: Ipsec
Post by: vadimkara on July 18, 2016, 07:01:01 am
Doesn't work at all: error 809
Title: Re: Ipsec
Post by: AdSchellevis on July 18, 2016, 11:40:41 am
ok, I've reverted the changes.
In case you want to investigate further and pinpoint the needed changes in ipsec.conf for your configuration, just let me know. It's probably very easy to add, as long as you have a setup to test and time to spare.
Title: Re: Ipsec
Post by: voltara2000 on October 01, 2016, 04:32:25 am
Could you please add an option to select the preshared key as EAP or PSK?
If I manually go to var/local/etc/ipsec.secrets and change the default PSK to EAP, after restarting the ipsec service via the GUI I end up with the key type set as PSK again. When I connect from Windows 7 using EAP-MSCHAPv2, the log on OPNsense shows that it is missing the EAP key to authenticate.

Thank you.
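
[Added example, not part of the original post and not OPNsense code: a quick check of whether an ipsec.secrets file still carries an EAP secret after the service has regenerated it. It assumes the strongSwan entry shape `[selectors] : TYPE "secret"` with a free-standing colon; the function names, the sample user name and the secrets are constructed placeholders.]

```sh
#!/bin/sh
# Added example: count secrets of one type in strongSwan ipsec.secrets text.
# Assumed entry shape: [selectors] : TYPE "secret"

# count_secrets TYPE FILE -> prints how many entries carry that type keyword
count_secrets() {
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i == ":") {                # type keyword follows the colon
                    if (toupper($(i + 1)) == want) n++
                    break
                }
        }
        END { print n + 0 }
    ' "$2"
}

# eap_ready FILE -> exit status 0 only if at least one EAP secret exists
eap_ready() {
    [ "$(count_secrets EAP "$1")" -gt 0 ]
}

# Constructed samples: a file regenerated with the PSK type, and the same
# entry with the EAP type that an EAP-MSCHAPv2 login needs.
regenerated=$(mktemp); wanted=$(mktemp)
trap 'rm -f "$regenerated" "$wanted"' EXIT
cat > "$regenerated" <<'EOF'
# constructed sample
roadwarrior : PSK "placeholder-secret"
EOF
cat > "$wanted" <<'EOF'
# constructed sample
roadwarrior : EAP "placeholder-secret"
EOF

for f in "$regenerated" "$wanted"; do
    if eap_ready "$f"; then
        echo "$f: EAP secret present"
    else
        echo "$f: no EAP secret, EAP-MSCHAPv2 logins have nothing to verify against"
    fi
done
```

[Running the check before and after a service restart from the GUI shows whether a manual edit of the key type survived regeneration.]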
Title: Re: Ipsec
Post by: AdSchellevis on October 01, 2016, 08:44:24 am
Hi Voltara2000,

Can you create an issue on github (https://github.com/opnsense/core/issues) for your feature request?
This helps us keep track of our open requests.

Best regards,

Ad
Title: Re: Ipsec
Post by: voltara2000 on October 11, 2016, 04:39:14 pm
Hi,

Unfortunately, I don't have an account for github. Don't want to open one just for this. Could you or someone else make a feature request on github? This should allow using the Windows 7, 8 or 10 built-in VPN to be able to make a roadwarrior connection to the office network.

Thank you,
Andrei
Title: Re: Ipsec
Post by: fabian on October 11, 2016, 10:17:51 pm
Created: https://github.com/opnsense/core/issues/1214
Title: Re: Ipsec
Post by: franco on October 12, 2016, 07:07:11 pm
And fixed. ;)
Title: Re: Ipsec
Post by: voltara2000 on October 13, 2016, 03:26:59 pm
Thank you very much!

Cannot wait to give this a test. Would this fix be included in the 16.7.7 update?

Title: Re: Ipsec
Post by: fabian on October 13, 2016, 03:30:37 pm
If you cannot wait you can use the opnsense-patch utility on the command line to fetch the commit ;)
Title: Re: Ipsec
Post by: franco on October 13, 2016, 03:45:53 pm
Let's help out ;)

Commit:

https://github.com/opnsense/core/commit/5dc95bac

Command:

# opnsense-patch 5dc95bac


Cheers,
Franco
Title: Re: Ipsec
Post by: voltara2000 on October 14, 2016, 05:45:58 pm
Hi,

I have applied the patch. From the GUI side everything looks good.
When I tried to connect I got the following error: Error Description: 13801: IKE authentication credentials are unacceptable. I didn't have a chance to go over my config and certificates. I will do that this weekend and try to figure out what the cause of that is.

Thank you,
Andrei
Title: Re: Ipsec
Post by: voltara2000 on October 15, 2016, 02:50:35 am
Hi,

After some testing with Windows 7 and the strongSwan Android client I am getting the same error on both.
Please see the attached final part of the log. What could be the problem? Does anyone have any suggestions?

Thank you,
Andrei
Title: Re: Ipsec
Post by: franco on October 17, 2016, 07:39:54 am
Hi Andrei,

EAP is working, but the verification against the certificate/chain is not.


Cheers,
Franco
Title: Re: Ipsec
Post by: voltara2000 on October 17, 2016, 09:13:40 pm
Hi Franco,

What do you think is causing this behavior? The OPNsense implementation of strongSwan, or a wrong configuration on my side? I have checked my certificates a few times and they look OK. I have followed the pfSense guide https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 for setting up this connection. I will try to recreate the same config on pfSense to see the logs and compare, and will also post the OPNsense-generated config file vs. the pfSense one for the same scenario.

Thank you,
Andrei