Messages - FredTGB

#1
Hi all,

Please find attached an extract of an ipsec.conf with multiple conn sections, for different authentication cases, for IKEv2. Some fields are replaced with fake info (X.Y, Z, modecp@company.com, "Server Certificate Subject"), and some options (like algorithms) are supposed to be defined in the %default section.

It contains 6 different cases:
- PSK with mode CP
- PSK without mode CP
- EAP with mode CP
- EAP without mode CP
- Certificate with mode CP
- Certificate + EAP with mode CP

Depending on what the VPN client is requesting, the matching conn section is used.
The rightid (LocalId on the VPN client side) allows distinguishing between CP and non-CP modes for PSK and EAP.

Regards,

FredTGB

#2
Hi,

After changing the port and protocol of the OpenVPN server from 1194/UDP to 1195/TCP, the client export configuration keeps using 1194/UDP. Also, the generated filename still contains udp-1194.
I've checked that on the client side the tunnel really opens with 1195/TCP.

Is this a known issue?

Thanks,

Fred.

#3
Hi Franco,

Thanks for your reply.

Do you mean it's a strongSwan restriction and EAP passwords can't be handled like XAuth passwords?

I know XAuth passwords can be specified in ipsec.secrets, but another method is used by OPNsense. I guess this method (to avoid passwords being handled as PSKs) doesn't apply to EAP.

However, would it be possible to specify EAP passwords directly in the user configuration page (like the tunnel PSK)? This would avoid having another place, unrelated to the user, where the EAP password must be specified. The advantage is, for example, that if you decide to disable a user (including his VPN access), you do it in just one place.

Thanks,

Fred

#4
Hello,

I've created a RW IPsec configuration with IKEv2 and EAP-MSCHAPv2.
It works properly in specific cases, but I still have a configuration issue when deploying it easily to a larger number of users.

The issue is about EAP users and passwords. My understanding is that I have to set these through "VPN/IPsec/Pre-Shared keys", and add EAP users/passwords specifically.
This is annoying because in the end the user database ("System/Access/user") is not used (as set in the "VPN/IPsec/Mobile Clients" page), and additionally I can't reuse the same user ID when adding the EAP password; I need to create a new ID.

I've tested the same with IKEv1 and XAuth, and it works well with the user database (no need to create additional passwords).

Could you tell me if my understanding is correct?
If it is, I'm wondering if it would be possible to have EAP passwords handled directly from the user configuration page (like it is done for "IPsec Pre-Shared Key")?
If it is not, what is wrong?

Thanks,

Fred.

#5
Done as #2609.

#6
The generated .p12 is OK, and can be imported without a password.

The suggestion is to have the possibility to specify a password. This is necessary, for security reasons, when you'd like to distribute certificates to users (in my case VPN users).

Regards,

Fred.

#7
Hello,

I second this request.
At least it would be interesting to have one IKEv1 RW configuration and one IKEv2 configuration.

Otherwise, the authentication method first allows distinguishing multiple phase 1s (authby field in the strongSwan ipsec.conf file). When the same auth method is used, the remote ID (rightid field in the ipsec.conf file) allows distinguishing multiple phase 1s. I've already created such strongSwan configurations successfully.

Regards,

Fred.
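The layout FredTGB describes in posts #1 and #7, assembled here as an added illustration (this is not the attachment from post #1, which is not reproduced on this page, nor OPNsense's generated configuration): one strongSwan ipsec.conf with one conn section per authentication case, which the responder selects first by the authentication method the client uses and then by the identity it presents. The placeholders X.Y, Z, modecp@company.com and "Server Certificate Subject" are taken from post #1; everything else is assumed for the example: the conn names, the nomodecp@company.com identity for the non-CP variants, the 10.10.10.0/24 virtual IP pool, the certificate file name and the client CA subject.

```ini
# Added example of the multi-conn layout from posts #1 and #7 (not the
# original attachment). Placeholders from post #1: X.Y (gateway address),
# Z (subnet offered to clients), modecp@company.com, "Server Certificate
# Subject". Assumed for illustration: conn names, nomodecp@company.com,
# 10.10.10.0/24, serverCert.pem and the client CA distinguished name.

config setup

conn %default
    keyexchange=ikev2
    # Algorithms belong in %default, as post #1 notes; "!" makes the
    # proposal list strict so weaker client proposals are refused.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=X.Y
    leftsubnet=Z
    right=%any
    dpdaction=clear
    auto=add

# --- PSK with mode CP: client sends LocalId modecp@company.com ---
# The PSK itself is stored in ipsec.secrets, keyed by this identity.
conn psk-cp
    leftauth=psk
    rightauth=psk
    rightid=modecp@company.com
    # rightsourceip enables the IKEv2 configuration payload (mode CP)
    rightsourceip=10.10.10.0/24

# --- PSK without mode CP: same auth method, different identity ---
conn psk-nocp
    leftauth=psk
    rightauth=psk
    rightid=nomodecp@company.com
    # no rightsourceip: no virtual IP is assigned to the client

# --- EAP-MSCHAPv2 with mode CP ---
# The gateway authenticates with its certificate. The client's IKE
# identity (rightid) only selects this conn; the EAP identity requested
# with %identity selects the EAP secret in ipsec.secrets.
conn eap-cp
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="Server Certificate Subject"
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightid=modecp@company.com
    rightsourceip=10.10.10.0/24

# --- EAP-MSCHAPv2 without mode CP ---
conn eap-nocp
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="Server Certificate Subject"
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightid=nomodecp@company.com

# --- Client certificate with mode CP ---
# Any identity is accepted, but only if the client certificate chains
# to the CA named in rightca; the ID alone never selects this conn.
conn cert-cp
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="Server Certificate Subject"
    rightauth=pubkey
    rightid=%any
    rightca="C=XX, O=Company, CN=Client CA"
    rightsourceip=10.10.10.0/24

# --- Client certificate followed by EAP (two authentication rounds),
#     with mode CP ---
conn cert-eap-cp
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="Server Certificate Subject"
    rightauth=pubkey
    rightca="C=XX, O=Company, CN=Client CA"
    rightauth2=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
```

Two points worth checking when reusing this pattern: in the two PSK conns every client that presents modecp@company.com shares the same key, so those sections give group rather than per-user credentials, whereas the EAP and certificate conns identify each user individually; and in the certificate conns rightca, not rightid, is what restricts which client certificates are accepted, so it should name the CA that actually issues the user certificates rather than being left out.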

#8
Hello,

I second this request, for user certificates.
I've created Mobile Client VPN settings, and the usual way to create configurations for VPN client users is to provide an encrypted p12 file.

Thanks,

Fred.