OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of FredTGB »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - FredTGB

Pages: [1]
1
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: September 26, 2018, 03:05:57 pm »
Hi all,

Please find attached an extract of an IPsec.conf with multiple conn sections, for different authentication cases, for IkeV2. Some fields are replaced with fake info (X.Y, Z, modecp@company.com, "Server Certificate Subject"), some options (like algorithms) are supposed to be defined in the %default section.

It contains 6 different cases:
- PSK with mode CP
- PSK without mode CP
- EAP with mode CP
- EAP without mode CP
- Certificate with mode CP
- Certificate + EAP with mode CP

Depending on what the VPN client is requesting, the matching conn section is used.
The rightid (LocalId on VPN client side) allows to distinguish between CP and non CP modes for PSK and EAP.

Regards,

FredTGB


2
18.7 Legacy Series / OpenVPN Client export with port/protocol change on server side.
« on: September 17, 2018, 10:56:12 am »
Hi,

After changing port and protocol for the OpenVPN server from 1194/UDP to 1195/TCP, client export configuration keeps using 1194/UDP. Also the generated filename still contain udp-1194.
I've checked that on client side the tunnel opens really with 1195/TCP.

Is this a known issue ?

Thanks,

Fred.

3
General Discussion / Re: Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
« on: August 07, 2018, 09:19:36 am »
Hi Franco,

Thanks for your reply.

Do you mean it's a Strongswan restriction and EAP passwords can't be handled like xAuth passwords ?

I know xAuth passwords can be specified in ipsec.secrets, but another method is used by Opnsense. I guess this method (to avoid passwords handled as PSK) doesn't apply to EAP.

However, would it be possible to specify EAP passwords directly in the user configuration page (like the tunnel PSK) ? This would avoid to have another place not related to the user where to specify the EAP password. The advantage is for example if you decide to disable a user (including his VPN access), you just do it in one place.

Thanks,

Fred

4
General Discussion / Road Warrior IPsec tunnel, with IkeV2 and EAP-MSCHAPV2
« on: August 06, 2018, 02:07:20 pm »
Hello,

I've created a RW IPsec configuration with IkeV2 and EAP-MSCHAPV2.
It works properly on specific cases, but I have anyway a configuration issue to deploy it easily when having more users to handle.

The issue is about EAP users and passwords. My understanding is I have to set this through "VPN/IPsec/Pre-Shared keys", and add specifically EAP users/passwords.
This is annoying because finally the user database ("System/Access/user") is not used (as set in "VPN/IPsec/Mobile Clients" page), and additionally I can't reuse the same user ID when adding the EAP password, I need to create a new ID.

I've tested the same with IkeV1 and xAuth, and it works well with the user database (no need to create additional passwords).

Could you tell me if my understanding is correct ?
If it is, I'm wondering if it would be possible to have EAP password handled directly from User configuration page (like it is done for "IPsec Pre-Shared Key") ?
If it is not, what is wrong ?

Thanks,

Fred.

5
General Discussion / Re: Certificate + PK -> Encrypt w/Password?
« on: August 06, 2018, 11:46:04 am »
Done as #2609.

6
General Discussion / Re: Certificate + PK -> Encrypt w/Password?
« on: August 06, 2018, 08:38:06 am »
The generated .p12 is Ok, and can be imported without password.

The suggestion is to have the possibility to specify a password. This is necessary, for security reasons, when you'd like to distribute certificates to users (in my case VPN users).

Regards,

Fred.

7
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: August 03, 2018, 09:31:30 am »
Hello,

I second this request.
At least it would be interesting to have one IkeV1 RW configuration and one IkeV2 configuration.

Otherwise, the authentication method in first allows to distinguish multiple phases 1 (authby field in Strongswan ipsec.conf file). When the same auth method is used the remote ID (rightid field in ipsec.conf file) allows to distinguish multiple phases 1). I've already created such Strongswan configurations with success.

Regards,

Fred.

8
General Discussion / Re: Certificate + PK -> Encrypt w/Password?
« on: August 03, 2018, 09:09:36 am »
Hello,

I second this request, for user certificates.
I've created a Mobile client VPN settings, and the usual way to create configurations for VPN Client users is to provide an encrypted p12 file.

Thanks,

Fred.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2