General Discussion / IPSec: Mobile clients / Roadwarrior multiple groups (=PSK)
« on: March 04, 2019, 02:58:58 pm »
Hi,
I want to migrate from a quite old Cisco concentrator to OPNsense. My problem is the multiple client groups.
Cisco is configured for three road warrior groups, each with its own PSK.
By default OPNsense only allows one mobile client configuration. Via manual duplication of the phase 1 block in config.xml and restoring the modded version, I was able to set up more mobile clients. Each one has its own PSK.
But unfortunately it will not work. Only the last phase 1 entry is working. I already tried to modify ipsec.secrets and replaced the WAN IP with %any or %any6.
It does not seem that all PSKs are tried top-down to find the fitting one. But since road warriors have dynamic IPs, I have to use %any/%any6.
Any ideas how to fix this?
Quote
Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a Road Warrior connection, if an equal match is not found for the Peer's ID, and it is in the form of an IP address, a selector of %any will match the peer's IP address if IPv4 and %any6 will match the peer's IP address if IPv6. Currently, the obsolete notation 0.0.0.0 may be used in place of %any.
When using IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the Peer's ID payload has been decoded, so the ID used will be the IP address.
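As an added illustration (not from the post, OPNsense or strongSwan) of the selector rule quoted above: a small Python matcher that applies the equal-match rule first, then %any/%any6 (and the obsolete 0.0.0.0) by address family, and lists every entry that matches a road-warrior peer whose only usable ID is its dynamic address. With three groups all keyed on %any, every PSK is an equal candidate, so a responder that has to pick the secret from the peer IP alone (the IKEv1 case described in the quote) has no information to tell the groups apart. All selectors and PSK strings are constructed placeholders.

```python
import ipaddress

# Constructed ipsec.secrets-style table (selectors, PSK) mirroring the three
# road-warrior groups from the post, all keyed on %any. Placeholder values.
ROADWARRIOR_SECRETS = [
    (["%any", "%any6"], "PSK-GROUP-1"),
    (["%any", "%any6"], "PSK-GROUP-2"),
    (["%any", "%any6"], "PSK-GROUP-3"),
]


def _ip_version(peer_id):
    """Return 4 or 6 if peer_id is an IP address literal, else None."""
    try:
        return ipaddress.ip_address(peer_id).version
    except ValueError:
        return None


def selector_matches(selector, peer_id):
    """Matching rule from the quoted text: selector and ID must be equal;
    for an IP-form ID, %any (or the obsolete 0.0.0.0) stands in for any IPv4
    address and %any6 for any IPv6 address. Non-IP IDs never match a wildcard."""
    if selector == peer_id:
        return True
    version = _ip_version(peer_id)
    if version == 4:
        return selector in ("%any", "0.0.0.0")
    if version == 6:
        return selector == "%any6"
    return False


def candidate_psks(secrets, peer_id):
    """All PSKs whose selectors match peer_id, in table order.

    An exact selector match is returned alone; otherwise every wildcard match
    is a candidate. More than one candidate means the responder cannot pick
    the right group from the peer address alone."""
    exact = [psk for sels, psk in secrets if peer_id in sels]
    if exact:
        return exact
    return [psk for sels, psk in secrets
            if any(selector_matches(s, peer_id) for s in sels)]


if __name__ == "__main__":
    # Dynamic IPv4 road warrior: all three groups match equally.
    print(candidate_psks(ROADWARRIOR_SECRETS, "198.51.100.7"))
```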