OPNsense Forum » Archive » 20.7 Legacy Series
Topic: 20.7.1 - Can't select correct Authentication Method on IPsec Stage 1 config (Read 3708 times)

danielm (Newbie, Posts: 40, Karma: 0)
20.7.1 - Can't select correct Authentication Method on IPsec Stage 1 config
on: August 30, 2020, 10:37:04 am
I just wanted to create a new stage 1 for IPsec since I was having problems with my other one (couldn't get EAP-TLS working with Win10) and noticed that, weirdly, I can't select the correct auth method!
I can only select "Mutual RSA", "Mutual PSK" and "Mutual Public Key", despite Key Exchange being set to IKEv2.
This seems wrong!
For pictures, see what I appended. (The web interface is set to German, but you will still get the point.)
I saw a similar issue from 2017 that was supposedly fixed, but I'm starting to think maybe it wasn't fully fixed after all:
https://github.com/opnsense/core/issues/1961
I already had issues with the selection the first time, but somehow it worked then; I don't know what I did back then to make it show the selections I needed.
Does anyone know what the problem is and/or how to fix it, or can at least point me in the right direction?
Last Edit: August 31, 2020, 01:03:46 am by danielm

Fright (Hero Member, Posts: 1777, Karma: 164)
Reply #1 on: August 30, 2020, 11:46:36 am
First, try to fill in the mobile client config and enable mobile client support (the "Enable IPsec Mobile Client Support" flag in the English interface), then press "Save".
After that, all supported phase 1 auth methods will be displayed in the new tunnel config screen.
Last Edit: August 30, 2020, 11:51:28 am by Fright

danielm (Newbie, Posts: 40, Karma: 0)
Reply #2 on: August 30, 2020, 06:50:16 pm
Since I already tried to set it up once, the mobile client section is already configured as you suggested (see screenshot).
Could the problem be that I already have another phase 1 entry, even though it is currently disabled?
Fright (Hero Member, Posts: 1777, Karma: 164)
Reply #3 on: August 30, 2020, 07:04:57 pm
Yep, it looks like it needs to be removed and phase 1 creation must be started from the mobile client menu.
You can try without deletion: start creating a new phase 1 config and add "?mobile=true" to the URL. But I can't predict the results if you end up with two Mobile Client Tunnel configs :)
Maybe everything will be fine if you do not enable both.
Last Edit: August 30, 2020, 07:07:26 pm by Fright

danielm (Newbie, Posts: 40, Karma: 0)
Reply #4 on: August 30, 2020, 07:10:11 pm
Ah crap, I thought I could keep the old one since it almost worked.
I also thought it was designed so that you could have multiple parallel phase 1s for different compatibility schemes, for example a more insecure one that is backwards compatible with old devices, without sacrificing security on the new ones.
I'll try your suggestion, though, I think (hoping things don't break majorly).
Fright (Hero Member, Posts: 1777, Karma: 164)
Reply #5 on: August 30, 2020, 07:17:45 pm
I think it will be OK with two mobile policies.
I agree that it is convenient to keep several settings and enable them if necessary.
You can request it on GitHub (just a small toggle in the tunnel settings GUI, "site-to-site <-> client access").
danielm (Newbie, Posts: 40, Karma: 0)
Reply #6 on: August 30, 2020, 07:26:08 pm
Thing is, I thought it was already there, since I searched for it and came to
https://forum.opnsense.org/index.php?topic=9357.0
which seems to suggest it should work.
Fright (Hero Member, Posts: 1777, Karma: 164)
Reply #7 on: August 30, 2020, 07:45:02 pm
It's a little different.
Multiple proposals are already there.
I'm talking about the ability to create separate policies and the ability to switch between them.
Or are multiple proposals enough for you?
If I understood you correctly, the problem is the auth method. AFAIK we cannot define multiple auth methods in one policy. With multiple proposals we can define multiple encryption and hash options, not auth methods.
Last Edit: August 30, 2020, 08:59:10 pm by Fright
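Added illustration of the distinction Fright draws above, in the hand-written strongSwan ipsec.conf format (OPNsense's IPsec is built on strongSwan, but this is not the configuration OPNsense generates and not code from the thread). Cipher proposals are a list inside one conn, so one policy can offer several; the authentication method is a single setting per conn, so EAP-MSCHAPv2 and EAP-TLS clients need two conn blocks. Hostnames, subnets, pool, certificate names and the CA DN are placeholders.

```conf
# Added example, not OPNsense-generated config: strongSwan ipsec.conf with two
# road-warrior policies that share proposals but differ in authentication method.
# All names, addresses and certificate references below are placeholders.

config setup
    uniqueids = no

# Settings shared by both policies
conn %default
    keyexchange = ikev2
    # Several IKE/ESP proposals in ONE policy; the client picks any of them.
    # The trailing "!" tells strongSwan to accept only these proposals.
    ike = aes256gcm16-sha384-ecp384,aes256-sha256-modp2048!
    esp = aes256gcm16-ecp384,aes256-sha256-modp2048!
    left = %any
    leftid = vpn.example.net                  # placeholder FQDN, must match the server cert
    leftcert = vpn.example.net.crt            # placeholder server certificate
    leftsubnet = 10.10.0.0/24,10.20.0.0/24    # the "multiple subnets for clients" as one list
    right = %any
    rightsourceip = 10.99.0.0/24              # placeholder client address pool
    dpdaction = clear
    dpddelay = 30s

# Policy 1: username/password clients. rightauth is a single value per conn.
conn rw-mschapv2
    leftauth = pubkey
    rightauth = eap-mschapv2
    eap_identity = %identity
    auto = add

# Policy 2: certificate clients. A second rightauth cannot be added to the conn
# above, so this is a separate policy; strongSwan selects between the two during
# IKE_AUTH based on the authentication the peer actually offers.
conn rw-eaptls
    leftauth = pubkey
    rightauth = eap-tls
    rightca = "C=DE, O=Example, CN=Example Root CA"   # placeholder CA DN
    eap_identity = %identity
    auto = add
```

This is meant for a plain strongSwan host to show the model. OPNsense regenerates its strongSwan configuration from the GUI, so hand edits on the firewall itself would be overwritten; there the equivalent is the second phase 1 the thread ends up creating.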
danielm (Newbie, Posts: 40, Karma: 0)
Reply #8 on: August 30, 2020, 09:13:57 pm
Right, I need a different auth method, so I need separate policies.
I will try your "trick" now and report back later on whether it worked.
danielm (Newbie, Posts: 40, Karma: 0)
Reply #9 on: August 31, 2020, 01:03:24 am
Okay, so I tried your suggestion and you were right!
Adding that suffix to the URL opened up the selections, so I could finally select MSCHAPv2.
Now I have both the old phase 1 (and 2) disabled, and the new phase 1, along with a few phase 2s (multiple subnets reachable for clients), and the VPN actually works!
After configuring FW rules and DNS, I'm pretty happy with the system for now.
Do you think we should file a bug report for the problem? Feels like erroneous behaviour to me.
Whatever the case, thanks for the great suggestion, it was just what I needed.
Fright (Hero Member, Posts: 1777, Karma: 164)
Reply #10 on: August 31, 2020, 07:01:51 am
Glad it worked!
I don't know about the report; I don't even use IPsec on OPNsense for now.
But of course some description (which mode we are in and how to switch modes) on the tunnel configuration page would be nice. The ability to manually create an additional client access policy (a switch between site-to-site and client access mode in the tunnel config GUI and a "Tunnel settings association" dropdown in the Mobile Clients GUI) would be even better.
If you have time to create a request, that would be great.
Last Edit: August 31, 2020, 07:15:32 am by Fright