[Solved] Update migration of IPsec with "Mutual RSA + EAP-MSCHAPV2" broken.

[schnipp]

A few days ago I updated my Opnsense from version 22.7.11_1 to 23.1_6 and noticed that some of my roadwarrior IPsec connections do not work anymore. The username and password for the second authentication round (EAP-MSCHAPv2) is not accepted by the Opnsense.

I investigated the configuration file (/usr/local/etc/swanctl/swanctl.conf) and saw the possible issue. The following shows a config excerpt of the affected connection.


        local-0 {
            id =
            auth = pubkey
            certs = cert-1.crt
        }
        remote-0 {
            id = %any
            auth = pubkey
            eap_id = %any
        }
        remote_addrs = %any
        encap = no
        dpd_delay = 10 s
        dpd_timeout = 60 s
        pools = defaultv4
        remote-1 {
            auth = eap-mschapv2
        }


It looks like the parameter "eap_id" is misplaced in section "remote-0" which only handles the first certificate based authentication. The parameter must move to section "remote-1" which handles the second authentication round based on password based authentication (mschapv2).

A fix would be appreciated. But, if the new configuration interface in the WebUI is stable enough, I can try to fix the issue that way.

• Does anybody already has experience with the stability of the new WebUI interface (Connections [new])?
• What about the old config dialogue, can it still be used in parallel for editing connections and manual tests regarding migration?

[mimugmail]

If you dont get a response best to open an issuein github

[schnipp]

If you dont get a response best to open an issuein github

Thank you. I'll do that if I cannot solve it with the new interface. Maybe, it is such a special case, which only affects less people. If the new interface solves it, it is not necessary to put energy in this topic.

[glasi]

        local-0 {
            id =
            auth = pubkey
            certs = cert-1.crt
        }
        remote-0 {
            id = %any
            auth = pubkey
            eap_id = %any
        }
        remote_addrs = %any
        encap = no
        dpd_delay = 10 s
        dpd_timeout = 60 s
        pools = defaultv4
        remote-1 {
            auth = eap-mschapv2
        }

Well spotted!

I changed the configuration manually according to your findings. After reloading the configuration with swanctl --load-conns Mutual RSA + EAP-MSCHAPV2 works as expected.

The next time I restart or when I make changes via the GUI, my manual changes are of course gone.

[franco]

> Does anybody already has experience with the stability of the new WebUI interface (Connections [new])?

The stability is very similar since both the old and the new GUI use swanctl.conf as its base.

> What about the old config dialogue, can it still be used in parallel for editing connections and manual tests regarding migration?

Yes. It could be that old dialog is more prone to automatic migration issues to swanctl.conf format having been carried out. The new dialog follows swanctl.conf syntax more closely so such hiccups are less likely to occur.

Nevertheless, old one will be fixed as it's clearly a regression.


Thanks,
Franco

[franco]

PS: Can you guys confirm READCTED ?

(see below)

[franco]

Hmm perhaps the patch will not apply. Let me make a backport....

https://github.com/opnsense/core/commit/7504f4f3af17

# opnsense-patch 7504f4f3af17

[glasi]

Patch works like a charm. Top!

[schnipp]

The stability is very similar since both the old and the new GUI use swanctl.conf as its base.

[...]
Yes. It could be that old dialog is more prone to automatic migration issues to swanctl.conf format having been carried out. The new dialog follows swanctl.conf syntax more closely so such hiccups are less likely to occur.

Nevertheless, old one will be fixed as it's clearly a regression.

I have already tested the new WebUI interface and I am overwhelmed. The interface looks great, very good job and many thanks. Also my wish of multiple authentication rounds has been integrated :). I will do some additional tests with the new interface when migrating the remaining connections. If I find any bug, I'll raise a ticket in github.

Regarding the regression I can test the patch the next days and can give you feedback.

Thanks.

[franco]

@glasi thanks, it will be in 23.1.1 tomorrow

@schnipp thank you for the kind words, I passed them along. Feedback for bug won't be necessary but bug tickets for remaining issues are more than welcome. Make sure to use 23.1.1 as it seems to close a few other bugs along the way.


Cheers,
Franco

[schnipp]

Just updated to 23.1.1 the problem is now solved  :)