Multiple Roadwarrior IPSEC tunnels?

Started by schnipp, July 12, 2018, 05:56:39 PM

Hi all,

To access my LAN from different mobile devices I need multiple IPsec roadwarrior configurations. Is there a plan to support multiple roadwarrior configurations? For strongSwan it is no problem to handle multiple connections in parallel. Thanks
OPNsense 24.7.11_2-amd64


In case mobile extensions are enabled, I have only one predefined profile "mobile client", compared to multiple site-to-site profiles. But I also need to configure multiple different tunnels for mobile clients, because the devices need different configurations for phase 1 and 2 (e.g. the builtin IPsec client in Linux GNOME, strongSwan on Android, the builtin Windows 7 client, etc.).
OPNsense 24.7.11_2-amd64

Hm, how do you plan to identify which P1 to use when a client connects?

I am not sure, but it should be possible to distinguish different clients by their proposal (distinguished name, authentication claim, etc.).

The Fritzbox was able to distinguish different roadwarriors. But since I replaced it with the OPNsense, I am not able to connect all my devices via VPN anymore.
OPNsense 24.7.11_2-amd64

Hello,

I second this request.
At least it would be interesting to have one IKEv1 RW configuration and one IKEv2 configuration.

Otherwise, the authentication method first allows distinguishing multiple phase 1s (the authby field in the strongSwan ipsec.conf file). When the same auth method is used, the remote ID (the rightid field in ipsec.conf) allows distinguishing multiple phase 1s. I've already created such strongSwan configurations with success.

Regards,

Fred.

I did some research: strongSwan supports multiple connections as a responder. Furthermore, it is capable of sharing the same address pool across multiple defined connections (since v5.0.1).

https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#Responder-Configuration

...and some quite old discussions which helped to improve strongSwan:

https://wiki.strongswan.org/issues/447
https://wiki.strongswan.org/issues/461
https://wiki.strongswan.org/issues/735

OPNsense 24.7.11_2-amd64

Is there a chance to get the support of multiple roadwarrior configurations implemented in the GUI?
OPNsense 24.7.11_2-amd64

Not right now, but we already added the possibility to choose multiple HMACs and DH groups in Phase 1. This should make more systems compatible with one setup.

ATM I'm rewriting documentation and testing a setup which fits all.

But sadly there is no profile mode, like multiple pools etc.

Unfortunately, this does not help. Systems used as roadwarriors need different authentication algorithms, which are unique in phase 1.

BTW, in phase 1 I do not see any possibility for multiple selection of encryption, hash and DH algorithms like in phase 2. My OPNsense version is 18.7.3-amd64.

OPNsense 24.7.11_2-amd64


Quote from: schnipp on September 25, 2018, 08:48:32 PM

BTW, in phase 1 I do not see any possibility for multiple selection of encryption, hash and DH algorithms like in phase 2. My OPNsense version is 18.7.3-amd64.

It's in master and will come in one of the next releases (.5 or .6).

Hi all,

Please find attached an extract of an ipsec.conf with multiple conn sections for different authentication cases, for IKEv2. Some fields are replaced with fake info (X.Y, Z, modecp@company.com, "Server Certificate Subject"); some options (like algorithms) are supposed to be defined in the %default section.

It contains 6 different cases:
- PSK with mode CP
- PSK without mode CP
- EAP with mode CP
- EAP without mode CP
- Certificate with mode CP
- Certificate + EAP with mode CP

Depending on what the VPN client is requesting, the matching conn section is used.
The rightid (LocalId on the VPN client side) allows distinguishing between CP and non-CP modes for PSK and EAP.

Regards,

FredTGB
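
An added, illustrative ipsec.conf fragment, not FredTGB's attachment (which is not reproduced here) and not the configuration OPNsense generates, showing the pattern discussed in this thread: several IKEv2 roadwarrior conn sections on one strongSwan responder, told apart first by authentication method (leftauth/rightauth, the per-side form of authby) and, where the method is the same, by rightid, with the CP-mode sections naming the same rightsourceip subnet so that strongSwan shares a single pool between them. All hostnames, subnets, certificate names, issuer DNs, identities and algorithm lists below are placeholders.

```conf
conn %default
        keyexchange=ikev2
        # Placeholder algorithm lists; offering several proposals lets
        # different client types find a match in one responder config.
        ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
        esp=aes256-sha256,aes256-sha1!
        dpdaction=clear
        dpddelay=30s
        left=%any
        leftid=vpn.example.com          # placeholder; must match a SAN of the server certificate
        leftsubnet=192.168.1.0/24       # placeholder LAN behind the firewall
        leftcert=serverCert.pem         # placeholder file in /etc/ipsec.d/certs
        leftsendcert=always
        right=%any
        rightdns=192.168.1.1            # placeholder DNS pushed to CP clients
        auto=add

# 1) Certificate clients (e.g. strongSwan on Android), mode CP.
#    Selected by the auth method plus the issuing CA of the client cert.
conn rw-cert-cp
        leftauth=pubkey
        rightauth=pubkey
        rightca="C=DE, O=Example, CN=Example CA"   # placeholder issuer DN
        rightsourceip=10.10.10.0/24

# 2) EAP-MSCHAPv2 clients (e.g. Windows builtin client), mode CP.
#    Same subnet as above: strongSwan shares one pool between the sections.
conn rw-eap-cp
        leftauth=pubkey
        rightauth=eap-mschapv2
        eap_identity=%identity
        rightsourceip=10.10.10.0/24

# 3) EAP clients that keep their own address (no CP).
#    Same auth method as 2), so the client's IKE identity (rightid) decides.
conn rw-eap-nocp
        leftauth=pubkey
        rightauth=eap-mschapv2
        eap_identity=%identity
        rightid=eap-nocp@example.com

# 4) PSK clients, mode CP, identified by the IKE ID configured on the client.
conn rw-psk-cp
        leftauth=psk
        rightauth=psk
        rightid=psk-cp@example.com
        rightsourceip=10.10.10.0/24

# 5) PSK clients without CP; differs from 4) only in rightid.
conn rw-psk-nocp
        leftauth=psk
        rightauth=psk
        rightid=psk-nocp@example.com

# 6) Certificate plus EAP (two authentication rounds), mode CP.
conn rw-cert-eap-cp
        leftauth=pubkey
        rightauth=pubkey
        rightauth2=eap-mschapv2
        eap_identity=%identity
        rightsourceip=10.10.10.0/24
```

Two practical notes on this layout. The PSK sections only work if ipsec.secrets carries a PSK entry for each of the rightid values (e.g. `psk-cp@example.com : PSK "..."`), and the client must set exactly that string as its local identity; giving every PSK section a distinct, non-`%any` rightid is also what keeps one device's key from matching the other section. Because the responder only learns the peer's identity and authentication method in IKE_AUTH, strongSwan picks the final conn at that point, so the sections that share an auth method should always differ in rightid (or rightca); two sections that are identical apart from the pool would be ambiguous.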


Hi all,

FredTGB, many thanks for performing tests with multiple strongSwan configurations. When I am back from vacation I can do some additional tests, especially with multiple configurations using the same global address pool for roadwarrior connections. When I have done so, I'll post the results here.

OPNsense 24.7.11_2-amd64

So, if you don't need different pools and already have a P1 for mobile, you could do this (without warranty):

https://yourfirewall/vpn_ipsec_phase1.php?mobile=true

And add a second one.
The generated ipsec.conf looks sane... just try it. If it works for you, I'll have a talk with Franco and Ad about adding a button for multiple mobile P1s, but we need your testing results.