
[Bug] IPSec VPN: Wrong VPN Types offered with IKEv2 #1961

Closed
somova opened this issue Nov 26, 2017 · 9 comments


somova commented Nov 26, 2017

In case of setting up a VPN for mobile clients (roadwarrior), the phase1 settings offer wrong authentication methods in conjunction with "IKEv2" as key exchange version.

  • Hybrid RSA + Xauth
  • Mutual RSA + Xauth
  • Mutual PSK + Xauth

If I understand the strongSwan documentation correctly [1], "Xauth" is only supported for "IKEv1". I investigated a little bit because it was not possible to get a connection from Android's strongSwan client with mode (Mutual RSA + EAP User/Password).

If I manually change the "rightauth2" parameter in the "ipsec.conf" from "xauth" to "eap-mschapv2" the strongswan client on my mobile phone works fine. So I think the authentication methods have to be adapted to IKEv2 (e.g. Mutual RSA + EAP MSCHAPv2, ...) if the latter is selected.

Opnsense version: 17.7.8

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

@somova somova changed the title IPSec VPN: Wrong VPN Types offered with IKEv2 [Bug] IPSec VPN: Wrong VPN Types offered with IKEv2 Dec 3, 2017
@somova
Author

somova commented Dec 3, 2017

Is anybody here familiar with IPSEC IKEv2 and Strongswan respectively using it?

@sempervictus

My testing of the IPSEC functionality in OPNSense shows that it's pathologically broken - they can site-to-site with each other, but aren't compatible with mainstream IKE implementations in v1 or v2. We solved this problem in openstack's vpnaas via libreswan, but getting that to build on BSD is apparently a nightmare (I tried). Our solution was to move as much as we could to OpenVPN and use an alternative ipsec terminator when required.

@somova
Author

somova commented Jan 7, 2018

Tests with a manually modified ipsec.conf file work well with a Fritzbox as another tunnel endpoint (tunnel mode) and with an android phone using strongswan client (roadwarrior).

The problem is that the web UI does not allow me to properly set up the ipsec configuration.

@somova
Author

somova commented Jun 26, 2018

Is there anybody who can help to solve this problem? With every update of OPNsense, I have to manually update the configuration. In my opinion the GUI should allow configuring {left|right}auth and {left|right}auth2 separately.

@AdSchellevis
Member

What configuration do you need and for what use case? IKEv2 + eap-mschapv2 is supported; if I'm not mistaken it's approximately the use case described here: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

@somova
Author

somova commented Jun 29, 2018

I need mutual RSA + eap-mschapv2. This is not configurable via the GUI:

```
leftauth = pubkey
rightauth = pubkey
rightauth2 = eap-mschapv2
```
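
A small lint that catches the combination this comment corrects (an XAuth method under `keyexchange=ikev2`), useful after an upgrade has regenerated ipsec.conf. This is an added example, not OPNsense or strongSwan code; the ipsec.conf sample is constructed.

```python
# Added example (not OPNsense/strongSwan code): lint ipsec.conf "conn"
# sections for the IKEv2 + XAuth mismatch reported in this issue.
import re

AUTH_KEYS = ("leftauth", "rightauth", "leftauth2", "rightauth2")

# Constructed ipsec.conf: one conn as the GUI rendered it, one as hand-edited.
SAMPLE = """\
conn %default
    keyexchange = ikev2

conn rw-gui
    leftauth = pubkey
    rightauth = pubkey
    rightauth2 = xauth          # IKEv1-only method under IKEv2

conn rw-fixed
    leftauth = pubkey
    rightauth = pubkey
    rightauth2 = eap-mschapv2   # the manual fix from the report
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'conn %default' is merged into every
    other conn, mirroring how strongSwan applies defaults."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"^(conn|ca|config)\s+(\S+)$", line)
        if m:                                     # section header
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:  # key = value inside a conn
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def find_xauth_with_ikev2(text):
    """Names of conns that pin keyexchange=ikev2 yet use an XAuth method."""
    bad = []
    for name, opts in parse_conns(text).items():
        if opts.get("keyexchange", "").lower() != "ikev2":
            continue                              # 'ike'/'ikev1' not flagged here
        if any(opts.get(k, "").lower().startswith("xauth") for k in AUTH_KEYS):
            bad.append(name)
    return bad
```

Run `find_xauth_with_ikev2` over the live `/usr/local/etc/ipsec.conf` after each update to confirm the hand edit survived.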

@AdSchellevis
Member

@somova can you try 6619147?

To install the patch, use:

```
opnsense-patch 661914
```

@somova
Author

somova commented Jul 3, 2018

@AdSchellevis: Thank you, the patch works great.

@fichtner
Member

fichtner commented Jul 3, 2018

Shipping in 18.1.12 then, thanks for testing! ❤️

@fichtner fichtner closed this as completed Jul 3, 2018
@fichtner fichtner added the feature Adding new functionality label Jul 3, 2018
@fichtner fichtner added this to the 18.7 milestone Jul 3, 2018
fichtner pushed a commit that referenced this issue Jul 3, 2018