[Bug] IPSec VPN: Wrong VPN Types offered with IKEv2 #1961
Comments
Is anybody here familiar with IPsec IKEv2 and strongSwan, or using it?
My testing of the IPsec functionality in OPNsense shows that it's pathologically broken: they can do site-to-site with each other, but aren't compatible with mainstream IKE implementations in v1 or v2. We solved this problem in OpenStack's VPNaaS via libreswan, but getting that to build on BSD is apparently a nightmare (I tried). Our solution was to move as much as we could to OpenVPN and use an alternative IPsec terminator when required.
Tests with a manually modified ipsec.conf file work well with a Fritzbox as the other tunnel endpoint (tunnel mode) and with an Android phone using the strongSwan client (roadwarrior). The problem is that the web UI does not allow me to properly set up the IPsec configuration.
Is there anybody who can help solve this problem? With every update of OPNsense, I have to manually update the configuration. In my opinion the GUI should allow configuring {left|right}auth and {left|right}auth2 separately.
What configuration do you need, and for what use case? IKEv2 + eap-mschapv2 is supported; if I'm not mistaken it's approximately the use case described here: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
I need mutual RSA + eap-mschapv2. This is not configurable via the GUI.
@AdSchellevis: Thank you, the patch works great.
Shipping in 18.1.12 then, thanks for testing! ❤️
When setting up a VPN for mobile clients (roadwarrior), the phase 1 settings offer wrong authentication methods in conjunction with "IKEv2" as the key exchange version.
If I understand the strongSwan documentation correctly [1], "Xauth" is only supported for "IKEv1". I investigated a little because it was not possible to get a connection from Android's strongSwan client with mode (Mutual RSA + EAP User/Password).
If I manually change the "rightauth2" parameter in "ipsec.conf" from "xauth" to "eap-mschapv2", the strongSwan client on my mobile phone works fine. So I think the authentication methods have to be adapted to IKEv2 (e.g. Mutual RSA + EAP MSCHAPv2, ...) if the latter is selected.
OPNsense version: 17.7.8
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
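A check for the mismatch this issue describes, added here as an example and not code from OPNsense or strongSwan: it parses constructed ipsec.conf conn sections (the generated one with rightauth2=xauth and the hand-corrected one with eap-mschapv2) and flags xauth under keyexchange=ikev2, since strongSwan documents xauth as IKEv1-only and the eap-* methods as IKEv2-only.

```python
# Check strongSwan ipsec.conf conn sections for auth methods the selected IKE
# version cannot use (this issue: rightauth2=xauth with keyexchange=ikev2).
# Added example, not OPNsense or strongSwan code.
import re

# Constructed fragment mirroring the report: generated conn vs. corrected conn.
IPSEC_CONF = """
conn roadwarrior-generated
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth
conn roadwarrior-fixed
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=eap-mschapv2
"""

IKEV1_ONLY = {"xauth"}  # strongSwan documents xauth as IKEv1-only
AUTH_KEYS = ("leftauth", "rightauth", "leftauth2", "rightauth2")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def auth_problems(settings):
    """Auth settings the conn's explicit keyexchange version cannot use."""
    kx = settings.get("keyexchange", "ike")  # 'ike' accepts both; not flagged
    bad = []
    for key in AUTH_KEYS:
        method = settings.get(key, "")
        if kx == "ikev2" and method in IKEV1_ONLY:
            bad.append(f"{key}={method} is IKEv1-only")
        elif kx == "ikev1" and method.startswith("eap"):
            bad.append(f"{key}={method} is IKEv2-only")
    return bad
```

Run over a real ipsec.conf, an empty list for every conn means the generated authentication methods match the selected IKE version.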