IPSec: Security issues in authenticating connections #5239

Closed
2 tasks done
somova opened this issue Sep 27, 2021 · 2 comments
Labels
help wanted Contributor missing / timeout

somova commented Sep 27, 2021

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
Security issues have been observed in case multiple IPsec connections are configured. It is not an issue of strongswan itself but rather an issue of configuring IPsec connections via the webgui. The problem is that there is not a one-to-one mapping of webgui elements to important configuration parameters.

Authentication: In some cases it is not possible to define the trust anchor of (roadwarrior) IPsec connections. This results in a missing configuration parameter (e.g. rightca) in the config file and strongswan treats all available certificate authorities as valid for a specific connection. In this case a valid user of an IPsec connection can switch to another one and possibly elevate access rights.

  • Regarding the following selectable authentication methods in the webgui there is no possibility to select an appropriate trust anchor: Example: Hybrid RSA + Xauth, Mutual RSA + EAP-MSCHAPv2 etc.
  • Instead of choosing a CA for remote endpoint authentication Opnsense should alternatively allow selecting a specific remote endpoint certificate.

Last known working Opnsense version: n/a

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'VPN -> IPsec -> Tunnel Settings'
  2. Click on 'new phase 1 entry (or edit an existing one)'
  3. Traverse all certificate related authentication schemes (IKEv1/v2 and peer-to-peer/mobile connections) and check whether a CA (or specific certificate) for remote endpoint authentication is configurable.
  4. Compare configuration to the config file '/usr/local/etc/ipsec.conf'

Expected behavior

  • Configuration of a CA or a specific certificate has to be mandatory for remote endpoint in case any certificate based authentication scheme is selected.
  • Authentication parameters map one-to-one to strongswan parameters (e.g. leftcert, rightcert, rightca)
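
The comparison in step 4 can be scripted. The following is an added example, not part of the issue or of OPNsense or strongSwan code: it parses a legacy-format ipsec.conf and lists every connection that authenticates the remote side by certificate without a `rightca` or `rightcert` constraint. Assumptions: the sample config is constructed, the set of settings treated as certificate-based is a heuristic, and `also=` includes are not followed.

```python
import re

# Constructed sample in the legacy ipsec.conf layout; names and DNs are made up.
SAMPLE = """\
conn %default
    keyexchange=ikev2
conn staff-rw
    right=%any
    rightauth=pubkey
    rightca="C=DE, O=Example, CN=Staff CA"
conn admin-rw
    right=%any
    rightauth=pubkey
    rightauth2=eap-mschapv2
conn site-psk
    authby=psk
"""
# Assumption: these authby values mean the peer presents a certificate.
CERT_AUTHBY = {"pubkey", "rsasig", "ecdsasig", "xauthrsasig"}

def parse_conns(text):
    """Return {conn: {key: value}} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        head = re.match(r"(conn|ca|config)\s+(\S+)", line)
        if head:  # section headers start in column 0, parameters are indented
            current = conns.setdefault(head.group(2), {}) if head.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def remote_uses_cert(opts):
    """True if the remote side is authenticated with a certificate in any round."""
    rounds = [opts[k] for k in ("rightauth", "rightauth2") if k in opts]
    if rounds:
        return any(v.startswith("pubkey") for v in rounds)
    return opts.get("authby", "pubkey") in CERT_AUTHBY  # assumed default: pubkey

def unanchored(text):
    """Conns that accept a peer certificate but pin neither rightca nor rightcert."""
    return sorted(name for name, o in parse_conns(text).items()
                  if remote_uses_cert(o) and not (o.get("rightca") or o.get("rightcert")))

if __name__ == "__main__":
    print(unanchored(SAMPLE))
```

In the sample, `admin-rw` is reported because any certificate from any CA known to the gateway would satisfy its first authentication round, while `staff-rw` is pinned to one CA.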

somova commented Nov 6, 2021

Bump

@OPNsense-bot

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

@OPNsense-bot OPNsense-bot added the help wanted Contributor missing / timeout label Mar 26, 2022