If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
>
>
> For it to work, you simply need to generate a Roadwarrior connection per
> certificate. Then, change what is red, either replace cert by
> xauthrsasig and put ikev1 instead of ikev2.
>
> [root@ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on
> ,ikev1,120,30,off,start,900
>
> Here is the result in the file:
>
> conn Xiaomi
>         left=vpn.jbsky.fr
>         leftsubnet=192.168.0.0/24
>         leftfirewall=yes
>         lefthostaccess=yes
>         right=%any
>         leftcert=/var/ipfire/certs/hostcert.pem
>         rightcert=/var/ipfire/certs/Xiaomicert.pem
>         ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
>
> esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
>         keyexchange=ikev1
>         ikelifetime=3h
>         keylife=1h
>         dpdaction=clear
>         dpddelay=30
>         dpdtimeout=120
>         authby=xauthrsasig
>         xauth=server
>         auto=add
>         rightsourceip=10.0.10.0/29
>         fragmentation=yes
>
> Why this patch? It allows to have a functional visual on VPN connections
> in the vpnmain.cgi page. Everything that is iOS or Android works with
> Xauth, you do not support this type of device.