From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Tue, 10 Jul 2018 14:11:47 -0400
Message-ID: <06b43974-8e19-8194-b376-03ebc0f797b5@rymes.com>

If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
>
>
> For it to work, you simply need to generate a Roadwarrior connection per
> certificate. Then, change what is red: replace cert with
> xauthrsasig and put ikev1 instead of ikev2.
>
> [root@ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on
> ,ikev1,120,30,off,start,900
>
> Here is the result in the file:
>
> conn Xiaomi
>         left=vpn.jbsky.fr
>         leftsubnet=192.168.0.0/24
>         leftfirewall=yes
>         lefthostaccess=yes
>         right=%any
>         leftcert=/var/ipfire/certs/hostcert.pem
>         rightcert=/var/ipfire/certs/Xiaomicert.pem
>         ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
>         esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
>         keyexchange=ikev1
>         ikelifetime=3h
>         keylife=1h
>         dpdaction=clear
>         dpddelay=30
>         dpdtimeout=120
>         authby=xauthrsasig
>         xauth=server
>         auto=add
>         rightsourceip=10.0.10.0/29
>         fragmentation=yes
>
> Why this patch? It allows having a functional visual of VPN connections
> on the vpnmain.cgi page. Everything that is iOS or Android works with
> Xauth; you do not support this type of device.