From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: Roadwarrior IPSec Revisited
Date: Sun, 09 Dec 2018 20:22:51 -0500
Message-ID: <182A6807-0C08-41FA-8167-C7A006A19162@rymes.com>
In-Reply-To: <935B91AC-BC57-4079-98D0-987E953FE434@rymes.com>

I forgot to mention that I revisited my earlier wiki example for creating a MacOS Roadwarrior configuration. I was able to fix bad photos, eliminate some errors and bad information, and generally clean things up a bit.

https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_macos

As you can see, it's a pretty ugly process, and needlessly complex. Please chime in if you have suggestions.

Tom

> On Dec 9, 2018, at 8:20 PM, Tom Rymes wrote:
>
> Folks, I just revisited the IPSec roadwarrior configuration mess today, and I am hoping that I might be able to help in getting things squared away on that front. Configuring tunnels is a complete PITA for modern clients, and it pushes a lot of people over to OpenVPN because "IPSec is too complicated."
>
> To summarize the current status, the Roadwarrior configs written by IPFire do not work with modern clients, and include outdated and deprecated IPSec settings. Combine that with the fact that each client seems to need its own unique combination of settings, and you get a big mess.
>
> So, my thought was to modify the vpnmain.cgi script such that it provides multiple options when creating tunnels. Currently, it asks if you want to create:
>
> - Host-to-Net Tunnel (Roadwarrior)
> - Net-to-Net Tunnel
>
> To replace this, I am envisioning:
>
> - Host-to-Net Tunnel - Windows Client
> - Host-to-Net Tunnel - MacOS Client
> - Host-to-Net Tunnel - iOS Client
> - Host-to-Net Tunnel - Android Client
> - Net-to-Net Tunnel
>
> This would be a good start, but I am hoping to eventually be able to have the WUI write out the config such that one tunnel could service all clients (which is not easily achieved just yet). This would eliminate the need to have multiple types of roadwarrior setups. Checkboxes in the configuration page could be used to enable and disable different client OSes, as doing so can improve security (by disabling weaker ciphers, mostly).
>
> Once the WUI is modified to actually write out a config that works with modern clients, then I was thinking that creation of Windows install scripts and Apple Configuration Profiles would be a really nice feature if possible.
>
> Does anyone have any input?
>
> Tom