From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: IPSec Roadwarrior Configuration
Date: Mon, 29 Jan 2018 15:58:50 +0100 [thread overview]
Message-ID: <20180129155850.6dbe2413.peter.mueller@link38.eu> (raw)
In-Reply-To: <b6b91c5f-705e-1721-e9db-d23706266bd1@rymes.com>
Hello Tom,
I completely agree with you. Setting up IPsec connections between two
IPFire machines works well out of the box, but everything else is really
complicated.
> I suppose that this isn't particularly "Development" related, but I
> think it does touch upon features and functionality that are important
> to making the project attractive to new users and I also think that,
> perhaps, some changes might be needed to the WUI to keep up with changes
> to clients. I would think that a tried-and-true configuration that makes
> it easy for any user to implement a VPN using built-in clients would be
> a major benefit to the project.
>
> IPFire supports two methods for roadwarrior VPN clients, OpenVPN and
> IPSec. Of these, OpenVPN requires a client, while IPSec is supported
> natively by most or all major operating systems. For various reasons, I
> prefer IPSec.
Me too.
>
> Perusing the internet, one can find many tutorials for how to configure
> Strongswan to work with roadwarrior clients, and some of them might even
> work. There seems to be a lot of confusion out there over which settings
> are needed to support the various client OSs, too.
>
> Most importantly, the WUI makes it look like this should just work out
> of the box, but I have not been able to find a good tutorial for using
> the WUI in IPFire to accomplish this task. There is one here:
>
> https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_windows
>
> However, it is missing many details, and has not kept up with changes in
> the WUI. Worse, still, it requires one to manually modify the
> configuration files, which, ideally, should not be necessary.
+1
>
> After messing about with that tutorial, I have succeeded in connecting a
> Windows 10 computer, but I have not been able to succeed with a MacOS
> device, and I haven't even dared to try with iOS.
I currently struggle setting up an IPsec connection to an OpenBSD machine.
IKE seems to work fine now, but IPFire seems to request a sort of "virtual
IP request". This is unwanted since the OpenBSD road warrior is supposed
to have a static IP.
Log snippet:
21:21:41 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:21:41 charon: 13[IKE] traffic selectors 10.XXX.XXX.0/24 10.YYY.YYY.0/24 === 10.ZZZ.ZZZ.0/24 10.ZZZ.ZZZ.0/24 inacceptable
21:21:41 charon: 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
Has anybody managed to set up a road warrior connection with a static
IP on the remote end with Linux or OpenBSD?
@Michael: Any hints? :-)
Generally, it seems that quite some bugs are related to IPsec: For example,
even though a N2N connection is using /24 remote networks, it says it uses
a /3 (virtually _everything_) at the main WebUI page...
Best regards,
Peter Müller
>
> As it stands, it is unclear what one should enter for the fields Remote
> host/IP, Remote Subnet, Local ID, and Remote ID, and I am still unclear
> on what the proper settings for IKE/ESP settings, DPD, and the other
> options at the bottom of the page are.
>
> I will continue to experiment and do my best to update the docs, but I'm
> flying pretty blind here. This leads me to a few questions (the forum
> has not been of much help in this area):
>
> 1.) Does anyone have a good tutorial that they can provide to help me in
> making this work and in improving the documentation?
> 2.) What changes to the WUI, if any, are needed to avoid the need to
> manually edit text files and properly support RoadWarrior connections to
> Windows 7/8/10, MacOS, Android, and iOS?
> 3.) What changes need to be made to the certs, configs, etc to support
> MacOS, iOS, and Android?
>
> Many thanks,
>
> Tom
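An added illustration, not part of this thread and not IPFire's own generated configuration: in plain strongSwan ipsec.conf terms, the "expected a virtual IP request, sending FAILED_CP_REQUIRED" line in Peter's log is what charon emits when the connection it matched has a virtual IP pool (rightsourceip) configured but the initiator sends no configuration payload. A peer with a fixed address needs a connection that names its subnet with rightsubnet instead, and charon can tell the two apart by rightid. All addresses, IDs and certificate names below are placeholders, and how the IPFire WUI writes these values is not covered here.

```ini
# Added example (not IPFire's generated config): responder-side strongSwan
# ipsec.conf with one conn for mobile clients that get a virtual IP and one
# for a peer with a fixed address. Addresses, IDs and cert names are placeholders.

config setup
        charondebug="ike 1, cfg 1"

conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
        dpdaction=clear
        dpddelay=30s
        left=%defaultroute
        leftcert=gatewayCert.pem                  # placeholder
        leftid=@gateway.example.org               # placeholder
        # local traffic selectors offered to every peer
        leftsubnet=10.XXX.XXX.0/24,10.YYY.YYY.0/24
        right=%any

# Mobile clients: charon hands out an address from the pool and therefore
# expects a CP(CFG_REQUEST) from the initiator. An initiator that does not
# ask for a virtual IP is answered with FAILED_CP_REQUIRED by this conn.
conn roadwarrior-virtual-ip
        rightsourceip=10.VVV.VVV.0/24             # placeholder pool
        rightid=%any
        auto=add

# Fixed-address peer (for example an OpenBSD host with its own LAN): no pool,
# only a static remote traffic selector, so no CP request is needed. The
# specific rightid makes charon prefer this conn over the %any one.
conn roadwarrior-static
        rightsubnet=10.ZZZ.ZZZ.0/24               # placeholder; use a /32 for a single host
        rightid=@obsd.example.org                 # placeholder, must match the peer's leftid
        auto=add
```

After loading the configuration, `ipsec statusall` lists both connections; once the fixed-address peer negotiates, its CHILD_SA should show 10.XXX.XXX.0/24 and 10.YYY.YYY.0/24 on the local side and 10.ZZZ.ZZZ.0/24 on the remote side, with no "expected a virtual IP request" line in the charon log.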