From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: IPSec Roadwarrior Configuration
Date: Mon, 29 Jan 2018 15:58:50 +0100
Message-ID: <20180129155850.6dbe2413.peter.mueller@link38.eu>

Hello Tom,

I completely agree with you. Setting up IPsec connections between two IPFire machines works well out of the box, but everything else is really complicated.

> I suppose that this isn't particularly "Development" related, but I
> think it does touch upon features and functionality that are important
> to making the project attractive to new users and I also think that,
> perhaps, some changes might be needed to the WUI to keep up with changes
> to clients. I would think that a tried-and-true configuration that makes
> it easy for any user to implement a VPN using built-in clients would be
> a major benefit to the project.
>
> IPFire supports two methods for roadwarrior VPN clients, OpenVPN and
> IPSec. Of these, OpenVPN requires a client, while IPSec is supported
> natively by most or all major operating systems. For various reasons, I
> prefer IPSec.

Me too.

>
> Perusing the internet, one can find many tutorials for how to configure
> Strongswan to work with roadwarrior clients, and some of them might even
> work. There seems to be a lot of confusion out there over which settings
> are needed to support the various client OSs, too.
>
> Most importantly, the WUI makes it look like this should just work out
> of the box, but I have not been able to find a good tutorial for using
> the WUI in IPFire to accomplish this task.
> There is one here:
>
> https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_windows
>
> However, it is missing many details, and has not kept up with changes in
> the WUI. Worse, still, it requires one to manually modify the
> configuration files, which, ideally, should not be necessary.

+1

>
> After messing about with that tutorial, I have succeeded in connecting a
> Windows 10 computer, but I have not been able to succeed with a MacOS
> device, and I haven't even dared to try with iOS.

I currently struggle setting up an IPsec connection to an OpenBSD machine. IKE seems to work fine now, but IPFire seems to request a sort of "virtual IP request". This is unwanted since the OpenBSD road warrior is supposed to have a static IP.

Log snippet:

21:21:41 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:21:41 charon: 13[IKE] traffic selectors 10.XXX.XXX.0/24 10.YYY.YYY.0/24 === 10.ZZZ.ZZZ.0/24 10.ZZZ.ZZZ.0/24 inacceptable
21:21:41 charon: 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED

Has anybody managed to set up a road warrior connection with a static IP on the remote end with Linux or OpenBSD?

@Michael: Any hints? :-)

Generally, it seems that quite a few bugs are related to IPsec: For example, even though an N2N connection is using /24 remote networks, it says it uses a /3 (virtually _everything_) at the main WebUI page...

Best regards,
Peter Müller

>
> As it stands, it is unclear what one should enter for the fields Remote
> host/IP, Remote Subnet, Local ID, and Remote ID, and I am still unclear
> on what the proper settings for IKE/ESP settings, DPD, and the other
> options at the bottom of the page are.
>
> I will continue to experiment and do my best to update the docs, but I'm
> flying pretty blind here. This leads me to a few questions (the forum
> has not been of much help in this area):
>
> 1.)
> Does anyone have a good tutorial that they can provide to help me in
> making this work and in improving the documentation?
> 2.) What changes to the WUI, if any, are needed to avoid the need to
> manually edit text files and properly support RoadWarrior connections to
> Windows 7/8/10, MacOS, Android, and iOS?
> 3.) What changes need to be made to the certs, configs, etc to support
> MacOS, iOS, and Android?
>
> Many thanks,
>
> Tom
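The charon lines Peter quotes encode two distinct failure causes (selector mismatch and the FAILED_CP_REQUIRED notify); the following triage script is an added example, not code from the thread or from IPFire/strongSwan. It parses the three quoted lines as constructed sample input, and the reading of FAILED_CP_REQUIRED (responder has a virtual-IP pool configured, initiator sent no CFG_REQUEST) and of the `local === remote` selector order are my assumptions about strongSwan's behaviour, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Sample input: the three charon lines quoted in the thread (XXX/YYY/ZZZ kept as posted).
SAMPLE_LOG = """\
21:21:41 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:21:41 charon: 13[IKE] traffic selectors 10.XXX.XXX.0/24 10.YYY.YYY.0/24 === 10.ZZZ.ZZZ.0/24 10.ZZZ.ZZZ.0/24 inacceptable
21:21:41 charon: 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
"""
# "HH:MM:SS charon: <thread>[<group>] <message>"; only the [IKE] group is of interest.
CHARON_RE = re.compile(r"^(\d\d:\d\d:\d\d) charon: (\d+)\[(\w+)\] (.*)$")
# "traffic selectors <local ...> === <remote ...> inacceptable" (newer releases: "unacceptable")
TS_RE = re.compile(r"traffic selectors (.+?) === (.+?) (?:in|un)acceptable$")

@dataclass
class ChildSaFailure:
    local_ts: list = field(default_factory=list)   # selectors left of ===
    remote_ts: list = field(default_factory=list)  # selectors right of ===
    ts_unacceptable: bool = False
    cp_required: bool = False                       # FAILED_CP_REQUIRED was sent

    def findings(self) -> list:
        """Turn the raw flags into configuration hints for the operator."""
        out = []
        if self.ts_unacceptable:
            out.append("traffic selectors could not be narrowed to a common set: "
                       f"local {self.local_ts} vs remote {self.remote_ts}; "
                       "compare Local Subnet / Remote Subnet on both peers")
        if self.cp_required:
            # Assumption about strongSwan: this notify is sent when the connection has a
            # virtual-IP pool configured but the initiator sent no CFG_REQUEST, i.e. a
            # static-address peer matched a road-warrior profile that assigns addresses.
            out.append("peer sent no virtual IP request but this connection assigns one: "
                       "a static-address peer needs a profile without a client pool")
        return out

def parse_charon(text: str) -> ChildSaFailure:
    """Scan charon log lines and collect the CHILD_SA failure indicators."""
    result = ChildSaFailure()
    for line in text.splitlines():
        m = CHARON_RE.match(line)
        if not m or m.group(3) != "IKE":
            continue
        msg = m.group(4)
        if ts := TS_RE.search(msg):
            result.ts_unacceptable = True
            result.local_ts = ts.group(1).split()
            result.remote_ts = ts.group(2).split()
        if "FAILED_CP_REQUIRED" in msg:
            result.cp_required = True
    return result
```

Feed it a longer excerpt of /var/log/messages and only the [IKE] lines that match are considered, so unrelated charon output does not disturb the result.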