public inbox for development@lists.ipfire.org
* [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
@ 2018-07-09 20:07 jbsky
  2018-07-10 17:42 ` Michael Tremer
  0 siblings, 1 reply; 4+ messages in thread
From: jbsky @ 2018-07-09 20:07 UTC (permalink / raw)
  To: development


Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
By replacing cert with xauth in the 5th position option, the VPN connection is configured to support xauthrsasig; ikev1 also has to be changed manually in the file.
---
 html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 378acb326..a5c50dbda 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -304,7 +304,7 @@ sub writeipsecfiles {
 		}
 
 		# Local Cert and Remote Cert (unless auth is DN dn-auth)
-		if ($lconfighash{$key}[4] eq 'cert') {
+		if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')) {
 			print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
 			print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
 		}
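Review bot: the `cert`-or-`xauthrsasig` test introduced here is repeated verbatim at three more sites later in this patch; a single predicate (a small sub, or a hash of the auth modes that use certificates) would keep the four copies from drifting apart when another mode is added. The comment just above, `# Local Cert and Remote Cert (unless auth is DN dn-auth)`, should also say that xauthrsasig takes this path.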
@@ -408,7 +408,12 @@ sub writeipsecfiles {
 				print SECRETS $psk_line;
 			}
 			print CONF "\tauthby=secret\n";
-		} else {
+		}
+		elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
+			print CONF "\tauthby=xauthrsasig\n";
+			print CONF "\txauth=server\n";
+		} 
+		else {
 			print CONF "\tauthby=rsasig\n";
 			print CONF "\tleftrsasigkey=%cert\n";
 			print CONF "\trightrsasigkey=%cert\n";
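Review bot: the new `xauthrsasig` branch writes `authby=xauthrsasig` and `xauth=server`, but nothing in this patch writes the XAuth username/password pair that a server-side XAuth connection needs, so a connection switched to this mode cannot authenticate until that secret is added by hand; either handle it here or say so in the commit message. Please also confirm whether omitting the `leftrsasigkey=%cert`/`rightrsasigkey=%cert` lines that the `rsasig` branch below writes is intentional. Style: the `}` / `elsif (...) {` / `} ` / `else {` layout (with trailing whitespace on the `} ` line) breaks the file's `} elsif (...) {` and `} else {` convention used everywhere else in this function.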
@@ -2841,7 +2846,7 @@ END
 	print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
 	if ($confighash{$key}[2] eq '%auth-dn') {
 		print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
-	} elsif ($confighash{$key}[4] eq 'cert') {
+	} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) {
 		print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>";
 	} else {
 		print "<td align='left' $col>&nbsp;</td>";
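Review bot: the cell printed at the top of this hunk labels the auth mode with `$Lang::tr{"$confighash{$key}[4]"}`, so a connection stored with `xauthrsasig` in field 4 renders an empty label unless a language entry for that key exists; this hunk adds none, so it should be added here or the series should state that the second patch provides it.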
@@ -2893,7 +2898,7 @@ END
 	} else {
 		print "<td width='2%' $col>&nbsp;</td>";
 	}
-	if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
+	if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
 		print <<END
 		<td align='center' $col>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -2904,7 +2909,7 @@ END
 	</td>
 END
 ;
-	} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
+	} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && ($confighash{$key}[2] ne '%auth-dn'))) {
 		print <<END
 		<td align='center' $col>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
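Review bot: the new `elsif` repeats the `$confighash{$key}[2] ne '%auth-dn'` test on both sides of the `||`; factoring it out, `} elsif (($confighash{$key}[4] eq 'cert' || $confighash{$key}[4] eq 'xauthrsasig') && $confighash{$key}[2] ne '%auth-dn') {`, is equivalent, shorter, and matches the form used in the earlier hunks of this patch.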
-- 
2.12.2



* Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
  2018-07-09 20:07 [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi jbsky
@ 2018-07-10 17:42 ` Michael Tremer
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Tremer @ 2018-07-10 17:42 UTC (permalink / raw)
  To: development


Hello Julien?!,

thanks for submitting this patch.

Could you go into more detail about what this patch is doing and why you need
it?

Best,
-Michael

On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
> Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
> By replacing cert with xauth in the 5th place option, the vpn connection is
> configured to support xauthrsasig, ikev1 is also to be changed manually in the
> file.
> ---
>  html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 378acb326..a5c50dbda 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -304,7 +304,7 @@ sub writeipsecfiles {
>  		}
>  
>  		# Local Cert and Remote Cert (unless auth is DN dn-auth)
> -		if ($lconfighash{$key}[4] eq 'cert') {
> +		if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4]
> eq 'xauthrsasig')) {
>  			print CONF
> "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
>  			print CONF
> "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if
> ($lconfighash{$key}[2] ne '%auth-dn');
>  		}
> @@ -408,7 +408,12 @@ sub writeipsecfiles {
>  				print SECRETS $psk_line;
>  			}
>  			print CONF "\tauthby=secret\n";
> -		} else {
> +		}
> +		elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
> +			print CONF "\tauthby=xauthrsasig\n";
> +			print CONF "\txauth=server\n";
> +		} 
> +		else {
>  			print CONF "\tauthby=rsasig\n";
>  			print CONF "\tleftrsasigkey=%cert\n";
>  			print CONF "\trightrsasigkey=%cert\n";
> @@ -2841,7 +2846,7 @@ END
>  	print "<td align='center' nowrap='nowrap' $col>" .
> $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} .
> ") $confighash{$key}[29]</td>";
>  	if ($confighash{$key}[2] eq '%auth-dn') {
>  		print "<td align='left' nowrap='nowrap'
> $col>$confighash{$key}[9]</td>";
> -	} elsif ($confighash{$key}[4] eq 'cert') {
> +	} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> 'xauthrsasig')) {
>  		print "<td align='left' nowrap='nowrap'
> $col>$confighash{$key}[2]</td>";
>  	} else {
>  		print "<td align='left' $col>&nbsp;</td>";
> @@ -2893,7 +2898,7 @@ END
>  	} else {
>  		print "<td width='2%' $col>&nbsp;</td>";
>  	}
> -	if ($confighash{$key}[4] eq 'cert' && -f
> "${General::swroot}/certs/$confighash{$key}[1].p12") {
> +	if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
>  		print <<END
>  		<td align='center' $col>
>  		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> @@ -2904,7 +2909,7 @@ END
>  	</td>
>  END
>  ;
> -	} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne
> '%auth-dn')) {
> +	} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') &&
> ($confighash{$key}[2] ne '%auth-dn'))) {
>  		print <<END
>  		<td align='center' $col>
>  		<form method='post' action='$ENV{'SCRIPT_NAME'}'>


* Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
       [not found] <CAP6ncsnpm30AVsfVE2ywCYQsWu-qjuqASC64Y2eZ+Nq7++V6Dg@mail.gmail.com>
@ 2018-07-12  9:30 ` Michael Tremer
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Tremer @ 2018-07-12  9:30 UTC (permalink / raw)
  To: development


On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> I present what I know works. I haven't tested, but if you say so,
> it's to be tested.

I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.

> I was forgetting, of course, xauth needs a login/password pair to declare in
> ipsec.user.secret.

This kind of renders the patch useless then if there is no way to set username
and password. This could be added to the connection just like entering the PSK.

Best,
-Michael

> Le mar. 10 juil. 2018 à 20:11, Tom Rymes <trymes(a)rymes.com> a écrit :
> > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, 
> > don't they?
> > 
> > Tom
> > 
> > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > Hi Michael,
> > > 
> > > 
> > > For it to work, you simply need to generate a Roadwarrior connection per
> > > certificate. Then, change what is red, that is, replace cert by
> > > xauthrsasig and put ikev1 instead of ikev2.
> > >
> > > [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
> > > 
> > > Here is the result in the file :
> > > 
> > > conn Xiaomi
> > >          left=vpn.jbsky.fr
> > >          leftsubnet=192.168.0.0/24
> > >          leftfirewall=yes
> > >          lefthostaccess=yes
> > >          right=%any
> > >          leftcert=/var/ipfire/certs/hostcert.pem
> > >          rightcert=/var/ipfire/certs/Xiaomicert.pem
> > >          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > >          esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> > >          keyexchange=ikev1
> > >          ikelifetime=3h
> > >          keylife=1h
> > >          dpdaction=clear
> > >          dpddelay=30
> > >          dpdtimeout=120
> > >          authby=xauthrsasig
> > >          xauth=server
> > >          auto=add
> > >          rightsourceip=10.0.10.0/29
> > >          fragmentation=yes
> > > 
> > > Why this patch? It allows a functional view of VPN connections
> > > in the vpnmain.cgi page. Everything that is iOS or Android works with
> > > XAuth; you do not support this type of device.
> > 
> > 
> > 


* Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
       [not found] <CAP6ncskL8qFApLXavVfseB_mv=7m6Z9kUyfrri4_dZKa4AqPWQ@mail.gmail.com>
@ 2018-07-10 18:11 ` Tom Rymes
  0 siblings, 0 replies; 4+ messages in thread
From: Tom Rymes @ 2018-07-10 18:11 UTC (permalink / raw)
  To: development


If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, 
don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
> 
> 
> For it to work, you simply need to generate a Roadwarrior connection per
> certificate. Then, change what is red, that is, replace cert by
> xauthrsasig and put ikev1 instead of ikev2.
> 
> [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
> 
> Here is the result in the file :
> 
> conn Xiaomi
>          left=vpn.jbsky.fr
>          leftsubnet=192.168.0.0/24
>          leftfirewall=yes
>          lefthostaccess=yes
>          right=%any
>          leftcert=/var/ipfire/certs/hostcert.pem
>          rightcert=/var/ipfire/certs/Xiaomicert.pem
>          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
>          esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
>          keyexchange=ikev1
>          ikelifetime=3h
>          keylife=1h
>          dpdaction=clear
>          dpddelay=30
>          dpdtimeout=120
>          authby=xauthrsasig
>          xauth=server
>          auto=add
>          rightsourceip=10.0.10.0/29
>          fragmentation=yes
> 
> Why this patch? It allows a functional view of VPN connections
> in the vpnmain.cgi page. Everything that is iOS or Android works with
> XAuth; you do not support this type of device.

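The following is an added example, not IPFire's code: a Python model of the auth stanza the patched writeipsecfiles() would emit for the vpn/config line Julien shows above, plus the check Michael's reply calls for (an xauthrsasig connection with no XAuth user/password pair). The field indices are taken from how the patch itself indexes the line; the credential store is a constructed dict and the `psk` field value is an assumption.

```python
# Added example, not IPFire's own code. Models the three authby branches of
# the patched vpnmain.cgi for one /var/ipfire/vpn/config line and flags the
# gap raised in the thread: xauthrsasig needs an XAuth user/password pair
# that the patch never writes. The credential store is a constructed dict
# (assumption; IPFire keeps XAuth users in a secrets file).

# Constructed from the line quoted in the thread: key "2", then the fields.
CONFIG_LINE = (
    "2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,"
    "10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,"
    "1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900"
)


def parse_vpn_config(line):
    """Split one line into (key, fields) the way the CGI indexes them:
    fields[1] = name, [2] = remote id/cert, [4] = auth mode, [29] = IKE version."""
    key, *fields = line.rstrip("\n").split(",")
    return key, fields


def auth_stanza(fields, swroot="/var/ipfire"):
    """ipsec.conf lines for the cert/psk/xauthrsasig/rsasig branches of the patch."""
    name, remote_id, auth = fields[1], fields[2], fields[4]
    lines = []
    # Patched hunk 1: both certificate-based modes get leftcert/rightcert.
    if auth in ("cert", "xauthrsasig"):
        lines.append(f"leftcert={swroot}/certs/hostcert.pem")
        if remote_id != "%auth-dn":
            lines.append(f"rightcert={swroot}/certs/{name}cert.pem")
    # Patched hunk 2: PSK ("psk" value assumed) / xauthrsasig / plain rsasig.
    if auth == "psk":
        lines.append("authby=secret")
    elif auth == "xauthrsasig":
        lines += ["authby=xauthrsasig", "xauth=server"]
    else:
        lines += ["authby=rsasig", "leftrsasigkey=%cert", "rightrsasigkey=%cert"]
    lines.append(f"keyexchange={fields[29]}")
    return lines


def missing_xauth_credentials(fields, xauth_users):
    """True when the connection is XAuth-based but no user/password pair is
    configured at all, i.e. the 'renders the patch useless' case in the thread."""
    return fields[4] == "xauthrsasig" and not xauth_users


if __name__ == "__main__":
    key, f = parse_vpn_config(CONFIG_LINE)
    print(f"conn {f[1]} (key {key})")
    for entry in auth_stanza(f):
        print("\t" + entry)
    print("missing XAuth credentials:", missing_xauth_credentials(f, {}))
```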



