From: Tom Rymes
To: development@lists.ipfire.org
Subject: Roadwarrior IPSec Revisited
Date: Sun, 09 Dec 2018 20:20:29 -0500
Message-ID: <935B91AC-BC57-4079-98D0-987E953FE434@rymes.com>

Folks,

I just revisited the IPSec roadwarrior configuration mess today, and I am hoping that I might be able to help in getting things squared away on that front. Configuring tunnels is a complete PITA for modern clients, and it pushes a lot of people over to OpenVPN because "IPSec is too complicated."

To summarize the current status, the Roadwarrior configs written by IPFire do not work with modern clients, and include outdated and deprecated IPSec settings. Combine that with the fact that each client seems to need its own unique combination of settings, and you get a big mess.

So, my thought was to modify the vpnmain.cgi script such that it provides multiple options when creating tunnels. Currently, it asks if you want to create:

- Host-to-Net Tunnel (Roadwarrior)
- Net-to-Net Tunnel

To replace this, I am envisioning:

- Host-to-Net Tunnel - Windows Client
- Host-to-Net Tunnel - MacOS Client
- Host-to-Net Tunnel - iOS Client
- Host-to-Net Tunnel - Android Client
- Net-to-Net Tunnel

This would be a good start, but I am hoping to eventually be able to have the WUI write out the config such that one tunnel could service all clients (which is not easily achieved just yet). This would eliminate the need to have multiple types of roadwarrior setups. Checkboxes in the configuration page could be used to enable and disable different client OSes, as doing so can improve security (by disabling weaker ciphers, mostly).

Once the WUI is modified to actually write out a config that works with modern clients, then I was thinking that creation of Windows install scripts and Apple Configuration Profiles would be a really nice feature if possible.

Does anyone have any input?

Tom
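An illustration of the kind of single roadwarrior connection the post is aiming for, added here as an example; it is not taken from the IPFire project or from what vpnmain.cgi writes. It uses strongSwan ipsec.conf syntax on the assumption that strongSwan is the daemon behind the IPFire configuration. The hostname, certificate file name, address ranges and DNS server are placeholders, and the proposal lists (an AEAD suite first, a CBC fallback, and no DES/3DES, MD5 or MODP1024 at all) are the editor's suggestion for what "modern" means, not a statement about what any particular client OS will accept.

```ini
# Added illustration in strongSwan ipsec.conf syntax, not IPFire's generated config.
# Placeholders: vpn.example.org, gatewayCert.pem, 10.200.0.0/24, 10.0.0.1
config setup
    # Allow the same user to hold several SAs (laptop and phone at once)
    uniqueids=never

conn roadwarrior
    keyexchange=ikev2
    # Strict proposal lists (trailing "!"): only what is listed can be
    # negotiated, so legacy algorithms are never offered to or accepted from
    # a client. First entry is AEAD; the second is a CBC fallback.
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16-ecp384,aes256-sha256-modp2048!
    # Gateway side: certificate authentication; the identity must match a
    # subjectAltName in the certificate so clients can validate it.
    left=%any
    leftid=@vpn.example.org
    leftcert=gatewayCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    # Client side: EAP username/password, virtual IP from a pool, and a DNS
    # server pushed to the client. rightsendcert=never because EAP clients
    # do not present a certificate.
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    rightsourceip=10.200.0.0/24
    rightdns=10.0.0.1
    # Dead-peer detection clears SAs left behind by clients that drop off
    dpdaction=clear
    dpddelay=30s
    auto=add
```

One check worth doing after a client connects: `ipsec statusall` prints the IKE and ESP proposals that were actually negotiated for each SA, which is the quickest way to confirm that no client silently fell back to a weaker suite and that the "!" strict lists are doing their job.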