Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2617 bytes --]

On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> I present what I know that works.  Since I haven't tested, but if you say so,
> it's to be tested. 

I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.

> I was forgetting, of course, xauth needs a login/password pair to declare in
> ipsec.user.secret.

This kind of renders the patch useless then if there is no way to set username
and password. This could be added to the connection just like entering the PSK.

Best,
-Michael

> Le mar. 10 juil. 2018 à 20:11, Tom Rymes <trymes(a)rymes.com> a écrit :
> > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, 
> > don't they?
> > 
> > Tom
> > 
> > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > Hi Michael,
> > > 
> > > 
> > > For it to work, you simply need to generate a Roadwarrior connection per 
> > > certificate. Then, change what is red, either replace cert by 
> > > xauthrsasiget put ikev1 instead of ikev2.
> > > 
> > > [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> > >
> > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.
> > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none
> > ,on,,,clear,on 
> > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha
> > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120,
> > 30,off,start,900
> > > 
> > > Here is the result in the file :
> > > 
> > > conn Xiaomi
> > >          left=vpn.jbsky.fr <http://vpn.jbsky.fr>
> > >          leftsubnet=192.168.0.0/24 <http://192.168.0.0/24>
> > >          leftfirewall=yes
> > >          lefthostaccess=yes
> > >          right=%any
> > >          leftcert=/var/ipfire/certs/hostcert.pem
> > >          rightcert=/var/ipfire/certs/Xiaomicert.pem
> > >          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > >          
> > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> > >          keyexchange=ikev1
> > >          ikelifetime=3h
> > >          keylife=1h
> > >          dpdaction=clear
> > >          dpddelay=30
> > >          dpdtimeout=120
> > >          authby=xauthrsasig
> > >          xauth=server
> > >          auto=add
> > >          rightsourceip=10.0.10.0/29 <http://10.0.10.0/29>
> > >          fragmentation=yes
> > > 
> > > Why this patch? it allows to have a functional visual on VPN connections 
> > > in the vpnmain.cgi page. Everything that is IOS or Android works with 
> > > Xauth, you do not support this type of device.
> > 
> > 
> >