From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Thu, 12 Jul 2018 10:30:45 +0100
Message-ID: <9a8c527624c8dda597bd27ba0ae01861ed03383f.camel@ipfire.org>

On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> I present what I know that works. Since I haven't tested, but if you say so,
> it's to be tested.

I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.

> I was forgetting, of course, xauth needs a login/password pair to declare in
> ipsec.user.secret.

This kind of renders the patch useless then if there is no way to set username
and password. This could be added to the connection just like entering the PSK.

Best,
-Michael

> On Tue, 10 Jul 2018 at 20:11, Tom Rymes wrote:
> > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
> > don't they?
> >
> > Tom
> >
> > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > Hi Michael,
> > >
> > >
> > > For it to work, you simply need to generate a Roadwarrior connection per
> > > certificate. Then, change what is red, either replace cert by
> > > xauthrsasig and put ikev1 instead of ikev2.
> > >
> > > [root@ipfire ~]# cat /var/ipfire/vpn/config
> > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
> > >
> > > Here is the result in the file :
> > >
> > > conn Xiaomi
> > >     left=vpn.jbsky.fr
> > >     leftsubnet=192.168.0.0/24
> > >     leftfirewall=yes
> > >     lefthostaccess=yes
> > >     right=%any
> > >     leftcert=/var/ipfire/certs/hostcert.pem
> > >     rightcert=/var/ipfire/certs/Xiaomicert.pem
> > >     ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > >
> > >     esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> > >     keyexchange=ikev1
> > >     ikelifetime=3h
> > >     keylife=1h
> > >     dpdaction=clear
> > >     dpddelay=30
> > >     dpdtimeout=120
> > >     authby=xauthrsasig
> > >     xauth=server
> > >     auto=add
> > >     rightsourceip=10.0.10.0/29
> > >     fragmentation=yes
> > >
> > > Why this patch? It allows to have a functional visual on VPN connections
> > > in the vpnmain.cgi page. Everything that is iOS or Android works with
> > > Xauth, you do not support this type of device.
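
The dependency raised in this thread (a connection that uses xauth needs a login/password entry in the secrets file), written as a configuration check; this is an added example, not part of the original messages or of IPFire's code. It assumes the secrets file uses strongSwan's `user : XAUTH "password"` syntax; the function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample modelled on the conn section quoted in the thread.
IPSEC_CONF = """\
conn Xiaomi
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server

conn Office
    keyexchange=ikev2
    authby=rsasig
"""
# Constructed secrets in strongSwan ipsec.secrets syntax ("alice" is a placeholder).
SECRETS_WITHOUT_USER = ": RSA example-hostkey.pem\n"
SECRETS_WITH_USER = SECRETS_WITHOUT_USER + 'alice : XAUTH "constructed-password"\n'

XAUTH_RE = re.compile(r'^\s*(?:\S+\s+)?([^\s:]+)\s*:\s*XAUTH\s+\S', re.I | re.M)

def parse_conns(text):
    """Return {conn_name: {option: value}} for ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def uses_xauth(opts):
    """True if the conn asks for XAUTH via authby= or rightauth=/rightauth2=."""
    keys = ("authby", "rightauth", "rightauth2")
    return any("xauth" in opts.get(k, "").lower() for k in keys)

def xauth_users(secrets_text):
    """User names that have an XAUTH credential line in the secrets text."""
    return XAUTH_RE.findall(secrets_text)

def conns_missing_credentials(conf_text, secrets_text):
    """Names of xauth conns when the secrets text holds no XAUTH login at all."""
    if xauth_users(secrets_text):
        return []
    return sorted(n for n, o in parse_conns(conf_text).items() if uses_xauth(o))

if __name__ == "__main__":
    print(conns_missing_credentials(IPSEC_CONF, SECRETS_WITHOUT_USER))
```

The check only establishes that at least one XAUTH login exists; it does not tie a particular login to a particular connection.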