I present what I know works. I haven't tested it, but if you say so, it's to be tested. I was forgetting, of course, that xauth needs a login/password pair declared in ipsec.user.secret.

On Tue, 10 Jul 2018 at 20:11, Tom Rymes <trymes@rymes.com> wrote:
If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
>
>
> For it to work, you simply need to generate a Roadwarrior connection per
> certificate. Then, change what is in red: replace cert by
> xauthrsasig and put ikev1 instead of ikev2.
>
> [root@ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
>
> Here is the result in the file:
>
> conn Xiaomi
>          left=vpn.jbsky.fr
>          leftsubnet=192.168.0.0/24
>          leftfirewall=yes
>          lefthostaccess=yes
>          right=%any
>          leftcert=/var/ipfire/certs/hostcert.pem
>          rightcert=/var/ipfire/certs/Xiaomicert.pem
>          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
>          esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
>          keyexchange=ikev1
>          ikelifetime=3h
>          keylife=1h
>          dpdaction=clear
>          dpddelay=30
>          dpdtimeout=120
>          authby=xauthrsasig
>          xauth=server
>          auto=add
>          rightsourceip=10.0.10.0/29
>          fragmentation=yes
>
> Why this patch? It allows having a functional view of VPN connections
> on the vpnmain.cgi page. Everything that is iOS or Android works with
> Xauth; you do not support this type of device.
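The stanza quoted above is the kind of thing worth linting before it goes live: it pins the key exchange to IKEv1, relies on XAUTH (so every user additionally needs a `user : XAUTH "password"` line in the secrets file the poster calls ipsec.user.secret), and its ike=/esp= proposals include the legacy modp1024 and modp768 Diffie-Hellman groups, which strongSwan documents as too weak for new deployments. The following is an added example, not code from the thread or from IPFire: a small Python auditor that parses a strongSwan conn stanza, splits the proposal strings (the trailing `!` marks a strict list), and reports the findings a defender would want. The sample stanzas are constructed inline; the weak-group list and the hardened IKEv2 variant are my assumptions, not anything the poster wrote.

```python
import re

# Constructed copy of the IKEv1 + XAUTH RSA stanza quoted in the thread.
SAMPLE_CONN = """conn Xiaomi
         left=vpn.jbsky.fr
         leftsubnet=192.168.0.0/24
         leftfirewall=yes
         lefthostaccess=yes
         right=%any
         leftcert=/var/ipfire/certs/hostcert.pem
         rightcert=/var/ipfire/certs/Xiaomicert.pem
         ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
         esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
         keyexchange=ikev1
         ikelifetime=3h
         keylife=1h
         dpdaction=clear
         dpddelay=30
         dpdtimeout=120
         authby=xauthrsasig
         xauth=server
         auto=add
         rightsourceip=10.0.10.0/29
         fragmentation=yes
"""

# Constructed hardened variant (assumption: IKEv2, certificate auth, modp2048 only).
HARDENED_CONN = """conn Xiaomi-ikev2
         left=vpn.jbsky.fr
         leftsubnet=192.168.0.0/24
         right=%any
         leftcert=/var/ipfire/certs/hostcert.pem
         rightcert=/var/ipfire/certs/Xiaomicert.pem
         ike=aes256-sha2_512-modp2048!
         esp=aes256-sha2_512-modp2048!
         keyexchange=ikev2
         auto=add
         rightsourceip=10.0.10.0/29
"""

# MODP groups below 2048 bits; strongSwan's docs list these as legacy/weak.
WEAK_DH = {"modp768", "modp1024"}
DH_GROUP = re.compile(r"^(modp|ecp|curve)\w+$")


def parse_conn(text):
    """Return (conn name, {key: value}) for one ipsec.conf-style conn stanza."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts


def parse_proposals(value):
    """Split 'enc-integ-dh,enc-integ!' into ([[enc, integ, dh], ...], strict)."""
    strict = value.endswith("!")
    value = value.rstrip("!")
    proposals = [p.split("-") for p in value.split(",") if p]
    return proposals, strict


def audit_conn(text):
    """Return (conn name, list of human-readable findings) for a stanza."""
    name, opts = parse_conn(text)
    findings = []
    for key in ("ike", "esp"):
        proposals, strict = parse_proposals(opts.get(key, ""))
        for parts in proposals:
            for alg in parts:
                if DH_GROUP.match(alg) and alg in WEAK_DH:
                    findings.append(f"{key}: weak DH group {alg} in proposal {'-'.join(parts)}")
        if proposals and not strict:
            findings.append(f"{key}: proposal list is not strict (no trailing '!')")
    if opts.get("keyexchange") == "ikev1":
        findings.append("keyexchange=ikev1: legacy IKEv1; prefer IKEv2 where the client supports it")
    if opts.get("xauth") == "server" or opts.get("authby", "").startswith("xauth"):
        findings.append('xauth=server: each user needs a \'user : XAUTH "password"\' line in the secrets file')
    return name, findings


if __name__ == "__main__":
    for stanza in (SAMPLE_CONN, HARDENED_CONN):
        name, findings = audit_conn(stanza)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the quoted stanza it reports six findings (two weak groups each in ike= and esp=, the IKEv1 key exchange, and the XAUTH secrets requirement); the constructed IKEv2/modp2048 variant reports none. Because the audit keys only on `keyexchange`, `authby`, `xauth`, `ike` and `esp`, it works on any stanza generated from /var/ipfire/vpn/config, not just this one.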