If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
don't they?
Tom
On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
>
>
> For it to work, you simply need to generate a Roadwarrior connection per
> certificate. Then, change what is red, either replace cert by
> xauthrsasiget put ikev1 instead of ikev2.
>
> [root@ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on
> <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120,30,off,start,900
>
> Here is the result in the file :
>
> conn Xiaomi
> left=vpn.jbsky.fr <http://vpn.jbsky.fr>
> leftsubnet=192.168.0.0/24 <http://192.168.0.0/24>
> leftfirewall=yes
> lefthostaccess=yes
> right=%any
> leftcert=/var/ipfire/certs/hostcert.pem
> rightcert=/var/ipfire/certs/Xiaomicert.pem
> ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
>
> esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> keyexchange=ikev1
> ikelifetime=3h
> keylife=1h
> dpdaction=clear
> dpddelay=30
> dpdtimeout=120
> authby=xauthrsasig
> xauth=server
> auto=add
> rightsourceip=10.0.10.0/29 <http://10.0.10.0/29>
> fragmentation=yes
>
> Why this patch? it allows to have a functional visual on VPN connections
> in the vpnmain.cgi page. Everything that is IOS or Android works with
> Xauth, you do not support this type of device.