Hi Michael,
For it to work, you simply need to generate a Roadwarrior connection per certificate. Then change what is in red, that is, replace cert by xauthrsasig and put ikev1 instead of ikev2.
[root@ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
Here is the result in the file:

conn Xiaomi
	left=vpn.jbsky.fr
	leftsubnet=192.168.0.0/24
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/Xiaomicert.pem
	ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
	esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
	keyexchange=ikev1
	ikelifetime=3h
	keylife=1h
	dpdaction=clear
	dpddelay=30
	dpdtimeout=120
	authby=xauthrsasig
	xauth=server
	auto=add
	rightsourceip=10.0.10.0/29
	fragmentation=yes
Why this patch? It makes it possible to have a working view of the VPN connections in the vpnmain.cgi page. Everything that is iOS or Android works with Xauth; you do not support this type of device.
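The manual procedure above (take the Roadwarrior line the web UI wrote, swap the auth field to xauthrsasig and the key exchange to ikev1, then let writeipsecfiles() turn it into a conn stanza) as an added worked example. This is not IPFire code and not Julien's patch: it is a small Python lint that parses one /var/ipfire/vpn/config line, applies the two edits, checks that the result is internally consistent, and renders the stanza the patched writeipsecfiles() would produce. Field positions [1] (name), [2] (remote id), [4] (auth type) and [29] (key exchange) are the ones the patch itself indexes; every other position used below (subnet, source pool, lifetimes, IKE/ESP settings, DPD) is an assumption read off the sample line in the mail, as is the `left=` hostname, and the sample line itself is constructed from that mail with the pre-edit values (cert, ikev2).

```python
"""Lint and convert a /var/ipfire/vpn/config line for the xauthrsasig workflow.

Added example, not IPFire code. Indices [1], [2], [4] and [29] are taken from
the vpnmain.cgi patch; all other indices are assumptions read off the sample
line in the mail and must be checked against the real vpnmain.cgi before use.
"""
import ipaddress

# Constructed sample: the connection from the mail as the web UI would have
# written it (auth type 'cert', IKEv2), i.e. before the two manual edits.
SAMPLE_LINE = (
    "2,on,Xiaomi,Xiaomi,host,cert,,off,,192.168.10.0/255.255.255.0,,,"
    "10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,"
    "1024|768|none,on,,,clear,on,ikev2,120,30,off,start,900"
)

# Indices into the per-connection list (the leading key is stripped first).
IDX_NAME, IDX_REMOTE_ID, IDX_AUTH = 1, 2, 4                 # from the patch
IDX_LOCAL_SUBNET, IDX_SOURCE_POOL = 8, 11                   # assumed
IDX_IKE_LIFETIME, IDX_KEY_LIFE = 16, 17                     # assumed
IDX_IKE_CIPHER, IDX_IKE_HASH, IDX_IKE_GROUPS = 18, 19, 20   # assumed
IDX_ESP_CIPHER, IDX_ESP_HASH, IDX_ESP_GROUPS = 21, 22, 23   # assumed
IDX_DPD_ACTION, IDX_DPD_TIMEOUT, IDX_DPD_DELAY = 27, 30, 31  # assumed
IDX_KEYEXCHANGE = 29                                        # from the patch


def parse_line(line):
    """Split one config line into (key, fields), mirroring confighash{$key}."""
    key, *fields = line.strip().split(",")
    return key, [f.strip() for f in fields]


def enable_xauthrsasig(fields):
    """Apply the two manual edits from the mail and return a new field list."""
    if fields[IDX_AUTH] != "cert":
        raise ValueError("only certificate connections can be switched to xauthrsasig")
    edited = list(fields)
    edited[IDX_AUTH] = "xauthrsasig"
    edited[IDX_KEYEXCHANGE] = "ikev1"
    return edited


def check_consistency(fields):
    """Return a list of problems; an empty list means the line is usable."""
    problems = []
    # XAUTH is an IKEv1 extension: strongSwan will not negotiate it over IKEv2,
    # so editing only field [4] and forgetting [29] yields a dead connection.
    if fields[IDX_AUTH] == "xauthrsasig" and fields[IDX_KEYEXCHANGE] != "ikev1":
        problems.append("xauthrsasig requires keyexchange=ikev1, got %s" % fields[IDX_KEYEXCHANGE])
    if fields[IDX_AUTH] in ("cert", "xauthrsasig") and not fields[IDX_NAME]:
        problems.append("certificate auth needs a connection name for <name>cert.pem")
    return problems


def proposals(cipher, hash_, groups):
    """'aes256','sha2_512','1024|768|none' -> 'aes256-sha2_512-modp1024,...,aes256-sha2_512'."""
    out = []
    for g in groups.split("|"):
        out.append("%s-%s" % (cipher, hash_) if g == "none" else "%s-%s-modp%s" % (cipher, hash_, g))
    return ",".join(out)


def render_conn(fields, left="vpn.example.org", swroot="/var/ipfire"):
    """Render the conn stanza the patched writeipsecfiles() would emit (subset)."""
    name, auth = fields[IDX_NAME], fields[IDX_AUTH]
    lines = ["conn %s" % name, "\tleft=%s" % left,
             "\tleftsubnet=%s" % ipaddress.ip_network(fields[IDX_LOCAL_SUBNET], strict=False),
             "\tright=%any"]
    # Same branch as the patch: certificates for both cert and xauthrsasig,
    # unless the remote side is identified by DN only.
    if auth in ("cert", "xauthrsasig") and fields[IDX_REMOTE_ID] != "%auth-dn":
        lines += ["\tleftcert=%s/certs/hostcert.pem" % swroot,
                  "\trightcert=%s/certs/%scert.pem" % (swroot, name)]
    lines += ["\tike=%s!" % proposals(fields[IDX_IKE_CIPHER], fields[IDX_IKE_HASH], fields[IDX_IKE_GROUPS]),
              "\tesp=%s!" % proposals(fields[IDX_ESP_CIPHER], fields[IDX_ESP_HASH], fields[IDX_ESP_GROUPS]),
              "\tkeyexchange=%s" % fields[IDX_KEYEXCHANGE],
              "\tikelifetime=%sh" % fields[IDX_IKE_LIFETIME], "\tkeylife=%sh" % fields[IDX_KEY_LIFE],
              "\tdpdaction=%s" % fields[IDX_DPD_ACTION], "\tdpddelay=%s" % fields[IDX_DPD_DELAY],
              "\tdpdtimeout=%s" % fields[IDX_DPD_TIMEOUT]]
    if auth == "psk":
        lines.append("\tauthby=secret")
    elif auth == "xauthrsasig":
        lines += ["\tauthby=xauthrsasig", "\txauth=server"]
    else:
        lines += ["\tauthby=rsasig", "\tleftrsasigkey=%cert", "\trightrsasigkey=%cert"]
    if fields[IDX_SOURCE_POOL]:
        lines.append("\trightsourceip=%s" % fields[IDX_SOURCE_POOL])
    lines.append("\tauto=add")
    return "\n".join(lines)


if __name__ == "__main__":
    key, fields = parse_line(SAMPLE_LINE)
    edited = enable_xauthrsasig(fields)
    print("problems:", check_consistency(edited) or "none")
    print(render_conn(edited))
```

Running the script on the constructed line prints no problems and a stanza whose ike/esp, lifetime and DPD lines match the ones quoted in the mail; running check_consistency() on a line where only field [4] was edited reports the missing ikev1, which is exactly the half-done edit the commit message warns about.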
2018-07-10 19:42 GMT+02:00 Michael Tremer michael.tremer@ipfire.org:
Hello Julien?!,
thanks for submitting this patch.
Could you go into more detail about what this patch is doing and why you need it?
Best, -Michael
On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
Added xauthrsasig option instead of cert in /var/ipfire/vpn/config. By replacing cert with xauth in the 5th place option, the vpn connection is configured to support xauthrsasig; ikev1 is also to be changed manually in the file.
html/cgi-bin/vpnmain.cgi | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 378acb326..a5c50dbda 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -304,7 +304,7 @@ sub writeipsecfiles { }
# Local Cert and Remote Cert (unless auth is DN dn-auth)
if ($lconfighash{$key}[4] eq 'cert') {
if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[
4]
eq 'xauthrsasig')) { print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n"
if
($lconfighash{$key}[2] ne '%auth-dn'); } @@ -408,7 +408,12 @@ sub writeipsecfiles { print SECRETS $psk_line; } print CONF "\tauthby=secret\n";
} else {
}
elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
print CONF "\tauthby=xauthrsasig\n";
print CONF "\txauth=server\n";
}
else { print CONF "\tauthby=rsasig\n"; print CONF "\tleftrsasigkey=%cert\n"; print CONF "\trightrsasigkey=%cert\n";
@@ -2841,7 +2846,7 @@ END print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"}
.
") $confighash{$key}[29]</td>"; if ($confighash{$key}[2] eq '%auth-dn') { print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
} elsif ($confighash{$key}[4] eq 'cert') {
} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
'xauthrsasig')) { print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; } else { print "<td align='left' $col> </td>"; @@ -2893,7 +2898,7 @@ END } else { print "<td width='2%' $col> </td>"; }
if ($confighash{$key}[4] eq 'cert' && -f
"${General::swroot}/certs/$confighash{$key}[1].p12") {
if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12")
{
print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -2904,7 +2909,7 @@ END </td> END ;
} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
ne
'%auth-dn')) {
} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && ($confighash{$key}[2] ne '%auth-dn'))) { print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
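Review bot: on the @@ -304,7 hunk, the comment `# Local Cert and Remote Cert (unless auth is DN dn-auth)` still describes only `cert` although `xauthrsasig` now takes the same branch; please extend it. The `eq 'cert' || eq 'xauthrsasig'` test introduced here is then copied by hand into the @@ -2841, @@ -2893 and @@ -2904 hunks; a one-line helper such as `sub uses_certs { my $auth = shift; return ($auth eq 'cert' || $auth eq 'xauthrsasig'); }` would keep the four copies from drifting apart when the next auth type is added.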
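Review bot: on the @@ -408,7 hunk, the new `xauthrsasig` branch writes `xauth=server` but, unlike the `secret` branch just above it that writes `$psk_line` to SECRETS, it adds nothing to the secrets file and the form has no field for the XAUTH user credentials, so the second (XAUTH) round of authentication has nothing to check against; either add a username/password field whose value is written to the secrets file, or at least state in the commit message that those entries must be added by hand. Separately, XAUTH is an IKEv1-only extension, and the commit message itself says `ikev1` has to be edited into the config file manually: when `$lconfighash{$key}[4] eq 'xauthrsasig'`, writeipsecfiles should force `keyexchange=ikev1` (or the input validation should reject `ikev2` for this auth type) rather than leave a connection that can never negotiate.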
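Review bot: on the @@ -2841,7 hunk, the status column prints `$Lang::tr{"$confighash{$key}[4]"}`, so the new value `xauthrsasig` needs a matching translation entry; the diffstat shows only vpnmain.cgi changed, so for these connections the lookup comes back empty and the row shows `( ) ikev1`. Add the language strings in the same series, and consider also adding `xauthrsasig` to the auth-type selector on the form, since right now the only way to reach this code path is to edit /var/ipfire/vpn/config by hand.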
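Review bot: on the @@ -2904,7 hunk, the new `elsif` condition has the shape `((A && B) || (C && B))` and repeats the `$confighash{$key}[2] ne '%auth-dn'` test twice; `(($confighash{$key}[4] eq 'cert') || ($confighash{$key}[4] eq 'xauthrsasig')) && ($confighash{$key}[2] ne '%auth-dn')` is equivalent, easier to read, and matches the form already used in the @@ -2893 hunk two lines above.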