Hello Tom,
I completely agree with you. Setting up IPsec connections between two IPFire machines works well out of the box, but everything else is really complicated.
I suppose that this isn't particularly "Development" related, but I think it does touch upon features and functionality that are important to making the project attractive to new users and I also think that, perhaps, some changes might be needed to the WUI to keep up with changes to clients. I would think that a tried-and-true configuration that makes it easy for any user to implement a VPN using built-in clients would be a major benefit to the project.
IPFire supports two methods for roadwarrior VPN clients, OpenVPN and IPSec. Of these, OpenVPN requires a client, while IPSec is supported natively by most or all major operating systems. For various reasons, I prefer IPSec.
Me too.
Perusing the internet, one can find many tutorials for how to configure Strongswan to work with roadwarrior clients, and some of them might even work. There seems to be a lot of confusion out there over which settings are needed to support the various client OSs, too.
Most importantly, the WUI makes it look like this should just work out of the box, but I have not been able to find a good tutorial for using the WUI in IPFire to accomplish this task. There is one here:
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_...
However, it is missing many details, and has not kept up with changes in the WUI. Worse, still, it requires one to manually modify the configuration files, which, ideally, should not be necessary.
+1
After messing about with that tutorial, I have succeeded in connecting a Windows 10 computer, but I have not been able to succeed with a MacOS device, and I haven't even dared to try with iOS.
I am currently struggling to set up an IPsec connection to an OpenBSD machine. IKE seems to work fine now, but IPFire seems to request a sort of "virtual IP request". This is unwanted since the OpenBSD road warrior is supposed to have a static IP.
Log snippet:
21:21:41 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:21:41 charon: 13[IKE] traffic selectors 10.XXX.XXX.0/24 10.YYY.YYY.0/24 === 10.ZZZ.ZZZ.0/24 10.ZZZ.ZZZ.0/24 inacceptable
21:21:41 charon: 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
Has anybody managed to set up a road warrior connection with a static IP on the remote end with Linux or OpenBSD?
@Michael: Any hints? :-)
Generally, it seems that quite a few bugs are related to IPsec: for example, even though a N2N connection is using /24 remote networks, it says it uses a /3 (virtually _everything_) on the main WebUI page...
Best regards, Peter Müller
As it stands, it is unclear what one should enter for the fields Remote host/IP, Remote Subnet, Local ID, and Remote ID, and I am still unclear on what the proper settings for IKE/ESP settings, DPD, and the other options at the bottom of the page are.
I will continue to experiment and do my best to update the docs, but I'm flying pretty blind here. This leads me to a few questions (the forum has not been of much help in this area):
1.) Does anyone have a good tutorial that they can provide to help me in making this work and in improving the documentation?
2.) What changes to the WUI, if any, are needed to avoid the need to manually edit text files and properly support RoadWarrior connections to Windows 7/8/10, MacOS, Android, and iOS?
3.) What changes need to be made to the certs, configs, etc. to support MacOS, iOS, and Android?
Many thanks,
Tom