If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, don't they?
Tom
On 07/10/2018 2:07 PM, Julien Blais wrote:
Hi Michael,
For it to work, you simply need to generate a Roadwarrior connection per certificate. Then change what is red, i.e. replace cert by xauthrsasig and put ikev1 instead of ikev2.
[root@ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
Here is the result in the file:
conn Xiaomi
    left=vpn.jbsky.fr
    leftsubnet=192.168.0.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    leftcert=/var/ipfire/certs/hostcert.pem
    rightcert=/var/ipfire/certs/Xiaomicert.pem
    ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
    esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
    keyexchange=ikev1
    ikelifetime=3h
    keylife=1h
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    authby=xauthrsasig
    xauth=server
    auto=add
    rightsourceip=10.0.10.0/29
    fragmentation=yes
Why this patch? It gives a working view of the VPN connections in the vpnmain.cgi page. Everything that is iOS or Android works with XAuth; you do not support this type of device.
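The mapping Julien posted (one /var/ipfire/vpn/config line becoming one strongSwan conn block) and Tom's question about IKEv1 are the subject of this added example. It is not code from the thread or from IPFire: it parses a constructed copy of the posted config line, renders a conn block in the layout of the posted one, and flags the settings a reviewer would question, namely keyexchange=ikev1 and the sub-2048-bit DH groups (modp768/modp1024) plus the ESP proposal without a DH group. The column positions, the DH group name mapping and the left= hostname are assumptions inferred from the pair of snippets above, not IPFire's documented schema.

```python
import ipaddress

# Constructed sample: the /var/ipfire/vpn/config line from the message.
SAMPLE_LINE = (
    "2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,"
    "10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,"
    "1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900"
)

# IPFire's DH group labels -> strongSwan proposal names (assumed mapping).
DH_GROUPS = {"768": "modp768", "1024": "modp1024", "1536": "modp1536",
             "2048": "modp2048", "3072": "modp3072", "4096": "modp4096"}
# modp768/modp1024 are targets of Logjam-style precomputation; treat as weak.
WEAK_GROUPS = {"modp768", "modp1024"}


def parse_line(line: str) -> dict:
    """Pull the fields the conn block uses out of one config line.

    Column indices are assumptions, inferred by matching the posted line
    against the posted conn (col 17 -> ikelifetime=3h, col 30 -> keyexchange).
    """
    f = line.strip().split(",")
    if len(f) < 33:
        raise ValueError("unexpected field count %d" % len(f))
    return {
        "key": f[0], "enabled": f[1], "name": f[2], "auth": f[5],
        "local_subnet": f[9], "rightsourceip": f[12],
        "ikelifetime_h": int(f[17]), "keylife_h": int(f[18]),
        "ike_enc": f[19], "ike_integ": f[20], "ike_groups": f[21].split("|"),
        "esp_enc": f[22], "esp_integ": f[23], "esp_groups": f[24].split("|"),
        "dpdaction": f[28], "keyexchange": f[30],
        "dpdtimeout": int(f[31]), "dpddelay": int(f[32]),
    }


def proposals(enc: str, integ: str, groups: list) -> str:
    """Build a strongSwan proposal list; "none" yields a proposal without DH."""
    items = []
    for g in groups:
        if g == "none":
            items.append(f"{enc}-{integ}")
        else:
            items.append(f"{enc}-{integ}-{DH_GROUPS[g]}")
    return ",".join(items) + "!"  # trailing "!" = strict, as in the posted conn


def render_conn(c: dict, certdir: str = "/var/ipfire/certs") -> str:
    """Render a conn block in the layout of the one posted in the thread.

    left=vpn.example.net is a placeholder hostname (assumption)."""
    subnet = ipaddress.ip_network(c["local_subnet"], strict=False)
    lines = [
        f"conn {c['name']}",
        "    left=vpn.example.net",
        f"    leftsubnet={subnet.with_prefixlen}",
        "    leftfirewall=yes",
        "    lefthostaccess=yes",
        "    right=%any",
        f"    leftcert={certdir}/hostcert.pem",
        f"    rightcert={certdir}/{c['name']}cert.pem",
        f"    ike={proposals(c['ike_enc'], c['ike_integ'], c['ike_groups'])}",
        f"    esp={proposals(c['esp_enc'], c['esp_integ'], c['esp_groups'])}",
        f"    keyexchange={c['keyexchange']}",
        f"    ikelifetime={c['ikelifetime_h']}h",
        f"    keylife={c['keylife_h']}h",
        f"    dpdaction={c['dpdaction']}",
        f"    dpddelay={c['dpddelay']}",
        f"    dpdtimeout={c['dpdtimeout']}",
        f"    authby={c['auth']}",
    ]
    if c["auth"].startswith("xauth"):      # XAuth server role only for xauth* auth
        lines.append("    xauth=server")
    lines += ["    auto=add",
              f"    rightsourceip={c['rightsourceip']}",
              "    fragmentation=yes"]
    return "\n".join(lines) + "\n"


def audit(c: dict) -> list:
    """Flag the settings a reviewer would question in this profile."""
    findings = []
    if c["keyexchange"] == "ikev1":
        findings.append("keyexchange=ikev1: prefer ikev2 where the client supports it")
    for phase, groups in (("ike", c["ike_groups"]), ("esp", c["esp_groups"])):
        for g in groups:
            name = DH_GROUPS.get(g)
            if name in WEAK_GROUPS:
                findings.append(f"{phase}: DH group {name} is below 2048 bits")
            elif g == "none" and phase == "esp":
                findings.append("esp: proposal without a DH group allows rekeying without PFS")
    return findings


if __name__ == "__main__":
    cfg = parse_line(SAMPLE_LINE)
    print(render_conn(cfg))
    for item in audit(cfg):
        print("WARN", item)
```

Run it as a script and it prints the rendered conn followed by the warnings; for the posted profile that is the IKEv1 choice, modp1024 and modp768 in both the IKE and ESP proposals, and the DH-less ESP proposal.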