Added xauthrsasig option instead of cert in /var/ipfire/vpn/config. By replacing cert with xauth in the 5th place option, the VPN connection is configured to support xauthrsasig; ikev1 also has to be changed manually in the file.
---
 html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 378acb326..a5c50dbda 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -304,7 +304,7 @@ sub writeipsecfiles { }
# Local Cert and Remote Cert (unless auth is DN dn-auth) - if ($lconfighash{$key}[4] eq 'cert') { + if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')) { print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); } @@ -408,7 +408,12 @@ sub writeipsecfiles { print SECRETS $psk_line; } print CONF "\tauthby=secret\n"; - } else { + } + elsif ($lconfighash{$key}[4] eq 'xauthrsasig') { + print CONF "\tauthby=xauthrsasig\n"; + print CONF "\txauth=server\n"; + } + else { print CONF "\tauthby=rsasig\n"; print CONF "\tleftrsasigkey=%cert\n"; print CONF "\trightrsasigkey=%cert\n"; @@ -2841,7 +2846,7 @@ END print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; if ($confighash{$key}[2] eq '%auth-dn') { print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; - } elsif ($confighash{$key}[4] eq 'cert') { + } elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) { print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; } else { print "<td align='left' $col> </td>"; @@ -2893,7 +2898,7 @@ END } else { print "<td width='2%' $col> </td>"; } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { + if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> 
@@ -2904,7 +2909,7 @@ END </td> END ; - } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { + } elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && ($confighash{$key}[2] ne '%auth-dn'))) { print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
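Review bot: the `($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')` test introduced in the @@ -304 hunk is repeated verbatim in the @@ -2841, @@ -2893 and @@ -2904 hunks; a small helper, or a single match such as `if ($lconfighash{$key}[4] =~ /^(cert|xauthrsasig)$/) {`, would keep the four call sites in step when the next auth type is added. The branch itself only decides whether leftcert/rightcert are written, and that part is fine.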
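Review bot: in the @@ -408 hunk the new `elsif ($lconfighash{$key}[4] eq 'xauthrsasig')` branch emits `authby=xauthrsasig` and `xauth=server`, but nothing in this patch writes the XAUTH username/password that `xauth=server` needs, and the commit message says the key exchange still has to be edited to ikev1 by hand in /var/ipfire/vpn/config. Either document both manual steps where an operator will see them, or make the branch refuse to write a connection whose XAUTH credentials are missing, so nobody ends up with a conn that cannot authenticate anyone. Style-wise, `}` / `elsif (...) {` / `}` / `else {` on separate lines departs from the cuddled `} else {` form used in the surrounding code; keep it consistent.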
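Review bot: the unchanged context line in the @@ -2841 hunk prints `$Lang::tr{"$confighash{$key}[4]"}`, so for the new value the page looks up the translation key `xauthrsasig`; the diffstat shows only vpnmain.cgi changed, so that key does not exist and the auth type shown in parentheses will render as an empty string (an undefined hash value). Add an `xauthrsasig` entry to the language files alongside this change.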
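Review bot: the replacement condition in the @@ -2904 hunk tests `($confighash{$key}[2] ne '%auth-dn')` twice; factor the common term out so the intent reads at a glance: `} elsif (($confighash{$key}[4] eq 'cert' || $confighash{$key}[4] eq 'xauthrsasig') && $confighash{$key}[2] ne '%auth-dn') {`.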
Hello Julien?!,
thanks for submitting this patch.
Could you go into more detail about what this patch is doing and why you need it?
Best, -Michael
On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
Added xauthrsasig option instead of cert in /var/ipfire/vpn/config. By replacing cert with xauth in the 5th place option, the vpn connection is configured to support xauthrsasig, ikev1 is also to be changed manually in the file.
Hi Michael,
For it to work, you simply need to generate a Roadwarrior connection per certificate. Then, change what is in red: replace cert with xauthrsasig and put ikev1 instead of ikev2.
[root@ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
Here is the result in the file:
conn Xiaomi
	left=vpn.jbsky.fr
	leftsubnet=192.168.0.0/24
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/Xiaomicert.pem
	ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
	esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
	keyexchange=ikev1
	ikelifetime=3h
	keylife=1h
	dpdaction=clear
	dpddelay=30
	dpdtimeout=120
	authby=xauthrsasig
	xauth=server
	auto=add
	rightsourceip=10.0.10.0/29
	fragmentation=yes
Why this patch? It gives a working view of VPN connections in the vpnmain.cgi page. Everything that is iOS or Android works with Xauth; you do not support this type of device.
2018-07-10 19:42 GMT+02:00 Michael Tremer michael.tremer@ipfire.org:
Hello Julien?!,
thanks for submitting this patch.
Could you go into more detail about what this patch is doing and why you need it?
Best, -Michael
If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, don't they?
Tom
On 07/10/2018 2:07 PM, Julien Blais wrote:
Hi Michael,
For it to work, you simply need to generate a Roadwarrior connection per certificate. Then, change what is in red: replace cert with xauthrsasig and put ikev1 instead of ikev2.
[root@ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
Here is the result in the file:
conn Xiaomi
	left=vpn.jbsky.fr
	leftsubnet=192.168.0.0/24
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/Xiaomicert.pem
	ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
	esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
	keyexchange=ikev1
	ikelifetime=3h
	keylife=1h
	dpdaction=clear
	dpddelay=30
	dpdtimeout=120
	authby=xauthrsasig
	xauth=server
	auto=add
	rightsourceip=10.0.10.0/29
	fragmentation=yes
Why this patch? It gives a working view of VPN connections in the vpnmain.cgi page. Everything that is iOS or Android works with Xauth; you do not support this type of device.
I present what I know works. I haven't tested it, but if you say so, it's to be tested. I was forgetting: of course, xauth needs a login/password pair to be declared in ipsec.user.secret.
On Tue. 10 Jul. 2018 at 20:11, Tom Rymes trymes@rymes.com wrote:
If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, don't they?
Tom
On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
I present what I know works. I haven't tested it, but if you say so, it's to be tested.
I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.
I was forgetting: of course, xauth needs a login/password pair to be declared in ipsec.user.secret.
This kind of renders the patch useless then if there is no way to set username and password. This could be added to the connection just like entering the PSK.
Best, -Michael
I tested with ikev2; unfortunately, it doesn't work.
Jul 10 22:33:58 ipfire charon: 13[IKE] no IKE config found for IP1...IP2 sending NO_PROPOSAL_CHOSEN
I remind you that you have a page dedicated to this type of connection; here I can read IKEv1. :)
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_...
As a reminder, the configuration to put in the file /etc/ipsec.user.secret.user:
cat /etc/ipsec.user.secret.user
Xiaomi : XAUTH "PASSWORD"
To apply the idea I propose, you need to know how to use Bash and add a login/password data set; it's as easy as modifying the vpn config file.
I wish to highlight one positive point: by going through the @ipfire:444 frontend, changing the options of a VPN connection, for example IKEv1->IKEv2->IKEv1, keeps the xauthrsasig parameter.
It's not an unnecessary fix: despite a change from the @IPFIRE:444 interface, it keeps the "xauthrsasig" record and writes the VPN connection configuration correctly.
The real question is who will use this improvement?
This is a first step towards XAUTH support, but you still have to want to take it.
On Thu. 12 Jul. 2018 at 11:30, Michael Tremer michael.tremer@ipfire.org wrote:
On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
I present what I know works. I haven't tested it, but if you say so, it's to be tested.
I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.
I was forgetting: of course, xauth needs a login/password pair to be declared in ipsec.user.secret.
This kind of renders the patch useless then if there is no way to set username and password. This could be added to the connection just like entering the PSK.
Best, -Michael
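The thread describes the mechanism in pieces: the 5th field after the key in /var/ipfire/vpn/config selects the auth type, field [29] is the key exchange the page prints next to it, writeipsecfiles turns that into the authby/xauth lines of the conn block, and the XAUTH login has to be declared separately in ipsec.user.secret. The Python below is an added example, not code from the patch or from IPFire: it parses the constructed config line and secrets line taken from this thread, emits the authentication lines the patched branches would write, and flags the two things the patch leaves to manual editing (key exchange not ikev1, no XAUTH user declared). The field indices [1], [2], [4] and [29] come from the patch; the value 'psk' for the pre-shared-key case and the secrets-line syntax are assumptions.

```python
import re

# Constructed sample: the /var/ipfire/vpn/config line quoted in the thread,
# joined back onto one line with keyexchange already set to ikev1.
SAMPLE_VPN_CONFIG = (
    "2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,"
    "10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,"
    "1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900\n"
)

# Constructed sample ipsec.user.secret, in the "<user> : XAUTH \"<pw>\"" form
# quoted in the thread (the exact grammar of that file is an assumption here).
SAMPLE_USER_SECRETS = 'Xiaomi : XAUTH "PASSWORD"\n'

# Field indices after the leading key, as the patch uses them:
# [1] connection name, [2] remote id (or '%auth-dn'), [4] auth type,
# [29] key exchange (printed next to the auth type in the @@ -2841 hunk).
IDX_NAME, IDX_REMOTE_ID, IDX_AUTH, IDX_KEYEXCHANGE = 1, 2, 4, 29
SWROOT = "/var/ipfire"  # ${General::swroot} in the cgi


def parse_vpn_config(text):
    """Return {key: [fields...]}, the shape %confighash has in vpnmain.cgi."""
    conns = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, *fields = line.split(",")
        conns[key] = fields
    return conns


def parse_xauth_users(text):
    """Return the set of identities declared as XAUTH users."""
    users = set()
    for line in text.splitlines():
        m = re.match(r'^\s*(\S+)\s*:\s*XAUTH\s+"', line)
        if m:
            users.add(m.group(1))
    return users


def authby_lines(fields):
    """Authentication lines of the conn block, mirroring the patched
    writeipsecfiles branches: cert lines for cert/xauthrsasig, then
    secret / xauthrsasig+xauth=server / rsasig.  'psk' is assumed to be
    the value the unchanged PSK branch tests for."""
    auth, name = fields[IDX_AUTH], fields[IDX_NAME]
    lines = []
    if auth in ("cert", "xauthrsasig"):
        lines.append(f"leftcert={SWROOT}/certs/hostcert.pem")
        if fields[IDX_REMOTE_ID] != "%auth-dn":
            lines.append(f"rightcert={SWROOT}/certs/{name}cert.pem")
    if auth == "psk":
        lines.append("authby=secret")
    elif auth == "xauthrsasig":
        lines += ["authby=xauthrsasig", "xauth=server"]
    else:
        lines += ["authby=rsasig", "leftrsasigkey=%cert", "rightrsasigkey=%cert"]
    return lines


def check_xauth_conn(fields, xauth_users):
    """Warnings for an xauthrsasig connection that the patch does not
    enforce: key exchange still ikev2, and no XAUTH credential declared.
    Returns an empty list when the connection looks complete."""
    problems = []
    if fields[IDX_AUTH] != "xauthrsasig":
        return problems
    kx = fields[IDX_KEYEXCHANGE] if len(fields) > IDX_KEYEXCHANGE else ""
    if kx != "ikev1":
        # The thread only reports xauthrsasig working with ikev1; with ikev2
        # the responder answered NO_PROPOSAL_CHOSEN.
        problems.append(f"keyexchange is {kx!r}, expected ikev1 for xauthrsasig")
    if not xauth_users:
        problems.append("no XAUTH user declared; xauth=server cannot authenticate anyone")
    return problems


if __name__ == "__main__":
    users = parse_xauth_users(SAMPLE_USER_SECRETS)
    for key, fields in parse_vpn_config(SAMPLE_VPN_CONFIG).items():
        print(f"conn {fields[IDX_NAME]}")
        for line in authby_lines(fields):
            print(f"\t{line}")
        for problem in check_xauth_conn(fields, users):
            print(f"# WARNING ({key}): {problem}")
```

The check reports rather than rewrites, on purpose: the cgi writes ipsec.conf from the config file on every save, so a validation step that runs before that write is where a missing XAUTH entry or a leftover ikev2 setting is cheapest to catch. Whether an xauth peer could work over IKEv2 as Michael supposes is left open; the warning only reflects the result reported in the thread.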