Project

General

Profile

Actions

Bug #108

closed

Xauth is forced for IPsec mobile clients

Added by Chris Buechler over 14 years ago. Updated almost 14 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
10/02/2009
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

Xauth is forced for IPsec mobile clients in 2.0, breaking all upgraded configurations.

Actions #1

Updated by Scott Ullrich over 14 years ago

  • Status changed from New to Feedback
Actions #2

Updated by Chris Buechler over 14 years ago

  • Category changed from VPN (Multiple Types) to IPsec
  • Status changed from Feedback to New

That change is unrelated and should be reverted. The problem will appear in upgraded configurations, and at this time it's not entirely known the exact problems that will occur. Needs testing w/an upgraded configuration.

Actions #3

Updated by Scott Ullrich over 14 years ago

If someone can describe what needs to be fixed, I can give it a go but at the moment I do not understand the logistics of the issue.

Actions #4

Updated by Jim Pingle over 14 years ago

In 1.2.3, for IPsec mobile clients, there was a tab to define a PSK/Identifier pair. This does not exist in 2.0.

In 2.0 it seems we'll have to add this into the user manager. Each user could have two extra fields for ipsec_identifier and ipsec_psk and then these could be used to add the PSKs for mobile users as we have on 1.2.3. (Or perhaps some other more extensible way that packages and other subsystems could add custom per-user account fields)

This way, if someone wants to use xauth, their username and password will be used. If they choose to use a PSK/ID instead, it can use those fields from their account.

I'm not sure how much of the IPsec front end and back end would need to be modified to suit this, at a minimum there would need to be a method of choosing between xauth and id/psk modes, as right now only the xauth options are presented.

For upgraded configurations, we'd have to automatically add in dummy accounts for these, such as ipsecuser01 or ipsecmobile01 or somesuch name.

Actions #5

Updated by Chris Buechler over 14 years ago

I'm not sure how to best handle this, users doesn't seem like a great place for it as that's commonly been used for site to site connectivity in the past, but short of bringing back that PSK tab I don't know where else to put it.

Actions #6

Updated by Scott Ullrich over 14 years ago

Sounds like we need to bring back the PSK tab then. That would also minimize configuration upgrade behavior.

Actions #7

Updated by Jim Pingle over 14 years ago

Bringing back the PSK tab would probably be the best (and easiest) thing to do then. Anyone know if you can have both xauth and id/psk mobile clients going at the same time?

Since xauth is better suited for mobile client access that would probably be the preferred method anyhow, leaving id/psk as more of a legacy use or for remote site-to-site tunnels.

Actions #8

Updated by Jim Pingle almost 14 years ago

  • Status changed from New to Feedback

This is ready for testing. It generates a mobile config in racoon.conf which is equivalent to one found in 1.2.3 if you choose Pre-Shared Key only (no xauth) on the mobile tunnel config.

I also brought back the PSK tab as a part of this update.

Actions #9

Updated by Jim Pingle almost 14 years ago

It appears to work as intended, tunnels establish OK with the new setup. However, ipsec-tools 0.8 does not have working mobile tunnels at the moment, unrelated to this particular issue.

Actions #10

Updated by Chris Buechler almost 14 years ago

  • Status changed from Feedback to Resolved

what we went through here appears to be fine now, can open more specific tickets if there are any outstanding issues in this area.

Actions

Also available in: Atom PDF