
Bug #108

Xauth is forced for IPsec mobile clients

Added by Chris Buechler almost 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 10/02/2009
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

Xauth is forced for IPsec mobile clients in 2.0, breaking all upgraded configurations.

Associated revisions

Revision 7998c3f2 (diff)
Added by Scott Ullrich over 9 years ago

Turn off xauth by default. Ticket #108

Revision 1703e5c5 (diff)
Added by Scott Ullrich over 9 years ago

Revert "Turn off xauth by default. Ticket #108"

This reverts commit 7998c3f280370991beca62c6a99ae6dd6051228a.

Revision 958420c5 (diff)
Added by jim-p over 9 years ago

Bring back IPsec PSK Tab/Edit. Part of ticket #108. Still needs backend code to use the resulting keys.

Revision 2ef1b601 (diff)
Added by jim-p over 9 years ago

Write out IPsec PSKs for mobile clients. Part of ticket #108.

Revision 71d61aa5 (diff)
Added by jim-p over 9 years ago

Reorder Auth. Method and PSK field to a more logical sequence. Part of ticket #108.

Revision 1f65618b (diff)
Added by jim-p over 9 years ago

Only enforce peer ID and psk on p1 screen if we are NOT dealing with a pure-psk mobile tunnel (which is the behavior in 1.2.3). Hide irrelevant options. Part of ticket #108.

Revision 9b2e9133 (diff)
Added by jim-p over 9 years ago

Do not specify subnet in sainfo if we are dealing with a mobile PSK-only tunnel. Ticket #108

Revision 36d047f5 (diff)
Added by jim-p over 9 years ago

Only specify peer ID if we are not dealing with a mobile PSK-only tunnel. Ticket #108.

Revision fa1f4827 (diff)
Added by jim-p over 9 years ago

Set generate_policy to "on" to behave as 1.2.3 does in this case. Ticket #108

Revision d98f1fa9 (diff)
Added by jim-p over 9 years ago

Ensure initial_contact is 'on' in this case to behave as 1.2.3 did. Ticket #108

Revision bdf4ad85 (diff)
Added by jim-p over 9 years ago

Set proposal check and passive as needed for this scenario also. Ticket #108

Revision 10d171f2 (diff)
Added by jim-p over 9 years ago

Add a few comments. This should be ready for testing/feedback. Ticket #108

Revision 44d906ca (diff)
Added by Sjon Hortensius over 4 years ago

system_authservers - fix toggle by making it explicit fixes #108

also allow calling toggles without any arguments

History

#1 Updated by Scott Ullrich over 9 years ago

  • Status changed from New to Feedback

#2 Updated by Chris Buechler over 9 years ago

  • Category changed from VPN (Multiple Types) to IPsec
  • Status changed from Feedback to New

That change is unrelated and should be reverted. The problem will appear in upgraded configurations, and at this time the exact problems that will occur are not entirely known. Needs testing w/an upgraded configuration.

#3 Updated by Scott Ullrich over 9 years ago

If someone can describe what needs to be fixed, I can give it a go but at the moment I do not understand the logistics of the issue.

#4 Updated by Jim Pingle over 9 years ago

In 1.2.3, for IPsec mobile clients, there was a tab to define a PSK/Identifier pair. This does not exist in 2.0.

In 2.0 it seems we'll have to add this into the user manager. Each user could have two extra fields for ipsec_identifier and ipsec_psk and then these could be used to add the PSKs for mobile users as we have on 1.2.3. (Or perhaps some other more extensible way that packages and other subsystems could add custom per-user account fields)

This way, if someone wants to use xauth, their username and password will be used. If they choose to use a PSK/ID instead, it can use those fields from their account.

I'm not sure how much of the IPsec front end and back end would need to be modified to suit this, at a minimum there would need to be a method of choosing between xauth and id/psk modes, as right now only the xauth options are presented.

For upgraded configurations, we'd have to automatically add in dummy accounts for these, such as ipsecuser01 or ipsecmobile01 or somesuch name.

#5 Updated by Chris Buechler over 9 years ago

I'm not sure how to best handle this. Users doesn't seem like a great place for it, as that's commonly been used for site to site connectivity in the past, but short of bringing back that PSK tab I don't know where else to put it.

#6 Updated by Scott Ullrich over 9 years ago

Sounds like we need to bring back the PSK tab then. That would also minimize configuration upgrade behavior.

#7 Updated by Jim Pingle over 9 years ago

Bringing back the PSK tab would probably be the best (and easiest) thing to do then. Anyone know if you can have both xauth and id/psk mobile clients going at the same time?

Since xauth is better suited for mobile client access that would probably be the preferred method anyhow, leaving id/psk as more of a legacy use or for remote site-to-site tunnels.

#8 Updated by Jim Pingle over 9 years ago

  • Status changed from New to Feedback

This is ready for testing. It generates a mobile config in racoon.conf which is equivalent to one found in 1.2.3 if you choose Pre-Shared Key only (no xauth) on the mobile tunnel config.

I also brought back the PSK tab as a part of this update.
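The shape of the mobile PSK-only racoon.conf that the revisions above and this comment refer to (generate_policy and initial_contact on, passive and proposal_check set, no peers_identifier, and an anonymous sainfo with no subnet), written here as an added illustration rather than copied from pfSense's generated file; the WAN address, algorithms, lifetimes, the proposal_check value and the psk.txt path are assumed.

```conf
# Added illustration of the mobile PSK-only layout described in the
# revisions for this ticket; not pfSense's own generated racoon.conf.
# The address, algorithms, lifetimes and the psk.txt path are assumed.

# One "identifier  secret" line per mobile client (the PSK tab), e.g.
#   client1@example.com   <strong-random-secret>
path pre_shared_key "/var/etc/psk.txt";

remote anonymous
{
    exchange_mode aggressive;       # the client's ID is needed to select
                                    # its PSK before its address is known
    my_identifier address 203.0.113.1;
    # No peers_identifier here: each client is matched by the identifier
    # it sends, looked up in psk.txt ("Only specify peer ID if ...").
    passive on;                     # never initiate towards a roaming client
    proposal_check obey;            # accept the client's lifetime/PFS (assumed)
    generate_policy on;             # derive SPD entries from the client's
                                    # proposal instead of a fixed subnet
    initial_contact on;             # clear stale SAs when a client reconnects
    nat_traversal on;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;   # the PSK-only choice; the
                                                # Xauth variant would use
                                                # xauth_psk_server + mode_cfg
        dh_group 2;
        lifetime time 28800 sec;
    }
}

# No subnet in sainfo for the mobile PSK-only case
# ("Do not specify subnet in sainfo ...").
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}
```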

#9 Updated by Jim Pingle over 9 years ago

It appears to work as intended, tunnels establish OK with the new setup. However, ipsec-tools 0.8 does not have working mobile tunnels at the moment, unrelated to this particular issue.

#10 Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved

What we went through here appears to be fine now; can open more specific tickets if there are any outstanding issues in this area.
