Xauth is forced for IPsec mobile clients
Xauth is forced for IPsec mobile clients in 2.0, breaking all upgraded configurations.
Revert "Turn off xauth by default. Ticket #108"
This reverts commit 7998c3f280370991beca62c6a99ae6dd6051228a.
Bring back IPsec PSK Tab/Edit. Part of ticket #108. Still needs backend code to use the resulting keys.
Reorder Auth. Method and PSK field to a more logical sequence. Part of ticket #108.
Only enforce peer ID and PSK on the Phase 1 screen if we are NOT dealing with a pure-PSK mobile tunnel (which is the behavior in 1.2.3). Hide irrelevant options. Part of ticket #108.
Do not specify subnet in sainfo if we are dealing with a mobile PSK-only tunnel. Ticket #108
Only specify peer ID if we are not dealing with a mobile PSK-only tunnel. Ticket #108.
Set generate_policy to "on" to behave as 1.2.3 does in this case. Ticket #108
Ensure initial_contact is 'on' in this case to behave as 1.2.3 did. Ticket #108
Set proposal check and passive as needed for this scenario also. Ticket #108
#2 Updated by Chris Buechler over 9 years ago
- Category changed from VPN to IPsec
- Status changed from Feedback to New
That change is unrelated and should be reverted. The problem will appear in upgraded configurations, and at this time it's not entirely known what the exact problems will be. Needs testing with an upgraded configuration.
#4 Updated by Jim Pingle over 9 years ago
In 1.2.3, for IPsec mobile clients, there was a tab to define a PSK/Identifier pair. This does not exist in 2.0.
In 2.0 it seems we'll have to add this into the user manager. Each user could have two extra fields for ipsec_identifier and ipsec_psk and then these could be used to add the PSKs for mobile users as we have on 1.2.3. (Or perhaps some other more extensible way that packages and other subsystems could add custom per-user account fields)
This way, if someone wants to use xauth, their username and password will be used. If they choose to use a PSK/ID instead, it can use those fields from their account.
I'm not sure how much of the IPsec front end and back end would need to be modified to suit this, at a minimum there would need to be a method of choosing between xauth and id/psk modes, as right now only the xauth options are presented.
For upgraded configurations, we'd have to automatically add dummy accounts for these, with names such as ipsecuser01 or ipsecmobile01 or some such.
#7 Updated by Jim Pingle over 9 years ago
Bringing back the PSK tab would probably be the best (and easiest) thing to do then. Anyone know if you can have both xauth and id/psk mobile clients going at the same time?
Since xauth is better suited for mobile client access that would probably be the preferred method anyhow, leaving id/psk as more of a legacy use or for remote site-to-site tunnels.
#8 Updated by Jim Pingle about 9 years ago
- Status changed from New to Feedback
This is ready for testing. It generates a mobile config in racoon.conf which is equivalent to one found in 1.2.3 if you choose Pre-Shared Key only (no xauth) on the mobile tunnel config.
I also brought back the PSK tab as a part of this update.
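For readers who want to see what the two mobile-client modes discussed in this ticket look like in racoon's own syntax, the following fragment is an added illustration. It is not the racoon.conf that pfSense 1.2.3 or the commits above actually emit; the gateway address 203.0.113.1, the algorithms, lifetimes and the psk.txt path are placeholders chosen for the example. The first `remote anonymous` block is the PSK-only mobile tunnel the commits describe (no `peers_identifier`, `generate_policy on`, `initial_contact on`, `proposal_check obey`, `passive on`, and an `sainfo anonymous` with no subnet); the commented-out second block shows the Xauth variant that 2.0 was forcing on every upgraded configuration.

```conf
# Added example, not pfSense-generated output. Placeholder values:
# 203.0.113.1 is an assumed WAN address; algorithms and lifetimes are illustrative.

# Per-client PSKs from the "Pre-Shared Keys" tab land in a file of
# "identifier<whitespace>secret" lines; racoon looks keys up by identifier.
path pre_shared_key "/var/etc/psk.txt";

# --- Mobile clients, PSK only (the 1.2.3 behaviour this ticket restores) ---
remote anonymous
{
	exchange_mode aggressive;          # ID is in the first packet, so the per-ID PSK can be found
	my_identifier address 203.0.113.1;
	# no peers_identifier: any identifier listed in psk.txt may connect
	proposal_check obey;               # accept the initiator's lifetime and PFS choice
	generate_policy on;                # build SPD entries from the client's proposal
	initial_contact on;                # flush stale SAs from a client's previous session
	passive on;                        # responder only; never initiate to a roaming client
	nat_traversal on;
	proposal
	{
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 sec;
	}
}

# No subnet here: with generate_policy on, the traffic selectors come from
# whatever the mobile client proposes in Phase 2.
sainfo anonymous
{
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 3600 sec;
}

# --- The same tunnel with Xauth (what 2.0 was forcing on upgraded configs) ---
# racoon accepts only one "remote anonymous" block per file, so this variant is
# commented out. It differs in the authentication method and in mode_cfg; the
# client still needs the group PSK and then a username/password on top of it.
#
# remote anonymous
# {
#	exchange_mode aggressive;
#	my_identifier address 203.0.113.1;
#	proposal_check obey;
#	generate_policy on;
#	initial_contact on;
#	passive on;
#	nat_traversal on;
#	mode_cfg on;                       # push addresses/DNS to the client after Xauth
#	proposal
#	{
#		encryption_algorithm aes 256;
#		hash_algorithm sha1;
#		authentication_method xauth_psk_server;
#		dh_group 2;
#		lifetime time 28800 sec;
#	}
# }
```

Two caveats worth keeping in mind when using the PSK-only form: in aggressive mode the client's identifier travels in the clear and the PSK-derived authentication hash is visible to anyone on the path, so each entry in psk.txt should be a long random secret rather than a memorable phrase, and `passive on` means the firewall will never bring the tunnel up itself, which is fine for roaming clients but is not what you want for a site-to-site peer with a fixed address.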