pfSense bugtracker | https://redmine.pfsense.org/ | 2009-12-02T22:25:58Z
pfSense - Bug #108: Xauth is forced for IPsec mobile clients
https://redmine.pfsense.org/issues/108?journal_id=475 | 2009-12-02T22:25:58Z | Scott Ullrich | sullrich@gmail.com
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul>
https://redmine.pfsense.org/issues/108?journal_id=478 | 2009-12-02T22:46:11Z | Chris Buechler | cbuechler@gmail.com
<ul><li><strong>Category</strong> changed from <i>VPN (Multiple Types)</i> to <i>IPsec</i></li><li><strong>Status</strong> changed from <i>Feedback</i> to <i>New</i></li></ul><p>That change is unrelated and should be reverted. The problem will appear in upgraded configurations, and at this time it's not entirely known the exact problems that will occur. Needs testing w/an upgraded configuration.</p>
https://redmine.pfsense.org/issues/108?journal_id=678 | 2009-12-23T17:32:26Z | Scott Ullrich | sullrich@gmail.com
<ul></ul><p>If someone can describe what needs to be fixed, I can give it a go but at the moment I do not understand the logistics of the issue.</p>
https://redmine.pfsense.org/issues/108?journal_id=686 | 2009-12-23T18:26:22Z | Jim Pingle
<ul></ul><p>In 1.2.3, for IPsec mobile clients, there was a tab to define a PSK/Identifier pair. This does not exist in 2.0.</p>
<p>In 2.0 it seems we'll have to add this into the user manager. Each user could have two extra fields for ipsec_identifier and ipsec_psk and then these could be used to add the PSKs for mobile users as we have on 1.2.3. (Or perhaps some other more extensible way that packages and other subsystems could add custom per-user account fields)</p>
<p>This way, if someone wants to use xauth, their username and password will be used. If they choose to use a PSK/ID instead, it can use those fields from their account.</p>
<p>I'm not sure how much of the IPsec front end and back end would need to be modified to suit this; at a minimum, there would need to be a method of choosing between xauth and id/psk modes, as right now only the xauth options are presented.</p>
<p>For upgraded configurations, we'd have to automatically add in dummy accounts for these, such as ipsecuser01 or ipsecmobile01 or somesuch name.</p>
https://redmine.pfsense.org/issues/108?journal_id=690 | 2009-12-23T18:36:55Z | Chris Buechler | cbuechler@gmail.com
<ul></ul><p>I'm not sure how to best handle this, users doesn't seem like a great place for it as that's commonly been used for site to site connectivity in the past, but short of bringing back that PSK tab I don't know where else to put it.</p>
https://redmine.pfsense.org/issues/108?journal_id=691 | 2009-12-23T18:40:06Z | Scott Ullrich | sullrich@gmail.com
<ul></ul><p>Sounds like we need to bring back the PSK tab then. That would also minimize configuration upgrade behavior.</p>
https://redmine.pfsense.org/issues/108?journal_id=692 | 2009-12-23T18:51:12Z | Jim Pingle
<ul></ul><p>Bringing back the PSK tab would probably be the best (and easiest) thing to do then. Anyone know if you can have both xauth and id/psk mobile clients going at the same time?</p>
<p>Since xauth is better suited for mobile client access that would probably be the preferred method anyhow, leaving id/psk as more of a legacy use or for remote site-to-site tunnels.</p>
https://redmine.pfsense.org/issues/108?journal_id=1821 | 2010-05-06T21:27:39Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>This is ready for testing. It generates a mobile config in racoon.conf which is equivalent to one found in 1.2.3 if you choose Pre-Shared Key only (no xauth) on the mobile tunnel config.</p>
<p>I also brought back the PSK tab as a part of this update.</p>
https://redmine.pfsense.org/issues/108?journal_id=1917 | 2010-05-17T13:56:26Z | Jim Pingle
<ul></ul><p>It appears to work as intended, tunnels establish OK with the new setup. However, ipsec-tools 0.8 does not have working mobile tunnels at the moment, unrelated to this particular issue.</p>
https://redmine.pfsense.org/issues/108?journal_id=1922 | 2010-05-17T18:03:03Z | Chris Buechler | cbuechler@gmail.com
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>What we went through here appears to be fine now, can open more specific tickets if there are any outstanding issues in this area.</p>