pfSense

If someone can describe what needs to be fixed, I can give it a go but at the moment I do not understand the logistics of the issue.

In 1.2.3, for IPsec mobile clients, there was a tab to define a PSK/Identifier pair. This does not exist in 2.0.

In 2.0 it seems we'll have to add this into the user manager. Each user could have two extra fields for ipsec_identifier and ipsec_psk and then these could be used to add the PSKs for mobile users as we have on 1.2.3. (Or perhaps some other more extensible way that packages and other subsystems could add custom per-user account fields)

This way, if someone wants to use xauth, their username and password will be used. If they choose to use a PSK/ID instead, it can use those fields from their account.

I'm not sure how much of the IPsec front end and back end would need to be modified to suit this, at a minimum there would need to be a method of choosing between xauth and id/psk modes, as right now only the xauth options are presented.

For upgraded configurations, we'd have to automatically add in dummy accounts for these, such as ipsecuser01 or ipsecmobile01 or somesuch name.

I'm not sure how to best handle this, users doesn't seem like a great place for it as that's commonly been used for site to site connectivity in the past, but short of bringing back that PSK tab I don't know where else to put it.

Sounds like we need to bring back the PSK tab then. That would also minimize configuration upgrade behavior.

Bringing back the PSK tab would probably be the best (and easiest) thing to do then. Anyone know if you can have both xauth and id/psk mobile clients going at the same time?

Since xauth is better suited for mobile client access that would probably be the preferred method anyhow, leaving id/psk as more of a legacy use or for remote site-to-site tunnels.

It appears to work as intended, tunnels establish OK with the new setup. However, ipsec-tools 0.8 does not have working mobile tunnels at the moment, unrelated to this particular issue.