Message ID | 20180709200731.28762-1-blais.julien.30@gmail.com |
---|---|
State | Dropped |
Headers | From: jbsky <blais.julien.30@gmail.com>; To: development@lists.ipfire.org; Subject: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi; Date: Mon, 9 Jul 2018 22:07:31 +0200; Message-Id: <20180709200731.28762-1-blais.julien.30@gmail.com>; X-Mailer: git-send-email 2.12.2 |
Series | [1/2] File modified : html/cgi-bin/vpnmain.cgi |
Commit Message
Julien Blais
July 10, 2018, 6:07 a.m. UTC
Added xauthrsasig option instead of cert in /var/ipfire/vpn/config. By replacing cert with xauth in the 5th place option, the VPN connection is configured to support xauthrsasig; ikev1 also has to be changed manually in the file.
---
html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
Comments
Hello Julien?!, thanks for submitting this patch. Could you go into more detail about what this patch is doing and why you need it? Best, -Michael On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote: > Added xauthrsasig option instead of cert in /var/ipfire/vpn/config. > By replacing cert with xauth in the 5th place option, the vpn connection is > configured to support xauthrsasig, ikev1 is also to be changed manually in the > file. > --- > html/cgi-bin/vpnmain.cgi | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index 378acb326..a5c50dbda 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -304,7 +304,7 @@ sub writeipsecfiles { > } > > # Local Cert and Remote Cert (unless auth is DN dn-auth) > - if ($lconfighash{$key}[4] eq 'cert') { > + if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] > eq 'xauthrsasig')) { > print CONF > "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; > print CONF > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if > ($lconfighash{$key}[2] ne '%auth-dn'); > } > @@ -408,7 +408,12 @@ sub writeipsecfiles { > print SECRETS $psk_line; > } > print CONF "\tauthby=secret\n"; > - } else { > + } > + elsif ($lconfighash{$key}[4] eq 'xauthrsasig') { > + print CONF "\tauthby=xauthrsasig\n"; > + print CONF "\txauth=server\n"; > + } > + else { > print CONF "\tauthby=rsasig\n"; > print CONF "\tleftrsasigkey=%cert\n"; > print CONF "\trightrsasigkey=%cert\n"; 
> @@ -2841,7 +2846,7 @@ END > print "<td align='center' nowrap='nowrap' $col>" . > $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . > ") $confighash{$key}[29]</td>"; > if ($confighash{$key}[2] eq '%auth-dn') { > print "<td align='left' nowrap='nowrap' > $col>$confighash{$key}[9]</td>"; > - } elsif ($confighash{$key}[4] eq 'cert') { > + } elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq > 'xauthrsasig')) { > print "<td align='left' nowrap='nowrap' > $col>$confighash{$key}[2]</td>"; > } else { > print "<td align='left' $col> </td>"; > @@ -2893,7 +2898,7 @@ END > } else { > print "<td width='2%' $col> </td>"; > } > - if ($confighash{$key}[4] eq 'cert' && -f > "${General::swroot}/certs/$confighash{$key}[1].p12") { > + if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq > 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { > print <<END > <td align='center' $col> > <form method='post' action='$ENV{'SCRIPT_NAME'}'> > @@ -2904,7 +2909,7 @@ END > </td> > END > ; > - } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne > '%auth-dn')) { > + } elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] > ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && > ($confighash{$key}[2] ne '%auth-dn'))) { > print <<END > <td align='center' $col> > <form method='post' action='$ENV{'SCRIPT_NAME'}'>
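Review bot: in the @@ -304 hunk (and again in the three UI hunks) the disjunction `($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')` is written out by hand four times; a small helper such as `sub uses_certs { my $auth = shift; return $auth eq 'cert' || $auth eq 'xauthrsasig'; }` would keep the next authentication method from needing four more edits, and the comment `# Local Cert and Remote Cert (unless auth is DN dn-auth)` above it should say that XAUTH with RSA signatures also needs both certificates.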
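Review bot: the new `elsif` branch in the @@ -408 hunk writes `authby=xauthrsasig` and `xauth=server` but nothing that makes the connection usable: `xauth=server` needs a user/password entry in the XAUTH secrets file, and the patch neither writes one nor adds a field for it, whereas the PSK branch just above does write `$psk_line` to SECRETS; either do the equivalent for XAUTH or have the UI reject the option. The branch also does not force keyexchange to ikev1 even though the commit message says the user must change it by hand. Minor: `}` followed by `+ elsif (...) {` on its own line differs from the `} else {` style of the surrounding code.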
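Review bot: in the @@ -2841 hunk the row label is built from `$Lang::tr{"$confighash{$key}[4]"}`, so the new value `xauthrsasig` will render as empty parentheses unless a matching key is added to the language files; the diffstat shows only vpnmain.cgi changed.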
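Review bot: the condition in the @@ -2904 hunk repeats `($confighash{$key}[2] ne '%auth-dn')` on both sides of the `||`; it simplifies to `(($confighash{$key}[4] eq 'cert' || $confighash{$key}[4] eq 'xauthrsasig') && $confighash{$key}[2] ne '%auth-dn')`, which is the shape already used in the @@ -2893 hunk.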
Hi Michael,

For it to work, you simply need to generate a Roadwarrior connection per certificate. Then, change what is red: either replace cert by xauthrsasig and put ikev1 instead of ikev2.

[root@ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900

Here is the result in the file:

conn Xiaomi
	left=vpn.jbsky.fr
	leftsubnet=192.168.0.0/24
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/Xiaomicert.pem
	ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
	esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
	keyexchange=ikev1
	ikelifetime=3h
	keylife=1h
	dpdaction=clear
	dpddelay=30
	dpdtimeout=120
	authby=xauthrsasig
	xauth=server
	auto=add
	rightsourceip=10.0.10.0/29
	fragmentation=yes

Why this patch? It allows having a functional view of VPN connections on the vpnmain.cgi page. Everything that is iOS or Android works with Xauth; you do not support this type of device.

2018-07-10 19:42 GMT+02:00 Michael Tremer <michael.tremer@ipfire.org>:
> Hello Julien?!,
>
> thanks for submitting this patch.
>
> Could you go into more detail about what this patch is doing and why you need
> it?
>
> Best,
> -Michael
>
> On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
> > Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
> > By replacing cert with xauth in the 5th place option, the vpn connection is
> > configured to support xauthrsasig, ikev1 is also to be changed manually in the
> > file.
> > ---
> > html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
> > 1 file changed, 10 insertions(+), 5 deletions(-)
> >
> > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > > index 378acb326..a5c50dbda 100644 > > --- a/html/cgi-bin/vpnmain.cgi > > +++ b/html/cgi-bin/vpnmain.cgi 
> > @@ -304,7 +304,7 @@ sub writeipsecfiles { > > } > > > > # Local Cert and Remote Cert (unless auth is DN dn-auth) > > - if ($lconfighash{$key}[4] eq 'cert') { > > + if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[ > 4] > > eq 'xauthrsasig')) { > > print CONF > > "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; > > print CONF > > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" > if > > ($lconfighash{$key}[2] ne '%auth-dn'); > > } > > @@ -408,7 +408,12 @@ sub writeipsecfiles { > > print SECRETS $psk_line; > > } > > print CONF "\tauthby=secret\n"; > > - } else { > > + } > > + elsif ($lconfighash{$key}[4] eq 'xauthrsasig') { > > + print CONF "\tauthby=xauthrsasig\n"; > > + print CONF "\txauth=server\n"; > > + } > > + else { > > print CONF "\tauthby=rsasig\n"; > > print CONF "\tleftrsasigkey=%cert\n"; > > print CONF "\trightrsasigkey=%cert\n"; > > @@ -2841,7 +2846,7 @@ END > > print "<td align='center' nowrap='nowrap' $col>" . > > $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} > . > > ") $confighash{$key}[29]</td>"; > > if ($confighash{$key}[2] eq '%auth-dn') { > > print "<td align='left' nowrap='nowrap' > > $col>$confighash{$key}[9]</td>"; > > - } elsif ($confighash{$key}[4] eq 'cert') { > > + } elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq > > 'xauthrsasig')) { > > print "<td align='left' nowrap='nowrap' > > $col>$confighash{$key}[2]</td>"; > > } else { > > print "<td align='left' $col> </td>"; > > @@ -2893,7 +2898,7 @@ END > > } else { > > print "<td width='2%' $col> </td>"; > > } > > - if ($confighash{$key}[4] eq 'cert' && -f > > "${General::swroot}/certs/$confighash{$key}[1].p12") { > > + if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq > > 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") > { > > print <<END > > <td align='center' $col> > > <form method='post' action='$ENV{'SCRIPT_NAME'}'> 
> > @@ -2904,7 +2909,7 @@ END > > </td> > > END > > ; > > - } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] > ne > > '%auth-dn')) { > > + } elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] > > ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && > > ($confighash{$key}[2] ne '%auth-dn'))) { > > print <<END > > <td align='center' $col> > > <form method='post' action='$ENV{'SCRIPT_NAME'}'>
If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote: > Hi Michael, > > > For it to work, you simply need to generate a Roadwarrior connection per > certificate. Then, change what is red, either replace cert by > xauthrsasiget put ikev1 instead of ikev2. > > [root@ipfire ~]# cat /var/ipfire/vpn/config > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120,30,off,start,900 > > Here is the result in the file : > > conn Xiaomi > left=vpn.jbsky.fr <http://vpn.jbsky.fr> > leftsubnet=192.168.0.0/24 <http://192.168.0.0/24> > leftfirewall=yes > lefthostaccess=yes > right=%any > leftcert=/var/ipfire/certs/hostcert.pem > rightcert=/var/ipfire/certs/Xiaomicert.pem > ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768! > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512! > keyexchange=ikev1 > ikelifetime=3h > keylife=1h > dpdaction=clear > dpddelay=30 > dpdtimeout=120 > authby=xauthrsasig > xauth=server > auto=add > rightsourceip=10.0.10.0/29 <http://10.0.10.0/29> > fragmentation=yes > > Why this patch? it allows to have a functional visual on VPN connections > in the vpnmain.cgi page. Everything that is IOS or Android works with > Xauth, you do not support this type of device.
I present what I know that works. I haven't tested it, but if you say so, it's to be tested. I was forgetting, of course, xauth needs a login/password pair to declare in ipsec.user.secret.

On Tue, 10 Jul 2018 at 20:11, Tom Rymes <trymes@rymes.com> wrote: > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, > don't they? > > Tom > > On 07/10/2018 2:07 PM, Julien Blais wrote: > > Hi Michael, > > > > > > For it to work, you simply need to generate a Roadwarrior connection per > > certificate. Then, change what is red, either replace cert by > > xauthrsasiget put ikev1 instead of ikev2. > > > > [root@ipfire ~]# cat /var/ipfire/vpn/config > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,, > 192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on> > > < > http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on > >,ikev1,120,30,off,start,900 > > > > Here is the result in the file : > > > > conn Xiaomi > > left=vpn.jbsky.fr <http://vpn.jbsky.fr> > > leftsubnet=192.168.0.0/24 <http://192.168.0.0/24> > > leftfirewall=yes > > lefthostaccess=yes > > right=%any > > leftcert=/var/ipfire/certs/hostcert.pem > > rightcert=/var/ipfire/certs/Xiaomicert.pem > > ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768! > > > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512! > > keyexchange=ikev1 > > ikelifetime=3h > > keylife=1h > > dpdaction=clear > > dpddelay=30 > > dpdtimeout=120 > > authby=xauthrsasig > > xauth=server > > auto=add > > rightsourceip=10.0.10.0/29 <http://10.0.10.0/29> > > fragmentation=yes > > > > Why this patch? it allows to have a functional visual on VPN connections > > in the vpnmain.cgi page. 
Everything that is IOS or Android works with > > Xauth, you do not support this type of device. > > > >
On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> I present what I know that works. Since I haven't tested, but if you say so,
> it's to be tested.

I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.

> I was forgetting, of course, xauth needs a login/password pair to declare in
> ipsec.user.secret.

This kind of renders the patch useless then if there is no way to set username and password. This could be added to the connection just like entering the PSK.

Best,
-Michael

> On Tue, 10 Jul 2018 at 20:11, Tom Rymes <trymes@rymes.com> wrote: > > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, > > don't they? > > > > Tom > > > > On 07/10/2018 2:07 PM, Julien Blais wrote: > > > Hi Michael, > > > > > > > > > For it to work, you simply need to generate a Roadwarrior connection per > > > certificate. Then, change what is red, either replace cert by > > > xauthrsasiget put ikev1 instead of ikev2. > > > > > > [root@ipfire ~]# cat /var/ipfire/vpn/config > > > > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0. > > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none > > ,on,,,clear,on > > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha > > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120, > > 30,off,start,900 > > > > > > Here is the result in the file : > > > > > > conn Xiaomi > > > left=vpn.jbsky.fr <http://vpn.jbsky.fr> > > > leftsubnet=192.168.0.0/24 <http://192.168.0.0/24> > > > leftfirewall=yes > > > lefthostaccess=yes > > > right=%any > > > leftcert=/var/ipfire/certs/hostcert.pem > > > rightcert=/var/ipfire/certs/Xiaomicert.pem > > > ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768! > > > > > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512! 
> > > keyexchange=ikev1 > > > ikelifetime=3h > > > keylife=1h > > > dpdaction=clear > > > dpddelay=30 > > > dpdtimeout=120 > > > authby=xauthrsasig > > > xauth=server > > > auto=add > > > rightsourceip=10.0.10.0/29 <http://10.0.10.0/29> > > > fragmentation=yes > > > > > > Why this patch? it allows to have a functional visual on VPN connections > > > in the vpnmain.cgi page. Everything that is IOS or Android works with > > > Xauth, you do not support this type of device. > > > > > >
I tested with ikev2, unfortunately, it doesn't work.

Jul 10 22:33:58 ipfire charon: 13[IKE] no IKE config found for IP1...IP2 sending NO_PROPOSAL_CHOSEN

I remind you that you have a page dedicated to this type of connection; here I can read IKEv1. :)
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_android

As a reminder, the configuration to put in the file /etc/ipsec.user.secret.user:

cat /etc/ipsec.user.secret.user
Xiaomi : XAUTH "PASSWORD"

To apply the idea I propose, you need to know how to use Bash and add a login/password data set; it's as easy as modifying the vpn config file.

I wish to highlight one positive point: by going through the @ipfire:444 frontend, changing the options of a VPN connection, for example IKEv1->IKEv2->IKEv1, keeps the xauthrsasig parameter. It's not an unnecessary fix: despite a change from the @IPFIRE:444 interface, it keeps the "xauthrsasig" record and writes the VPN connection configuration correctly.

The real question is who will use this improvement? This is a first step towards XAUTH support, but you still have to want to take it.

On Thu, 12 Jul 2018 at 11:30, Michael Tremer <michael.tremer@ipfire.org> wrote: > On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote: > > I present what I know that works. Since I haven't tested, but if you > say so, > > it's to be tested. > > I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1. > > > I was forgetting, of course, xauth needs a login/password pair to > declare in > > ipsec.user.secret. > > This kind of renders the patch useless then if there is no way to set > username > and password. This could be added to the connection just like entering the > PSK. > > Best, > -Michael > > > On Tue, 10 Jul 2018 at 20:11, Tom Rymes <trymes@rymes.com> wrote: > > > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, > > > don't they? 
> > > > > > Tom > > > > > > On 07/10/2018 2:07 PM, Julien Blais wrote: > > > > Hi Michael, > > > > > > > > > > > > For it to work, you simply need to generate a Roadwarrior connection > per > > > > certificate. Then, change what is red, either replace cert by > > > > xauthrsasiget put ikev1 instead of ikev2. > > > > > > > > [root@ipfire ~]# cat /var/ipfire/vpn/config > > > > > > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10. > 0/255.255.255.0,,,10.0. > > > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_ > 512,1024|768|none > > > ,on,,,clear,on > > > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,, > off,3,1,aes256,sha > > > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,, > clear,on>,ikev1,120, > > > 30,off,start,900 > > > > > > > > Here is the result in the file : > > > > > > > > conn Xiaomi > > > > left=vpn.jbsky.fr <http://vpn.jbsky.fr> > > > > leftsubnet=192.168.0.0/24 <http://192.168.0.0/24> > > > > leftfirewall=yes > > > > lefthostaccess=yes > > > > right=%any > > > > leftcert=/var/ipfire/certs/hostcert.pem > > > > rightcert=/var/ipfire/certs/Xiaomicert.pem > > > > ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768! > > > > > > > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768, > aes256-sha2_512! > > > > keyexchange=ikev1 > > > > ikelifetime=3h > > > > keylife=1h > > > > dpdaction=clear > > > > dpddelay=30 > > > > dpdtimeout=120 > > > > authby=xauthrsasig > > > > xauth=server > > > > auto=add > > > > rightsourceip=10.0.10.0/29 <http://10.0.10.0/29> > > > > fragmentation=yes > > > > > > > > Why this patch? it allows to have a functional visual on VPN > connections > > > > in the vpnmain.cgi page. Everything that is IOS or Android works > with > > > > Xauth, you do not support this type of device. 
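As an added example (Python, not IPFire's Perl CGI and not code from anyone in this thread), the config line Julien posted earlier and the `Xiaomi : XAUTH "PASSWORD"` secrets line he gives above are run through a small model of the patched auth branches of writeipsecfiles(), followed by the two pre-checks the thread arrives at: an xauthrsasig connection needs keyexchange=ikev1 (the IKEv2 attempt failed with NO_PROPOSAL_CHOSEN) and a user/password entry in the XAUTH secrets file (without one, xauth=server has nothing to verify). Field indexes 1, 2, 4 and 29 are the ones the patch and its UI hunk use; that the first authby branch tests for `psk`, and that `General::readhasharray()` splits the numeric key off the line, are assumptions, as is the reduced conn stanza, which keeps only the lines the patch touches.

```python
"""Model of the patched authby branches in vpnmain.cgi's writeipsecfiles(),
plus the preconditions an xauthrsasig roadwarrior needs.  Added example,
not IPFire code."""
import re

# Assumption: General::readhasharray() splits the numeric key off the raw
# /var/ipfire/vpn/config line, so $confighash{$key}[N] is field N+1 of it.
# Indexes 1, 2 and 4 come from the patch; 29 is printed next to the auth
# type in the UI hunk and holds ikev1/ikev2 in the posted line.
CERT_NAME, REMOTE_ID, AUTH_TYPE, KEYEXCHANGE = 1, 2, 4, 29
SWROOT = "/var/ipfire"          # ${General::swroot}

# Constructed sample input: the config line from the thread, and a secrets
# file in the '<user> : XAUTH "<password>"' form quoted in the thread.
SAMPLE_CONFIG_LINE = (
    "2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,"
    "10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,"
    "1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900"
)
SAMPLE_SECRETS = 'Xiaomi : XAUTH "PASSWORD"\n'


def parse_config_line(line):
    """Return (key, fields): the key is field 0, fields are the rest."""
    key, rest = line.strip().split(",", 1)
    if not key.isdigit():
        raise ValueError(f"config key is not numeric: {key!r}")
    return key, rest.split(",")


def with_field(fields, index, value):
    """Copy of fields with one position replaced (used for what-if runs)."""
    changed = list(fields)
    changed[index] = value
    return changed


def auth_lines(fields):
    """Authentication lines of the conn stanza, following the patched
    branches.  The 'psk' test on the first branch is assumed; the page only
    shows that branch's last lines."""
    auth = fields[AUTH_TYPE]
    lines = []
    # Patched: certificates are written for 'cert' and for 'xauthrsasig'.
    if auth in ("cert", "xauthrsasig"):
        lines.append(f"\tleftcert={SWROOT}/certs/hostcert.pem")
        if fields[REMOTE_ID] != "%auth-dn":
            lines.append(f"\trightcert={SWROOT}/certs/{fields[CERT_NAME]}cert.pem")
    if auth == "psk":
        lines.append("\tauthby=secret")
    elif auth == "xauthrsasig":            # the new elsif branch
        lines.append("\tauthby=xauthrsasig")
        lines.append("\txauth=server")
    else:
        lines += ["\tauthby=rsasig", "\tleftrsasigkey=%cert", "\trightrsasigkey=%cert"]
    return lines


def render_conn(key, fields):
    """Reduced conn stanza: name, keyexchange and the auth lines above."""
    body = [f"conn {fields[CERT_NAME]}", f"\tkeyexchange={fields[KEYEXCHANGE]}"]
    return "\n".join(body + auth_lines(fields)) + "\n"


# One XAUTH credential per line:  Xiaomi : XAUTH "PASSWORD"
XAUTH_SECRET = re.compile(r'^\s*(\S+)\s*:\s*XAUTH\s+"[^"]*"\s*$', re.MULTILINE)


def xauth_users(secrets_text):
    """User names that have an XAUTH credential in the secrets file."""
    return {m.group(1) for m in XAUTH_SECRET.finditer(secrets_text)}


def check_xauth_preconditions(fields, secrets_text):
    """Problems that would leave an xauthrsasig connection unusable, as the
    thread reports them.  Empty list means the connection can be tried."""
    problems = []
    if fields[AUTH_TYPE] != "xauthrsasig":
        return problems
    if fields[KEYEXCHANGE] != "ikev1":
        problems.append("keyexchange must be ikev1 for authby=xauthrsasig")
    if not xauth_users(secrets_text):
        problems.append("no XAUTH user/password entry in the secrets file")
    return problems


if __name__ == "__main__":
    key, fields = parse_config_line(SAMPLE_CONFIG_LINE)
    print(render_conn(key, fields))
    print("problems:", check_xauth_preconditions(fields, SAMPLE_SECRETS))
    print("with ikev2, no secrets:",
          check_xauth_preconditions(with_field(fields, KEYEXCHANGE, "ikev2"), ""))
```

Run as-is it prints the stanza with `authby=xauthrsasig` / `xauth=server` and an empty problem list; the what-if run at the end swaps in ikev2 and an empty secrets file and reports both problems, which is the state a connection saved through the web UI alone would be in, since the patch writes neither the keyexchange constraint nor a secrets entry.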
I tested with ikev2, unfortunately, it doesn't work.

Jul 10 22:33:58 ipfire charon: 13[IKE] no IKE config found for IP1...IP2 sending NO_PROPOSAL_CHOSEN

I remind you that you have a page dedicated to this type of connection, here I can read IKEv1. :)
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_android

As a reminder, the configuration to put in the file /etc/ipsec.user.secret.user:

cat /etc/ipsec.user.secret.user
Xiaomi : XAUTH "PASSWORD"

To apply the idea I propose, you need to know how to use the Bash, and add a login/password data set, it's as easy as modifying in the vpn config file.

I wish to highlight one positive point: by going through the @ipfire:444 frontend, changing the options of a VPN connection, for example IKEv1->IKEv2->IKEv1, keeps the xauthrsasig parameter.

It's not an unnecessary fix, that despite a change from the @IPFIRE:444 interface, it keeps the "xauthrsasig" record and writes the VPN connection configuration correctly.

The real question is who will use this improvement?

This is a first step towards XAUTH support, but you still have to want to take it.

On Thu, 12 Jul 2018 at 11:30, Michael Tremer <michael.tremer@ipfire.org> wrote:
> On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> > I present what I know that works. Since I haven't tested, but if you say so,
> > it's to be tested.
>
> I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.
>
> > I was forgetting, of course, xauth needs a login/password pair to declare in
> > ipsec.user.secret.
>
> This kind of renders the patch useless then if there is no way to set username
> and password. This could be added to the connection just like entering the PSK.
>
> Best,
> -Michael
>
> > On Tue, 10 Jul 2018 at 20:11, Tom Rymes <trymes@rymes.com> wrote:
> > > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
> > > don't they?
> > >
> > > Tom
> > >
> > > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > > Hi Michael,
> > > >
> > > > For it to work, you simply need to generate a Roadwarrior connection per
> > > > certificate. Then, change what is red, either replace cert by
> > > > xauthrsasig and put ikev1 instead of ikev2.
> > > >
> > > > [root@ipfire ~]# cat /var/ipfire/vpn/config
> > > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on,ikev1,120,30,off,start,900
> > > >
> > > > Here is the result in the file:
> > > >
> > > > conn Xiaomi
> > > > left=vpn.jbsky.fr
> > > > leftsubnet=192.168.0.0/24
> > > > leftfirewall=yes
> > > > lefthostaccess=yes
> > > > right=%any
> > > > leftcert=/var/ipfire/certs/hostcert.pem
> > > > rightcert=/var/ipfire/certs/Xiaomicert.pem
> > > > ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > > >
> > > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> > > > keyexchange=ikev1
> > > > ikelifetime=3h
> > > > keylife=1h
> > > > dpdaction=clear
> > > > dpddelay=30
> > > > dpdtimeout=120
> > > > authby=xauthrsasig
> > > > xauth=server
> > > > auto=add
> > > > rightsourceip=10.0.10.0/29
> > > > fragmentation=yes
> > > >
> > > > Why this patch? It allows to have a functional visual on VPN connections
> > > > in the vpnmain.cgi page. Everything that is iOS or Android works with
> > > > Xauth, you do not support this type of device.
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 378acb326..a5c50dbda 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -304,7 +304,7 @@ sub writeipsecfiles { } # Local Cert and Remote Cert (unless auth is DN dn-auth) - if ($lconfighash{$key}[4] eq 'cert') { + if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')) { print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); } @@ -408,7 +408,12 @@ sub writeipsecfiles { print SECRETS $psk_line; } print CONF "\tauthby=secret\n"; - } else { + } + elsif ($lconfighash{$key}[4] eq 'xauthrsasig') { + print CONF "\tauthby=xauthrsasig\n"; + print CONF "\txauth=server\n"; + } + else { print CONF "\tauthby=rsasig\n"; print CONF "\tleftrsasigkey=%cert\n"; print CONF "\trightrsasigkey=%cert\n"; @@ -2841,7 +2846,7 @@ END print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; if ($confighash{$key}[2] eq '%auth-dn') { print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; - } elsif ($confighash{$key}[4] eq 'cert') { + } elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) { print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; } else { print "<td align='left' $col> </td>"; @@ -2893,7 +2898,7 @@ END } else { print "<td width='2%' $col> </td>"; } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { + if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> 
@@ -2904,7 +2909,7 @@ END </td> END ; - } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { + } elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && ($confighash{$key}[2] ne '%auth-dn'))) { print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
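Review bot: in the @@ -304,7 hunk the new test `($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')` is the same expression that the later hunks at -2841, -2893 and -2904 repeat on `$confighash`, so adding a further certificate-based auth type would mean editing five places; factor it into one small helper that takes the auth value, for example `sub auth_uses_certs { my $auth = shift; return $auth eq 'cert' || $auth eq 'xauthrsasig'; }` (a suggested name, not one present in the file), and call it from every site. Spaces around `||` would also match the surrounding code style.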
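Review bot: in the @@ -408,7 hunk the new `elsif` branch writes `authby=xauthrsasig` and `xauth=server` to CONF but nothing to SECRETS, whereas the `authby=secret` branch just above it prints `$psk_line`; as the thread itself notes, XAUTH needs a username/password entry in the secrets file, so a connection produced by this code cannot finish authenticating until someone edits /etc/ipsec.user.secret.user by hand. Either write the XAUTH line from a field stored on the connection (the thread suggests handling it like the PSK) or state in the commit message that credential handling is deliberately out of scope. The `}` newline `elsif` layout also departs from the `} else {` brace style of the surrounding code.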
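Review bot: in the @@ -2841,7 hunk the context line prints `$Lang::tr{"$confighash{$key}[4]"}` as the auth-type label, so a connection with `xauthrsasig` in field 4 renders an empty label (and an uninitialized-value warning) unless a matching entry exists in the language files, which this patch does not touch; add the `xauthrsasig` lang entries in the same patch as the display change.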
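Review bot: in the @@ -2904,7 hunk the new condition repeats `$confighash{$key}[2] ne '%auth-dn'` once per auth type; `(($confighash{$key}[4] eq 'cert' || $confighash{$key}[4] eq 'xauthrsasig') && $confighash{$key}[2] ne '%auth-dn')` is equivalent and keeps the DN check in one place.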