[1/2] File modified : html/cgi-bin/vpnmain.cgi

Message ID 20180709200731.28762-1-blais.julien.30@gmail.com
State Dropped
Headers show
Series [1/2] File modified : html/cgi-bin/vpnmain.cgi | expand

Commit Message

Julien Blais July 10, 2018, 6:07 a.m. UTC
Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
By replacing cert with xauth in the 5th place option, the vpn connection is configured to support xauthrsasig, ikev1 is also to be changed manually in the file.
---
 html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

Comments

Michael Tremer July 11, 2018, 3:42 a.m. UTC | #1
Hello Julien?!,

thanks for submitting this patch.

Could you go into more detail about what this patch is doing and why you need
it?

Best,
-Michael

On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
> Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
> By replacing cert with xauth in the 5th place option, the vpn connection is
> configured to support xauthrsasig, ikev1 is also to be changed manually in the
> file.
> ---
>  html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 378acb326..a5c50dbda 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -304,7 +304,7 @@ sub writeipsecfiles {
>  		}
>  
>  		# Local Cert and Remote Cert (unless auth is DN dn-auth)
> -		if ($lconfighash{$key}[4] eq 'cert') {
> +		if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4]
> eq 'xauthrsasig')) {
>  			print CONF
> "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
>  			print CONF
> "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if
> ($lconfighash{$key}[2] ne '%auth-dn');
>  		}
> @@ -408,7 +408,12 @@ sub writeipsecfiles {
>  				print SECRETS $psk_line;
>  			}
>  			print CONF "\tauthby=secret\n";
> -		} else {
> +		}
> +		elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
> +			print CONF "\tauthby=xauthrsasig\n";
> +			print CONF "\txauth=server\n";
> +		} 
> +		else {
>  			print CONF "\tauthby=rsasig\n";
>  			print CONF "\tleftrsasigkey=%cert\n";
>  			print CONF "\trightrsasigkey=%cert\n";
> @@ -2841,7 +2846,7 @@ END
>  	print "<td align='center' nowrap='nowrap' $col>" .
> $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} .
> ") $confighash{$key}[29]</td>";
>  	if ($confighash{$key}[2] eq '%auth-dn') {
>  		print "<td align='left' nowrap='nowrap'
> $col>$confighash{$key}[9]</td>";
> -	} elsif ($confighash{$key}[4] eq 'cert') {
> +	} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> 'xauthrsasig')) {
>  		print "<td align='left' nowrap='nowrap'
> $col>$confighash{$key}[2]</td>";
>  	} else {
>  		print "<td align='left' $col>&nbsp;</td>";
> @@ -2893,7 +2898,7 @@ END
>  	} else {
>  		print "<td width='2%' $col>&nbsp;</td>";
>  	}
> -	if ($confighash{$key}[4] eq 'cert' && -f
> "${General::swroot}/certs/$confighash{$key}[1].p12") {
> +	if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
>  		print <<END
>  		<td align='center' $col>
>  		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> @@ -2904,7 +2909,7 @@ END
>  	</td>
>  END
>  ;
> -	} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne
> '%auth-dn')) {
> +	} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') &&
> ($confighash{$key}[2] ne '%auth-dn'))) {
>  		print <<END
>  		<td align='center' $col>
>  		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
Julien Blais July 11, 2018, 4:07 a.m. UTC | #2
Hi Michael,


For it to work, you simply need to generate a Roadwarrior connection per
certificate. Then, change what is red, either replace cert by xauthrsasiget
put ikev1 instead of ikev2.

[root@ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,
192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on
,ikev1,120,30,off,start,900

Here is the result in the file :

conn Xiaomi
        left=vpn.jbsky.fr
        leftsubnet=192.168.0.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        leftcert=/var/ipfire/certs/hostcert.pem
        rightcert=/var/ipfire/certs/Xiaomicert.pem
        ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!

esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
        keyexchange=ikev1
        ikelifetime=3h
        keylife=1h
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        authby=xauthrsasig
        xauth=server
        auto=add
        rightsourceip=10.0.10.0/29
        fragmentation=yes

Why this patch? it allows to have a functional visual on VPN connections in
the vpnmain.cgi page. Everything that is IOS or Android works with Xauth,
you do not support this type of device.

2018-07-10 19:42 GMT+02:00 Michael Tremer <michael.tremer@ipfire.org>:

> Hello Julien?!,
>
> thanks for submitting this patch.
>
> Could you go into more detail about what this patch is doing and why you
> need
> it?
>
> Best,
> -Michael
>
> On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
> > Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
> > By replacing cert with xauth in the 5th place option, the vpn connection
> is
> > configured to support xauthrsasig, ikev1 is also to be changed manually
> in the
> > file.
> > ---
> >  html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
> >  1 file changed, 10 insertions(+), 5 deletions(-)
> >
> > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> > index 378acb326..a5c50dbda 100644
> > --- a/html/cgi-bin/vpnmain.cgi
> > +++ b/html/cgi-bin/vpnmain.cgi
> > @@ -304,7 +304,7 @@ sub writeipsecfiles {
> >               }
> >
> >               # Local Cert and Remote Cert (unless auth is DN dn-auth)
> > -             if ($lconfighash{$key}[4] eq 'cert') {
> > +             if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[
> 4]
> > eq 'xauthrsasig')) {
> >                       print CONF
> > "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
> >                       print CONF
> > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n"
> if
> > ($lconfighash{$key}[2] ne '%auth-dn');
> >               }
> > @@ -408,7 +408,12 @@ sub writeipsecfiles {
> >                               print SECRETS $psk_line;
> >                       }
> >                       print CONF "\tauthby=secret\n";
> > -             } else {
> > +             }
> > +             elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
> > +                     print CONF "\tauthby=xauthrsasig\n";
> > +                     print CONF "\txauth=server\n";
> > +             }
> > +             else {
> >                       print CONF "\tauthby=rsasig\n";
> >                       print CONF "\tleftrsasigkey=%cert\n";
> >                       print CONF "\trightrsasigkey=%cert\n";
> > @@ -2841,7 +2846,7 @@ END
> >       print "<td align='center' nowrap='nowrap' $col>" .
> > $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"}
> .
> > ") $confighash{$key}[29]</td>";
> >       if ($confighash{$key}[2] eq '%auth-dn') {
> >               print "<td align='left' nowrap='nowrap'
> > $col>$confighash{$key}[9]</td>";
> > -     } elsif ($confighash{$key}[4] eq 'cert') {
> > +     } elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> > 'xauthrsasig')) {
> >               print "<td align='left' nowrap='nowrap'
> > $col>$confighash{$key}[2]</td>";
> >       } else {
> >               print "<td align='left' $col>&nbsp;</td>";
> > @@ -2893,7 +2898,7 @@ END
> >       } else {
> >               print "<td width='2%' $col>&nbsp;</td>";
> >       }
> > -     if ($confighash{$key}[4] eq 'cert' && -f
> > "${General::swroot}/certs/$confighash{$key}[1].p12") {
> > +     if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> > 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12")
> {
> >               print <<END
> >               <td align='center' $col>
> >               <form method='post' action='$ENV{'SCRIPT_NAME'}'>
> > @@ -2904,7 +2909,7 @@ END
> >       </td>
> >  END
> >  ;
> > -     } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> ne
> > '%auth-dn')) {
> > +     } elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> > ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') &&
> > ($confighash{$key}[2] ne '%auth-dn'))) {
> >               print <<END
> >               <td align='center' $col>
> >               <form method='post' action='$ENV{'SCRIPT_NAME'}'>
>
<div dir="ltr"><div>Hi Michael,</div><div><br></div><div><br>For it to work, you simply need to generate a Roadwarrior connection per certificate. Then, change what is red, either replace cert by xauthrsasiget put ikev1 instead of ikev2.</div><div>
<div><br></div><div>[root@ipfire ~]# cat /var/ipfire/vpn/config<br></div><div>2,on,Xiaomi,Xiaomi,host,<span style="background-color:rgb(255,0,0)">xauthrsasig</span>,,off,,<a href="http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on">192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on</a>,<span style="background-color:rgb(255,0,0)">ikev1</span>,120,30,off,start,900<br></div>

</div><div><br></div><div>Here is the result in the file :</div><div><br></div><div>conn Xiaomi<br>        left=<a href="http://vpn.jbsky.fr">vpn.jbsky.fr</a><br>        leftsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a><br>        leftfirewall=yes<br>        lefthostaccess=yes<br>        right=%any<br>        leftcert=/var/ipfire/certs/hostcert.pem<br>        rightcert=/var/ipfire/certs/Xiaomicert.pem<br>        ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!<br>        esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!<br>        keyexchange=ikev1<br>        ikelifetime=3h<br>        keylife=1h<br>        dpdaction=clear<br>        dpddelay=30<br>        dpdtimeout=120<br>        authby=xauthrsasig<br>        xauth=server<br>        auto=add<br>        rightsourceip=<a href="http://10.0.10.0/29">10.0.10.0/29</a><br>        fragmentation=yes<br><br>Why this patch? it allows to have a functional visual on VPN connections in the vpnmain.cgi page. Everything that is IOS or Android works with Xauth, you do not support this type of device.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-07-10 19:42 GMT+02:00 Michael Tremer <span dir="ltr">&lt;<a href="mailto:michael.tremer@ipfire.org" target="_blank">michael.tremer@ipfire.org</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Julien?!,<br>
<br>
thanks for submitting this patch.<br>
<br>
Could you go into more detail about what this patch is doing and why you need<br>
it?<br>
<br>
Best,<br>
-Michael<br>
<div class="HOEnZb"><div class="h5"><br>
On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:<br>
&gt; Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.<br>
&gt; By replacing cert with xauth in the 5th place option, the vpn connection is<br>
&gt; configured to support xauthrsasig, ikev1 is also to be changed manually in the<br>
&gt; file.<br>
&gt; ---<br>
&gt;  html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----<br>
&gt;  1 file changed, 10 insertions(+), 5 deletions(-)<br>
&gt; <br>
&gt; diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi<br>
&gt; index 378acb326..a5c50dbda 100644<br>
&gt; --- a/html/cgi-bin/vpnmain.cgi<br>
&gt; +++ b/html/cgi-bin/vpnmain.cgi<br>
&gt; @@ -304,7 +304,7 @@ sub writeipsecfiles {<br>
&gt;               }<br>
&gt;  <br>
&gt;               # Local Cert and Remote Cert (unless auth is DN dn-auth)<br>
&gt; -             if ($lconfighash{$key}[4] eq &#39;cert&#39;) {<br>
&gt; +             if (($lconfighash{$key}[4] eq &#39;cert&#39;)||($lconfighash{$key}[<wbr>4]<br>
&gt; eq &#39;xauthrsasig&#39;)) {<br>
&gt;                       print CONF<br>
&gt; &quot;\tleftcert=${General::swroot}<wbr>/certs/hostcert.pem\n&quot;;<br>
&gt;                       print CONF<br>
&gt; &quot;\trightcert=${General::<wbr>swroot}/certs/$lconfighash{$<wbr>key}[1]cert.pem\n&quot; if<br>
&gt; ($lconfighash{$key}[2] ne &#39;%auth-dn&#39;);<br>
&gt;               }<br>
&gt; @@ -408,7 +408,12 @@ sub writeipsecfiles {<br>
&gt;                               print SECRETS $psk_line;<br>
&gt;                       }<br>
&gt;                       print CONF &quot;\tauthby=secret\n&quot;;<br>
&gt; -             } else {<br>
&gt; +             }<br>
&gt; +             elsif ($lconfighash{$key}[4] eq &#39;xauthrsasig&#39;) {<br>
&gt; +                     print CONF &quot;\tauthby=xauthrsasig\n&quot;;<br>
&gt; +                     print CONF &quot;\txauth=server\n&quot;;<br>
&gt; +             } <br>
&gt; +             else {<br>
&gt;                       print CONF &quot;\tauthby=rsasig\n&quot;;<br>
&gt;                       print CONF &quot;\tleftrsasigkey=%cert\n&quot;;<br>
&gt;                       print CONF &quot;\trightrsasigkey=%cert\n&quot;;<br>
&gt; @@ -2841,7 +2846,7 @@ END<br>
&gt;       print &quot;&lt;td align=&#39;center&#39; nowrap=&#39;nowrap&#39; $col&gt;&quot; .<br>
&gt; $Lang::tr{&quot;$confighash{$key}[<wbr>3]&quot;} . &quot; (&quot; . $Lang::tr{&quot;$confighash{$key}[<wbr>4]&quot;} .<br>
&gt; &quot;) $confighash{$key}[29]&lt;/td&gt;&quot;;<br>
&gt;       if ($confighash{$key}[2] eq &#39;%auth-dn&#39;) {<br>
&gt;               print &quot;&lt;td align=&#39;left&#39; nowrap=&#39;nowrap&#39;<br>
&gt; $col&gt;$confighash{$key}[9]&lt;/td&gt;<wbr>&quot;;<br>
&gt; -     } elsif ($confighash{$key}[4] eq &#39;cert&#39;) {<br>
&gt; +     } elsif (($confighash{$key}[4] eq &#39;cert&#39;)||($confighash{$key}[4] eq<br>
&gt; &#39;xauthrsasig&#39;)) {<br>
&gt;               print &quot;&lt;td align=&#39;left&#39; nowrap=&#39;nowrap&#39;<br>
&gt; $col&gt;$confighash{$key}[2]&lt;/td&gt;<wbr>&quot;;<br>
&gt;       } else {<br>
&gt;               print &quot;&lt;td align=&#39;left&#39; $col&gt;&amp;nbsp;&lt;/td&gt;&quot;;<br>
&gt; @@ -2893,7 +2898,7 @@ END<br>
&gt;       } else {<br>
&gt;               print &quot;&lt;td width=&#39;2%&#39; $col&gt;&amp;nbsp;&lt;/td&gt;&quot;;<br>
&gt;       }<br>
&gt; -     if ($confighash{$key}[4] eq &#39;cert&#39; &amp;&amp; -f<br>
&gt; &quot;${General::swroot}/certs/$<wbr>confighash{$key}[1].p12&quot;) {<br>
&gt; +     if ((($confighash{$key}[4] eq &#39;cert&#39;)||($confighash{$key}[4] eq<br>
&gt; &#39;xauthrsasig&#39;)) &amp;&amp; -f &quot;${General::swroot}/certs/$<wbr>confighash{$key}[1].p12&quot;) {<br>
&gt;               print &lt;&lt;END<br>
&gt;               &lt;td align=&#39;center&#39; $col&gt;<br>
&gt;               &lt;form method=&#39;post&#39; action=&#39;$ENV{&#39;SCRIPT_NAME&#39;}&#39;&gt;<br>
&gt; @@ -2904,7 +2909,7 @@ END<br>
&gt;       &lt;/td&gt;<br>
&gt;  END<br>
&gt;  ;<br>
&gt; -     } elsif (($confighash{$key}[4] eq &#39;cert&#39;) &amp;&amp; ($confighash{$key}[2] ne<br>
&gt; &#39;%auth-dn&#39;)) {<br>
&gt; +     } elsif ((($confighash{$key}[4] eq &#39;cert&#39;) &amp;&amp; ($confighash{$key}[2]<br>
&gt; ne &#39;%auth-dn&#39;))||(($confighash{$<wbr>key}[4] eq &#39;xauthrsasig&#39;) &amp;&amp;<br>
&gt; ($confighash{$key}[2] ne &#39;%auth-dn&#39;))) {<br>
&gt;               print &lt;&lt;END<br>
&gt;               &lt;td align=&#39;center&#39; $col&gt;<br>
&gt;               &lt;form method=&#39;post&#39; action=&#39;$ENV{&#39;SCRIPT_NAME&#39;}&#39;&gt;<br>
</div></div></blockquote></div><br></div>
Tom Rymes July 11, 2018, 4:11 a.m. UTC | #3
If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, 
don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
> 
> 
> For it to work, you simply need to generate a Roadwarrior connection per 
> certificate. Then, change what is red, either replace cert by 
> xauthrsasiget put ikev1 instead of ikev2.
> 
> [root@ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on 
> <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120,30,off,start,900
> 
> Here is the result in the file :
> 
> conn Xiaomi
>          left=vpn.jbsky.fr <http://vpn.jbsky.fr>
>          leftsubnet=192.168.0.0/24 <http://192.168.0.0/24>
>          leftfirewall=yes
>          lefthostaccess=yes
>          right=%any
>          leftcert=/var/ipfire/certs/hostcert.pem
>          rightcert=/var/ipfire/certs/Xiaomicert.pem
>          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
>          
> esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
>          keyexchange=ikev1
>          ikelifetime=3h
>          keylife=1h
>          dpdaction=clear
>          dpddelay=30
>          dpdtimeout=120
>          authby=xauthrsasig
>          xauth=server
>          auto=add
>          rightsourceip=10.0.10.0/29 <http://10.0.10.0/29>
>          fragmentation=yes
> 
> Why this patch? it allows to have a functional visual on VPN connections 
> in the vpnmain.cgi page. Everything that is IOS or Android works with 
> Xauth, you do not support this type of device.
Julien Blais July 11, 2018, 4:17 a.m. UTC | #4
I present what I know that works. Since I haven't tested, but if you say
so, it's to be tested. I was forgetting, of course, xauth needs a
login/password pair to declare in ipsec.user.secret.

Le mar. 10 juil. 2018 à 20:11, Tom Rymes <trymes@rymes.com> a écrit :

> If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
> don't they?
>
> Tom
>
> On 07/10/2018 2:07 PM, Julien Blais wrote:
> > Hi Michael,
> >
> >
> > For it to work, you simply need to generate a Roadwarrior connection per
> > certificate. Then, change what is red, either replace cert by
> > xauthrsasiget put ikev1 instead of ikev2.
> >
> > [root@ipfire ~]# cat /var/ipfire/vpn/config
> > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,
> 192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on
> <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>
> > <
> http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on
> >,ikev1,120,30,off,start,900
> >
> > Here is the result in the file :
> >
> > conn Xiaomi
> >          left=vpn.jbsky.fr <http://vpn.jbsky.fr>
> >          leftsubnet=192.168.0.0/24 <http://192.168.0.0/24>
> >          leftfirewall=yes
> >          lefthostaccess=yes
> >          right=%any
> >          leftcert=/var/ipfire/certs/hostcert.pem
> >          rightcert=/var/ipfire/certs/Xiaomicert.pem
> >          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> >
> > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> >          keyexchange=ikev1
> >          ikelifetime=3h
> >          keylife=1h
> >          dpdaction=clear
> >          dpddelay=30
> >          dpdtimeout=120
> >          authby=xauthrsasig
> >          xauth=server
> >          auto=add
> >          rightsourceip=10.0.10.0/29 <http://10.0.10.0/29>
> >          fragmentation=yes
> >
> > Why this patch? it allows to have a functional visual on VPN connections
> > in the vpnmain.cgi page. Everything that is IOS or Android works with
> > Xauth, you do not support this type of device.
>
>
>
>
<div dir="auto"><span style="margin:0px;padding:0px;color:rgb(27,30,37);font-family:roboto,sans-serif;font-size:16px;white-space:pre-wrap;background-color:rgb(248,248,248)">I present what I know that works.  Since I haven&#39;t tested, but if you say so, it&#39;s to be tested. 
 




I was forgetting, of course, xauth needs a login/password pair to declare in ipsec.user.secret.</span><div style="margin:0px;padding:0px;color:rgb(27,30,37);font-family:roboto,sans-serif;font-size:16px;white-space:pre-wrap;background-color:rgb(248,248,248);display:inline-block;width:25px;height:10px" dir="auto"></div></div><br><div class="gmail_quote"><div dir="ltr">Le mar. 10 juil. 2018 à 20:11, Tom Rymes &lt;<a href="mailto:trymes@rymes.com">trymes@rymes.com</a>&gt; a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, <br>
don&#39;t they?<br>
<br>
Tom<br>
<br>
On 07/10/2018 2:07 PM, Julien Blais wrote:<br>
&gt; Hi Michael,<br>
&gt; <br>
&gt; <br>
&gt; For it to work, you simply need to generate a Roadwarrior connection per <br>
&gt; certificate. Then, change what is red, either replace cert by <br>
&gt; xauthrsasiget put ikev1 instead of ikev2.<br>
&gt; <br>
&gt; [root@ipfire ~]# cat /var/ipfire/vpn/config<br>
&gt; 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,<a href="http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on" rel="noreferrer noreferrer" target="_blank">192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none,on,,,clear,on</a> <br>
&gt; &lt;<a href="http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on" rel="noreferrer noreferrer" target="_blank">http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on</a>&gt;,ikev1,120,30,off,start,900<br>
&gt; <br>
&gt; Here is the result in the file :<br>
&gt; <br>
&gt; conn Xiaomi<br>
&gt;          left=<a href="http://vpn.jbsky.fr" rel="noreferrer noreferrer" target="_blank">vpn.jbsky.fr</a> &lt;<a href="http://vpn.jbsky.fr" rel="noreferrer noreferrer" target="_blank">http://vpn.jbsky.fr</a>&gt;<br>
&gt;          leftsubnet=<a href="http://192.168.0.0/24" rel="noreferrer noreferrer" target="_blank">192.168.0.0/24</a> &lt;<a href="http://192.168.0.0/24" rel="noreferrer noreferrer" target="_blank">http://192.168.0.0/24</a>&gt;<br>
&gt;          leftfirewall=yes<br>
&gt;          lefthostaccess=yes<br>
&gt;          right=%any<br>
&gt;          leftcert=/var/ipfire/certs/hostcert.pem<br>
&gt;          rightcert=/var/ipfire/certs/Xiaomicert.pem<br>
&gt;          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!<br>
&gt;          <br>
&gt; esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!<br>
&gt;          keyexchange=ikev1<br>
&gt;          ikelifetime=3h<br>
&gt;          keylife=1h<br>
&gt;          dpdaction=clear<br>
&gt;          dpddelay=30<br>
&gt;          dpdtimeout=120<br>
&gt;          authby=xauthrsasig<br>
&gt;          xauth=server<br>
&gt;          auto=add<br>
&gt;          rightsourceip=<a href="http://10.0.10.0/29" rel="noreferrer noreferrer" target="_blank">10.0.10.0/29</a> &lt;<a href="http://10.0.10.0/29" rel="noreferrer noreferrer" target="_blank">http://10.0.10.0/29</a>&gt;<br>
&gt;          fragmentation=yes<br>
&gt; <br>
&gt; Why this patch? it allows to have a functional visual on VPN connections <br>
&gt; in the vpnmain.cgi page. Everything that is IOS or Android works with <br>
&gt; Xauth, you do not support this type of device.<br>
<br>
<br>
<br>
</blockquote></div>
Michael Tremer July 12, 2018, 7:30 p.m. UTC | #5
On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> I present what I know that works.  Since I haven't tested, but if you say so,
> it's to be tested. 

I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.

> I was forgetting, of course, xauth needs a login/password pair to declare in
> ipsec.user.secret.

This kind of renders the patch useless then if there is no way to set username
and password. This could be added to the connection just like entering the PSK.

Best,
-Michael

> Le mar. 10 juil. 2018 à 20:11, Tom Rymes <trymes@rymes.com> a écrit :
> > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, 
> > don't they?
> > 
> > Tom
> > 
> > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > Hi Michael,
> > > 
> > > 
> > > For it to work, you simply need to generate a Roadwarrior connection per 
> > > certificate. Then, change what is red, either replace cert by 
> > > xauthrsasiget put ikev1 instead of ikev2.
> > > 
> > > [root@ipfire ~]# cat /var/ipfire/vpn/config
> > >
> > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0.
> > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none
> > ,on,,,clear,on 
> > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha
> > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120,
> > 30,off,start,900
> > > 
> > > Here is the result in the file :
> > > 
> > > conn Xiaomi
> > >          left=vpn.jbsky.fr <http://vpn.jbsky.fr>
> > >          leftsubnet=192.168.0.0/24 <http://192.168.0.0/24>
> > >          leftfirewall=yes
> > >          lefthostaccess=yes
> > >          right=%any
> > >          leftcert=/var/ipfire/certs/hostcert.pem
> > >          rightcert=/var/ipfire/certs/Xiaomicert.pem
> > >          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > >          
> > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> > >          keyexchange=ikev1
> > >          ikelifetime=3h
> > >          keylife=1h
> > >          dpdaction=clear
> > >          dpddelay=30
> > >          dpdtimeout=120
> > >          authby=xauthrsasig
> > >          xauth=server
> > >          auto=add
> > >          rightsourceip=10.0.10.0/29 <http://10.0.10.0/29>
> > >          fragmentation=yes
> > > 
> > > Why this patch? it allows to have a functional visual on VPN connections 
> > > in the vpnmain.cgi page. Everything that is IOS or Android works with 
> > > Xauth, you do not support this type of device.
> > 
> > 
> >
Julien Blais July 12, 2018, 9:32 p.m. UTC | #6
I tested with ikev2, unfortunately, it doesn't work.

Jul 10 22:33:58 ipfire charon: 13[IKE] no IKE config found for IP1...IP2
sending NO_PROPOSAL_CHOSEN


I remind you that you have a page dedicated to this type of connection,
here I can read IKEv1. :)
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_android
As a reminder, the configuration to put in the file
/etc/ipsec.user.secret.user

cat /etc/ipsec.user.secret.user
Xiaomi : XAUTH "PASSWORD"
To apply the idea I propose, you need to know how to use the Bash, and add
a login/password data set, it's as easy as modifying in the vpn config file.

I wish to highlight one positive point, by going through the @ipfire:444
frontend, changing the options of a VPN connection, example
IKEv1->IKEv2->IKEv1, keeps the xauthrsasig parameter.

It's not an unnecessary fix, that despite a change from the @IPFIRE:444
interface, it keeps the "xauthrsasig" record and writes the VPN connection
configuration correctly.

The real question is who will use this improvement?

This is a first step towards XAUTH support, but you still have to want to
take it.

Le jeu. 12 juil. 2018 à 11:30, Michael Tremer <michael.tremer@ipfire.org> a
écrit :

> On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> > I present what I know that works.  Since I haven't tested, but if you
> say so,
> > it's to be tested.
>
> I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.
>
> > I was forgetting, of course, xauth needs a login/password pair to
> declare in
> > ipsec.user.secret.
>
> This kind of renders the patch useless then if there is no way to set
> username
> and password. This could be added to the connection just like entering the
> PSK.
>
> Best,
> -Michael
>
> > Le mar. 10 juil. 2018 à 20:11, Tom Rymes <trymes@rymes.com> a écrit :
> > > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
> > > don't they?
> > >
> > > Tom
> > >
> > > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > > Hi Michael,
> > > >
> > > >
> > > > For it to work, you simply need to generate a Roadwarrior connection
> per
> > > > certificate. Then, change what is red, either replace cert by
> > > > xauthrsasiget put ikev1 instead of ikev2.
> > > >
> > > > [root@ipfire ~]# cat /var/ipfire/vpn/config
> > > >
> > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.
> 0/255.255.255.0,,,10.0.
> > > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_
> 512,1024|768|none
> > > ,on,,,clear,on
> > > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,
> off,3,1,aes256,sha
> > > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,
> clear,on>,ikev1,120,
> > > 30,off,start,900
> > > >
> > > > Here is the result in the file :
> > > >
> > > > conn Xiaomi
> > > >          left=vpn.jbsky.fr <http://vpn.jbsky.fr>
> > > >          leftsubnet=192.168.0.0/24 <http://192.168.0.0/24>
> > > >          leftfirewall=yes
> > > >          lefthostaccess=yes
> > > >          right=%any
> > > >          leftcert=/var/ipfire/certs/hostcert.pem
> > > >          rightcert=/var/ipfire/certs/Xiaomicert.pem
> > > >          ike=aes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > > >
> > > > esp=aes256-sha2_512-modp1024,aes256-sha2_512-modp768,
> aes256-sha2_512!
> > > >          keyexchange=ikev1
> > > >          ikelifetime=3h
> > > >          keylife=1h
> > > >          dpdaction=clear
> > > >          dpddelay=30
> > > >          dpdtimeout=120
> > > >          authby=xauthrsasig
> > > >          xauth=server
> > > >          auto=add
> > > >          rightsourceip=10.0.10.0/29 <http://10.0.10.0/29>
> > > >          fragmentation=yes
> > > >
> > > > Why this patch? it allows to have a functional visual on VPN
> connections
> > > > in the vpnmain.cgi page. Everything that is IOS or Android works
> with
> > > > Xauth, you do not support this type of device.
> > >
> > >
> > >
>
<div dir="ltr"><div dir="auto"><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif">I tested with ikev2, unfortunately, it doesn&#39;t work.</span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif">Jul 10 22:33:58 ipfire charon: 13[IKE] no IKE config found for IP1...IP2 sending NO_PROPOSAL_CHOSEN</span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif">
<div><font size="2" face="roboto, sans-serif" color="#1b1e25"><span style="white-space:pre-wrap"><br></span></font></div><div><font size="2" face="roboto, sans-serif" color="#1b1e25"><span style="white-space:pre-wrap">I remind you that you have a page dedicated to this type of connection, here I can read IKEv1. :)<br></span></font></div><div><font size="2" face="roboto, sans-serif" color="#1b1e25"><span style="white-space:pre-wrap"></span></font><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"><font size="2"><a href="https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_android">https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_android</a></font></span></font></div><div><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"><font size="2"></font></span></font></div><div><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"><font size="2">
<div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif">As a reminder, the configuration to put in the file <font size="2"><span style="font-family:arial,helvetica,sans-serif">/etc/ipsec.user.secret.user</span></font></span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="2"><span style="font-family:arial,helvetica,sans-serif"></span></font>cat /etc/ipsec.user.secret.user<br>Xiaomi : XAUTH &quot;PASSWORD&quot;</span></font><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"><br></span></font></div></font></span></font></div><div dir="auto"><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"><font size="2">
<div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(27,30,37);white-space:pre-wrap;background-color:rgb(248,248,248)">To apply the idea I propose, you need to know how to use the Bash, and add a login/password data set, it&#39;s as easy as modifying in the vpn config file.</span></span></font></div><div dir="auto"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(27,30,37);white-space:pre-wrap;background-color:rgb(248,248,248)"></span></span></font><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></div><div dir="auto"><font color="#1b1e25"><span style="font-family:arial,helvetica,sans-serif">I wish to highlight one positive point, by going through the @ipfire:444 frontend, changing the options of a VPN connection, example IKEv1-&gt;IKEv2-&gt;IKEv1, keeps the xauthrsasig parameter.</span><font face="roboto, sans-serif"><br></font></font></div><div dir="auto"><font color="#1b1e25"><font face="roboto, sans-serif"><br></font></font></div><div dir="auto"><font color="#1b1e25"><font face="roboto, sans-serif">It&#39;s not an unnecessary fix, that despite a change from the @IPFIRE:444 interface, it keeps the &quot;xauthrsasig&quot; record and writes the VPN connection configuration correctly.</font></font><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"></span></font></div></font></span></font><div><br><font face="roboto, sans-serif" color="#1b1e25"><span style="font-size:16px;white-space:pre-wrap"></span></font></div><div><font size="2" face="roboto, sans-serif" color="#1b1e25"><span style="white-space:pre-wrap">The real question is who will use this improvement?</span></font></div><div><font size="2" face="roboto, sans-serif" color="#1b1e25"><span style="white-space:pre-wrap"><br></span></font></div></div><div dir="auto">This is a first step towards XAUTH support, but you still have to want to take it.<br></div></span></font></div></div><br><div class="gmail_quote"><div dir="ltr">Le jeu. 12 juil. 2018 à 11:30, Michael Tremer &lt;<a href="mailto:michael.tremer@ipfire.org" target="_blank">michael.tremer@ipfire.org</a>&gt; a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:<br>
&gt; I present what I know that works.  Since I haven&#39;t tested, but if you say so,<br>
&gt; it&#39;s to be tested. <br>
<br>
I suppose setting rightauth=xauth should work for IKEv2 as well as IKEv1.<br>
<br>
&gt; I was forgetting, of course, xauth needs a login/password pair to declare in<br>
&gt; ipsec.user.secret.<br>
<br>
This kind of renders the patch useless then if there is no way to set username<br>
and password. This could be added to the connection just like entering the PSK.<br>
<br>
Best,<br>
-Michael<br>
<br>
&gt; Le mar. 10 juil. 2018 à 20:11, Tom Rymes &lt;<a href="mailto:trymes@rymes.com" rel="noreferrer" target="_blank">trymes@rymes.com</a>&gt; a écrit :<br>
&gt; &gt; If I may ask, why IKEv1? Modern iOS and Android both support IKEv2, <br>
&gt; &gt; don&#39;t they?<br>
&gt; &gt; <br>
&gt; &gt; Tom<br>
&gt; &gt; <br>
&gt; &gt; On 07/10/2018 2:07 PM, Julien Blais wrote:<br>
&gt; &gt; &gt; Hi Michael,<br>
&gt; &gt; &gt; <br>
&gt; &gt; &gt; <br>
&gt; &gt; &gt; For it to work, you simply need to generate a Roadwarrior connection per <br>
&gt; &gt; &gt; certificate. Then, change what is red, either replace cert by <br>
&gt; &gt; &gt; xauthrsasiget put ikev1 instead of ikev2.<br>
&gt; &gt; &gt; <br>
&gt; &gt; &gt; [root@ipfire ~]# cat /var/ipfire/vpn/config<br>
&gt; &gt; &gt;<br>
&gt; &gt; 2,on,Xiaomi,Xiaomi,host,<wbr>xauthrsasig,,off,,<a href="http://192.168.10.0/255.255.255.0,,,10.0" rel="noreferrer noreferrer" target="_blank">192.168.10.<wbr>0/255.255.255.0,,,10.0</a>.<br>
&gt; &gt; 10.0/29,off,,,off,3,1,aes256,<wbr>sha2_512,1024|768,aes256,sha2_<wbr>512,1024|768|none<br>
&gt; &gt; ,on,,,clear,on <br>
&gt; &gt; &gt; &lt;<a href="http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha" rel="noreferrer noreferrer" target="_blank">http://192.168.10.0/255.255.<wbr>255.0,,,10.0.10.0/29,off,,,<wbr>off,3,1,aes256,sha</a><br>
&gt; &gt; 2_512,1024%7C768,aes256,sha2_<wbr>512,1024%7C768%7Cnone,on,,,<wbr>clear,on&gt;,ikev1,120,<br>
&gt; &gt; 30,off,start,900<br>
&gt; &gt; &gt; <br>
&gt; &gt; &gt; Here is the result in the file :<br>
&gt; &gt; &gt; <br>
&gt; &gt; &gt; conn Xiaomi<br>
&gt; &gt; &gt;          left=<a href="http://vpn.jbsky.fr" rel="noreferrer noreferrer" target="_blank">vpn.jbsky.fr</a> &lt;<a href="http://vpn.jbsky.fr" rel="noreferrer noreferrer" target="_blank">http://vpn.jbsky.fr</a>&gt;<br>
&gt; &gt; &gt;          leftsubnet=<a href="http://192.168.0.0/24" rel="noreferrer noreferrer" target="_blank">192.168.0.0/24</a> &lt;<a href="http://192.168.0.0/24" rel="noreferrer noreferrer" target="_blank">http://192.168.0.0/24</a>&gt;<br>
&gt; &gt; &gt;          leftfirewall=yes<br>
&gt; &gt; &gt;          lefthostaccess=yes<br>
&gt; &gt; &gt;          right=%any<br>
&gt; &gt; &gt;          leftcert=/var/ipfire/certs/<wbr>hostcert.pem<br>
&gt; &gt; &gt;          rightcert=/var/ipfire/certs/<wbr>Xiaomicert.pem<br>
&gt; &gt; &gt;          ike=aes256-sha2_512-modp1024,<wbr>aes256-sha2_512-modp768!<br>
&gt; &gt; &gt;          <br>
&gt; &gt; &gt; esp=aes256-sha2_512-modp1024,<wbr>aes256-sha2_512-modp768,<wbr>aes256-sha2_512!<br>
&gt; &gt; &gt;          keyexchange=ikev1<br>
&gt; &gt; &gt;          ikelifetime=3h<br>
&gt; &gt; &gt;          keylife=1h<br>
&gt; &gt; &gt;          dpdaction=clear<br>
&gt; &gt; &gt;          dpddelay=30<br>
&gt; &gt; &gt;          dpdtimeout=120<br>
&gt; &gt; &gt;          authby=xauthrsasig<br>
&gt; &gt; &gt;          xauth=server<br>
&gt; &gt; &gt;          auto=add<br>
&gt; &gt; &gt;          rightsourceip=<a href="http://10.0.10.0/29" rel="noreferrer noreferrer" target="_blank">10.0.10.0/29</a> &lt;<a href="http://10.0.10.0/29" rel="noreferrer noreferrer" target="_blank">http://10.0.10.0/29</a>&gt;<br>
&gt; &gt; &gt;          fragmentation=yes<br>
&gt; &gt; &gt; <br>
&gt; &gt; &gt; Why this patch? it allows to have a functional visual on VPN connections <br>
&gt; &gt; &gt; in the vpnmain.cgi page. Everything that is IOS or Android works with <br>
&gt; &gt; &gt; Xauth, you do not support this type of device.<br>
&gt; &gt; <br>
&gt; &gt; <br>
&gt; &gt; <br>
</blockquote></div>
</div>

Patch

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 378acb326..a5c50dbda 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -304,7 +304,7 @@  sub writeipsecfiles {
 		}
 
 		# Local Cert and Remote Cert (unless auth is DN dn-auth)
-		if ($lconfighash{$key}[4] eq 'cert') {
+		if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsasig')) {
 			print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
 			print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
 		}
@@ -408,7 +408,12 @@  sub writeipsecfiles {
 				print SECRETS $psk_line;
 			}
 			print CONF "\tauthby=secret\n";
-		} else {
+		}
+		elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
+			print CONF "\tauthby=xauthrsasig\n";
+			print CONF "\txauth=server\n";
+		} 
+		else {
 			print CONF "\tauthby=rsasig\n";
 			print CONF "\tleftrsasigkey=%cert\n";
 			print CONF "\trightrsasigkey=%cert\n";
@@ -2841,7 +2846,7 @@  END
 	print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
 	if ($confighash{$key}[2] eq '%auth-dn') {
 		print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
-	} elsif ($confighash{$key}[4] eq 'cert') {
+	} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) {
 		print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>";
 	} else {
 		print "<td align='left' $col>&nbsp;</td>";
@@ -2893,7 +2898,7 @@  END
 	} else {
 		print "<td width='2%' $col>&nbsp;</td>";
 	}
-	if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
+	if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
 		print <<END
 		<td align='center' $col>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -2904,7 +2909,7 @@  END
 	</td>
 END
 ;
-	} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
+	} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && ($confighash{$key}[2] ne '%auth-dn'))) {
 		print <<END
 		<td align='center' $col>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>