
ipsec ikev2 multi usergroup roadwarrior configuration
Open, Requires assessment | Public | FEATURE REQUEST

Description

Hello,

Unfortunately, an IKEv2 roadwarrior configuration cannot be created with the CLI at the moment, because some strongSwan parameters are not configurable.

You get a working config with:

set vpn ipsec include-ipsec-conf 'path/to/ipsec.conf'
set vpn ipsec include-ipsec-secrets 'path/to/ipsec.secrets'

Unfortunately, you have to restart ipsec by hand if you change something in the included files.

Below is a working Apple iOS example. The CA is a Microsoft PKI; the iOS devices get user certificates with a CN that must match *@001.domain.tld and receive the IPsec configuration via an iOS profile.

ipsec.conf:

ca CACert
    cacert=/config/auth/ipsec/ca.cer
    crluri=/config/auth/ipsec/ca.pem
    auto=add

# shared settings; every user-group conn pulls these in via also=
conn ikev2-cert-template
    keyexchange=ikev2
    left=%any
    leftid=@server.domain.tld
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=eap-tls
    rightdns=10.166.253.11
    # issuer DN that client certificates must chain to (RDNs are comma-separated)
    rightca="DC=tld, DC=domain, CN=pki"
    eap_identity=%identity
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    # template only; the per-group conns below set auto=start
    auto=ignore

conn ikev2-vpn-10.215.1.0
    also=ikev2-cert-template
    rightid="*@001.domain.tld"
    rightsourceip=10.215.1.0/24
    auto=start

conn ikev2-vpn-10.215.2.0
    also=ikev2-cert-template
    rightid="*@002.domain.tld"
    rightsourceip=10.215.2.0/24
    auto=start

ipsec.secrets:

: RSA /config/auth/ipsec/server.key
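As an added example (not code from the task or from VyOS), the following Python snippet renders the multi-usergroup layout above from a list of groups: the shared template plus one auto=start conn per group, with a check that the address pools do not overlap and that each rightid is a *@domain wildcard. GROUPS, TEMPLATE, validate_groups and render_conns are assumed names; the group list is a constructed sample.

```python
import ipaddress

GROUPS = [  # constructed sample: the two user groups from the task above
    {"name": "ikev2-vpn-10.215.1.0", "rightid": "*@001.domain.tld", "pool": "10.215.1.0/24"},
    {"name": "ikev2-vpn-10.215.2.0", "rightid": "*@002.domain.tld", "pool": "10.215.2.0/24"},
]

# Shared settings; each group conn inherits them through also=.
TEMPLATE = """conn ikev2-cert-template
    keyexchange=ikev2
    left=%any
    leftid=@server.domain.tld
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=eap-tls
    rightca="DC=tld, DC=domain, CN=pki"
    eap_identity=%identity
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    auto=ignore
"""

def validate_groups(groups):
    """Return a list of problems: overlapping pools or a rightid that is not a *@domain wildcard."""
    problems = []
    pools = [ipaddress.ip_network(g["pool"]) for g in groups]
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.overlaps(b):
                problems.append(f"pools overlap: {a} and {b}")
    for r in (g["rightid"] for g in groups):
        if not r.startswith("*@") or "@" in r[2:]:
            problems.append(f"rightid is not a *@domain wildcard: {r}")
    return problems

def render_conns(groups):
    """Render the template plus one auto=start conn per group, as in the task's ipsec.conf."""
    if problems := validate_groups(groups):
        raise ValueError("; ".join(problems))
    parts = [TEMPLATE]
    for g in groups:
        parts.append(f'''conn {g["name"]}
    also=ikev2-cert-template
    rightid="{g["rightid"]}"
    rightsourceip={g["pool"]}
    auto=start
''')
    return "\n".join(parts)
```

The rendered text can be written to the file named in include-ipsec-conf; the restart-by-hand step from the task still applies afterwards.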

In some other Phabricator task @dmbaturin mentioned a rewrite of the IPsec config script. Maybe this can be done in the same task.

(T57, T264, T842)

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close

Event Timeline

rob created this task. Jul 29 2019, 8:26 PM
pasik added a subscriber: pasik. Jul 30 2019, 9:40 AM