Page MenuHomeVyOS Platform
Create Task
Maniphest T1549

ipsec ikev2 multi usergroup roadwarrior configuration
Not ApplicablePublicFEATURE REQUEST
Actions

Description

Hello,

unfortunately a ike2 roadwarrior configuration cannot be created with the cli at the moment, because some strongswan parameters are not configurable.

you get a working config with:

set vpn ipsec include-ipsec-conf 'path/to/ipsec.conf'
set vpn ipsec include-ipsec-secrets 'path/to/ipsec.secrets'

to run. unfortunately you have to restart ipsec by hand if you change something in the files.

in the below example there is a working Apple iOS example. The CA is a Microsoft Pki, the iOS Devices get User Certificates with a CN that must match *@001.domain.tld and get the ipsec conf via iOS Profile.

ipsec.conf:

ca CACert
    cacert=/config/auth/ipsec/ca.cer
    crluri=/config/auth/ipsec/ca.pem
    auto=add

conn ikev2-cert-template
 leftcert=server.crt
 leftid="server.domain.tld"
 auto=add
 keyexchange=ikev2
 left=%any
 leftid=@server.domain.tld
 leftsendcert=always
 leftsubnet=0.0.0.0/0
 leftauth=pubkey
 right=%any
 rightauth=eap-tls
 rightdns=10.166.253.11
 rightca="DC=tld DC=domain, CN=pki"
 eap_identity=%identity
 esp=aes256-sha256,aes256-sha1,3des-sha1!
 auto=ignore 

conn ikev2-vpn-10.215.1.0
 also=ikev2-cert-template
 rightid="*@001.domain.tld"
 rightsourceip=10.215.1.0/24
 auto=start 

conn ikev2-vpn-10.215.2.0
 also=ikev2-cert-template
 rightid="*@002.domain.tld"
 rightsourceip=10.215.2.0/24
 auto=start

ipsec.secrets:

: RSA /config/auth/ipsec/server.key

in some other phabricator Task @dmbaturin mention a write of the ipsec config script. Maybe this can be done in the same task

(T57, T264, T842)

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedsarthurdevT2816 Rewrite IPsec scripts with the new XML/Python approach
 Not ApplicableFEATURE REQUESTNoneT1549 ipsec ikev2 multi usergroup roadwarrior configuration

Event Timeline

rob created this task.Jul 29 2019, 8:26 PM
pasik subscribed.Jul 30 2019, 9:40 AM
dmbaturin added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.Aug 20 2020, 3:39 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus (1.3.0).Nov 9 2021, 5:00 AM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin set Issue type to Unspecified (please specify).
Viacheslav subscribed.Nov 16 2023, 1:18 PM

As I undestand it is possible now to create multiple auth ID's

vyos@r4# set vpn ipsec authentication psk FOO id 
Possible completions:
   <text>               ID used for authentication

Not sure about other options.

@rob Did you check it? As the syntax to old for ipsec.conf but we are usin strongswan.conf now

dmbaturin closed this task as Not Applicable.Jan 9 2024, 3:43 PM
dmbaturin removed a project: VyOS 1.4 Sagitta.

Since we do have proper support for IKEv2 remote access VPN, the issue of configuring it with a workaround is no longer relevant, I suppose.