
ipsec: remote access VPN: "generate ipsec profile ios-remote-access" wrong profile for x509 auth
Needs testing, Low, Public

Description

The "generate ipsec profile ios-remote-access" command generates incorrect profile contents when used with the "authentication client-mode x509" mode introduced in T5870.

For example the profile includes:

<!-- The client uses EAP to authenticate -->
<key>ExtendedAuthEnabled</key>
<integer>1</integer>

Which should be omitted (or set to zero) when using the x509 client mode, which does not perform EAP authentication.

Additionally, newer versions of iOS and macOS require the "EnablePFS" option to be set in order to properly re-key when PFS is enabled in VyOS on the IKE group. This should also be fixed.
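A check for the two problems described above, as an added example that is not part of the original report or of VyOS itself. It assumes the standard Apple profile layout (a `PayloadContent` array whose VPN payload carries an `IKEv2` dictionary); the function name, the `client_mode` labels and the sample profile are constructed for illustration.

```python
import plistlib

# Constructed sample: a minimal profile showing the reported problem
# (EAP flag set, EnablePFS absent). Not real generator output.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>VPNType</key><string>IKEv2</string>
    <key>IKEv2</key>
    <dict>
      <key>AuthenticationMethod</key><string>Certificate</string>
      <!-- The client uses EAP to authenticate -->
      <key>ExtendedAuthEnabled</key><integer>1</integer>
    </dict>
  </dict></array>
</dict></plist>"""


def check_ikev2_profile(profile_bytes, client_mode, pfs_on_ike_group):
    """Return (key, message) findings where the profile disagrees with the server.

    client_mode: "x509" for certificate-only clients (label is an assumption
    of this example). pfs_on_ike_group: True if PFS is enabled on the IKE group.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ikev2 = payload.get("IKEv2")
        if ikev2 is None:
            continue  # not an IKEv2 VPN payload
        # Flags may be encoded as <integer>0/1</integer> or <true/>/<false/>.
        eap_enabled = bool(ikev2.get("ExtendedAuthEnabled", 0))
        pfs_enabled = bool(ikev2.get("EnablePFS", 0))
        if client_mode == "x509" and eap_enabled:
            findings.append(("ExtendedAuthEnabled",
                             "set, but x509 client mode does not perform EAP"))
        if pfs_on_ike_group and not pfs_enabled:
            findings.append(("EnablePFS",
                             "not set, but PFS is enabled on the IKE group"))
    return findings


if __name__ == "__main__":
    for key, message in check_ikev2_profile(SAMPLE_PROFILE, "x509", True):
        print(f"{key}: {message}")
```
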

Details

Version: 1.5-rolling-202407280023 but dates back to 1.4.0
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

lucasec created this object in space S1 VyOS Public.
Viacheslav changed the task status from In progress to Needs testing. Aug 2 2024, 1:52 PM