IPsec v2 - EAP-TLS Support
-
@ermal:
i used a config from strongswan samples for eap-tls.
This one?
https://wiki.strongswan.org/projects/strongswan/wiki/EapTlsBy default, the Gateway uses IKEv2 certificate authentication to prove its identity to the clients. But as EAP-TLS is a mutual authentication protocol, EAP-only authentication can be used by specifying leftauth=eap.
As far as I understand it's possible to use eap-tls on the gateway, but usually it's pubkey.
-
Hi there,
I'm relatively new to pfSense. I have managed to get MSCHAP-v2 with IPSec working on Windows Phone 8.1 Update 1 by editing the files mentioned in this topic. I have been running pfSense 2.2 RC for a while now, so I was just wondering whether this kind of configuration will be implemented directly by pfSense, seeing as it is possible by the underlying software? If not, is there any way to prevent the configuration files from being auto re-generated by pfSense?
-
Hi,
I just created a bounty for eap-tls.
https://forum.pfsense.org/index.php?topic=86727.0
@kathode
I think an implementation of mschap-v2 will be a lot of work, because it requires a different format in ipsec.secrets. -
kathode can you explain how you did so i can give a look to integrate in master branch?
-
Required Config:
leftauth=pubkey
rightauth=eap-mschapv2
eap_identity=%anyand secret in ipsec.secrets:
user@domain.loc : EAP "password"ipsec rereadall
ipsec reload -
Can you post the full ipsec.conf?
-
Sorry, this ok?
conn con1 aggressive = yes fragmentation = yes keyexchange = ikev2 reauth = no rekey = no reqid = 1 installpolicy = yes type = tunnel dpdaction = clear dpddelay = 10s dpdtimeout = 60s auto = add left = My WAN IP right = %any leftid = my.cert.CN ikelifetime = 28800s lifetime = 3600s rightsourceip = 10.12.34.0/24 rightsubnet = 10.12.34.0/24 leftsubnet = My LAN NET/24 ike = aes256-sha256-modp1024! esp = aes256-sha1-modp1024,aes192-sha1-modp1024,aes128-sha1-modp1024,aes128gcm128-sha1-modp1024,aes128gcm96-sha1-modp 1024,aes128gcm64-sha1-modp1024,aes192gcm128-sha1-modp1024,aes192gcm96-sha1-modp1024,aes192gcm64-sha1-modp1024,aes256gcm128-sh a1-modp1024,aes256gcm96-sha1-modp1024,aes256gcm64-sha1-modp1024! leftauth=pubkey rightauth=eap-mschapv2 leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt eap_identity=%anyand in ipsec.secrets:
user@domain.loc : EAP "password"I modified the config, generated by your eap-tls implementation.
-
Ok this is merged on to master branch.
You have a config option to configure EAP-MSchapv2 and it will generate this config.
The preshared-keys entries can be specified the type PSK/EAP now.You can either use the patch with the patch package or gitsync to master since at this times the differences are not huge with 2.2
-
Sorry I forgot one important thing:
The link to the private key has to be in ipsec.secrets (not only eap-mschapv2)
" : RSA /var/etc/ipsec/ipsec.d/private/cert-3.key"(space at start)
https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecretI applied your patch, added the RSA key to the ipsec.secrets, and used this commands:
ipsec rereadall
ipsec reloadeap-mschapv2 WORKING on Win 8.1 Pro and Windows Phone 8.1!
Config:
Phase1: AES256/SHA1/DH2
Phase2: AES256/SHA1/PFS -
That is already done according to me though i will double check.
Done it was just forgotten.
Test it and let me know. -
FYI,
this has been merged into 2.2 as well.
-
I just made a fresh test. (Windows Phone 8.1 / Windows 8.1 Pro / Windows 7 Pro)
Everything is working fine with mschapI would say, eap-mschapv2 is now fully implemented, working and tested.
Needed Win 8 Client config:
Security: IKEv2
Data encryption: Require encryption
Authentication
Use EAP Microsoft: Secured password (EAP-MSCHAP v2)The pfSense vpn cert need at least this EKU: 1.3.6.1.5.5.7.3.1
Also the vpn cert used by pfSense has to be accepted by the Win 8 machine (full trust of chain)@kathode I think you have to say "Thank you ermal!" :D
-
The pfSense vpn cert need at least this EKU: 1.3.6.1.5.5.7.3.1
To confirm/clarify, that EKU is "TLS Web server authentication" which is added to the cert when "Server Certificate" is chosen in the pfSense GUI.
-
First of all, thank you ermal and everyone else who contributed to this! Lack of EAP-MSCHAPv2 support has been preventing me to connect to my pfSense from my Windows Phone 8.1 phone but not any more.
I struggled hours to get this to work. So that no one else does the same mistakes, here are everything I did wrong. First, I accidently used an old certificate generated - I believe for OpenVPN - a long time ago. Problem with this one was that it was a client certificate so it didn't include the needed EKU. After generating a proper server cert (and with my pfSense box DynDNS name in Alternate Names) I finally managed to get IPSec to work with my Android tablet using strongSwan client.
At this point my WP8.1 phone nor Windows 8 PC still didn't want to connect. This time the problem was that although I had installed the server cert so that Win8/WP8 would trust it, I hadn't installed CA root cert which is also required, as stated in http://technet.microsoft.com/en-us/library/dd941612%28v=ws.10%29.aspx. After installing the root cert in the Trusted Root Certification Authorities per-computer certificate store (very important it's exactly this one) Win8 PC finally connected.
With WP8 I stumbled a small problem, though. Whereas Win8 PC reports the configured identifier properly (let's call it user), my Lumia prefixes it with Windows Phone so pfSense sees it as Windows Phone\user. This would require identifier to be in ipsec.secrets as in "Windows Phone\user" : EAP password. However, pfSense GUI doesn't allow spaces, backslashes or quotation marks to be included in identifiers. If I manually add the above line in ipsec.secrets and reload it, connection works also with WP8. Configuration is overwritten quite often automatically, though, so this workaroung doesn't work for very long.
Would it be difficult to make the inclusion of _Windows Phone_ possible in key identifiers? Or is there another way to do this?
Again, thank you everyone who has been involved in this!
-
just use
user@domain.atGui Description: :)
Identifier
This can be either an IP address, fully qualified domain name or an e-mail address.Edit:
EAP-TLS now working
Cert requirements,
-
Full trust of chain (Root CA have to be installed on the client)
-
pfSense Server Cert needs the EKU "Server Authentification", also the FQDN in the Subject Alternative Names
-
pfSense Client Cert needs the EKU "Client Authentification", also the CN name as a FQDN in the SAN
-
-
I was able to make this work with MSCHAPv2, and documented the process. It'll be up on the wiki in the next couple days.
-
Thanks a lot ermal and others for the effort! I am really impressed with pfSense so far. The RC snapshot I am running has been up for over 22 days with no faults whatsoever :-)
In my previous test configuration I also had to write "Windows Phone\user" to ipsec.secrets like wta mentioned. I guess user@domain needs to be input on the WP8.1 VPN client configuration side? Is that the case hege?
I apologise for the delay, as I have been travelling. I am not currently able to test the latest snapshot due to other commitments, but should be able to do so within the next three weeks.
Thanks
-
I guess user@domain needs to be input on the WP8.1 VPN client configuration side? Is that the case hege?
Yes, I am using the users e-mail as the identifier, that is very easy and avoids additional support cases. ("what is my username?")….
-
Here's some extra guidance for those looking to get this working:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
Comments/additions/suggestions welcome, of course.
I could do one for EAP-TLS as well if someone notes more specifically what the differences are with the configuration on both sides.
-
The "Client Certificate" part is only required if you want to use eap-tls, eap-mschap is using credentials for user authentification, so no client cert is used.
EAP-TLS on pfSense:
different authentication method
no need for preshared keyEAP-TLS Windows:
Import the client cert as in your description (cert must have the CN as SAN value)
Authentification:
Microsoft: Smart Card or other certificate
Properties
Use a certificate on this computer
Advanced
Certificate Issuer
Choose your imported CA Certificate
Extended Key Usage
Client Authentification
Verify the servers identity by validating the certificate
Connect to these servers
pfSense host (same as in CN)
Trusted Root Certificate Authorities
Choose your imported CA Certificate
Uncheck: Use a different user name for the connection
