IPsec Profile Wizard v. 1.1_1
-
I made several updates to the IPsec Profile Wizard package available on pfSense Plus software version 22.05 (and 23.01 once the RC is ready).
I fixed several outstanding issues that affected both Apple and Windows export.
- Apple: Fixed profile generation for ECDSA server certs. Fixes #12705
- Apple: Fixed authentication configuration for EAP user auth types. Fixes #13878
- Apple: Added a field to explicitly set a custom username when using external authentication (EAP-RADIUS, xauth w/RADIUS)
- Windows: Fixed handling of hash for P2 entries with GCM ciphers. Fixes #13877, Fixes #13368, Fixes #12948
- Windows: Fixed unnecessary use of split tunneling/routes when mobile P2 is set with a local network of 0.0.0.0/0. Fixes #13897
- Update package description and link. Fixes #13690
I tested against a variety of IKEv2 mobile IPsec server configurations including EAP-MSCHAPv2/EAP-RADIUS and EAP-TLS servers with RSA and ECDSA server certs, as well as with/without GCM ciphers.
The clients I tested were macOS 13.2 (Ventura), Windows 11 (22H2), and Windows 10 (22H2).
All profiles exported worked as expected, but as always that's me here in the lab and real world experiences may vary.
The updated package is available now on 22.05 and users on 23.01 will get it when we publish the RC images soon.
EDIT: 1.1_1 fixes a problem with Apple profile generation for EAP-RADIUS and Xauth where it may have included a username in the profile that wasn't a valid value.
-
@jimp Excellent - will give it a spin :-)
I wish you could "persuade" Netgate to include the multiple IP pools option for IPsec mobile warriors in 23.01.
I find it so disappointing you still cannot create separate firewall rules for groups of VPN users....
I developed my own fix more than half a year ago, but it's a losing game explaining to customers that pfSense cannot do this - unless I create an unsupported tweak. https://forum.netgate.com/topic/172476/a-guide-to-assign-vpn-group-and-user-ip-pool-from-radius-in-22-01-2-6
Here's the corresponding redmine:
https://redmine.pfsense.org/issues/13227
-
That's all unrelated to this package, so it doesn't belong in this thread.
And it's too late for any other features to get into 23.01.
-
@jimp Have you tried an iPhone / iPad? If I download it to mine, I get an Invalid Profile error.
Same with macOS 12.6.3; pre-1.1 it imported fine.
-
@nogbadthebad said in IPsec Profile Wizard v. 1.1:
@jimp Have you tried an iPhone / iPad? If I download it to mine, I get an Invalid Profile error.
Same with macOS 12.6.3; pre-1.1 it imported fine.
I don't have any current iOS devices to test against.
What kind of VPN setup do you have (IKEv1 or v2, auth type, P1/P2 settings)? It might be a variation I didn't have available to test.
I was following the latest recommendations from the Apple profile docs, and it works fine on macOS with the setups I tried.
-
EAP-RADIUS Auth
-
@nogbadthebad said in IPsec Profile Wizard v. 1.1:
EAP-RADIUS Auth
If you have a copy of an old profile around, can you do a diff between the old and new profile to see what is different?
I have an idea of what might be the issue here but I haven't confirmed it yet.
-
OK, I found the problem. It was inserting
<external>
into the profile for the username, which isn't valid since it looks like a tag in a profile. Not sure why it worked for my client when I tested it unless I had manually set a username somewhere.
I have a couple of changes coming which will address that, not only by not using that string in the profile but also by showing a field in this case where you can enter whatever username you want to put in the profile. I'll have that up later today.
-
The updated package should be available now (v. 1.1_1)
-
@jimp Works fine on macOS & iOS now