Authentication methods not available as documented?

-flo- 0 · Nov 15, 2024, 9:39 AM

When editing a tunnel phase 1 I can select an authentication method. My pfSense offers "Mutual Certificate" and "Mutual PSK".

According to the documentation there should be more options like "EAP-TLS".

Why is it missing the other options?

jimp · Nov 15, 2024, 4:43 PM

Some authentication types are only available for Mobile/Remote Access IPsec tunnels. Some are also only available for IKEv1 or IKEv2. The documentation calls this out for entries that only work in certain configurations. Note where it says things like "Used with mobile IPsec and IKEv2" -- if you are using a non-mobile IKEv1 tunnel then the option for things like EAP-TLS will not be valid, so they are hidden.

If you are trying to create a remote access server setup, you need to follow a special procedure to create a "mobile" IPsec Phase 1. pfSense can act as a remote access IPsec "server" but not as a client.

If you are configuring a site-to-site tunnel, it should be using IKEv2.

-flo- 0 · Nov 15, 2024, 8:17 PM

@jimp said in Authentication methods not available as documented?:

a special procedure

I already have settings configured. Do I get it right that the options are dependent from which way I create a phase 1 entry?

So I need to do this via this button:

Is this possible if I already have configurations?

jimp · Nov 18, 2024, 1:56 PM

If that button still shows up in your GUI then you don't have a mobile Phase 1 yet, and you need to click that button to create it. You can't change an existing Phase 1 entry to be a mobile entry.

-flo- 0 · Nov 20, 2024, 7:54 AM

@jimp
I already have a working mobile setup with "ancient settings" which I would prefer to keep until a new setup is confirmed to work.

So I disabled the existing setting and tried to configure a new mobile setting. While I can setup multiple phase 1 and 2 tunnel configs there is only one set of settings for mobile.

Just to be sure: I should probably delete everything and start from scratch with the mobile settigs, right?

(If so, this is not a problem. I just need to know so I can make sure I have a suitable backup of my config.)

jimp · Nov 20, 2024, 1:47 PM

There can be only one mobile P1 at a time. You can either remove the old one and create a new one, or change the settings on the old one to match what you want it to be now.