Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec v2 - EAP-TLS Support

    General pfSense Questions
    10
    46
    22.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hege
      last edited by

      Does the ipsec v2 have EAP-TLS support?
      If not, it would be nice, so we can use IKEv2 VPN by Windows Phone / and native VPN Connection by Windows 7+ without any other software installed.

      Windows Phone only supports PEAP-MSCHAPv2 and EAP-TLS
      http://technet.microsoft.com/en-us/windows/dn673608

      1 Reply Last reply Reply Quote 0
      • E
        eri--
        last edited by

        It normally should be possible.

        I have not tested it due to no phone available to use.

        1 Reply Last reply Reply Quote 0
        • C
          charliem
          last edited by

          @hege:

          Does the ipsec v2 have EAP-TLS support?

          I haven't tested it, but I can say that psSense 2.2 Strongswan loads both EAP-TLS and EAP-TTLS plugins:

          Sep 11 18:08:42 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown
           eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
          
          
          1 Reply Last reply Reply Quote 0
          • H
            hege
            last edited by

            Ok, thank you.

            I will test it again with different settings.

            Sep 12 11:20:24 	charon: 11[CFG] no alternative config found
            Sep 12 11:20:24 	charon: 11[CFG] <con1|116> no alternative config found
            Sep 12 11:20:24 	charon: 11[IKE] peer requested EAP, config inacceptable
            Sep 12 11:20:24 	charon: 11[IKE] <con1|116> peer requested EAP, config inacceptable
            Sep 12 11:20:24 	charon: 11[CFG] selected peer config 'con1'</con1|116></con1|116>
            
            1 Reply Last reply Reply Quote 0
            • E
              eri--
              last edited by

              Oh that is not enabled in the config.

              I am working on finalizing the eap part of the authentication.
              What is your client?

              1 Reply Last reply Reply Quote 0
              • H
                hege
                last edited by

                Windows Phone 8.1
                and
                Windows 8.1 Pro

                Please let me know, if i can test something for you

                1 Reply Last reply Reply Quote 0
                • E
                  eri--
                  last edited by

                  I just pushed the first implementation for EAP-TLS.
                  Though please do testing and see if anything can be fixed or made working.

                  1 Reply Last reply Reply Quote 0
                  • Raul RamosR
                    Raul Ramos
                    last edited by

                    Mannnnnn (ermal). I lost a lot of hours trying to connect my WP8.1 through Iosec VPN. I mentions this earlier, a month ago? :P.

                    OK i will test this to and report back.

                    A BIG Thanks for this.

                    pfSense:
                    ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                    Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                    NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                    1 Reply Last reply Reply Quote 0
                    • H
                      hege
                      last edited by

                      @ermal:

                      I just pushed the first implementation for EAP-TLS.
                      Though please do testing and see if anything can be fixed or made working.

                      Thank you!

                      It seems that there is a lot more work needed for get this working.

                      With original config by pfsense

                      Sep 13 14:55:08 	charon: 11[IKE] configured EAP-only authentication, but peer does not support it
                      Sep 13 14:55:08 	charon: 11[IKE] <con1|11> configured EAP-only authentication, but peer does not support it</con1|11>
                      

                      With customized config
                      leftauth =  pubkey
                      rightauth = eap-tls

                      Sep 13 14:56:57 	charon: 11[TLS] sending fatal TLS alert 'certificate unknown'
                      Sep 13 14:56:57 	charon: 11[TLS] no trusted certificate found for '(ClientLanIP)' to verify TLS peer
                      Sep 13 14:56:57 	charon: 11[TLS] received TLS peer certificate 'C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX'
                      
                      

                      With customized config2
                      leftauth = pubkey
                      rightauth = eap-tls
                      eap_identity = "C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX"

                      With above changes in the config, i can connect with WP8 and Win8, but there is no traffic throughput - FW Rules are ok.
                      Same issue here?: https://forum.pfsense.org/index.php?topic=80300.0

                      Sep 13 15:00:13 	charon: 11[IKE] CHILD_SA con1{1} established with SPIs c11f9fdf_i 7d19592a_o and TS (pfSenseLANNET)/24|/0 === 10.11.12.0/24|/0
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> CHILD_SA con1{1} established with SPIs c11f9fdf_i 7d19592a_o and TS (pfSenseLANNET)/24|/0 === 10.11.12.0/24|/0
                      ..
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> assigning virtual IP 10.11.12.1 to peer 'C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX'
                      Sep 13 15:00:13 	charon: 11[CFG] reassigning offline lease to 'C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX'
                      Sep 13 15:00:13 	charon: 11[IKE] peer requested virtual IP %any
                      ..
                      Sep 13 15:00:13 	charon: 11[IKE] authentication of '(ClientLanIP)' with EAP successful
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> authentication of '(ClientLanIP)' with EAP successful
                      ..
                      Sep 13 15:00:13 	charon: 11[IKE] EAP method EAP_TLS succeeded, MSK established
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> EAP method EAP_TLS succeeded, MSK established</con1|13></con1|13></con1|13></con1|13>
                      

                      IPv4 Routes: (seems wrong for me)

                      10.11.12.0/24 	(pfSense-WAN-GW) 	US 	0 	1500 	hn0
                      

                      IPsec Overview:

                      IPsecOverview.png
                      IPsecOverview.png_thumb

                      1 Reply Last reply Reply Quote 0
                      • Raul RamosR
                        Raul Ramos
                        last edited by

                        Hi

                        Can i use PEAP-MSCHAPv2 now? or have to be in config to? I see EAP-TLS but not PEAP-MSCHAPv2. I can't connect even less pass traffic.

                        @hege what are your config on pfsense phase 1,2, mobile in Algorithms and proposal? have you information of this on a MS Site i see in one place this information, i can't find it.

                        Thanks

                        pfSense:
                        ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                        Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                        NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                        1 Reply Last reply Reply Quote 0
                        • H
                          hege
                          last edited by

                          No, that requires a different config.

                          Edit:

                          Required Config:
                                  leftauth=pubkey
                                  rightauth=eap-mschapv2
                                  eap_identity=%any

                          and secret in ipsec.secrets:
                          user@domain.loc : EAP "password"

                          ipsec rereadall
                          ipsec reload

                          just tested it with WP8 + Win8, but still no traffic throughput

                          1 Reply Last reply Reply Quote 0
                          • Raul RamosR
                            Raul Ramos
                            last edited by

                            I will play with certs and try EAP-TLS but have you the Algorithms proposal and hashes compatible with WP8.1?

                            Thanks

                            pfSense:
                            ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                            Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                            NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                            1 Reply Last reply Reply Quote 0
                            • H
                              hege
                              last edited by

                              @mais_um:

                              ..have you the Algorithms proposal and hashes compatible with WP8.1?

                              You can find the available proposals in the log files (with higher loglevel)
                              I use this one: (Windows 8 and WP8)

                              Phase1:
                              AES 256
                              SHA 256
                              DH2

                              Phase2:
                              AES 256
                              SHA1
                              PFS 2

                              1 Reply Last reply Reply Quote 0
                              • E
                                eri--
                                last edited by

                                @hepe,

                                i used a config from strongswan samples for eap-tls.
                                Though i will see to allow specifying different left and right auth.

                                1 Reply Last reply Reply Quote 0
                                • H
                                  hege
                                  last edited by

                                  @ermal:

                                  i used a config from strongswan samples for eap-tls.

                                  This one?
                                  https://wiki.strongswan.org/projects/strongswan/wiki/EapTls

                                  By default, the Gateway uses IKEv2 certificate authentication to prove its identity to the clients. But as EAP-TLS is a mutual authentication protocol, EAP-only authentication can be used by specifying leftauth=eap.

                                  As far as I understand it's possible to use eap-tls on the gateway, but usually it's pubkey.

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kathode
                                    last edited by

                                    Hi there,

                                    I'm relatively new to pfSense. I have managed to get MSCHAP-v2 with IPSec working on Windows Phone 8.1 Update 1 by editing the files mentioned in this topic. I have been running pfSense 2.2 RC for a while now, so I was just wondering whether this kind of configuration will be implemented directly by pfSense, seeing as it is possible by the underlying software? If not, is there any way to prevent the configuration files from being auto re-generated by pfSense?

                                    1 Reply Last reply Reply Quote 0
                                    • H
                                      hege
                                      last edited by

                                      Hi,

                                      I just created a bounty for eap-tls.

                                      https://forum.pfsense.org/index.php?topic=86727.0

                                      @kathode
                                      I think an implementation of mschap-v2 will be a lot of work, because it requires a different format in  ipsec.secrets.

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        eri--
                                        last edited by

                                        kathode can you explain how you did so i can give a look to integrate in master branch?

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          hege
                                          last edited by

                                          @hege:

                                          Required Config:
                                                  leftauth=pubkey
                                                  rightauth=eap-mschapv2
                                                  eap_identity=%any

                                          and secret in ipsec.secrets:
                                          user@domain.loc : EAP "password"

                                          ipsec rereadall
                                          ipsec reload

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            eri--
                                            last edited by

                                            Can you post the full ipsec.conf?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.