2.2 Beta IPSEC GUI My Certificate does not configure strongswan Cert/Key



  • Hi, pfSense experts,

    I tried to connect the Windows 7 built-in IKEv2 IPsec client and the Android strongSwan client to "mobileIPsec".
    Unfortunately there is an issue with this Beta 2.2.

    • GUI page VPN - IPsec - Edit Phase 1 entry (Mobile Client), section Phase 1 proposal (Authentication): the field "My Certificate" does not configure the strongSwan cert + key.

    • server certfile missing at /ipsec.d/certs

    • server keyfile missing at /ipsec.d/private

    • ipsec.secrets file is empty! Please add a reference to the server keyfile " : RSA keyfile"

    • ipsec.conf missing reference to server cert file "leftcert = certfile"

    Could some expert open a ticket or fix the listed GUI configurations?

    (The build from 23.10.2014, Release 2.2 Beta (AMD64), was in use.)

    After manual configuration I got Mobile Client IPsec working with IKEv2!

    Successfully tested:

    • Windows 7 built-in VPN client connected by IKEv2 (mutual RSA)
    • Android StrongSwan Client (mutual RSA)

    Just some other possible GUI improvements:

    If "Key Exchange Version = V2" is selected:

    • IKEv2 has no support for PSK -> you could remove the PSK-based methods from the list of "Authentication Methods"
    • IKEv2 has no support for aggressive mode -> "Negotiation mode" can be omitted in the GUI

    No need to fix special proposals in the Phase 1 and Phase 2 algorithms:
    at least with IKEv2 there is much better proposal negotiation. I removed the proposal entries
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1!
    in ipsec.conf to avoid proposal alignment issues. strongSwan then accepts what the client offers, if supported.
    Consider that not all clients might support all proposals, so better not to fix any special proposal if not needed…
    -> I recommend adding some "accept peer proposals" functionality in the GUI for PH1 and PH2; if selected, remove the proposal. This might be helpful for beginners as an easy setup!

    Regards
    Martin W



  • I just tested this and it works correctly; certificates are put in the proper config and files.

    Is this an upgraded configuration of sorts?



  • It was a converted + edited setup from an older alpha snapshot!
    Certs + key have been imported in the cert manager!

    I did a retest on another box with an upgrade from 2.1.5 nano to 2.2 Beta and got the same issue after the upgrade. Certs + keys not configured, tunnel broken.
    The only difference there: it was an IKEv1, mutual RSA, IPsec main mode tunnel!

    On the other box I will retest with a new config starting from defaults …



  • The retest with a new config, starting from defaults, also failed!

    Steps done:

    • set to factory default
    • assign interfaces: wan (dhcp eth), lan eth
    • create internal root CA with GUI
    • create server cert from local CA with GUI
    • create mobile IPsec, all settings default, Xauth section: select internal database, Group Authentication None
    • add Phase 1: all default, but Authentication set to mutual RSA, main mode, Identifier local and remote set to ASN1, select ServerCert and local CA
    • add Phase 2: all default

    Enable IPsec VPN; the logs show configuration con1 loaded.

    If I check /var/etc/ipsec/  I can see missing configuration:

    ipsec.d/private/    -> empty, no private key!
    ipsec.d/certs/      -> empty, no cert stored
    ipsec.secrets       -> file exists but is empty; " : RSA Keyfile" should be in it to point to the key

    -> The bug seems to be present also in the legacy config, IKEv1 + main mode + mutual RSA, so it seems not to be related to IKEv2 as originally suspected.

    Any ideas what might be wrong?

    Is there someone with cert-based "mutual RSA" + "IKE main mode" IPsec working on 2.2?

    (Tested on today's snapshot of 2.2 Beta on AMD64.)
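
The four gaps listed in the thread (empty ipsec.d/certs, empty ipsec.d/private, no " : RSA keyfile" entry in ipsec.secrets, no leftcert line in ipsec.conf) can be checked in one pass with the script below. It is an added example, not part of the original posts and not pfSense code. It assumes the /var/etc/ipsec path from the thread as its default and that relative file names resolve to ipsec.d/private and ipsec.d/certs; the world-readable key check is an extra that the thread does not mention.

```shell
#!/bin/sh
# Added example (not pfSense code): audit a strongSwan ipsec.conf-style
# directory for the certificate/key gaps listed in the thread.
# Usage: check_ipsec_cert_config /var/etc/ipsec

check_ipsec_cert_config() {
    dir="${1:-/var/etc/ipsec}"   # default is the path given in the thread
    problems=0
    flag() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Gaps 1 and 2: ipsec.d/certs and ipsec.d/private must not be empty.
    for sub in certs private; do
        [ -n "$(ls -A "$dir/ipsec.d/$sub" 2>/dev/null)" ] ||
            flag "no files in $dir/ipsec.d/$sub"
    done

    # Gap 3: ipsec.secrets needs a ': RSA <keyfile>' entry (comments skipped).
    key=$(awk '$1 !~ /^#/ {
                 for (i = 1; i < NF; i++)
                   if ($i == ":" && $(i+1) == "RSA") { print $(i+2); exit }
               }' "$dir/ipsec.secrets" 2>/dev/null | tr -d '"')
    case "$key" in
        "") flag "no ': RSA <keyfile>' entry in $dir/ipsec.secrets" ;;
        /*) ;;                                   # absolute path, use as is
        *)  key="$dir/ipsec.d/private/$key" ;;   # assumed relative base
    esac
    if [ -n "$key" ]; then
        if [ ! -f "$key" ]; then
            flag "key file $key is referenced but not found"
        elif [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
            flag "key file $key is world-readable"   # extra check, not in thread
        fi
    fi

    # Gap 4: ipsec.conf needs a 'leftcert = <certfile>' line.
    cert=$(sed -n 's/^[[:space:]]*leftcert[[:space:]]*=[[:space:]]*//p' \
           "$dir/ipsec.conf" 2>/dev/null | head -n 1 | tr -d '"')
    case "$cert" in
        "") flag "no leftcert line in $dir/ipsec.conf" ;;
        /*) ;;
        *)  cert="$dir/ipsec.d/certs/$cert" ;;   # assumed relative base
    esac
    [ -z "$cert" ] || [ -f "$cert" ] ||
        flag "cert file $cert is referenced but not found"

    [ "$problems" -eq 0 ] && echo "OK: certificate and key are wired up in $dir"
    [ "$problems" -eq 0 ]   # exit status 0 only when nothing was flagged
}
```

Run against the state described in the last post, it reports all four problems and returns a non-zero status, which makes it usable as a post-upgrade check.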