Is Hybrid RSA + XAuth generating backward authentication policies?
-
I'm trying to set up road warriors to use IKEv1, RSA + XAuth. My understanding is that this configuration will allow the server (pfSense) to authenticate to the client using an RSA certificate. The client in turn will authenticate solely by XAuth. The idea is that client configuration is somewhat less burdensome, as client certificates need not be distributed.
Looking at the generated ipsec.conf I see the following (along with the rest of the config):
left = [[pfSense WAN IP]]
right = %any
leftid = [[pfSense WAN IP]]
leftauth = xauth-generic
rightauth = pubkey
rightauth2 = xauth
leftcert = /var/etc/ipsec/ipsec.d/certs/cert-1.crt
aggressive = no

If I understand correctly, this is setting the server to require RSA + XAuth from the client, while only providing XAuth from the server to the client.
I believe the leftauth and rightauth clauses may be reversed. Can anyone confirm or deny this?
Thanks!
-
You can check it here: http://www2.strongswan.org/uml/testresults5/ikev1/xauth-rsa/moon.ipsec.conf
The xauth for left is that pfSense calls a script to validate the certificate.
Did you have any trouble, or are you just wondering?
-
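As an added example (not code from the thread, from pfSense or from the strongSwan test linked above), the helper below parses a conn section of an ipsec.conf and spells out, per side, who proves what. It relies only on the meaning strongSwan's ipsec.conf(5) gives these keywords: leftauth/leftauth2 are the methods the local (left) side uses to authenticate itself, rightauth/rightauth2 are the methods it requires from the remote (right) side. The first fragment is the one posted in the question with a documentation address substituted for the WAN IP; the second, HYBRID_EXPECTED, is a constructed illustration of a server-cert-only, client-XAuth-only responder under those semantics, and is an assumption rather than anything pfSense's generator emits.

```python
"""Interpret leftauth/rightauth in a strongSwan ipsec.conf conn section.

Per ipsec.conf(5): left*auth = how the local (left) side proves its own
identity; right*auth = what the local side demands from the remote (right)
side. Added example; not part of the original thread.
"""
import re

# Constructed sample: the fragment from the question, with the placeholder
# WAN IP replaced by a documentation address (203.0.113.1).
AS_GENERATED = """\
conn con1
    left = 203.0.113.1
    right = %any
    leftid = 203.0.113.1
    leftauth = xauth-generic
    rightauth = pubkey
    rightauth2 = xauth
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    aggressive = no
"""

# Constructed sample (assumption, for illustration): a responder that proves
# itself with its certificate only and requires XAuth only from the client.
HYBRID_EXPECTED = """\
conn con1
    left = 203.0.113.1
    right = %any
    leftid = 203.0.113.1
    leftauth = pubkey
    rightauth = xauth
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    aggressive = no
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Accepts both 'key = value' and 'key=value', strips '#' comments, and
    ignores 'config' / 'ca' sections.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if re.match(r"^(config|ca)\s", line):
            current = None
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return conns


def auth_rounds(conn, side):
    """Authentication rounds configured for one side, e.g. [leftauth, leftauth2]."""
    return [conn[k] for k in (side + "auth", side + "auth2") if conn.get(k)]


def describe(conn):
    """Who proves what: local_proves is what left authenticates with,
    remote_must_prove is what left requires from right."""
    return {
        "local_proves": auth_rounds(conn, "left"),
        "remote_must_prove": auth_rounds(conn, "right"),
    }


def is_hybrid_rsa_xauth(conn):
    """True when the local side authenticates with pubkey only and the remote
    side is required to supply XAuth credentials only (xauth, xauth-generic,
    xauth-pam all count as XAuth; the suffix selects the backend)."""
    d = describe(conn)
    remote = [r.split("-", 1)[0] for r in d["remote_must_prove"]]
    return d["local_proves"] == ["pubkey"] and remote == ["xauth"]


if __name__ == "__main__":
    for label, text in (("as generated", AS_GENERATED), ("hybrid", HYBRID_EXPECTED)):
        conn = parse_conns(text)["con1"]
        print(label, describe(conn), "hybrid:", is_hybrid_rsa_xauth(conn))
```

Run on the posted fragment, the report reads local_proves = ['xauth-generic'] and remote_must_prove = ['pubkey', 'xauth'], which is exactly the reading the question arrives at; only the constructed HYBRID_EXPECTED fragment is classified as hybrid.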
I was having trouble connecting with the Shrew Soft Windows client. I'm going to assume something else is wrong with the configuration and try again later. Thanks for the response!