OSX IKEv2 Mutual RSA
-
When using OSX IKEv2 with RSA authentication and IPsec in pfSense is set to Mutual RSA, clients are unable to connect because of a missing setting in ipsec.conf:
leftsendcert = always
As soon as I add that setting in ipsec.conf, clients are able to connect.
I have found a bugfix from a few months ago [1], but as far as I can see this was only applied for EAP methods.
Is there a reason why this setting was not added for (Mutual) RSA authentication?
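As an added example (not the poster's pfSense-generated configuration), a minimal strongSwan ipsec.conf conn block for IKEv2 with certificate (pubkey) authentication on both sides, i.e. Mutual RSA; the hostname, certificate file, CA DN and address pool are placeholders. The strongSwan default for leftsendcert is ifasked, so without the line below the gateway only sends its certificate when the peer explicitly requests it, which is the connection failure the post describes.

```conf
# strongSwan ipsec.conf (added example; placeholder names throughout)
config setup

conn macos-ikev2-mutual-rsa
    keyexchange=ikev2
    # Gateway side ("left")
    left=%any
    leftid=vpn.example.com              # placeholder; must match a SAN in the gateway certificate
    leftcert=gatewayCert.pem            # placeholder file under /etc/ipsec.d/certs
    leftauth=pubkey                     # gateway authenticates with its certificate
    leftsendcert=always                 # the missing setting: send the cert even without a CERTREQ
    leftsubnet=0.0.0.0/0
    # Client side ("right")
    right=%any
    rightauth=pubkey                    # client authenticates with a certificate as well
    rightca="C=XX, O=Example, CN=Example VPN CA"   # placeholder CA the client certs must chain to
    rightsourceip=10.10.10.0/24         # placeholder virtual IP pool for mobile clients
    auto=add
```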
-
Most likely because using mobile IKEv2 IPsec from OS X without EAP is very rare and not tested nor used much. Why Mutual RSA and not EAP-TLS?
-
Most likely because using mobile IKEv2 IPsec from OS X without EAP is very rare and not tested nor used much.
Well, I can at least confirm that it does work when using the leftsendcert setting.
Why Mutual RSA and not EAP-TLS?
I chose RSA authentication because I once read this [1] strongSwan page. It states: "While EAP-TLS is a secure and very flexible protocol, it is rather slow when used over IKE." Of course, I did not run any speed tests/benchmarks myself between both methods.
Besides EAP-TLS being more common and supported on clients, is there any advantage to using EAP-TLS instead of Mutual RSA?
I actually thought the RSA cert authentication was the default (less hassle) method to go with. :)
-
Most people prefer security (though even more opt for EAP-RADIUS or EAP-MSCHAPv2 so they can have user auth)
You can open a new redmine entry (target = 2.3.1) and we can look into adding that for the next version.
-
Most people prefer security
Which is what I prefer as well. I was not aware that Mutual RSA would be a less secure authentication method, compared to EAP-TLS. Guess I need to do some more research.
You can open a new redmine entry (target = 2.3.1) and we can look into adding that for the next version.
Great! I just did: https://redmine.pfsense.org/issues/6082
Thanks in advance!