@ -4,37 +4,37 @@ IPsec: Setup OPNsense for IKEv1 using XAuth
.. contents :: Index
XAuth was an addition to IKEv1 supporting user authentication credentials additionally to
XAuth was an addition to IKEv1 supporting user authentication credentials additionally to
pre-shared keys or certificates. There are three different types supported by OPNsense which
we will describe here.
Mutual PSK + XAuth: You define a pre-shared key which is the same for every user and after securing
the channel the user authentication via XAuth comes into play.
Mutual RSA + XAuth: Instead of using a pre-shared key, every device needs a client certificate to secure
Mutual RSA + XAuth: Instead of using a pre-shared key, every device needs a client certificate to secure
the connection plus XAuth for authentication. This is the most secure variant for IKEv1/XAuth but also
with the most work to do.
Hybrid RSA + XAuth: Hybrid RSA is the same as Mutual, without the need for a client certificate. Only
the server will be authenticated (like using HTTPS) to prevent man-in-the-middle attacks like with
Hybrid RSA + XAuth: Hybrid RSA is the same as Mutual, without the need for a client certificate. Only
the server will be authenticated (like using HTTPS) to prevent man-in-the-middle attacks like with
Mutual PSK. It is more secure than PSK but does not need the complete roll-out process like with Mutual RSA.
We assume you have read the first part at
:doc: ` how-tos/ ipsec-rw`
We assume you have read the first part at
:doc: ` ipsec-rw`
----------------------------------------------------
Step 1 - Create Certificates (only for RSA variants)
----------------------------------------------------
For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate
for your Firewall.
for your Firewall.
Go to :menuselection: `System --> Trust --> Authorities` and click **Add** . Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority** . Increase the **Lifetime** and fill in the fields
choose **Create internal Certificate Authority** . Increase the **Lifetime** and fill in the fields
matching your local values. Now go to :menuselection: `System --> Trust --> Certificates` and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
If you already have a CA roll out a server certificate and import
the CA itself via :menuselection: `System --> Trust --> Authorities` and the certificate with the key in
:menuselection: `System --> Trust --> Certificates` .
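Review bot: the `:doc:` target change from `how-tos/ipsec-rw` to `ipsec-rw` near the top of this hunk turns the cross-reference into one relative to the current file; Sphinx resolves a `:doc:` target without a leading `/` against the directory of the referencing document, so this only resolves if this page lives in the same `how-tos/` directory as `ipsec-rw`, and the build should be checked for an "unknown document" warning before merging. On the wording, the Hybrid RSA paragraph's "to prevent man-in-the-middle attacks like with Mutual PSK" reads as if Mutual PSK prevents them, while the preceding paragraph says the PSK "is the same for every user", which is exactly what lets any holder of that key pose as the gateway. Suggest: "Only the server is authenticated (as with HTTPS), which prevents the gateway impersonation that a shared pre-shared key allows."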
@ -103,12 +103,12 @@ Step 3 - Phase 2 Mobile Clients
Press the button that says '+ Show 0 Phase-2 entries'
.. image :: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
.. image :: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
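Review bot: the two screenshots referenced in this hunk (`ipsec_s2s_vpn_p1a_show_p2.png` and `ipsec_s2s_vpn_p1a_p2_empty.png`) carry the site-to-site (`s2s`) naming prefix while the section heading is "Phase 2 Mobile Clients"; please confirm they show the mobile-client Phase 2 list (the "+ Show 0 Phase-2 entries" button on the road-warrior Phase 1 entry) rather than a site-to-site tunnel, or rename/replace them so readers following along can match the UI.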
@ -138,11 +138,11 @@ Phase 2 proposal (SA/Key Exchange)
**Save** your settings and **Enable IPsec** , Select:
.. image :: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
.. Note ::
If you already had IPsec enabled and added Road Warrior setup, it is important to
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via :menuselection: `System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
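Review bot: the note in this hunk carries the operationally important point, that Save/Apply only reloads strongSwan while loading the modules this setup needs requires a full restart, but the sentence before it, "**Save** your settings and **Enable IPsec** , Select:", ends on a dangling "Select:" and the product name appears as both "IPSec" and "IPsec" in the same paragraph. Suggest closing the sentence ("**Save** your settings and select **Enable IPsec**:") and using "IPsec" consistently, and consider restating the restart requirement as an explicit final step rather than only a note, since a client that fails to connect after following the steps will most likely be hitting exactly this reload-versus-restart case.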