Bug 11615

Summary: IPSec Roadwarrior tunnels do not work with Windows, Mac, or iOS without modification in CLI
Product: IPFire Reporter: Tom Rymes <tomvend>
Component: ---Assignee: Michael Tremer <michael.tremer>
Status: NEW --- QA Contact:
Severity: Minor Usability    
Priority: Will affect an average number of users CC: peter.mueller, peter.mueller
Version: 2   
Hardware: x86_64   
OS: Windows   
Bug Depends on:    
Bug Blocks: 11618    

Description Tom Rymes 2018-02-05 23:11:14 UTC 
Please see discussion on the development mailing list and the how-to articles in the wiki:

https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_windows

https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_roadwarrior_with_macos

Long story short, the WUI cannot create Roadwarrior IPSec connections that work with the most common (and secure) operating systems, namely Windows 10, Android, iOS, and MacOS. Specifically, the following must be added to /etc/ipsec.users.conf:

conn CONNECTION_NAME
      leftsendcert=always
      leftallowany=yes
      rightdns=10.100.2.1
      rekey=no
      reauth=no

Windows 10 only requires a subset of that, but both OSes require manual entries via the CLI. At a minimum, the IPSec configuration generated by the WUI should include those settings (by default or optionally) needed by the most common OS options. In addition, the hostname used when creating the root/host certificate(s) should be added as a SAN (feature request already opened by another user) in those certificates, as that is also a requirement for functionality with MacOS/iOS.

The gold-standard here, in my opinion, is Algo, which creates a fully functional IPSec configuration, including certificates and options that tailor the ciphers to each operating system (i.e.: weaker ciphers are enabled if Windows must be supported). To make it that much easier, it also produces a script for Windows and a mobile profile for iOS/MacOS that greatly simplifies certificate installation and connection creation. For example:

Installing VPN connection in Windows 10:

1.) Download script file and certificate .p12 file.
2.) Open administrative powershell window
3.) CD to directory where script was downloaded.
4.) execute command "scriptname ADD"
5.) type the password for the .p12 file.

Installing VPN in MacOS:
1.) Download Mobileconfig file.
2.) Double-click Mobileconfig file.
3.) Type .p12 file password.

That's it! Replicating that functionality would be a major feature enhancement for IPFire, IMHO! Perhaps something we could put up on the "Fund this feature" page?
Comment 1 Peter Müller 2018-02-06 19:59:12 UTC 
Although I cannot reproduce the problem (no Windows or Mac OS clients here), this certainly is a problem since users with no or little console experience might be unalbe to fix this by themselfes.

Since there are some more IPsec/Firewall GUI related bugs, funding seems to be an option for me.
Comment 2 Tom Rymes 2018-02-06 23:55:43 UTC 
I had reached out to Michael about this and indicated that I was willing to contribute to this project if it were made a wishlist project. He indicated that getting funding for wishlist projects is a challenge.

I understand the difficulty, but I think that this feature and the Ad blocking via DNS blacklist feature might draw more support (especially the ad-blocking feature).

I stand ready to contribute money, as I lack the coding skills to contribute functionality.
Comment 3 Peter Müller 2022-02-19 19:27:46 UTC 
Has the situation of this bug changed since?

Especially with regards to https://blog.ipfire.org/post/ipfire-2-25-core-update-158-released, IPsec and Apple devices should work much better now.
Comment 4 Tom Rymes 2022-02-21 07:18:03 UTC 
I can confirm Apple devices now work well, though I need to better test split tunneling. I can't say for the windows devices, unfortunately, and I am not able to check at the moment.

I think it would be nice if we could also provide a download link for Windows with a Powershell script and certificate bundle to install the connection more easily, and using a better Cipher selection.