Hello,
I've been trying to set up a connection from a RUT950 router to a remote IPsec responder (StrongSwan on a Linux server), in a "road-warrior" configuration:
- server/responder authenticated with a server certificate,
- client (RUT950) authenticated with username/password (EAP-MSCHAPv2).
It's a configuration I've managed to run on traditional Linux StrongSwan clients using something like this:
ca vpn1
    cacert=/etc/vuci-uploads/cbid.ipsec.vpn1.cacertMyCA.crt
    auto=add

conn vpnext1
    keyexchange=ikev2
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftsendcert=never
    leftid=my_rut950
    eap_identity=my_rut950
    right=myvpnserver.example.com
    rightid=myvpnserver.example.com
    auto=start
It is almost achievable with the IPsec front-end of the RUT950 router (FW: RUT9_R_00.07.02.7), but there are two problems:
- "Global Secret Settings" gets hidden.
- We can't set custom options containing underscores or hyphens (even though they would be perfectly valid).
Editing the Global Secret Settings (workaround)
Firstly, to achieve this, "ipsec.secrets" needs to be edited. This could be done with the "Global Secrets Settings" options (when "Multiple Secrets" is ON), but this is not visible when using "Authentication Method: X.509".
When using X.509 for "rightauth", the "Multiple Secrets" option disappears.
Luckily, if we edit the "Global Secret Settings" with "Pre-shared key" and only then switch to "X.509", the ipsec.secrets file remains, so it can be used.
Custom Options for "leftauth=eap-mschapv2" and "eap_identity=..." (no workaround?)
The required configuration could work if we could set these two options:
    leftauth=eap-mschapv2
    eap_identity=my_rut950
It almost works, but the graphical interface for "Custom option" doesn't let us set options containing "-" or "_".
Would it be possible to relax those validation rules for underscores and hyphens?
Thank you.
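An added illustration, not part of the original post and not Teltonika or strongSwan code: a small Python helper that validates "key=value" custom options under rules that permit underscores and hyphens (the relaxation asked for above), renders the client-side ipsec.conf and the EAP line for ipsec.secrets from the configuration shown in the post, and checks the invariants that make an EAP-MSCHAPv2 client safe (the responder must be certificate-authenticated and pinned by rightid before any EAP credential is exchanged). The regexes for option names and values are assumptions modelled on ipsec.conf syntax, and the password is a constructed placeholder.

```python
import re

# Assumed naming rules, modelled on strongSwan ipsec.conf: keywords are
# lowercase letters, digits and underscores (leftauth, eap_identity);
# values may also contain hyphens, dots, slashes, '%' and '@'
# (eap-mschapv2, %config, myvpnserver.example.com, 10.0.0.0/24).
KEY_RE = re.compile(r"^[a-z][a-z0-9_]*$")
VALUE_RE = re.compile(r"^[A-Za-z0-9_.:/%@+-]+$")

# The client configuration from the post, as (key, value) pairs.
CLIENT_OPTIONS = [
    ("keyexchange", "ikev2"),
    ("leftsourceip", "%config"),
    ("leftauth", "eap-mschapv2"),
    ("leftsendcert", "never"),
    ("leftid", "my_rut950"),
    ("eap_identity", "my_rut950"),
    ("right", "myvpnserver.example.com"),
    ("rightid", "myvpnserver.example.com"),
    ("auto", "start"),
]


def parse_custom_option(text):
    """Split a 'key=value' custom option and validate both halves.

    Returns (key, value); raises ValueError on anything that is not a
    well-formed ipsec.conf assignment, without rejecting '_' or '-'.
    """
    if "=" not in text:
        raise ValueError("custom option must be key=value: %r" % text)
    key, _, value = text.partition("=")
    key, value = key.strip(), value.strip()
    if not KEY_RE.match(key):
        raise ValueError("bad option name: %r" % key)
    if not VALUE_RE.match(value):
        raise ValueError("bad option value: %r" % value)
    return key, value


def render_ipsec_conf(ca_name, ca_cert, conn_name, options):
    """Render a ca section and a conn section in ipsec.conf syntax."""
    lines = ["ca %s" % ca_name,
             "    cacert=%s" % ca_cert,
             "    auto=add",
             "",
             "conn %s" % conn_name]
    for key, value in options:
        lines.append("    %s=%s" % (key, value))
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(identity, password):
    """Render the EAP credential line the client needs in ipsec.secrets.

    strongSwan reads:  <identity> : EAP "<password>"
    A double quote or newline inside the password would break the line,
    so refuse those rather than emit a file strongSwan will misparse.
    """
    if '"' in password or "\n" in password:
        raise ValueError("password contains a quote or newline")
    return '%s : EAP "%s"\n' % (identity, password)


def check_eap_conn(options):
    """Return a list of problems that would make the EAP client unsafe.

    EAP-MSCHAPv2 is breakable offline once captured, so the responder must
    be authenticated by certificate (and pinned by rightid) before the
    client ever starts the EAP exchange. An absent rightauth is treated
    as pubkey, the ipsec.conf default when certificates are configured.
    """
    opts = dict(options)
    problems = []
    if not opts.get("leftauth", "").startswith("eap-"):
        return problems  # not an EAP client, nothing to check here
    if opts.get("rightauth", "pubkey") != "pubkey":
        problems.append("rightauth must be pubkey (server certificate)")
    if not opts.get("rightid"):
        problems.append("rightid missing: server identity is not pinned")
    if opts.get("keyexchange") != "ikev2":
        problems.append("EAP requires keyexchange=ikev2")
    if not opts.get("eap_identity"):
        problems.append("eap_identity missing: responder cannot map the user")
    return problems


if __name__ == "__main__":
    print(render_ipsec_conf("vpn1",
                            "/etc/vuci-uploads/cbid.ipsec.vpn1.cacertMyCA.crt",
                            "vpnext1", CLIENT_OPTIONS))
    # Constructed placeholder password; a real one belongs in ipsec.secrets
    # with owner-only permissions, never in the config file.
    print(render_ipsec_secrets("my_rut950", "PLACEHOLDER_PASSWORD"), end="")
    print("problems:", check_eap_conn(CLIENT_OPTIONS))
```

Run it as-is to see the rendered ipsec.conf and the EAP secrets line; feed parse_custom_option() the strings the router GUI rejects ("leftauth=eap-mschapv2", "eap_identity=my_rut950") to confirm they are well-formed under these rules.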