
Hello,

I've been trying to set up a connection from an RUT950 router to a remote IPsec responder (StrongSwan on a Linux server), in a "road-warrior" configuration:

  • server/responder authenticated with a server certificate,
  • client (RUT950) authenticated with username/password (EAP-MSCHAPV2)

It's a configuration I've managed to run on traditional Linux StrongSwan clients using something like this:

ca vpn1
    cacert=/etc/vuci-uploads/cbid.ipsec.vpn1.cacertMyCA.crt
    auto=add

conn vpnext1
    keyexchange=ikev2
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftsendcert=never
    leftid=my_rut950
    eap_identity=my_rut950
    right=myvpnserver.example.com
    rightid=myvpnserver.example.com
    auto=start

It is almost achievable with the IPsec front-end of the RUT950 router (FW: RUT9_R_00.07.02.7), but there are two problems:

  • "Global Secret Settings" gets hidden.
  • We can't set custom options with underscore or hyphens (even though they would be perfectly valid)

Editing the Global Secret Settings (workaround)

Firstly, to achieve this, "ipsec.secrets" needs to be edited. This could be done with the "Global Secret Settings" options (when "Multiple Secrets" is ON), but this is not visible when using "Authentication Method: X.509":

When using X.509 for "rightauth", the "Multiple Secrets" option disappears:

Luckily, if we edit the "Global Secret Settings" with "Pre-shared key" and only then switch to "X.509", the ipsec.secrets file remains, so it can be used.

Custom Options for "leftauth=eap-mschapv2" and "eap_identity=..." (no workaround?)

The required configuration could work if we could set these two options:

    leftauth=eap-mschapv2
    eap_identity=my_rut950

It almost works, but the graphical interface for "Custom option" doesn't let us set options containing "-" or "_".

Would it be possible to relax those validation rules for underscore and hyphens?

Thank you.
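The following is an added example, not code from the original post, from Teltonika or from the strongSwan project. It renders the complete legacy-format (ipsec.conf / ipsec.secrets) configuration for the road-warrior setup described above on both sides: the RUT950 as EAP-MSCHAPv2 initiator, and the Linux strongSwan responder authenticated by its server certificate. It also shows the secrets-file line the "Global Secret Settings" workaround has to carry, and a validator for "Custom option" lines that accepts the hyphen and underscore in "leftauth=eap-mschapv2" and "eap_identity=my_rut950" while still rejecting characters that would let a value spill into a second directive. The identities, the CA path and the responder hostname are taken from the post; the EAP password, the responder's certificate/key paths, the client address pool and the output directory are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): render a strongSwan road-warrior
# configuration in the legacy ipsec.conf / ipsec.secrets format used above.
# Placeholders (assumptions, not from the post): EAP_PASSWORD, the responder's
# cert/key paths, the client pool 10.3.0.0/28 and OUT_DIR.
EAP_PASSWORD="${EAP_PASSWORD:-replace-with-real-password}"
OUT_DIR="${OUT_DIR:-./strongswan-example}"

# Client (RUT950) side: EAP-MSCHAPv2 initiator, no client certificate sent.
# $1 = client identity, $2 = responder FQDN, $3 = CA certificate path
render_client_conf() {
    cat <<EOF
ca vpn1
    cacert=$3
    auto=add

conn vpnext1
    keyexchange=ikev2
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftsendcert=never
    leftid=$1
    eap_identity=$1
    right=$2
    rightid=$2
    rightauth=pubkey
    auto=start
EOF
}

# Client secrets: the one line the "Global Secret Settings" workaround must carry.
# $1 = EAP identity, $2 = EAP password
render_client_secrets() {
    printf '%s : EAP "%s"\n' "$1" "$2"
}

# Responder (Linux strongSwan) side: certificate authentication for itself,
# EAP-MSCHAPv2 for the peer, %identity so the EAP identity is looked up in secrets.
# $1 = responder FQDN, $2 = server certificate path, $3 = pool handed out via %config
render_responder_conf() {
    cat <<EOF
conn rw-eap
    keyexchange=ikev2
    left=%any
    leftcert=$2
    leftid=$1
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=$3
    eap_identity=%identity
    auto=add
EOF
}

# Responder secrets: server private key plus one EAP entry per road warrior.
# $1 = server key path, $2 = EAP identity, $3 = EAP password
render_responder_secrets() {
    printf ': RSA %s\n' "$1"
    printf '%s : EAP "%s"\n' "$2" "$3"
}

# Relaxed "Custom option" validator: key=value where the key may contain
# letters, digits, '_' and '-' (strongSwan keywords such as eap_identity need
# '_'; values such as eap-mschapv2 need '-'), while whitespace, quotes, ';',
# '#' and '=' inside the value stay rejected so a value cannot inject a
# second directive or a comment into ipsec.conf.  Returns 0 when acceptable.
validate_option() {
    case "$1" in *=*) ;; *) return 1 ;; esac
    key=${1%%=*}
    value=${1#*=}
    [ -n "$key" ] && [ -n "$value" ] || return 1
    case "$key" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    case "$value" in *[!A-Za-z0-9_.:@/%,-]*) return 1 ;; esac
    return 0
}

# Write the client-side pair into $1, with ipsec.secrets readable by root only.
write_client_files() {
    mkdir -p "$1"
    render_client_conf my_rut950 myvpnserver.example.com \
        /etc/vuci-uploads/cbid.ipsec.vpn1.cacertMyCA.crt > "$1/ipsec.conf"
    render_client_secrets my_rut950 "$EAP_PASSWORD" > "$1/ipsec.secrets"
    chmod 600 "$1/ipsec.secrets"
}

if [ "${1:-}" = "--write" ]; then
    write_client_files "$OUT_DIR"
fi
```

Run with "--write" to produce the client pair under OUT_DIR; "rightauth=pubkey" on the client and "rightsendcert=never" on the responder are the two settings that pin the asymmetric authentication the post describes (certificate one way, EAP the other). The validator is deliberately a whitelist of characters rather than a blacklist, which is the usual way to relax a rule like the router's without reopening the injection case the strict rule was presumably guarding against.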

1 Answer

Hello,

Thank you for contacting us.

I will forward your issues and observations to the development team.

Best regards,