I’m currently experimenting with VPN-tunnels on IPFire, at the moment I’m whith IPSec, OpenVPN will follow.
My setup is an IPFire Mini Appliance (latest core) behind a FritzBox Cable. Configuration here is port-forwarding to the IPFire and routing to the subnets, so no double-nat involved.
I tried setting up a RoadWarrior-Connection. The installation on IPFire was not that big of a problem (followed the wiki with PSK for the sake of testing) but is a little bit confusing when I try to configure the client on the mobile phone.
I have an Android 9 and the only valuable options, which are shown in the VPN-menu, are L2TP/IPSec PSK, L2TP/IPec RSA, IPSec Xauth PSK, IPSec Xauth RSA and IPSec Hybdrid RSA.
I cannot or to be accurate do not want to install 3rd-party software (at least not now) on the phone.
So my first question: Is it even possible to establish a connection with this conditions on the mobile phone? I could not find any information about if IPFire even supports IPSec/L2TP or IPSec/Xauth…
Second question: Maybe I’m just stupid but if IPFire supports these tunnel-types, what do you have to enter for “Username” and “Password” on the mobile? When creating IPSec-Connection on FritzBox for example, it is obviously the credentials for the respective user but what is it with IPFIre? The credentials for the admin? I’m reaaally confuzzled.
Observation: I fiddled around with different configurations on the mobile phone and I can see, that it tries to connect to IPFire but IPFire refuses the connection because of “missing IKE configuration”.
You need to have the connections that start with IKEv2. The IPSec Xauth PSK connection is an IKEv1 type of connection and as far as I am aware not recommended because the security capability is weak now.
My phone is an Android 11 and it has
IKEv2/IPSec PSK
IKEv2/IPSec RSA
IKEv2/IPSec MSCHAPv2
as native options.
If your Andoid 9 phone won’t update to 10 or 11 then you have no alternative but to get a third party app because the android version you have doesn’t support the required connection.
I haven’t used IPSec so far but if you go to the Advanced Settings page then there is a line named Key Exchange in the wiki with a drop down box which is labelled IKEv2
If you select that on your IPFire what options do you see for the Key Exchange as alternatives for IKEv2
EDIT:
Just looked through the code for the IPSec WUI page and it has IKEv2 or IKEv1 so if you select IKEv1 in the Key Exchange then the cipher suite box below will end up with a different set of ciphers which might be able to work with your IPSec Xauth PSK or IPSec Xauth RSA options
thank you veeery much! I did not notice that there was a drop-down-menu for the key-exchange.
The big table with Encryption, Integrity and Grouptyp looks a bit overwhelming, so I guess I have to do some more reading to figure out the best combination of compatibility and security.
But anyway, your hint was definitely the right direction! I guess I won’t be able to do some testing before monday but I will keep you posted as soon as I have some results.
Thank you very much again and have a nice weekend!
Yes, it can look overwhelming. If you are not sure then the best choice is the entry that is already highlighted when you enter the page for the first time. That is the default chosen by the IPFire developers as the best security option. In most cases you don’t need to change anything on the Advanced Options tab unless there is some other limitation.
In your case your android phone doesn’t allow IKEv2 which is the default Key Exchange selected by default.
As a good first starting point you can use the default options highlighted when you select IKEv1 and see how that works.
In terms of potential to be able to use IKEv2 on your android phone, the Strongswan app would probably make a good option as it is the android version of what is used by IPFire for it’s IPSec server software.
The only thing I am not sure about is if it works with Android 9 or not but if you try and install it, there should be some message if it is incompatible with your android version.
Good luck with your setup and if you need any more help there are definitely people on the forum who are using IPSec and will be able to help.
EDIT:
Just checked the app specs and it works with Android 5.0 upwards so should work with your phone and will give you the secure IKEv2. I would recommend using that app rather than the insecure Android 9.0 internal IKEv1 option.
I don’t know what to type in for “username” and “password” in the mobile phone. Does anyone know, if there are some kind of “IPSec Users” to configure in the IPFire or is it just the WebLogin for the admin? I noticed that you can configure “LocalID” und “RemoteID” but there is no field to chose a password.
Looking at the log, IPFire provided a very large range of cipher options but it looks like none of them matched to what the android phone was willing to accept.
I am running out of knowledge to help now as I have not done anything myself with IPSec yet. I am currently using OpenVPN although I do intend to also set up some IPSec road warrior connections.
just wanted to share my results and I guess I’m overshooting the mark right now.
Adolf’s mention of the cipher-options was the right thing to point me in the right direction, again! I compared the requestet cipher options of the mobile phone to the ones that are configured in IPFire and I matched them. I had to use and old “broken” grouptype because of the phones request, but because it is just for testing and learning, I’m ok with that.
So this is “fixed” now.
Next “error” was, that aggressive-mode is not activated in IPFire due to security reasons. I did some research and activated it in the strongswan.conf (again: please no judgement, it is NOT for active use, just for testing and learning), so now this also works.
Last error-message now is “no peer config found”, which I guess is due to no matching username and password because I cannot find a way to set a “VPN-User” in IPFire. I did some resarch again and found out that you can set “username” and “passwords” along with an auth-method in the ipsec.secrets file, where right now only the PSK is stored but the additional credentials will be overwritten when you restart the service.
So I guess, because I cannot seem to figure out, how to set a “VPN-User” in IPFire and therefore have no credentials to punch in on the client-side, I give up.
@bonnietwin Thank you very much for your help! I marked your posting with the mention of the StrongswanApp as the solution because I think it’s the most useful to everyone who might stumble across this thread.
I compared the requestet cipher options of the mobile phone to the ones that are configured in IPFire and I matched them. I had to use and old “broken” grouptype because of the phones request, but because it is just for testing and learning, I’m ok with that.