Community Forum

Resolved
0 votes
Hi. I am attempting to move away from PPTP to a different option. I wanted to try and use IPSec. My question is how to connect something with a dynamic IP, like a mobile phone, to ClearOS? I did get the business version of swanipsec from the marketplace. I don't see a 'mobile-to-site' connection available.

Is there an instruction set in 'plain speak' that describes how IPSec can be configured to handle multiple mobile device connections? I searched the forums, and I did not find anything on this. So either it is super simple (and my noob is coming through), or it is not the solution, or maybe everyone that had the question is waiting for someone else to ask. :)
In VPN
Thursday, February 16 2017, 04:49 AM
Responses (3)
  • Accepted Answer

    Saturday, February 18 2017, 08:50 AM - #Permalink
    Resolved
    0 votes
    Andreja Djokovic wrote:
    So let's say I do embrace the OpenVPN app, my question about OpenVPN on ClearOS is that ClearOS provides three certificates - Windows, Linux and Mac. Which of these should be used for Android and iOS? If one of those works, that would help. And if I can leverage just certificates, that would be great. You mention commenting out a line in .ovpn - is that auth-user-pass? Also, which line in clients.conf? :)

    Thanks!
    That is not quite right. The ClearOS app provides three certificates/keys and a pk12 file which also contains all three. I don't think I've ever needed the pk12 file but you need all three individual files. It also provides two configuration files, Windoze and Linux (the rest). In Windoze use the Windoze file and use the Linux one for all other o/s's. From memory there is only one line difference between them.

    To remove user/pass authentication, comment out the auth-user-pass line in the .ovpn file and similarly comment out the "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn" line in /etc/clients.conf. While you are in clients.conf, also add the line "reneg-bytes 64000". This is because of a relatively recently discovered security flaw which does not get fixed until client and server software is upgraded to v2.4 of OpenVPN. I suspect it will be a while before RHEL adopts this version for the server and I've no idea about the client status. If you remove user/pass authentication, in Windoze you can enable the OpenVPN service and it will automatically connect when the PC starts without any user intervention. This is great for my elderly mother and mother-in-law as it always means I have remote access to give help via VNC.

    In terms of clients, on Android I use the OpenVPN Connect app which claims to be the official app and it is simple to use. I can't remember what I use on iOS. I'll have to check.
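As an added example (not code from this thread, from ClearOS or from the OpenVPN project), a small Python audit that applies the two edits Nick describes to a constructed clients.conf and .ovpn pair: it comments out password authentication so only certificates remain, appends the reneg-bytes line where it is missing, and flags 64-bit block ciphers such as BF-CBC, the pre-2.4 OpenVPN default that the reneg-bytes workaround exists for (the SWEET32 birthday-attack issue). The sample file contents, the hostname and the paths are assumptions.

```python
# Constructed samples (assumptions), shaped like ClearOS's clients.conf and a client .ovpn.
SERVER_CONF = """\
port 1194
proto udp
dev tun
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
cipher BF-CBC
keepalive 10 120
"""
CLIENT_OVPN = """\
client
dev tun
remote vpn.example.net 1194
auth-user-pass
cipher BF-CBC
"""

# 64-bit block ciphers (Blowfish, DES/3DES, CAST5); BF-CBC was the pre-2.4 default.
SIXTY_FOUR_BIT_BLOCK = ("BF-", "DES-", "CAST5-")


def audit_openvpn_conf(text, reneg_bytes=64000):
    """Return (findings, rewritten config) for a server .conf or client .ovpn.

    Comments out password authentication (client 'auth-user-pass', server
    PAM plugin line) so only certificates remain, flags 64-bit block ciphers,
    and appends 'reneg-bytes' when the file has none.
    """
    findings, out, has_reneg = [], [], False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(("#", ";")):
            out.append(line)          # blank line or comment: keep as-is
            continue
        key = tokens[0]
        if key == "auth-user-pass" or (key == "plugin" and "openvpn-auth-pam" in line):
            findings.append("password-auth:" + key)
            out.append("# " + line + "  # disabled: certificate-only auth")
            continue
        if key == "cipher" and len(tokens) > 1 and tokens[1].upper().startswith(SIXTY_FOUR_BIT_BLOCK):
            findings.append("64-bit-block-cipher:" + tokens[1])
        if key == "reneg-bytes":
            has_reneg = True
        out.append(line)
    if not has_reneg:
        findings.append("added:reneg-bytes")
        out.append(f"reneg-bytes {reneg_bytes}")
    return findings, "\n".join(out) + "\n"
```

Running the audit a second time over its own output reports only the cipher, since the commented-out lines and the appended reneg-bytes line are now in place.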
  • Accepted Answer

    Friday, February 17 2017, 10:35 PM - #Permalink
    Resolved
    0 votes
    Thanks again Nick.

    The reason why I am looking at IPsec is that it is 'defined' in the OS on iOS. Both iOS and Mac got rid of PPTP with their major firmware update. And since I would like to avoid shoddy OpenVPN clients on mobile devices (i.e. iOS) into which I have no code/quality insight (and with some uneducated paranoia that de facto you are trusting some random app), that left me feeling less safe than PPTP.

    Without starting a debate <please nobody do it on this thread> on whether that should have been a company choice (small business) vs platform (eg Apple) responsibility <there can be a whole religiously flaming thread there>, I am left with a choice between IPsec and OpenVPN.

    I am not in the position of trailblazing just yet, if I don't have to. I am trailblazing enough just wrapping my head around setting up a decently functional server.

    So let's say I do embrace the OpenVPN app, my question about OpenVPN on ClearOS is that ClearOS provides three certificates - Windows, Linux and Mac. Which of these should be used for Android and iOS? If one of those works, that would help. And if I can leverage just certificates, that would be great. You mention commenting out a line in .ovpn - is that auth-user-pass? Also, which line in clients.conf? :)

    Thanks!
  • Accepted Answer

    Thursday, February 16 2017, 01:16 PM - #Permalink
    Resolved
    0 votes
    The Static IPsec apps were never written with mobile devices in mind so you'd be a bit of a trail-blazer. If you don't want to trail-blaze, OpenVPN would be a better solution. I have it working from Windoze PCs, a Raspberry Pi, Android and iOS (iPad) and it is simple (the Pi was the hardest).

    If you want to use IPsec, IKEv2 may be a better way to go but you'd need to configure everything manually.

    If you want to use the app interface then I don't know which features your mobile o/s supports. In the webconfig you may be able to set the remote gateway to %any and not set the remote subnet. Similarly for the PSK the remote entry must be %any. For multiple devices you would need multiple conns, but they would all have to share the same PSK.

    If the above does not work, try flipping the mode to Aggressive mode. In aggressive mode you can use a Remote ID for the PSK and in the conn, but you need to specify both the phase 1 and phase 2 algorithms as they don't automatically negotiate.

    IPsec would allow you to connect in these modes without a password. The same can be achieved in OpenVPN just by commenting out one line in the .ovpn file and one line in the clients.conf, so security just relies on certificates.