I need to connect a bunch of RUTX with dynamic IPs (sometimes even behind NAT) to an OpnSense gateway with fixed IP.
(dyn.) DNS/URL can’t be used for several reasons.
For authentication I use CA, certificates and private key, which were generated on the OpnSense appliance.
Luckily OpnSense also uses StrongSwan in the same version as Teltonika, so in general my setup works when choosing the "X.509" auth method on the Teltonika side.
But my problem is that it works only in one particular configuration: on OpnSense I must use the older, "deprecated" IPsec "tunnel settings" method, and I have to choose "peer IP address" as the (Teltonika client's) identifier, which results in "%any" as the identifier, as I can see in the status logs.
So in my understanding there is no additional security check any more, only owning the certificates and key.
Is there some more secure method available?
Unfortunately I can't find any documentation from Teltonika that explains the available auth methods "X.509", "PKCS#12" and "EAP" in more detail. Can you help me?
Especially, will "EAP" result in the use of EAP-TLS, EAP-MSCHAPv2 or ...?
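The point raised above (an identifier of "%any" means the gateway accepts any certificate that chains to the CA, with no check on who the peer claims to be) can be expressed directly in strongSwan's swanctl.conf, the configuration that OpnSense and RutOS generate under the hood. The fragment below is an added example, not configuration from the thread, from Teltonika or from OpnSense: it shows the responder side of a pubkey (certificate) IKEv2 connection with the weak "accept any peer" setting next to a tighter one that only accepts identities matching a DN pattern. With pubkey authentication strongSwan also requires the identity a peer asserts to appear in that peer's certificate (subject DN or subjectAltName), so the pattern below restricts which certificates under the CA are usable. All addresses, DNs, file names and traffic selectors are assumptions chosen for the example.

```conf
# Added example (not from the thread, Teltonika or OpnSense).
# Responder-side swanctl.conf for a fleet of dynamic-IP / NATed clients
# authenticating with certificates issued by one CA.
# Addresses, DNs and file names below are assumed placeholders.
connections {
    rutx-fleet {
        version      = 2
        local_addrs  = 203.0.113.10     # fixed gateway address (assumed)
        remote_addrs = %any             # clients have dynamic IPs, may be behind NAT
        local {
            auth  = pubkey
            certs = gateway.pem         # gateway certificate (assumed file name)
            id    = "C=DE, O=Example, CN=vpn.example.test"
        }
        remote {
            auth    = pubkey
            cacerts = fleet-ca.pem      # CA that issued the client certificates
            revocation = strict         # reject peers whose revocation status is unknown

            # Weak variant, equivalent to choosing "peer IP address" in the GUI:
            #   id = %any
            # accepts every certificate that chains to fleet-ca.pem, whatever
            # name it carries.

            # Tighter variant: only peers whose asserted (and certificate-backed)
            # identity matches this DN pattern are accepted. "*" is strongSwan's
            # wildcard for one RDN value, so each device still needs its own CN.
            id = "C=DE, O=Example, OU=RUTX, CN=*"
        }
        children {
            fleet {
                local_ts  = 10.0.0.0/8      # assumed internal network behind the gateway
                remote_ts = 192.168.0.0/16  # assumed device-side LANs
                start_action = none         # responder waits for the devices to initiate
            }
        }
    }
}
```

On the client side the matching settings are `local.id` set to the device certificate's DN and `remote.id` set to the gateway's DN, so that the device likewise refuses a gateway certificate that merely chains to the CA. To check what a running daemon actually accepted, `swanctl --list-sas` shows the authenticated remote identity per IKE_SA; if it reads as anything but the device's own DN, the identity constraint is not in effect.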
Unfortunately the “how to” doesn’t really help me.
Can you give me some info, please, on which StrongSwan auth mechanisms will technically be used by the RUTX depending on the selected auth mechanism ("X.509", "PKCS#12", "EAP")?
I think I found out that "EAP" may activate "EAP-Identity" or "EAP-MSCHAPv2"?
(Using PuTTY and the command swanctl --stats showed these StrongSwan plugins being activated. Am I right?)
What will "X.509" and "PKCS#12" result in?
Optimally I should be able to use "EAP-TLS", as this seems to be the superior protocol?
But unfortunately this StrongSwan plugin doesn't seem to be activated in the RUTX firmware. (How) can this be activated with some configuration hack? Or does this have to be activated while compiling the RUTX firmware?
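The check described above (reading the plugin list from `swanctl --stats` to see which authentication methods the firmware can actually offer) is easy to script so it can be run across many devices. The script below is an added example, not code from the thread or from Teltonika. It parses the "loaded plugins:" line that `swanctl --stats` prints and reports the plugins relevant to this thread. `SAMPLE_STATS` is a constructed sample that imitates the situation the post describes (eap-identity and eap-mschapv2 loaded, eap-tls absent); it is not a capture from a real RUTX.

```shell
#!/bin/sh
# Added example (not from the thread or from Teltonika): report which
# authentication-related strongSwan plugins a charon instance has loaded,
# based on the "loaded plugins:" line printed by `swanctl --stats`.

# Constructed sample of `swanctl --stats` output, not a real device capture.
# It mirrors what the post describes: eap-identity and eap-mschapv2 present,
# eap-tls missing.
SAMPLE_STATS='uptime: 12 minutes, since Jan 01 10:00:00 2024
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 2
IKE_SAs: 1 total, 0 half-open
loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl hmac kernel-netlink socket-default eap-identity eap-mschapv2 vici'

# loaded_plugins: read stats text on stdin, print the space-separated plugin list.
loaded_plugins() {
    sed -n 's/^loaded plugins: *//p'
}

# has_plugin NAME: exit 0 if NAME appears as a whole word in the plugin list
# read from stdin, non-zero otherwise (busybox grep supports -q, -x and -F).
has_plugin() {
    loaded_plugins | tr ' ' '\n' | grep -qxF -- "$1"
}

# auth_support: one "plugin loaded|missing" line per plugin of interest.
# x509/pubkey back certificate ("X.509" / "PKCS#12") authentication,
# the eap-* plugins back the respective EAP methods.
auth_support() {
    for p in x509 pubkey eap-identity eap-mschapv2 eap-tls eap-ttls; do
        if printf '%s\n' "$SAMPLE_STATS" | has_plugin "$p"; then
            echo "$p loaded"
        else
            echo "$p missing"
        fi
    done
}

# On a real device, feed the live output instead of the sample, e.g.:
#   swanctl --stats | has_plugin eap-tls && echo "EAP-TLS available"
auth_support
```

Running this over the sample prints x509, pubkey, eap-identity and eap-mschapv2 as loaded and eap-tls and eap-ttls as missing. Note that a loaded plugin only means the method is available to charon; whether the firmware's configuration generator ever selects it is a separate question, which is exactly what the later replies in the thread address.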
I reply to myself with a condensed version of my last question:
Is there a way to activate RutOS StrongSwan's "EAP-TLS" plugin without compiling it ourselves, or can it be added/activated in a new RutOS version?
As we have ~180 Teltonika devices in the field, which ideally should be able to connect to our new OpnSense VPN gateway soon via IPsec IKEv2 with EAP-TLS + certificate authentication (which seems to be one of the most secure methods, but which doesn't seem to be possible with RutOS right now), can you please either give us a hint on how to enable the StrongSwan EAP-TLS plugin without compiling custom firmware (if possible?), or consider our need as a feature request that EAP-TLS be enabled/supported in future firmware versions?
Thank you for your patience. I have received a response from our developers regarding IPsec authentication:
EAP-MSCHAPv2: Currently, it only works as a responder, so unfortunately, you will not be able to configure RUTOS as an EAP-MSCHAPv2 client to connect to OpnSense.
This will result in a pubkey configuration.
Unfortunately, the eap-tls plugin is not available in RutOS.
Please let me know if you have any further questions.
Is there any chance that IPsec IKEv2 EAP-TLS authentication will be supported in future RutOS versions?
As I understood it, EAP-TLS should be one of the most secure IPsec authentication methods, because the certificate/public key will be exchanged within an already encrypted channel.