linux-system-roles / vpn

Role for managing VPN/IPSec
https://linux-system-roles.github.io/vpn/
MIT License

possibility to connect via IPSec Xauth PSK #69

Closed dberardo-com closed 1 month ago

dberardo-com commented 2 years ago

Fritzbox routers can act as IPsec VPN servers on standard ports, but they require the use of the Xauth PSK protocol since user authentication is needed.

Is it possible to configure the playbook to achieve this?

And also: is it possible to establish a connection between one managed host and an external one, like in this case https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/assembly_configuring-vpn-connections-with-ipsec-by-using-the-rhel-vpn-system-role_securing-networks:

Optional: Configure connections from managed hosts to external hosts that are not listed in the inventory file by adding the following section to the vpn_connections list of hosts:

    vpn_connections:
      - hosts:
          managed_node1:
          managed_node2:   # this node would go away
          external_node:
            hostname: 192.0.2.2

richm commented 2 years ago

Not sure about Xauth - @badnetmask or @ueno do you know?

As far as managed host to external one - I believe the recent commit https://github.com/linux-system-roles/vpn/commit/c80969df871dbc83a7acd307523db89d30e62aa6 allows this - can you use the role from github, or would you prefer a Galaxy release?

badnetmask commented 2 years ago

Xauth requires IKEv1, which has been deprecated since RHEL 8 has been released, as well as SHA1 which has been deactivated in the RHEL 9 default crypto policy, so adding support for this feature would require jumping through hoops and loops.

As to the case of managed/external hosts, yes, it sounds like what you want has already been implemented by #65 (merged into the main branch, just not released as a package yet).

dberardo-com commented 1 year ago

Xauth requires IKEv1, which has been deprecated since RHEL 8 has been released, as well as SHA1 which has been deactivated in the RHEL 9 default crypto policy, so adding support for this feature would require jumping through hoops and loops.

Alright then, I think that to connect to "old-school" routers I might implement my own new role using the "vpnc" provider, as they mention here too: https://serverfault.com/questions/162603/how-to-connect-to-a-ipsec-vpn-with-preshared-key-and-xauth-from-linux

As to the case of managed/external hosts, yes, it sounds like what you want has already been implemented by https://github.com/linux-system-roles/vpn/pull/65 (merged into the main branch, just not released as a package yet).

I will have a look. Is there any sign of this in any of the READMEs? If so, could you provide a reference?

richm commented 1 year ago

Xauth requires IKEv1, which has been deprecated since RHEL 8 has been released, as well as SHA1 which has been deactivated in the RHEL 9 default crypto policy, so adding support for this feature would require jumping through hoops and loops.

Alright then, I think that to connect to "old-school" routers I might implement my own new role using the "vpnc" provider, as they mention here too: https://serverfault.com/questions/162603/how-to-connect-to-a-ipsec-vpn-with-preshared-key-and-xauth-from-linux

Hmm - the vpn role does support RHEL7 (https://github.com/linux-system-roles/vpn/blob/master/meta/main.yml#L15). How hard would it be to modify this vpn role to support Xauth/IKEv1? Sounds like you would have to change the crypto policy, but we have a system role for that - https://github.com/linux-system-roles/crypto_policies - the vpn role could call the crypto_policies role in that case.

As to the case of managed/external hosts, yes, it sounds like what you want has already been implemented by #65 (merged into the main branch, just not released as a package yet).

I will have a look. Is there any sign of this in any of the READMEs? If so, could you provide a reference?

https://github.com/linux-system-roles/vpn#host-to-managed-host-remote-is-an-appliance-or-not-managed-via-ansible
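The managed-host-to-external-host case that README section describes, as an added example playbook that is not from the issue or the role's own documentation. The `fedora.linux_system_roles.vpn` collection name, the `auth_method` and `shared_key_content` options and the `ipsec status` check are assumptions here; `192.0.2.2` is the documentation address used in the question above.

```yaml
# Added example (not from the issue or the role's README): managed_node1
# builds an IPsec tunnel to an appliance that is not in the inventory.
# Only the managed side is configured by Ansible; the appliance must be
# set up separately with the same pre-shared key and peer identity.
- name: Configure a tunnel from a managed host to an external appliance
  hosts: managed_node1
  vars:
    vpn_connections:
      - auth_method: psk                 # assumed role option: pre-shared key
        # Assumed option: supply the key from a vault variable. A role-generated
        # random PSK cannot reach the appliance, so it must be provided here.
        shared_key_content: "{{ vault_appliance_psk }}"
        hosts:
          managed_node1:
          external_node:
            hostname: 192.0.2.2          # appliance address from the question
  roles:
    - fedora.linux_system_roles.vpn      # assumed collection/role name
  post_tasks:
    # Check that the tunnel actually came up; 'ipsec status' is libreswan's
    # status command and reports established SAs for each connection.
    - name: Collect IPsec status
      ansible.builtin.command: ipsec status
      register: ipsec_status
      changed_when: false
    - name: Fail if no SA to the appliance is reported as established
      ansible.builtin.assert:
        that:
          - "'192.0.2.2' in ipsec_status.stdout"
          - "'established' in ipsec_status.stdout | lower"
        fail_msg: "No established IPsec SA to 192.0.2.2 found in 'ipsec status' output"
```

The appliance side has to be configured by hand with the same PSK, so keep the key in Ansible Vault rather than in the playbook or inventory.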