
IPsec PSK with XAuth authentication

Warning

Using this method with aggressive mode (ipsecIdentifier not empty) is discouraged; see the strongSwan documentation.

This article describes the configuration of a road warrior scenario in which a D-200 phone connects to a COMmander 6000 through a strongSwan VPN server.

The strongSwan configuration is based on the following document. In our example, the D-200 is located in the 192.168.1.0/24 subnet and the PBX in the 192.168.21.0/24 subnet. The strongSwan server uses the IP address 192.168.1.239.

Info

After configuring your VPN tunnel, you need to specify the interfaceType in your identity configuration.

ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # the D-200 uses IKEv1 (XAuth is an IKEv1 extension)
        keyexchange=ikev1

conn rw
        # address and IKE identity of the strongSwan server
        left=192.168.1.239
        leftid=@192.168.1.239
        # subnet behind the server (PBX side) that is reachable through the tunnel
        leftsubnet=192.168.21.0/24
        leftauth=psk
        # let strongSwan insert the firewall rules for tunnel traffic
        leftfirewall=yes
        # road warrior: accept the phone from any address
        right=%any
        # the phone authenticates with the PSK first, then with the XAuth username/password
        rightauth=psk
        rightauth2=xauth
        # virtual IP pool assigned to the phone
        rightsourceip=192.168.1.0/24
        # load the connection and wait for the phone to initiate
        auto=add
        # IKE proposal: AES-256, SHA-384, 1024-bit DH group (modp1024)
        ike="aes256-sha384-modp1024"
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# pre-shared key used by the server (192.168.1.239) with any peer (%any);
# must match ipsecSecret in the phone's VPN configuration
192.168.1.239 %any : PSK "superSecretPreSharedKey"

# XAuth credentials of the phone; must match username/password in the phone's VPN configuration
theUserName  : XAUTH "secretXauthPassword"

Troubleshooting: make sure that IP forwarding is enabled on the server. If NAT is used, the phone needs a STUN server to set up the RTP connection correctly.

configurationXauthPSK.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <network>
        <vpn>
            <active>true</active>
            <vpnType>IpsecXauthPSK</vpnType>
            <name>VPN name</name>
            <server>192.168.21.100</server>
            <!-- XAuth credentials; must match the XAUTH entry in /etc/ipsec.secrets -->
            <username>theUserName</username>
            <password>secretXauthPassword</password>
            <routes>192.168.21.0/24</routes>
            <dnsServers>192.168.21.44</dnsServers>
            <searchDomains></searchDomains>
            <!-- ipsecIdentifier has to be empty: aggressive mode is used when it is filled in
                 (certain servers, e.g. strongSwan, do not allow aggressive mode clients) -->
            <ipsecIdentifier></ipsecIdentifier>
            <!-- must match the PSK line in /etc/ipsec.secrets -->
            <ipsecSecret>superSecretPreSharedKey</ipsecSecret>
        </vpn>
    </network>
    <identities>
        <identity>
            <active>true</active>
            <displayname>COMmander 6000</displayname>
            <username>70</username>
            <host>192.168.1.239</host>
            <password>AccountPassword</password>
            <frameSize>20</frameSize>
            <audiocodecs>
                <audiocodec>G.722</audiocodec>
                <audiocodec>G.711</audiocodec>
            </audiocodecs>
            <clir>displayAnonymous</clir>
            <localmoh>false</localmoh>
            <secureConnection>false</secureConnection>
            <srtp>disabled</srtp>
            <ipVersion>IpV4</ipVersion>
            <checkHostname>true</checkHostname>
            <pickupCode>##06</pickupCode>
            <!-- register this identity through the VPN tunnel only -->
            <interfaceType>vpn</interfaceType>
        </identity>
        <identity>
            <active>false</active>
        </identity>
        <identity>
            <active>false</active>
        </identity>
        <identity>
            <active>false</active>
        </identity>
        <identity>
            <active>false</active>
        </identity>
        <identity>
            <active>false</active>
        </identity>
    </identities>
</configuration>

The identity sets the interfaceType to vpn, so its registration is performed only after the tunnel has been established.
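As an added example that is not part of this article or of the phone vendor's tooling, the following Python script cross-checks a phone profile against the strongSwan files described above: the PSK and the XAuth credentials must exist in ipsec.secrets, ipsecIdentifier must be empty so the phone does not fall back to aggressive mode, and every pushed route must lie inside leftsubnet. The file contents are constructed inline from the values on this page, and the ipsec.secrets grammar it parses is a deliberately minimal assumption (PSK and XAUTH lines only).

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed inputs built from the article's values (nothing is read from disk).
PHONE_XML = """<configuration><network><vpn>
<vpnType>IpsecXauthPSK</vpnType><username>theUserName</username>
<password>secretXauthPassword</password><routes>192.168.21.0/24</routes>
<ipsecIdentifier></ipsecIdentifier><ipsecSecret>superSecretPreSharedKey</ipsecSecret>
</vpn></network></configuration>"""
IPSEC_SECRETS = """# constructed copy of /etc/ipsec.secrets
192.168.1.239 %any : PSK "superSecretPreSharedKey"
theUserName  : XAUTH "secretXauthPassword"
"""
LEFTSUBNET = "192.168.21.0/24"  # leftsubnet of conn rw in ipsec.conf

# selector(s) : PSK|XAUTH "secret"  (assumed minimal grammar; RSA/EAP lines are ignored)
SECRET_LINE = re.compile(r'^(?P<ids>[^:#]*):\s*(?P<kind>PSK|XAUTH)\s+"(?P<secret>[^"]*)"')


def parse_secrets(text):
    """Map each PSK/XAUTH entry to its secret, keyed by kind and selector tuple."""
    entries = {"PSK": {}, "XAUTH": {}}
    for line in text.splitlines():
        m = SECRET_LINE.match(line.strip())
        if m:
            entries[m["kind"]][tuple(m["ids"].split())] = m["secret"]
    return entries


def check_phone_config(xml_text, secrets_text, leftsubnet):
    """Return the list of mismatches between the phone profile and the server files."""
    vpn = ET.fromstring(xml_text).find("network/vpn")
    get = lambda tag: (vpn.findtext(tag) or "").strip()
    secrets = parse_secrets(secrets_text)
    problems = []
    if get("ipsecIdentifier"):  # a non-empty identifier switches the phone to aggressive mode
        problems.append("ipsecIdentifier set: aggressive mode, which this strongSwan setup rejects")
    if get("ipsecSecret") not in secrets["PSK"].values():
        problems.append("ipsecSecret matches no PSK line in ipsec.secrets")
    if secrets["XAUTH"].get((get("username"),)) != get("password"):
        problems.append("XAuth username/password not found in ipsec.secrets")
    net = ipaddress.ip_network(leftsubnet)
    for route in get("routes").split():  # every pushed route must lie inside leftsubnet
        if not ipaddress.ip_network(route).subnet_of(net):
            problems.append(f"route {route} is outside leftsubnet {leftsubnet}")
    return problems


if __name__ == "__main__":
    print(check_phone_config(PHONE_XML, IPSEC_SECRETS, LEFTSUBNET) or "phone profile matches server")
```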