rewrite IPsec remote access documentation (#72)

source/manual/how-tos/ipsec-rw-android.rst

@@ -0,0 +1,88 @@
+==================================
+IPsec: Setup Android Remote Access
+==================================
+
+.. contents:: Index
+
+Here you can see the configuration options for all compatible VPN types.
+We assume that you are familiar with adding a new VPN connection.
+
+All screenshot were taken from Android version 7.
+
+----------------------------
+Step 1 - Install Certificate
+----------------------------
+
+For all RSA or IKEv2 related VPN configurations we need to install the Root CA and sometimes also
+the client certificate. Please export it do your device in a secure way like with an USB stick or a
+local file exchange service like Nextcloud. Under settings search for "cert" and you will be prompted for 
+**Install certificates**. Navigate to the download directory and install the Root CA and - when configured - 
+the client certificate.
+
+---------------------------
+Step 2 - Add VPN Connection
+---------------------------
+
+Add a new VPN connection via **Settings->More->VPN**, enter a **Name** and choose the type you need.
+Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
+CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
+or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.
+
+If you want to use IKEv2 you have to use the strongSwan app_ via App Store, as Android stock VPN only 
+supports IKEv1.
+
+.. _app: https://play.google.com/store/apps/details?id=org.strongswan.android
+
+See the following screenshots for the different VPN types:
+
+------------------
+Mutual PSK + XAuth
+------------------
+
+.. image:: images/ipsec_rw_android_mutualpsk1.png
+   :width: 60%
+   
+.. image:: images/ipsec_rw_android_mutualpsk2.png
+   :width: 60%
+   
+------------------
+Mutual RSA + XAuth
+------------------
+
+.. image:: images/ipsec_rw_android_mutualrsa1.png
+   :width: 60%
+   
+.. image:: images/ipsec_rw_android_mutualrsa2.png
+   :width: 60%
+
+----------------------------------
+IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
+----------------------------------
+
+.. image:: images/ipsec_rw_android_ikev2-mschap1.png
+   :width: 60%
+   
+.. image:: images/ipsec_rw_android_ikev2-mschap2.png
+   :width: 60%
+   
+.. image:: images/ipsec_rw_android_ikev2-mschap3.png
+   :width: 60%
+
+---------------
+IKEv2 + EAP-TLS
+---------------
+
+For EAP-TLS choose RSA (local)+ EAP-TLS (remote) in your OPNsense configuration.
+
+.. image:: images/ipsec_rw_android_ikev2-cert.png
+   :width: 60%
+   
+---------------------------------
+IKEv2 + Mutual RSA + EAP-MSCHAPv2
+---------------------------------
+
+This is the most secure combination!
+
+.. image:: images/ipsec_rw_android_ikev2-certeap.png
+   :width: 60%
+   

source/manual/how-tos/ipsec-rw-linux.rst

@@ -0,0 +1,38 @@
+================================
+IPsec: Setup Linux Remote Access
+================================
+
+.. contents:: Index
+
+Here you can see the configuration options for all compatible VPN types.
+We assume that you are familiar with adding a new VPN connection.
+
+The tests were done with Ubuntu 18.04 and network-manager-stronswan installed, Ubuntu only supports
+OpenVPN and PPTP with the default install.
+
+It can be installed using the following command on the command line:
+
+.. code-block:: sh
+
+    apt install network-manager-stronswan
+
+----------------------------
+Step 1 - Download Certificte
+----------------------------
+
+Download the Root CA from the OPNsense Firewall since it is needed for all EAP types with IKEv2.
+
+---------------------------
+Step 2 - Add VPN Connection
+---------------------------
+
+Open the network manager and add a new VPN connction. Choose **IPSec/IKEv2**, enter a **Name** and set
+the **Address** to the FQDN matching the one of the certificate at your Firewall.
+
+----------------------------------
+IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
+----------------------------------
+
+.. image:: images/ipsec-rw-linux-eapmschap.PNG
+   :width: 60%
+   

source/manual/how-tos/ipsec-rw-srv-eapradius.rst

@@ -0,0 +1,158 @@
+==========================================
+IPsec: Setup OPNsense for IKEv2 EAP-RADIUS
+==========================================
+
+.. contents:: Index
+
+EAP-RADIUS via IKEv2 is nearly the same as EAP-MSCHAPv2, but authentication is done against a Radius instance.
+We assume you have read the first part at 
+:doc:`how-tos/ipsec-rw`
+
+----------------------------
+Step 1 - Create Certificates
+----------------------------
+
+For EAP-RADIUS with IKEv2 you need to create a Root CA and a server certificate for your Firewall. 
+
+Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
+matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
+of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
+This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
+
+If you already have a CA roll out a server certificate and import 
+the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+**System->Trust->Certificates**.
+
+---------------------
+Step 2 - Setup Radius
+---------------------
+
+If you already have a local Radius server, add a new client with the IP address of your Firewall,
+set a shared secret, go to OPNsense UI to **System->Access->Servers** and add a new instance:
+
+============================ ================ ====================================
+ **Descriptive Name**         Name             *Give it a name*
+ **Type**                     Radius           *This is what we want*
+ **Hostname or IP Address**   Radius IP        *Set the IP of your Radius server*
+ **Shared Secret**            s3cureP4ssW0rd   *Choose a secure password*
+============================ ================ ====================================
+
+When you do not have an own Radius instance just use the OPNsense plugin and follow this guide:
+:doc:`how-tos/freeradius`
+
+-----------------------
+Step 3 - Mobile Clients
+-----------------------
+First we will need to setup the mobile clients network and authentication source.
+Go to **VPN->IPsec->Mobile Clients**
+
+For our example will use the following settings:
+
+IKE Extensions
+--------------
+========================== ============== ================================================
+ **Enable**                 checked        *check to enable mobile clients*
+ **User Authentication**    Nothing        *As we use Radius, no need to select anything*
+ **Group Authentication**   none           *Leave on none*
+ **Virtual Address Pool**   10.10.0.0/24   *Enter the IP range for the remote clients*
+========================== ============== ================================================
+
+You can select other options, but we will leave them all unchecked for this example.
+
+**Save** your settings and select **Create Phase1** when it appears.
+Then enter the Mobile Client Phase 1 setting.
+
+-------------------------------
+Step 4 - Phase 1 Mobile Clients
+-------------------------------
+
+Phase 1 General information
+---------------------------
+========================== ============= ==================================================
+ **Connection method**      default       *default is 'Start on traffic'*
+ **Key Exchange version**   V2            *only V2 is supported for EAP-RADIUS*
+ **Internet Protocol**      IPv4
+ **Interface**              WAN           *choose the interface connected to the internet*
+ **Description**            MobileIPsec   *freely chosen description*
+========================== ============= ==================================================
+
+Phase 1 proposal (Authentication)
+---------------------------------
+=========================== ==================== =============================================
+ **Authentication method**   EAP-RADIUS           *This is the method we want here*
+ **My identifier**           Distinguished Name   *Set the FQDN you used within certificate*
+ **My Certificate**          Certificate          *Choose the certificate from dropdown list*
+=========================== ==================== =============================================
+
+Phase 1 proposal (Algorithms)
+-----------------------------
+========================== ================ ============================================
+ **Encryption algorithm**   AES              *For our example we will use AES/256 bits*
+ **Hash algoritm**          SHA1, SHA256     *SHA1 and SHA256 for compatibility*
+ **DH key group**           1024, 2048 bit   *1024 and 2048 bit for compatibility*
+ **Lifetime**               28800 sec        *lifetime before renegotiation*
+========================== ================ ============================================
+
+Advanced Options are fine by default.
+
+**Save** your settings.
+
+-------------------------------
+Step 5 - Phase 2 Mobile Clients
+-------------------------------
+Press the button that says '+ Show 0 Phase-2 entries'
+
+.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
+    :width: 100%
+
+You will see an empty list:
+
+.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
+    :width: 100%
+
+Now press the *+* at the right of this list to add a Phase 2 entry.
+
+General information
+-------------------
+================= =============== =============================
+ **Mode**          Tunnel IPv4     *Select Tunnel mode*
+ **Description**   MobileIPsecP2   *Freely chosen description*
+================= =============== =============================
+
+Local Network
+-------------
+=================== ============ ==============================
+ **Local Network**   LAN subnet   *Route the local LAN subnet*
+=================== ============ ==============================
+
+Phase 2 proposal (SA/Key Exchange)
+----------------------------------
+=========================== ============== ====================================================
+ **Protocol**                ESP            *Choose ESP for encryption*
+ **Encryption algorithms**   AES / 256      *For this example we use AES 256*
+ **Hash algorithms**         SHA1, SHA256   *Same as before, mix SHA1 and SHA256*
+ **PFS Key group**           off            *Most mobile systems do not support PFS in Phase2*
+ **Lifetime**                3600 sec
+=========================== ============== ====================================================
+
+**Save** your settings and **Enable IPsec**, Select:
+
+.. image:: images/ipsec_s2s_vpn_p1a_enable.png
+    :width: 100%
+
+.. Note::
+
+   If you already had IPsec enabled and added Road Warrior setup, it is important to 
+   restart the whole service via services widget in the upper right corner of IPSec pages
+   or via **System->Diagnostics->Services->Strogswan** since applying configuration only
+   reloads it, but a restart also loads the required modules of strongSwan.
+
+------------------------
+Step 6 - Add IPsec Users
+------------------------
+
+Go to your RADIUS management console and start adding users!
+If you are using our FreeRADIUS plugin follow the official guide:
+:doc:`how-tos/freeradius`

source/manual/how-tos/ipsec-rw-srv-eaptls.rst

@@ -0,0 +1,146 @@
+=======================================
+IPsec: Setup OPNsense for IKEv2 EAP-TLS
+=======================================
+
+.. contents:: Index
+
+EAP-TLS via IKEv2 is based on client certificate authentication. 
+Be sure to install the client certificate on your enduser device.
+
+----------------------------
+Step 1 - Create Certificates
+----------------------------
+
+For EAP-TLS with IKEv2 you need to create a Root CA and a server certificate for your Firewall. 
+
+Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
+matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
+of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
+This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
+
+If you already have a CA roll out a server certificate and import 
+the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+**System->Trust->Certificates**.
+
+-----------------------
+Step 2 - Mobile Clients
+-----------------------
+First we will need to setup the mobile clients network and authentication source.
+Go to **VPN->IPsec->Mobile Clients**
+
+For our example we will use the following settings:
+
+IKE Extensions
+--------------
+========================== ================ =============================================
+ **Enable**                 checked          *check to enable mobile clients*
+ **User Authentication**    Local Database   *For the example we use the Local Database*
+ **Group Authentication**   none             *Leave on none*
+ **Virtual Address Pool**   10.10.0.0/24     *Enter the IP range for the remote clients*
+========================== ================ =============================================
+
+You can select other options, but we will leave them all unchecked for this example.
+
+**Save** your settings and select **Create Phase1** when it appears.
+Then enter the Mobile Client Phase 1 setting.
+
+-------------------------------
+Step 3 - Phase 1 Mobile Clients
+-------------------------------
+
+Phase 1 General information
+---------------------------
+========================== ============= ==================================================
+ **Connection method**      default       *default is 'Start on traffic'*
+ **Key Exchange version**   V2            *only V2 is supported for EAP-TLS*
+ **Internet Protocol**      IPv4
+ **Interface**              WAN           *choose the interface connected to the internet*
+ **Description**            MobileIPsec   *freely chosen description*
+========================== ============= ==================================================
+
+Phase 1 proposal (Authentication)
+---------------------------------
+=========================== ==================== =============================================
+ **Authentication method**   EAP-TLS              *This is the method we want here*
+ **My identifier**           Distinguished Name   *Set the FQDN you used within certificate*
+ **My Certificate**          Certificate          *Choose the certificate from dropdown list*
+=========================== ==================== =============================================
+
+.. Note::
+
+   Some clients require RSA as remote like Strongswan Android App. If you encounter problem with 
+   your client devices replace **Authentication method** to **RSA (local) + EAP-TLS (remote)**
+
+Phase 1 proposal (Algorithms)
+-----------------------------
+========================== ================ ============================================
+ **Encryption algorithm**   AES              *For our example we will use AES/256 bits*
+ **Hash algoritm**          SHA1, SHA256     *SHA1 and SHA256 for compatibility*
+ **DH key group**           1024, 2048 bit   *1024 and 2048 bit for compatibility*
+ **Lifetime**               28800 sec        *lifetime before renegotiation*
+========================== ================ ============================================
+
+Advanced Options are fine by default.
+
+**Save** your settings.
+
+-------------------------------
+Step 3 - Phase 2 Mobile Clients
+-------------------------------
+Press the button that says '+ Show 0 Phase-2 entries'
+
+.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
+    :width: 100%
+
+You will see an empty list:
+
+.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
+    :width: 100%
+
+Now press the *+* at the right of this list to add a Phase 2 entry.
+
+General information
+-------------------
+================= =============== =============================
+ **Mode**          Tunnel IPv4     *Select Tunnel mode*
+ **Description**   MobileIPsecP2   *Freely chosen description*
+================= =============== =============================
+
+Local Network
+-------------
+=================== ============ ==============================
+ **Local Network**   LAN subnet   *Route the local LAN subnet*
+=================== ============ ==============================
+
+Phase 2 proposal (SA/Key Exchange)
+----------------------------------
+=========================== ============== ====================================================
+ **Protocol**                ESP            *Choose ESP for encryption*
+ **Encryption algorithms**   AES / 256      *For this example we use AES 256*
+ **Hash algorithms**         SHA1, SHA256   *Same as before, mix SHA1 and SHA256*
+ **PFS Key group**           off            *Most mobile systems do not support PFS in Phase2*
+ **Lifetime**                3600 sec
+=========================== ============== ====================================================
+
+**Save** your settings and **Enable IPsec**, Select:
+
+.. image:: images/ipsec_s2s_vpn_p1a_enable.png
+    :width: 100%
+
+.. Note::
+
+   If you already had IPsec enabled and added Road Warrior setup, it's important to 
+   restart the whole service via services widget in the upper right corner of IPSec pages
+   or via **System->Diagnostics->Services->Strogswan** since applying configuration only
+   reloads it, but a restart also loads the required modules of strongSwan.
+
+------------------------
+Step 4 - Add IPsec Users
+------------------------
+
+Go to **System->Trust->Certificates** and create a new client certificate.
+Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
+the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
+certificate as PKCS12 and export it to your end user device.

source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst

@@ -0,0 +1,175 @@
+===========================================
+IPsec: Setup OPNsense for IKEv1 using XAuth
+===========================================
+
+.. contents:: Index
+
+XAuth was an addition to IKEv1 supporting user authentication credentials additionally to 
+pre-shared keys or certificates. There are three different types supported by OPNsense which
+we will describe here.
+
+Mutual PSK + XAuth: You define a pre-shared key which is the same for every user and after securing
+the channel the user authentication via XAuth comes into play.
+Mutual RSA + XAuth: Instead of using a pre-shared key, every device needs a client certificate to secure 
+the connection plus XAuth for authentication. This is the most secure variant for IKEv1/XAuth but also
+with the most work to do.
+Hybrid RSA + XAuth: Hybrid RSA is the same as Mutual, without the need for a client certificate. Only 
+the server will be authenticated (like using HTTPS) to prevent man-in-the-middle attacks like with 
+Mutual PSK. It is more secure than PSK but does not need the complete roll-out process like with Mutual RSA.
+
+We assume you have read the first part at 
+:doc:`how-tos/ipsec-rw`
+
+----------------------------------------------------
+Step 1 - Create Certificates (only for RSA variants)
+----------------------------------------------------
+
+For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate
+for your Firewall. 
+
+Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
+matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
+of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
+This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
+
+If you already have a CA roll out a server certificate and import 
+the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+**System->Trust->Certificates**.
+
+-----------------------
+Step 2 - Mobile Clients
+-----------------------
+First we will need to setup the mobile clients network and authentication source.
+Go to **VPN->IPsec->Mobile Clients**
+
+For our example will use the following settings:
+
+IKE Extensions
+--------------
+========================== ================ =============================================
+ **Enable**                 checked          *check to enable mobile clients*
+ **User Authentication**    Local Database   *For the example we use the Local Database*
+ **Group Authentication**   none             *Leave on none*
+ **Virtual Address Pool**   10.10.0.0/24     *Enter the IP range for the remote clients*
+========================== ================ =============================================
+
+You can select other options, but we will leave them all unchecked for this example.
+
+**Save** your settings and select **Create Phase1** when it appears.
+Then enter the Mobile Client Phase 1 setting.
+
+-------------------------------
+Step 3 - Phase 1 Mobile Clients
+-------------------------------
+
+Phase 1 General information
+---------------------------
+========================== ============= ==================================================
+ **Connection method**      default       *default is 'Start on traffic'*
+ **Key Exchange version**   V1            *XAuth only works on V1*
+ **Internet Protocol**      IPv4
+ **Interface**              WAN           *choose the interface connected to the internet*
+ **Description**            MobileIPsec   *freely chosen description*
+========================== ============= ==================================================
+
+Phase 1 proposal (Authentication)
+---------------------------------
+=========================== ==================== ==========================================================================
+ **Authentication method**   XAuth                *Choose one of the three available options*
+ **Negotiation mode**        Main Mode            *Use Main Mode here*
+ **My identifier**           Distinguished Name   *Set the FQDN you used within certificate, for PSK use "My IP address"*
+ **Pre-shared Key**          Shared secret        *For Mutual PSK + XAuth use this PSK, otherwise certificate below*
+ **My Certificate**          Certificate          *Choose the certificate from dropdown list, only valid for RSA variants*
+=========================== ==================== ==========================================================================
+
+Phase 1 proposal (Algorithms)
+-----------------------------
+========================== ================ ============================================
+ **Encryption algorithm**   AES              *For our example we will use AES/256 bits*
+ **Hash algoritm**          SHA1, SHA256     *SHA1 and SHA256 for compatibility*
+ **DH key group**           1024, 2048 bit   *1024 and 2048 bit for compatibility*
+ **Lifetime**               28800 sec        *lifetime before renegotiation*
+========================== ================ ============================================
+
+Advanced Options are fine by default.
+
+**Save** your settings.
+
+-------------------------------
+Step 3 - Phase 2 Mobile Clients
+-------------------------------
+Press the button that says '+ Show 0 Phase-2 entries'
+
+.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
+    :width: 100%
+
+You will see an empty list:
+
+.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
+    :width: 100%
+
+Now press the *+* at the right of this list to add a Phase 2 entry.
+
+General information
+-------------------
+================= =============== =============================
+ **Mode**          Tunnel IPv4     *Select Tunnel mode*
+ **Description**   MobileIPsecP2   *Freely chosen description*
+================= =============== =============================
+
+Local Network
+-------------
+=================== ============ ==============================
+ **Local Network**   LAN subnet   *Route the local LAN subnet*
+=================== ============ ==============================
+
+Phase 2 proposal (SA/Key Exchange)
+----------------------------------
+=========================== ============== ====================================================
+ **Protocol**                ESP            *Choose ESP for encryption*
+ **Encryption algorithms**   AES / 256      *For this example we use AES 256*
+ **Hash algorithms**         SHA1, SHA256   *Same as before, mix SHA1 and SHA256*
+ **PFS Key group**           off            *Most mobile systems do not support PFS in Phase2*
+ **Lifetime**                3600 sec
+=========================== ============== ====================================================
+
+**Save** your settings and **Enable IPsec**, Select:
+
+.. image:: images/ipsec_s2s_vpn_p1a_enable.png
+    :width: 100%
+
+.. Note::
+
+   If you already had IPsec enabled and added Road Warrior setup, it is important to 
+   restart the whole service via services widget in the upper right corner of IPSec pages
+   or via **System->Diagnostics->Services->Strogswan** since applying configuration only
+   reloads it, but a restart also loads the required modules of strongSwan.
+
+------------------------
+Step 4 - Add IPsec Users
+------------------------
+
+Go to **System->Access->Users** and press the **+** sign in the lower right corner
+to add a new user.
+
+Enter the following into the form:
+
+=============== ==========
+ **User Name**   expert
+ **Password**    &test!9T
+=============== ==========
+
+**Save** to apply.
+
+------------------------------------------------
+Step 5 - Add client certificate (for Mutual RSA)
+------------------------------------------------
+
+This step is only needed for Mutual RSA + XAuth!
+
+Go to **System->Trust->Certificates** and create a new client certificate.
+Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
+the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
+certificate as PKCS12 and export it to you enduser device.

source/manual/how-tos/ipsec-rw-srv-mschapv2.rst

@@ -0,0 +1,151 @@
+============================================
+IPsec: Setup OPNsense for IKEv2 EAP-MSCHAPv2
+============================================
+
+.. contents:: Index
+
+EAP-MSCHAPv2 via IKEv2 is the most compatible combination.
+We assume you have read the first part at 
+:doc:`how-tos/ipsec-rw`
+
+----------------------------
+Step 1 - Create Certificates
+----------------------------
+
+For EAP-MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
+for your Firewall. 
+
+Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
+matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
+of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
+This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
+
+If you already have a CA roll out a server certificate and import 
+the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+**System->Trust->Certificates**.
+
+-----------------------
+Step 2 - Mobile Clients
+-----------------------
+First we will need to setup the mobile clients network and authentication source.
+Go to **VPN->IPsec->Mobile Clients**
+
+For our example will use the following settings:
+
+IKE Extensions
+--------------
+========================== ================ =============================================
+ **Enable**                 checked          *check to enable mobile clients*
+ **User Authentication**    Local Database   *For the example we use the Local Database*
+ **Group Authentication**   none             *Leave on none*
+ **Virtual Address Pool**   10.10.0.0/24     *Enter the IP range for the remote clients*
+========================== ================ =============================================
+
+You can select other options, but we will leave them all unchecked for this example.
+
+**Save** your settings and select **Create Phase1** when it appears.
+Then enter the Mobile Client Phase 1 setting.
+
+-------------------------------
+Step 3 - Phase 1 Mobile Clients
+-------------------------------
+
+Phase 1 General information
+---------------------------
+========================== ============= ==================================================
+ **Connection method**      default       *default is 'Start on traffic'*
+ **Key Exchange version**   V2            *only V2 is supported for EAP-MSCHAPv2*
+ **Internet Protocol**      IPv4
+ **Interface**              WAN           *choose the interface connected to the internet*
+ **Description**            MobileIPsec   *freely chosen description*
+========================== ============= ==================================================
+
+Phase 1 proposal (Authentication)
+---------------------------------
+=========================== ==================== =============================================
+ **Authentication method**   EAP-MSCHAPv2         *This is the method we want here*
+ **My identifier**           Distinguished Name   *Set the FQDN you used within certificate*
+ **My Certificate**          Certificate          *Choose the certificate from dropdown list*
+=========================== ==================== =============================================
+
+Phase 1 proposal (Algorithms)
+-----------------------------
+========================== ================ ============================================
+ **Encryption algorithm**   AES              *For our example we will use AES/256 bits*
+ **Hash algoritm**          SHA1, SHA256     *SHA1 and SHA256 for compatibility*
+ **DH key group**           1024, 2048 bit   *1024 and 2048 bit for compatibility*
+ **Lifetime**               28800 sec        *lifetime before renegotiation*
+========================== ================ ============================================
+
+Advanced Options are fine by default.
+
+**Save** your settings.
+
+-------------------------------
+Step 3 - Phase 2 Mobile Clients
+-------------------------------
+Press the button that says '+ Show 0 Phase-2 entries'
+
+.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
+    :width: 100%
+
+You will see an empty list:
+
+.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
+    :width: 100%
+
+Now press the *+* at the right of this list to add a Phase 2 entry.
+
+General information
+-------------------
+================= =============== =============================
+ **Mode**          Tunnel IPv4     *Select Tunnel mode*
+ **Description**   MobileIPsecP2   *Freely chosen description*
+================= =============== =============================
+
+Local Network
+-------------
+=================== ============ ==============================
+ **Local Network**   LAN subnet   *Route the local LAN subnet*
+=================== ============ ==============================
+
+Phase 2 proposal (SA/Key Exchange)
+----------------------------------
+=========================== ============== ====================================================
+ **Protocol**                ESP            *Choose ESP for encryption*
+ **Encryption algorithms**   AES / 256      *For this example we use AES 256*
+ **Hash algorithms**         SHA1, SHA256   *Same as before, mix SHA1 and SHA256*
+ **PFS Key group**           off            *Most mobile systems do not support PFS in Phase2*
+ **Lifetime**                3600 sec
+=========================== ============== ====================================================
+
+**Save** your settings and **Enable IPsec**, Select:
+
+.. image:: images/ipsec_s2s_vpn_p1a_enable.png
+    :width: 100%
+
+.. Note::
+
+   If you already had IPsec enabled and added Road Warrior setup, it is important to 
+   restart the whole service via services widget in the upper right corner of IPSec pages
+   or via **System->Diagnostics->Services->Strogswan** since applying configuration only
+   reloads it, but a restart also loads the required modules of strongSwan.
+
+------------------------
+Step 4 - Add IPsec Users
+------------------------
+
+Go to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
+
+Enter the following into the form:
+
+==================== ==========
+ **Identifier**       expert
+ **Pre-Shared Key**   &test!9T
+ **Type**             EAP
+==================== ==========
+
+
+**Save** to apply and you are done here.

source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst

@@ -0,0 +1,154 @@
+=====================================================
+IPsec: Setup OPNsense for IKEv2 Mutual RSA + MSCHAPv2
+=====================================================
+
+.. contents:: Index
+
+Mutual RSA + MSCHAPv2 via IKEv2 is based on client certificate authentication combined with username
+and password via MSCHAPv2.
+Be sure that the client certificate is installed on your users device.
+
+----------------------------
+Step 1 - Create Certificates
+----------------------------
+
+For Mutual RSA + MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
+for your Firewall. 
+
+Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
+matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
+of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
+This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
+
+If you already have a CA roll out a server certificate and import 
+the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+**System->Trust->Certificates**.
+
+-----------------------
+Step 2 - Mobile Clients
+-----------------------
+First we will need to setup the mobile clients network and authentication source.
+Go to **VPN->IPsec->Mobile Clients**
+
+For our example will use the following settings:
+
+IKE Extensions
+--------------
+========================== ================ =============================================
+ **Enable**                 checked          *check to enable mobile clients*
+ **User Authentication**    Local Database   *For the example we use the Local Database*
+ **Group Authentication**   none             *Leave on none*
+ **Virtual Address Pool**   10.10.0.0/24     *Enter the IP range for the remote clients*
+========================== ================ =============================================
+
+You can select other options, but we will leave them all unchecked for this example.
+
+**Save** your settings and select **Create Phase1** when it appears.
+Then enter the Mobile Client Phase 1 setting.
+
+-------------------------------
+Step 3 - Phase 1 Mobile Clients
+-------------------------------
+
+Phase 1 General information
+---------------------------
+========================== ============= ==================================================
+ **Connection method**      default       *default is 'Start on traffic'*
+ **Key Exchange version**   V2            *only V2 is supported for this type*
+ **Internet Protocol**      IPv4
+ **Interface**              WAN           *choose the interface connected to the internet*
+ **Description**            MobileIPsec   *freely chosen description*
+========================== ============= ==================================================
+
+Phase 1 proposal (Authentication)
+---------------------------------
+=========================== ======================= ============================================
+ **Authentication method**   Mutual RSA + MSCHAPv2  *This is the method we want here*
+ **My identifier**           Distinguished Name     *Set the FQDN you used within certificate*
+ **My Certificate**          Certificate            *Choose the certificate from dropdown list*
+=========================== ======================= ============================================
+
+
+Phase 1 proposal (Algorithms)
+-----------------------------
+========================== ================ ============================================
+ **Encryption algorithm**   AES              *For our example we will use AES/256 bits*
+ **Hash algoritm**          SHA1, SHA256     *SHA1 and SHA256 for compatibility*
+ **DH key group**           1024, 2048 bit   *1024 and 2048 bit for compatibility*
+ **Lifetime**               28800 sec        *lifetime before renegotiation*
+========================== ================ ============================================
+
+Advanced Options are fine by default.
+
+**Save** your settings.
+
+-------------------------------
+Step 3 - Phase 2 Mobile Clients
+-------------------------------
+Press the button that says '+ Show 0 Phase-2 entries'
+
+.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
+    :width: 100%
+
+You will see an empty list:
+
+.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
+    :width: 100%
+
+Now press the *+* at the right of this list to add a Phase 2 entry.
+
+General information
+-------------------
+================= =============== =============================
+ **Mode**          Tunnel IPv4     *Select Tunnel mode*
+ **Description**   MobileIPsecP2   *Freely chosen description*
+================= =============== =============================
+
+Local Network
+-------------
+=================== ============ ==============================
+ **Local Network**   LAN subnet   *Route the local LAN subnet*
+=================== ============ ==============================
+
+Phase 2 proposal (SA/Key Exchange)
+----------------------------------
+=========================== ============== ====================================================
+ **Protocol**                ESP            *Choose ESP for encryption*
+ **Encryption algorithms**   AES / 256      *For this example we use AES 256*
+ **Hash algorithms**         SHA1, SHA256   *Same as before, mix SHA1 and SHA256*
+ **PFS Key group**           off            *Most mobile systems do not support PFS in Phase2*
+ **Lifetime**                3600 sec
+=========================== ============== ====================================================
+
+**Save** your settings and **Enable IPsec**, Select:
+
+.. image:: images/ipsec_s2s_vpn_p1a_enable.png
+    :width: 100%
+
+.. Note::
+
+   If you already had IPsec enabled and added Road Warrior setup, it is important to 
+   restart the whole service via services widget in the upper right corner of IPSec pages
+   or via **System->Diagnostics->Services->Strogswan** since applying configuration only
+   reloads it, but a restart also loads the required modules of strongSwan.
+
+------------------------
+Step 4 - Add IPsec Users
+------------------------
+
+Go to **System->Trust->Certificates** and create a new client certificate.
+Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
+the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
+certificate as PKCS12 and export it to you enduser device.
+
+
+Switch to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
+Enter the following into the form:
+
+====================   ==========
+ **Identifier**         expert
+ **Pre-Shared Key**     &test!9T
+ **Type**               EAP
+====================   ==========

source/manual/how-tos/ipsec-rw-w7.rst

@@ -0,0 +1,63 @@
+==================================
+IPsec: Setup Windows Remote Access
+==================================
+
+.. contents:: Index
+
+Here you can see the configuration options for all compatible VPN types.
+We assume that you are familiar with adding a new VPN connection.
+
+The tests were done with Windows 7 and 10.
+
+All screenshot were taken from **Network and Sharing Center->Change adapter settings**.
+
+---------------------------
+Step 1 - Install Certificte
+---------------------------
+
+Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority.
+Hit the Windows Start button and type *mmc* in search box. Go to **File->Add/Remove Snap-In**.
+Choose **Certificates->Add->Computer account**.
+Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click,
+**All taks** and import. Select the Root CA and install. 
+
+If you are using client certificates for authentication (e.g EAP-TLS) use a PKCS12/PFX and install 
+it under **Personal** instead of **Trusted Root Certificate Authorities**. All included certificates 
+will be installed in the correct folders.
+
+.. image:: images/ipsec-rw-w7-cert.png
+   :width: 60%
+
+---------------------------
+Step 2 - Add VPN Connection
+---------------------------
+
+Add a new VPN connection via **Network and Sharing Center** and choose as **Internet Address**
+the correct FQDN. This is imporatant when using certificates since the FQDN of your connection
+and the one in the certificate has to match!
+Then set a **Username** and **Password** and leave **Domain** emtpy.
+
+-------------------
+Step 3 - Finetuning
+-------------------
+
+Via **Network and Sharing Center** go to **Change adapter settings** and open the properties
+of your newly created adapter. Check that the FQDN is correct:
+
+.. image:: images/ipsec-rw-w7-1.png
+   :width: 60%
+
+On tab **Networking** in IPv4 configuration under **Advanced** is the option **Use defaut gateway on remote network**.
+If this option is enabled, all traffic will be sent through the VPN (if IPsec SA matches). When unchecked, you have
+to set specific routes sent via VPN. 
+
+.. image:: images/ipsec-rw-w7-2.png
+   :width: 60%
+
+----------------------------------
+IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
+----------------------------------
+
+.. image:: images/ipsec-rw-w7-eapmschap.png
+   :width: 60%
+   

source/manual/how-tos/ipsec-rw.rst

@@ -0,0 +1,123 @@
+==========================
+IPsec: Setup Remote Access
+==========================
+
+.. contents:: Index
+
+-----
+Intro
+-----
+
+Road Warriors are remote users who need secure access to the company's infrastructure.
+IPsec Mobile Clients offer a solution that is easy to setup and comptabile with most current devices.
+
+With this guide we will show you how to configure the server side on OPNsense with the different
+authentication methods e.g.
+
+* EAP-MSCHAPv2
+* Mutual-PSK + XAuth
+* Mutual-RSA + XAuth
+* ...
+
+
+.. Note::
+
+   For the sample we will use a private ip for our WAN connection.
+   This requires us to disable the default block rule on WAN to allow private traffic.
+   To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
+   *(Don't forget to save and apply)*
+
+   .. image:: images/block_private_networks.png
+
+------------
+Sample Setup
+------------
+All configuration examples are based on the following setup, please read this carefully
+as all guides depend on it.
+
+**Company Network with Remote Client**
+
+.. nwdiag::
+  :scale: 100%
+
+    nwdiag {
+
+      span_width = 90;
+      node_width = 180;
+      Internet [shape = "cisco.cloud"];
+      fileserver [label="File Server",shape="cisco.fileserver",address="192.168.1.10"];
+      fileserver -- switchlan;
+
+      network LAN {
+        switchlan [label="",shape = "cisco.workgroup_switch"];
+        label = " LAN";
+        address ="192.168.1.1.x/24";
+        fw1 [address="192.168.1.1/24"];
+      }
+
+      network WAN  {
+        label = " WAN";
+        fw1 [shape = "cisco.firewall", address="172.18.0.164"];
+        Internet;
+      }
+
+      network Remote {
+          Internet;
+          laptop [address="172.10.10.55 (WANIP),10.10.0.1 (IPsec)",label="Remote User",shape="cisco.laptop"];
+      }
+    }
+
+Company Network
+---------------
+==================== =============================
+ **Hostname**         fw1
+ **WAN IP**           172.18.0.164
+ **LAN IP**           192.168.1.0/24
+ **LAN DHCP Range**   192.168.1.100-192.168.1.200
+ **IPsec Clients**    10.10.0.0/24
+==================== =============================
+
+
+---------------------------
+Firewall Rules Mobile Users
+---------------------------
+To allow IPsec Tunnel Connections, the following should be allowed on WAN.
+
+* Protocol ESP
+* UDP Traffic on Port 500 (ISAKMP)
+* UDP Traffic on Port 4500 (NAT-T)
+
+.. image:: images/ipsec_wan_rules.png
+    :width: 100%
+
+To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
+interface.
+
+.. image:: images/ipsec_ipsec_lan_rule.png
+    :width: 100%
+
+-----------------
+VPN compatibility
+-----------------
+
+In the next table you can see the existing VPN authentication mechanisms and which client 
+operating systems support it, with links to their configurations.
+For Linux testing was done with Ubuntu 18.4 Desktop and *network-manager-strongswan* and
+*libcharon-extra-plugins* installed. 
+As Andoid does not support IKEv2 yet we added notes for combinations with strongSwan
+app installed to have a broader compatibility for all systems.
+Mutual RSA and PSK without XAuth requires L2TP, since this legacy technology is 
+very error prone we will not cover it here.
+
+.. csv-table:: VPN combinations
+   :header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config"
+   :widths: 40, 20, 20, 20, 20, 20, 20, 20
+
+   "IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
+   "IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
+   "IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
+   "IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
+   "IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
+   "IKEv2 EAP-MSCHAPv2","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-mschapv2`"
+   "IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-rsamschapv2`"
+   "IKEv2 EAP-RADIUS","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eapradius`"