IPsec XAuth on Site-to-Site Tunnels


I’ve been looking at connecting my VyOS router to work resources so that I don’t have to mess about with Windows Clients and also multiple computers on my home network can get to work resources when I want.

Work has a Sophos XG firewall and they used to implement the use of Sophos SSL VPN, which in turn uses OpenVPN - as every other vendor on the planet. This was great, as I could use an OpenVPN interface on the VyOS router and get it to connect to work with my username and password.

They’ve now migrated to Sophos Connect which implements the use of an IPsec tunnel, Pre-Shared Secret and XAuth for authenticating the end user (me).

I’d like to be able to configure my VyOS router to dial this connection.

Unsure really about the configuration of XAuth on StrongSwan - but understand its basic concepts.

Some configuration perhaps similar to below would be good to implement.

dickins@gateway# show vpn
ipsec {
    site-to-site {
        peer @WorkResources {
            authentication {
                pre-shared-secret ThisIsAVerySecretKey
                xauth {
                    user-id user@domain.com
                    password SuperSecurePassword
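For reference, here is how the same PSK + XAuth client setup is expressed directly in strongSwan (the IPsec daemon underneath VyOS). This is an added example, not configuration from the original post or from VyOS; the peer hostname, remote subnet, identity and secrets are placeholders, and whether the firewall expects main or aggressive mode is an assumption to confirm against the Sophos side.

```conf
# /etc/ipsec.conf (added example; values are placeholders)
conn work
    keyexchange=ikev1          # XAuth is an IKEv1 extension
    left=%defaultroute         # our outbound address
    leftauth=psk               # round 1: pre-shared key for the gateway pair
    leftauth2=xauth            # round 2: XAuth user credentials
    xauth_identity=user@domain.com
    leftsourceip=%config       # accept the virtual IP the firewall hands out
    right=vpn.work.example     # Sophos XG public address (placeholder)
    rightauth=psk
    rightsubnet=10.0.0.0/8     # work networks reachable via the tunnel (placeholder)
    auto=add                   # load the conn; bring it up with: ipsec up work
    # aggressive=yes           # assumption: only if the firewall's policy requires it

# /etc/ipsec.secrets (added example; keep this file root-only, mode 0600)
: PSK "ThisIsAVerySecretKey"
user@domain.com : XAUTH "SuperSecurePassword"
```

The PSK line with no identity prefix applies to any peer, which matches a firewall that uses one shared secret for remote-access clients; the XAUTH line must use the same identity as xauth_identity.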