OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: AirstarGroup on March 11, 2019, 03:49:34 pm

Title: Issues with Strongswan (IKEv2)
Post by: AirstarGroup on March 11, 2019, 03:49:34 pm
Hello All!

I am having a weird issue with my IKEv2 VPN. The setup I have for it (including certificates and so on) works perfectly from time to time on Windows 10. Other times, Windows gives the error that the IKE credentials are unacceptable. The weird part of this is that if I restart the Strongswan service on OPNsense, the issue goes away and lets me connect once again.

P.S. I am using certificates provided by the Let's Encrypt addon, which have no issue being authenticated.
Title: Re: Issues with Strongswan (IKEv2)
Post by: rainerle on March 21, 2019, 06:27:18 pm
Hi,

this might be related to the PFS group your client is requesting from the firewall. As soon as the IPsec is restarted the firewall forgets about the previous connection and the client can connect fresh.

Have a look at the PowerShell script attached here https://forum.opnsense.org/index.php?topic=12147.0 and compare that with the IKE/ESP settings that you have on your setup.

Best regards
Rainer
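
The comparison suggested in the reply above, as an added example (not part of the original posts and not the script linked there): it reads the custom IKE/ESP proposal configured on a Windows 10 VPN connection and lists each value next to what the firewall is expected to accept. The function name `Compare-IkeProposal`, the connection name and every expected value are placeholder assumptions; replace them with the phase 1 and phase 2 settings from your own OPNsense configuration.

```powershell
# Added example. Compare-IkeProposal is a hypothetical helper name.
function Compare-IkeProposal {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )

    $conn   = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    $policy = $conn.IPSecCustomPolicy

    # Without a custom policy the client offers its built-in default
    # proposals, so there is nothing configured to compare against.
    if ($null -eq $policy) {
        Write-Warning "No custom IPsec policy set on '$ConnectionName'; the client uses Windows default proposals."
        return
    }

    foreach ($key in $Expected.Keys) {
        $actual = [string]$policy.$key
        [pscustomobject]@{
            Setting  = $key
            Client   = $actual
            Expected = [string]$Expected[$key]
            Match    = ($actual -eq [string]$Expected[$key])
        }
    }
}

# Placeholder values (assumptions): copy the real ones from the firewall.
$expected = [ordered]@{
    EncryptionMethod                 = 'AES256'     # IKE (phase 1) encryption
    IntegrityCheckMethod             = 'SHA256'     # IKE (phase 1) integrity
    DHGroup                          = 'Group14'    # IKE (phase 1) DH group
    CipherTransformConstants         = 'AES256'     # ESP (phase 2) encryption
    AuthenticationTransformConstants = 'SHA256128'  # ESP (phase 2) integrity
    PfsGroup                         = 'PFS2048'    # ESP (phase 2) PFS group
}

# 'OPNsense IKEv2' is a placeholder connection name.
Compare-IkeProposal -ConnectionName 'OPNsense IKEv2' -Expected $expected |
    Format-Table -AutoSize
```

Any row with `Match` set to `False` is a candidate for the mismatch; the client side can be changed with `Set-VpnConnectionIPsecConfiguration`, the firewall side in its phase 1 and phase 2 entries.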
Title: Re: Issues with Strongswan (IKEv2)
Post by: franco on March 21, 2019, 08:49:48 pm
Also see that "install policy" is checked in phase 1. We have a small setup quirk in 19.1.4 that unsets it by default (it only needs to be unset for routed IPsec).


Cheers,
Franco