Text only | Text with Images

OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Mistery on April 18, 2020, 06:40:15 PM

Title: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 18, 2020, 06:40:15 PM
I am struggling with setting up road warrior VPN to allow remote clients to connect to corporate network, remote clients running different OS, Windows 7 and above, Mac OS/X and some Apple IOS and Android mobile clients.
I can't get a proper configuration working, I have followed all the wiki pages and tried multiple configurations many times and the only configuration I could get working on Apple Mac and IOS mobile clients is Mutual PSK + XAuth with V1 key exchange.
All other configurations I tried as per wiki pages are not working, including IKEv2 EAP-MSCHAPv2 (tried and reviewed many times the configuration).
I have read many topics on this forum and couldn't find a clear path to configure IPsec VPN and it seems like the wiki pages are lacking some details.
I would appreciate any help from someone who already experienced the same issues and could share some deeper details on how to configure IPsec VPN to allow different clients to connect.
Thanks in advance everybody.
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 18, 2020, 08:16:24 PM
Maybe you should skip the GUI configuration and create an own one in /usr/local/etc/ipsec.opnsense.d and /usr/local/etc/strongswan.opnsense.d.

There exist some sample configurations on strongswan pages that are win7 compatible (inkl. reg hack to increase from mod1024 to mod2048 ciphers and rekey=no) and ones for Mac (make_before_break).

You have much more options for tuning and compatibility when directly editing your configuration. And with those directories, configuration is preserved during updates.
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 18, 2020, 08:23:43 PM
Strongswan works pretty well with IKEv2 and windows 7+ and Android. Mac depends on version. Some are known to have issues with VPN. And Linux is a bit tricky due to certificates
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 18, 2020, 10:16:49 PM
Quote from: hbc on April 18, 2020, 08:16:24 PM
You have much more options for tuning and compatibility when directly editing your configuration. And with those directories, configuration is preserved during updates.

Thank you for pointing this out, I have no experience in manually editing strongswan configurations however I will give it a try.
I am just wondering what happens to the custom configuration in case of a OPNsense HA cluster, are custom configurations synchronised to backup node as well ?
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 18, 2020, 10:20:57 PM
Unfortunately not. You have manually to take care of synchronization. But with version 20.x you have anyway always to take care that ha cluster is synced, since auto-sync has been removed.
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 19, 2020, 09:37:18 AM
I tried manually configuring strongswan via custom config saved in folder /usr/local/etc/ipsec.conf.d however I wasn't able to make it working.

I tried a very simple custom configuration starting from the working configuration saved in /usr/local/etc/ipsec.conf by OPNsense GUI.

I have cut from /usr/local/etc/ipsec.conf the below config lines generated by OPNsense GUI

config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel

  inactivity = 1800s
  left = <WAN CARP IP address>
  right = %any

  leftid = <WAN CARP IP address>
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 192.168.117.0/24
  ike = aes256-sha256-modp2048,aes256-sha256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 172.19.6.0/24
  esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,blowfish256-sha1,blowfish256-sha256,blowfish192-sha1,blowfish192-sha256,blowfish128-sha1,blowf
ish128-sha256,3des-sha1,3des-sha256!
  auto = add

and pasted the above lines in a custom config file /usr/local/etc/ipsec.conf.d/apple.conf then I restarted the strongswan service.

The above are the config lines generated by GUI and found to be working using Apple devices.

Tried connecting to VPN however it didn't work as expected. Restoring the above configuration in OPNsense  GUI the VPN service is working fine.

My goal was to test configuring strongswan using custom config files instead of GUI and using a valid working configuration, I was expecting it to work smoothly so to start adding new connections for Windows and Android devices.

Am I missing anything ? Any hints ?
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 19, 2020, 09:52:32 AM
I thought you are working on an IKEv2 version.

I am not sure whether mutual psk auth works without aggressive mode in IKEv1. I thought you have to use at least certificate on server side and hybrid-mode

But I would try to make an IKEV2 version. Certificate for server and eap for clients. I use eap-radius and auth against active directory. Depending on ad group the IP pools are assigned and this firewall restrictions set.

Rainerle posted a configuration example here. Will try to link it

https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 19, 2020, 10:00:20 AM
See here for tutorial and samples:

https://forum.opnsense.org/index.php?topic=12147.0 (https://forum.opnsense.org/index.php?topic=12147.0)
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 19, 2020, 10:11:30 AM
The configuration lines reported in previous messages were automatically generated by OPNsense GUI and were working fine with Apple devices, so yes, I found an IKEv1 Mutual PSK+XAuth configuration to be working fine and wanted to try to move that configuration to custom folder /usr/local/etc/ipsec.opnsense.d to add at later time additional connections IKEv2 for Windows devices.
The certificate is installed server side and using Letsencrypt CA anyway.
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 19, 2020, 01:58:23 PM
Did you add you psk to an file in /usr/local/etc/ipsec.secrets.opnsense.d
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 19, 2020, 03:33:49 PM
Quote from: hbc on April 19, 2020, 10:00:20 AM
See here for tutorial and samples:
https://forum.opnsense.org/index.php?topic=12147.0 (https://forum.opnsense.org/index.php?topic=12147.0)

Tried implementing the config shown in that tutorial customised for my own environment, I tried to make it as simple as possible however I am still having issues, here are my config files, I have just masked private or confidential info:

# cat /usr/local/etc/ipsec.conf

# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = no
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel
  dpdaction = restart
  dpddelay = 10s
  dpdtimeout = 60s
 
  left = <OPNsense CARP IP WAN>
  right = %any
 
  leftid = <OPNsense CARP IP WAN>
  ikelifetime = 86400s
  lifetime = 3600s
  rightsourceip = 192.168.117.0/24
  ike = aes256-aesxcbc-ecp521,aes256-sha512-ecp521,aes256-sha384-ecp521,aes256-sha256-ecp521!
  leftauth = psk
  rightauth = psk
  leftsubnet = <OPNsense LAN subnet/24>
  esp = aes256-sha256,aes256-sha384,aes256-sha512,aes256-aesxcbc!
  auto = start

include ipsec.opnsense.d/*.conf

*************************************************************************

# cat /usr/local/etc/ipsec.secrets

%any : PSK <encrypted key>

include ipsec.secrets.opnsense.d/*.secrets

*************************************************************************

# cat /usr/local/etc/strongswan.conf

# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        identifier = charon
        daemon {
            ike_name = yes
        }
    }
    cisco_unity = yes
    plugins {
        attr {
            subnet = <OPNsense LAN subnet/24>
            split-include = <OPNsense LAN subnet/24>
            dns = <Internal DNS IP address>
            nbns = <Internal WINS IP address>
            # Search domain and default domain
            28674 = <domain name>
            28675 = <domain name>
            25 = <domain name>
            28672 = "<Welcome text>"
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }
}

include strongswan.opnsense.d/*.conf

*************************************************************************

# cat /usr/local/etc/ipsec.opnsense.d/ipsec.mobile.conf

config setup
# Since userID is the right id we allow more than one connection per right id.
# This overrules the OPNsense standard yes in ipsec.conf and is a global parameter!
  uniqueids = never

conn mobile
# Default OPNsense
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  ikelifetime = 28800s
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
  ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  left = <OPNsense CARP IP WAN>
  leftid = <OPNsense hostname>
  leftauth = pubkey
# Lets encrypt certificate
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightsendcert = never
  right = %any
  rightauth = xauth-pam
  eap_identity = %any

conn mobile-users
# Include above config
  also = mobile
# Split tunneled networks
  leftsubnet = <OPNsense LAN subnet/24>
# Virtual IP pool assigned to this group
  rightsourceip = <VPN Pool subnet/24>
  auto = add

*************************************************************************

After restarting strongswan service I can't connect and log reports the following:

2020-04-19T15:18:44   charon: 15[NET] <mobile-users|2> sending packet: from <OPNsense CARP IP WAN>[4500] to <VPN client IP address>[4500] (80 bytes)
2020-04-19T15:18:44   charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer supports MOBIKE
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2020-04-19T15:18:44   charon: 15[CFG] <mobile-users|2> no alternative config found
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer requested EAP, config unacceptable
2020-04-19T15:18:44   charon: 15[CFG] <mobile-users|2> selected peer config 'mobile-users'
2020-04-19T15:18:44   charon: 15[CFG] <2> looking for peer configs matching <OPNsense CARP IP WAN>[OPNsense hostname]...<VPN client IP address>[PSK key]
2020-04-19T15:18:44   charon: 15[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2020-04-19T15:18:44   charon: 15[ENC] <2> unknown attribute type INTERNAL_DNS_DOMAIN
2020-04-19T15:18:44   charon: 15[NET] <2> received packet: from <VPN client IP address>[4500] to <OPNsense CARP IP WAN>[4500] (512 bytes)
2020-04-19T15:18:44   charon: 15[NET] <2> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[500] (456 bytes)
2020-04-19T15:18:44   charon: 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-04-19T15:18:44   charon: 15[IKE] <2> remote host is behind NAT
2020-04-19T15:18:44   charon: 15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:18:44   charon: 15[IKE] <2> no matching proposal found, trying alternative config
2020-04-19T15:18:44   charon: 15[CFG] <2> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:18:44   charon: 15[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
2020-04-19T15:18:44   charon: 15[IKE] <2> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:18:44   charon: 15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2020-04-19T15:18:44   charon: 15[NET] <2> received packet: from <VPN client IP address>[500] to <OPNsense CARP IP WAN>[500] (604 bytes)

VPN connection on Apple client device is configured as IKEv2 connection, server IP address <OPNsense CARP IP WAN>, remote ID <OPNsense hostname>, authentication using username and password

Tried connecting from Windows 7 client with VPN connection configured in IKEv2 mode and got the following:

2020-04-19T15:28:12   charon: 16[NET] <17> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:12   charon: 16[ENC] <17> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:12   charon: 16[IKE] <17> received proposals unacceptable
2020-04-19T15:28:12   charon: 16[IKE] <17> remote host is behind NAT
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> no matching proposal found, trying alternative config
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:12   charon: 16[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:12   charon: 16[NET] <17> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
2020-04-19T15:28:10   charon: 16[NET] <16> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:10   charon: 16[ENC] <16> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:10   charon: 16[IKE] <16> received proposals unacceptable
2020-04-19T15:28:10   charon: 16[IKE] <16> remote host is behind NAT
2020-04-19T15:28:10   charon: 16[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:10   charon: 16[CFG] <16> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:10   charon: 16[IKE] <16> no matching proposal found, trying alternative config
2020-04-19T15:28:10   charon: 16[CFG] <16> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:10   charon: 16[CFG] <16> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:10   charon: 16[IKE] <16> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:10   charon: 16[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:10   charon: 16[NET] <16> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
2020-04-19T15:28:09   charon: 16[NET] <15> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:09   charon: 16[ENC] <15> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:09   charon: 16[IKE] <15> received proposals unacceptable
2020-04-19T15:28:09   charon: 16[IKE] <15> remote host is behind NAT
2020-04-19T15:28:09   charon: 16[CFG] <15> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:09   charon: 16[CFG] <15> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:09   charon: 16[IKE] <15> no matching proposal found, trying alternative config
2020-04-19T15:28:09   charon: 16[CFG] <15> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:09   charon: 16[CFG] <15> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:09   charon: 16[IKE] <15> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:09   charon: 16[ENC] <15> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:09   charon: 16[NET] <15> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: hbc on April 19, 2020, 09:59:30 PM
Did you add the registry option to enable 2048 bits? Else add aes128-sha256-modp1048 to ciphers
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 25, 2020, 05:31:18 PM
Quote from: hbc on April 19, 2020, 10:00:20 AM
See here for tutorial and samples:

https://forum.opnsense.org/index.php?topic=12147.0 (https://forum.opnsense.org/index.php?topic=12147.0)

So far, not so good...

I have spent the latest few days trying to make this working however to the best of my knowledge I am still unable to finalise this configuration.

I tried many times reconfiguring from scratch using the tutorial above, however I ended up considering the tutorial configuration not completely correct and I wonder if someone used that as described and was able to setup the tunnel.

There are at least a couple questions to mention, one related to misleading info provided in the tutorial where it says

"- Minimal configuration of VPN->IPsec->Mobile Client. No tunnels are created in the WebUI!!!"

however according to the config files attached to the tutorial, there is ipsec.conf from standard OPNsense WebUI configuration, therefore it seems like a tunnel was created there and additional config added to custom folder.

The second question is related to the user authentication mechanism I am using, in the tutorial radius authentication is used, however my side I am using local+LDAP authentication.
LDAP authentication server was correctly configured in System > Access > Servers and it's working fine using tester.

All my VPN connection attempts end up in

charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Could it be that the above error reported my side when connecting is related to the actual user authentication unsuccessful for any reasons even if using OPNsense authentication tester it works ok ?
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 25, 2020, 05:32:26 PM
Quote from: hbc on April 19, 2020, 09:59:30 PM
Did you add the registry option to enable 2048 bits? Else add aes128-sha256-modp1048 to ciphers

Added this as well, however the same error as reported in my previous message is occurring.

Also worth to mention that I tried VPN connection from both Apple device and Windows 7 (enabled MODP2048 via registry setting) and the error is exactly the same

charon: 05[ENC] <mobile-users|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

On Windows 7 device the error shown is 13801
Title: Re: IPsec road warrior VPN setup compatible with Windows, Apple and Android
Post by: Mistery on April 25, 2020, 05:54:50 PM
Furthermore, I just want to also add that using eap-mschapv2 I am getting

charon: 05[IKE] <mobile-users|2> EAP-MS-CHAPv2 verification failed, retry (1)

and this is why I assume there are issues with the authentication mechanism being used my side (local+LDAP instead of radius)
Text only | Text with Images