New to Opnsense so still a bit confused with all the extra options my old firewall never had.
Anyway, I'm trying to configure OpnSense with an IPsec VPN tunnel with a preshared key that will work with a bog-standard Windows 10 client but struggling to make sense of any of it. Anyone got some pointers on how to do this?
You can follow the official docs; there are many examples for Win10.
The only vaguely relevant doc I've managed to find is this one https://docs.opnsense.org/manual/how-tos/ipsec-road.html which I haven't managed to get to work. Should this work for Windows 10? Anything I need to change to get it to work? Maybe you can point me towards a link of instructions that would work?
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
And this is the server config
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html
Quote from: pmhausen on November 02, 2020, 06:36:36 PM
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
This guide requires you to install a Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/
Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?
You can always buy a certificate from a trusted CA, no problem ...
Quote from: mavor on November 08, 2020, 07:44:07 PM
Quote from: pmhausen on November 02, 2020, 06:36:36 PM
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html
This guide requires you to install a Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/
Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?
Hi, there is some misunderstanding here. The OPNsense guide requires you to install "your" root certificate. As long as everything is properly set up and you protect the private keys belonging to your CAs, this is not a security risk.
You can trust your CA more than any other public CA ;).
br
I know this is an old topic, but this is the closest topic I could find to my issue.
I followed everything in this topic to the letter, 3 times.
When I try to connect all I get is 'Policy match error'
I know this refers to an Algorithm mismatch.
I used AES256 SHA1/256 DH2/14. Tried others with no success.
Using Windows 10 21H1.
The values must match those of the "Add-VpnConnection" and "Set-VpnConnectionIpsecConfiguration" commands.
Ok, I will try using PowerShell to set up the VPN on Windows.
No success with using PowerShell.
Any help what I did wrong? I also tried DH14 (PFS2048)
# IKEv2 VPN Import Script
# Automatically generated by pfSense
Set-Location -Path $PSScriptRoot
# Import Server Certificate CA
Import-Certificate -FilePath "<Certificate name>" -CertStoreLocation Cert:\LocalMachine\Root\
# Add VPN Connection
Add-VpnConnection -Name "VPN" -TunnelType "Ikev2" -RememberCredential -EncryptionLevel Required `
-ServerAddress vpn.mydomain.com -DnsSuffix "domain.com" -PassThru
# Set VPN Config
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" `
-EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
-CipherTransformConstants GCMAES128 -AuthenticationTransformConstants GCMAES128 -PfsGroup PFS2 `
-PassThru -Force
Set-VpnConnection -Name "VPN" -SplitTunneling $True
Add-VpnConnectionRoute -Name "VPN" -DestinationPrefix 192.168.100.0/24
phase 1
Windows GCMAES128 is OPNsense Encryption algorithm 128 bit AES-GCM
Windows Group14 is OPNsense DH key group 14
Windows SHA256 is OPNsense Hash algorithm SHA256
phase 2
Windows GCMAES128 is OPNsense Encryption algorithm aes128gcm16
Windows PFS2048 is OPNsense PFS key group 14
I know this issue is with OPNsense because I use the exact same PowerShell script with pfSense and it works fine. I tried matching the VPN settings as well. The certificate was also created the exact same way and put in the same place. I am sure others have this working.
What is in the trace of the Windows VPN client?
How do I trace?
I did just update to 23.1.1_2 from 22.7.11
Did notice new Connections page in VPN. That is nice.
Still just get 'Policy match error'.
What is the error in the Windows event log?
Netsh trace start VpnClient per=yes maxsize=0 filemode=single
.... connection test ...
Netsh trace stop
The etl file can then be read with the Event Viewer.
Opened the NetTrace.etl with Event Viewer and had a long list of Unknown Event IDs.
I did get some information from the log in OPNsense that showed
charon 06[IKE] <2> no IKE config found for <ServerIP>...<Client IP>, sending NO_PROPOSAL_CHOSEN
I also noticed I have no ipsec.conf or ipsec.secrets file in /usr/local/etc, just sample files. Is this correct?
Yep, that started with 23.1; check the release notes.
I read the release notes. strongswan.conf has very little info in it. There might be a bug here. The same VPN client configuration works fine in pfSense and the algorithms and certificates match. My goal here is to migrate the last remaining pfSense firewall to OPNsense. The pfSense Plus box is running 23.01. I am running these VPN tests in a development firewall with its own WAN IP intended to replace the pfSense box.
I don't think I should be seeing this in the VPN log:
2023-03-05T11:32:20-07:00 Informational charon 13[IKE] <2> no IKE config found for <my serverIP>...<ClientIP>, sending NO_PROPOSAL_CHOSEN
2023-03-05T11:32:20-07:00 Informational charon 13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
The release notes do state the changes could lead to connectivity issues in ambiguous cases. If I post at Github, how would I explain this issue? My experience with them is they require specific info.
I finally found the settings in /usr/local/etc/swanctl/swanctl.conf and the local_addrs is not correct. It shows an old WAN IP I do not even use anymore. I will try to track down where this is coming from.
I am now connected. The issue was I had some virtual IPs configured, so the WAN IP was wrong. Once I removed all the virtual IPs and fixed the WAN address, all worked fine. Now I just need to figure out how to connect the LANs together.
Thanks to those that helped.
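The proposal mismatch from the phase 1/phase 2 mapping above and the stale local_addrs that turned out to be the real cause of the NO_PROPOSAL_CHOSEN line, checked together as an added example (mine, not from the thread or from OPNsense). The swanctl.conf snippet, the charon log line and the addresses are constructed, and the Group2/PFS2 rows of the mapping are assumed from the IKE DH group numbering rather than taken from the thread.

```python
import re

# Windows VPN cmdlet keyword -> strongSwan proposal keyword. GCMAES128, SHA256,
# Group14 and PFS2048 come from the thread's phase 1/phase 2 table; Group2 and
# PFS2 (1024-bit MODP) are assumed from the standard IKE DH group numbering.
WIN_TO_SWAN = {
    "AES128": "aes128", "AES256": "aes256",
    "GCMAES128": "aes128gcm16", "GCMAES256": "aes256gcm16",
    "SHA1": "sha1", "SHA256": "sha256", "SHA196": "sha1", "SHA256128": "sha256",
    "Group2": "modp1024", "Group14": "modp2048",
    "PFS2": "modp1024", "PFS2048": "modp2048",
}

def windows_proposals(enc, integ, dh, esp_cipher, esp_auth, pfs):
    """IKE and ESP proposal strings the Windows client will offer."""
    ike = f"{WIN_TO_SWAN[enc]}-{WIN_TO_SWAN[integ]}-{WIN_TO_SWAN[dh]}"
    esp = WIN_TO_SWAN[esp_cipher]
    if not esp_cipher.startswith("GCM"):  # AEAD ciphers need no separate auth
        esp += "-" + WIN_TO_SWAN[esp_auth]
    return ike, esp + "-" + WIN_TO_SWAN[pfs]

def parse_swanctl(text):
    """Collect 'key = value' settings from swanctl.conf, ignoring nesting."""
    conf = {}
    for m in re.finditer(r"([\w-]+)\s*=\s*([\w.:,-]+)", text):
        conf.setdefault(m.group(1), []).extend(m.group(2).split(","))
    return conf

LOG_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")

def diagnose(swanctl_text, charon_line, win_ike, win_esp):
    """Reasons the client could see 'Policy match error' (NO_PROPOSAL_CHOSEN)."""
    conf = parse_swanctl(swanctl_text)
    findings = []
    m = LOG_RE.search(charon_line)
    if m and m.group(1) not in conf.get("local_addrs", []):
        findings.append(f"local_addrs {conf.get('local_addrs')} lacks the WAN IP the client hit: {m.group(1)}")
    if win_ike not in conf.get("proposals", []):
        findings.append(f"IKE proposal {win_ike} not in {conf.get('proposals')}")
    if win_esp not in conf.get("esp_proposals", []):
        findings.append(f"ESP proposal {win_esp} not in {conf.get('esp_proposals')}")
    return findings

# Constructed sample: a stale local_addrs (old WAN IP) plus the thread's proposals.
SWANCTL = """connections { rw {
    local_addrs = 203.0.113.5
    proposals = aes128gcm16-sha256-modp2048
    children { rw-child { esp_proposals = aes128gcm16-modp2048 } } } }"""
CHARON = "charon 13[IKE] <2> no IKE config found for 203.0.113.9...198.51.100.20, sending NO_PROPOSAL_CHOSEN"
```

Feed diagnose() the posted script's Group2/PFS2 values and it reports all three mismatches; with Group14/PFS2048 and a corrected local_addrs it returns an empty list.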
Same Policy match error here, but everything looks correct in the swanctl.conf
Works using the old IPsec method. Can't get the new method to work. Followed the OPNsense docs to the letter.
Want to convert because the legacy IPsec is going away in 26.1, just around the corner.
Did you use this? It was recently updated with user feedback regarding the native Windows Client stuff.
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html