Hello!
I am an experienced Linux admin and a newbie to OPNsense. I wanted to replace my Fritzbox router VPN, but I ran into problems. I followed the tutorial really closely but cannot get a connection working. I see a few potential problems in the logs and configs. I also wonder if there shouldn't be a special IPsec interface. Maybe someone can help.
The iPhone just fails with the message: "Der VPN-Schlüssel (Shared Secret) ist nicht korrekt" / "The VPN key (shared secret) is not correct". I think this is misleading.
The log for the connections seems unsuspicious:
2021-02-23T08:21:50	charon[36693]	15[NET] <con1|2> sending packet: from 91.13.XXX.XX[500] to 80.187.XX.XXX[500] (540 bytes)
2021-02-23T08:21:50	charon[36693]	15[IKE] <con1|2> sending retransmit 2 of response message ID 0, seq 1
2021-02-23T08:21:43	charon[36693]	15[NET] <con1|2> sending packet: from 91.13.XXX.XX[500] to 80.187.XX.XXX[500] (540 bytes)
2021-02-23T08:21:43	charon[36693]	15[IKE] <con1|2> sending retransmit 1 of response message ID 0, seq 1
2021-02-23T08:21:39	charon[36693]	15[IKE] <con1|2> queueing INFORMATIONAL_V1 request as tasks still active
2021-02-23T08:21:39	charon[36693]	15[NET] <con1|2> received packet: from 80.187.XX.XXX[24073] to 91.13.XXX.XX[4500] (76 bytes)
2021-02-23T08:21:39	charon[36693]	15[NET] <con1|2> sending packet: from 91.13.XXX.XX[500] to 80.187.XX.XXX[500] (540 bytes)
2021-02-23T08:21:39	charon[36693]	15[ENC] <con1|2> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
2021-02-23T08:21:39	charon[36693]	15[CFG] <2> selected peer config "con1"
2021-02-23T08:21:39	charon[36693]	15[CFG] <2> looking for XAuthInitPSK peer configs matching 91.13.XXX.XX...80.187.XX.XXX[user1]
2021-02-23T08:21:39	charon[36693]	15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> 80.187.XX.XXX is initiating a Aggressive Mode IKE_SA
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received DPD vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received Cisco Unity vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received XAuth vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received NAT-T (RFC 3947) vendor ID
2021-02-23T08:21:39	charon[36693]	15[IKE] <2> received FRAGMENTATION vendor ID
2021-02-23T08:21:39	charon[36693]	15[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
2021-02-23T08:21:39	charon[36693]	15[NET] <2> received packet: from 80.187.XX.XXX[500] to 91.13.XXX.XX[500] (762 bytes)

But a few things from the service start worry me:
2021-02-23T08:26:19	charon[95870]	13[CFG] installing trap failed, remote address unknown
2021-02-23T08:26:19	charon[95870]	13[CFG] received stroke: route 'con1'
2021-02-23T08:26:19	charon[95870]	08[CFG] added configuration 'con1'
2021-02-23T08:26:19	charon[95870]	08[CFG] adding virtual IP address pool 192.168.24.0/24
2021-02-23T08:26:19	charon[95870]	08[CFG] received stroke: add connection 'con1'
2021-02-23T08:26:19	charon[95870]	00[JOB] spawning 16 worker threads
2021-02-23T08:26:19	charon[95870]	00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2021-02-23T08:26:19	charon[95870]	00[CFG] loaded 0 RADIUS server configurations
2021-02-23T08:26:19	charon[95870]	00[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
2021-02-23T08:26:19	charon[95870]	00[CFG] loaded IKE secret for user2
2021-02-23T08:26:19	charon[95870]	00[CFG] loaded IKE secret for user1
2021-02-23T08:26:19	charon[95870]	00[CFG] loaded IKE secret for 91.13.197.35 %any
2021-02-23T08:26:19	charon[95870]	00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2021-02-23T08:26:19	charon[95870]	00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2021-02-23T08:26:19	charon[95870]	00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2021-02-23T08:26:19	charon[95870]	00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2021-02-23T08:26:19	charon[95870]	00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2021-02-23T08:26:19	charon[95870]	00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2021-02-23T08:26:19	charon[95870]	00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2021-02-23T08:26:19	charon[95870]	00[KNL] unable to set UDP_ENCAP: Invalid argument
2021-02-23T08:26:19	charon[95870]	00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.1-RELEASE-p13-HBSD, amd64)
2021-02-23T08:26:19	charon[36693]	00[DMN] SIGINT received, shutting down

I don't know the meaning of:
- unable to set UDP_ENCAP: Invalid argument
- installing trap failed, remote address unknown
Regarding the last point, I have the feeling that an interface may be missing.
Here is my ipsec.conf:
config setup
  uniqueids = yes
conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  left = 91.13.XXX.XX
  right = %any
  leftid = 91.13.XXX.XX
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 192.168.24.0/24
  ike = aes256-sha1-ecp521,aes256-sha1-ecp384,aes256-sha1-ecp256,aes256-sha1-modp2048,aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  reqid = 1
  leftsubnet = 10.1.1.0/24
  esp = aes256-sha1,blowfish256-sha1,blowfish192-sha1,blowfish128-sha1,3des-sha1,cast128-sha1!
  auto = route
include ipsec.opnsense.d/*.conf

Looking at this config: would it still work with a changing IP address? Maybe another config would be better?
I hope someone can give me the right hints!
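Read bottom-up (the forum shows the newest lines first), the connection log tells a clear story: the phone initiates Aggressive Mode, charon matches con1 and sends its reply (message 2, which carries our ID payload and the PSK-derived HASH), and then retransmits that same reply twice. A responder only retransmits message 2 because message 3 never arrived, so the client did not accept our reply. From the server side that is all you can see; the log cannot distinguish a client that disliked the HASH (wrong PSK) from one that disliked the identity we presented, and iOS shows the same "shared secret" error for both, as the follow-up in this thread confirms. The two start-up messages are not the cause: the UDP_ENCAP failure concerns only the IPv6 NAT-T socket (the IPv4 one works, the log shows a packet received on 91.13.XXX.XX[4500]), and the trap message is a side effect of auto=route with right=%any. The script below is an added example, not code from the post or from OPNsense/strongSwan; it reconstructs the state of each IKE_SA from charon log lines. The sample input is a reordered copy of the lines in the post with placeholder addresses, plus a constructed "established" case for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the charon lines from the post above, reordered oldest first
# (the forum view shows newest first), with placeholder addresses and a single
# space in place of the log's tab separators.
STALLED_LOG = """\
2021-02-23T08:21:39 charon[36693] 15[NET] <2> received packet: from 80.187.0.1[500] to 91.13.0.2[500] (762 bytes)
2021-02-23T08:21:39 charon[36693] 15[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> 80.187.0.1 is initiating a Aggressive Mode IKE_SA
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> looking for XAuthInitPSK peer configs matching 91.13.0.2...80.187.0.1[user1]
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> selected peer config "con1"
2021-02-23T08:21:39 charon[36693] 15[ENC] <con1|2> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
2021-02-23T08:21:39 charon[36693] 15[NET] <con1|2> sending packet: from 91.13.0.2[500] to 80.187.0.1[500] (540 bytes)
2021-02-23T08:21:39 charon[36693] 15[NET] <con1|2> received packet: from 80.187.0.1[24073] to 91.13.0.2[4500] (76 bytes)
2021-02-23T08:21:39 charon[36693] 15[IKE] <con1|2> queueing INFORMATIONAL_V1 request as tasks still active
2021-02-23T08:21:43 charon[36693] 15[IKE] <con1|2> sending retransmit 1 of response message ID 0, seq 1
2021-02-23T08:21:43 charon[36693] 15[NET] <con1|2> sending packet: from 91.13.0.2[500] to 80.187.0.1[500] (540 bytes)
2021-02-23T08:21:50 charon[36693] 15[IKE] <con1|2> sending retransmit 2 of response message ID 0, seq 1
2021-02-23T08:21:50 charon[36693] 15[NET] <con1|2> sending packet: from 91.13.0.2[500] to 80.187.0.1[500] (540 bytes)
"""

# Constructed contrast case (not from the post): same opening, but the peer
# accepts our reply and strongSwan reports the IKE_SA as established.
ESTABLISHED_LOG = """\
2021-02-23T09:00:00 charon[36693] 16[IKE] <3> 80.187.0.1 is initiating a Aggressive Mode IKE_SA
2021-02-23T09:00:00 charon[36693] 16[CFG] <3> looking for XAuthInitPSK peer configs matching 91.13.0.2...80.187.0.1[user1]
2021-02-23T09:00:00 charon[36693] 16[ENC] <con1|3> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
2021-02-23T09:00:01 charon[36693] 16[IKE] <con1|3> IKE_SA con1[3] established between 91.13.0.2[91.13.0.2]...80.187.0.1[user1]
"""

# timestamp, charon[pid], thread[subsystem], <conn|sa> or <sa>, message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+charon\[\d+\]\s+\d+\[(?P<grp>\w+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$"
)

def parse(log_text):
    """Yield (sa_id, conn_name_or_None, message) for every line tagged with an IKE_SA id."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sa"), m.group("conn"), m.group("msg")

def new_state():
    return {"conn": None, "peer": None, "xauth_user": None, "response_sent": False,
            "retransmits": 0, "established": False, "verdict": None}

def triage(log_text):
    """Reconstruct each IKE_SA's Aggressive Mode exchange and report where it stopped."""
    sas = defaultdict(new_state)
    for sa, conn, msg in parse(log_text):
        st = sas[sa]
        if conn:
            st["conn"] = conn
        m = re.match(r"(\S+) is initiating an? Aggressive Mode IKE_SA", msg)
        if m:
            st["peer"] = m.group(1)
        m = re.search(r"peer configs matching \S+?\.\.\.\S+?\[([^\]]+)\]", msg)
        if m:
            st["xauth_user"] = m.group(1)           # the ID sent in the clear in message 1
        if "generating AGGRESSIVE response" in msg:
            st["response_sent"] = True              # our message 2 went out
        if re.match(r"sending retransmit \d+ of response message ID 0", msg):
            st["retransmits"] += 1                  # message 3 has not arrived
        if " established between " in msg:
            st["established"] = True
    for st in sas.values():
        if st["established"]:
            st["verdict"] = "established"
        elif st["response_sent"] and st["retransmits"]:
            # We keep resending message 2: the peer never answered it, i.e. it
            # rejected our reply. The responder cannot tell whether the client
            # disliked the HASH (PSK) or the ID payload we presented.
            st["verdict"] = "reply-not-accepted"
        elif st["response_sent"]:
            st["verdict"] = "in-progress"
        else:
            st["verdict"] = "no-reply-generated"
    return dict(sas)

if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("established", ESTABLISHED_LOG)):
        for sa, st in triage(log).items():
            print(f"{name}: IKE_SA {sa} conn={st['conn']} peer={st['peer']} "
                  f"user={st['xauth_user']} retransmits={st['retransmits']} -> {st['verdict']}")
```

Run it against a pasted charon log (with `charon` log level at the default, the lines used here are all present). A verdict of reply-not-accepted points at the client, not at the firewall: check the PSK on the device and, with a dynamic WAN address, the identifier the client expects the server to present.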

I noticed my mistake. Maybe this could be helpful for others. Problems:
- Selecting "My IP address" for "My identifier" is not a good idea if your internet connection changes IPs.
- I wanted to build a setup that reuses existing VPN configs on several end devices. The identifier made me think. Indeed, the end devices seem to remember old identifiers (from my Fritzbox) and don't connect to the OPNsense. Therefore the connection establishment timed out. A freshly set up account on a mobile device worked.
Now I will search for a solution to set up a gateway for the IPsec clients to route their traffic back to the internet. This should help me circumvent censorship in another country.
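The follow-up identifies the real problem: leftid was the WAN address, and clients that pin the server identity stop matching as soon as that address changes. The posted ipsec.conf has a few more things a reviewer would flag, all visible in the file itself. The ike list ends with modp1024 and the esp list with blowfish/3des/cast128; the "!" makes the list strict but a client may still pick any group or cipher offered. auto=route asks charon to install a trap policy, which needs a concrete remote address, and with right=%any there is none: that is exactly the "installing trap failed, remote address unknown" line at start-up, harmless for a responder-only road-warrior conn, and auto=add avoids it. And IKEv1 Aggressive Mode with a PSK sends the responder's PSK-derived HASH unencrypted in message 2, so anyone who sends message 1 with an ID the responder has a PSK for gets material for an offline dictionary attack on the PSK; no setting in this conn fixes that, only a move to IKEv2 with certificates or EAP. The lint below is an added example, not OPNsense or strongSwan code; it parses ipsec.conf syntax and reports these findings on the posted config (placeholder addresses) and on a constructed "after" variant that assumes vpn.example.com as the firewall's DNS name and keeps the IKEv1 PSK/XAuth design, so the one finding that survives is the protocol-level one.

```python
import ipaddress

# Constructed sample: the relevant lines of the ipsec.conf from the first post,
# with placeholder addresses.
POSTED_CONF = """\
config setup
  uniqueids = yes
conn con1
  aggressive = yes
  keyexchange = ikev1
  left = 91.13.0.2
  right = %any
  leftid = 91.13.0.2
  rightsourceip = 192.168.24.0/24
  ike = aes256-sha1-ecp521,aes256-sha1-ecp384,aes256-sha1-ecp256,aes256-sha1-modp2048,aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 10.1.1.0/24
  esp = aes256-sha1,blowfish256-sha1,blowfish192-sha1,blowfish128-sha1,3des-sha1,cast128-sha1!
  auto = route
"""

# Constructed "after" variant (assumption: vpn.example.com is the firewall's
# DNS name). Identity no longer tied to the WAN address, legacy algorithms
# dropped (the log shows the phone negotiating AES-256/SHA-1/MODP-2048, so
# those stay), responder-only conn loaded with auto=add. The IKEv1 PSK/XAuth
# design is kept on purpose so the lint shows what a config edit cannot fix.
FIXED_CONF = """\
config setup
  uniqueids = yes
conn con1
  aggressive = yes
  keyexchange = ikev1
  left = %any
  right = %any
  leftid = @vpn.example.com
  rightsourceip = 192.168.24.0/24
  ike = aes256-sha1-ecp384,aes256-sha1-ecp256,aes256-sha1-modp2048!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 10.1.1.0/24
  esp = aes256-sha1!
  auto = add
"""

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn <name>': {...}} from ipsec.conf syntax."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: "conn con1" / "config setup"
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:  # indented: "key = value"
            k, v = (s.strip() for s in line.split("=", 1))
            current[k] = v
    return sections

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_ESP = ("blowfish", "3des", "cast128")

def lint_conn(name, c):
    """Return (key, message) findings for one conn section."""
    f = []
    right, leftid = c.get("right", ""), c.get("leftid", "")
    if is_ip(leftid) and right == "%any":
        f.append(("leftid-literal-ip", f"{name}: leftid={leftid} is a literal address; road-warrior "
                  "clients pin it as the server identity and stop matching once the WAN address "
                  "changes. Use an FQDN/KEYID identifier and set the same remote ID on the clients."))
    if c.get("aggressive") == "yes" and "psk" in (c.get("leftauth"), c.get("rightauth")):
        f.append(("aggressive-psk", f"{name}: Aggressive Mode with PSK sends the responder's "
                  "PSK-derived HASH unencrypted in message 2; anyone sending message 1 with a known "
                  "ID can brute-force the PSK offline. Not fixable here; move to IKEv2 with "
                  "certificates or EAP."))
    # proposals look like "aes256-sha1-modp2048,aes256-sha1-modp1024!"
    groups = {alg for prop in c.get("ike", "").rstrip("!").split(",")
              for alg in prop.split("-") if alg.startswith(("modp", "ecp"))}
    if groups & WEAK_DH:
        f.append(("weak-dh", f"{name}: ike offers {', '.join(sorted(groups & WEAK_DH))}; a client "
                  "may pick it even though stronger groups are listed first."))
    esp = c.get("esp", "").rstrip("!")
    legacy = sorted(w for w in WEAK_ESP if w in esp)
    if legacy:
        f.append(("weak-esp", f"{name}: esp offers legacy ciphers {', '.join(legacy)}."))
    if c.get("auto") == "route" and right == "%any":
        f.append(("trap-any", f"{name}: auto=route wants a trap policy but right=%any gives no "
                  "remote address to install it for (charon: 'installing trap failed, remote "
                  "address unknown'). Harmless for a responder-only conn; auto=add avoids it."))
    return f

def lint(text):
    """Lint every conn section of an ipsec.conf text."""
    return [finding for sec, c in parse_ipsec_conf(text).items() if sec.startswith("conn ")
            for finding in lint_conn(sec.split(" ", 1)[1], c)]

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for key, msg in lint(conf):
            print(f"[{label}] {key}: {msg}")
```

On OPNsense the file is generated from the GUI, so the fix for the first finding is made there (a non-IP "My identifier", with the same value entered as the remote/server ID on each client), but the lint is useful on the generated /usr/local/etc/ipsec.conf to confirm what the GUI actually wrote.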