Hey all. Using instructions from https://docs.opnsense.org/manual/how-tos/ipsec-road.html and https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html, and a lot of trial-and-error with the cipher keys, I can connect my Windows 11 system to OPNsense. However, two issues remain...
1. I have FreeRADIUS set up to authenticate via LDAPS to an Active Directory server. However, while it authenticates in OPNsense, it gets password errors for VPN users. Making a local VPN user gets around this, but...
2. The client gets a subnet mask of 255.255.255.255. It's immediately unclear from the documentation if you need to use a dedicated IP range with a virtual IP, and/or routing rules to connect that to the LAN IP ranges (using IPv4 & IPv6 at the remote site).
I feel like this stuff may have been working before in the past, but maybe not now? Please advise. Thanks.
Added details...
1. Regarding the authentication issue, the error I see in the FreeRADIUS logs...
Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication)
2. Regarding the routing issue, I did see this in the IPsec log...
installing route failed: (VPN IPV6 ADDR)/128 via (WAN IPV4 GATEWAY) src (LAN IPV6 ADDR) dev em0
adding PF_ROUTE route failed
3. Regarding IPsec connectivity & the tutorials given, the default set of Windows ciphers don't neatly overlap with it, and give inconsistent behavior; reporting this to Microsoft. The default working CIPHER for EAP-RADIUS came out to be:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Microsoft report: https://aka.ms/AAfj0rb

is initiating an IKE_SA
received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

initiating a Main Mode IKE_SA
received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
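The two client-side points in the post (the 255.255.255.255 mask in issue 2 and the weak default Windows proposals such as 3DES/MODP_1024 in issue 3) can both be handled on the Windows 11 client itself rather than by loosening the OPNsense proposal list. The following is an added PowerShell example, not code from the original post or from the OPNsense documentation. It assumes a VPN profile named "OPNsense-IKEv2" (placeholder), constructed remote LAN prefixes 192.168.10.0/24 and 2001:db8:10::/64, that OPNsense is configured to offer the matching strongSwan proposals aes256-sha256-ecp384 for IKE and aes256-sha256-ecp384 (AES-256/SHA-256 with PFS group ECP384) for ESP, and that the /32 on the RAS adapter is the normal host mask for a point-to-point VPN interface, with reachability of the LAN coming from routes rather than from the mask.

```powershell
# Added example (not from the original post or the OPNsense docs).
# Assumed profile name; replace with the name shown by Get-VpnConnection.
$vpn = 'OPNsense-IKEv2'

# 1. Pin the client's IKE_SA and CHILD_SA (ESP) proposals. With a custom policy
#    Windows only offers this one proposal set, so the 3DES/MODP_1024 fallbacks
#    seen in the IPsec log are no longer sent and the gateway does not have to
#    accept them. The values must match what OPNsense is configured to offer.
$ipsec = @{
    ConnectionName                   = $vpn
    EncryptionMethod                 = 'AES256'     # IKE_SA cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE_SA integrity / PRF
    DHGroup                          = 'ECP384'     # IKE_SA Diffie-Hellman group
    CipherTransformConstants         = 'AES256'     # ESP cipher
    AuthenticationTransformConstants = 'SHA256128'  # ESP integrity (HMAC-SHA2-256-128)
    PfsGroup                         = 'ECP384'     # PFS group used on CHILD_SA rekey
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# 2. Split tunneling: the virtual IP keeps its /32 host mask; the remote LAN
#    becomes reachable through explicit routes bound to the VPN interface.
#    Constructed prefixes; use the site's real IPv4 and IPv6 LAN ranges.
Set-VpnConnection -Name $vpn -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName $vpn -DestinationPrefix '192.168.10.0/24'
Add-VpnConnectionRoute -ConnectionName $vpn -DestinationPrefix '2001:db8:10::/64'

# 3. Verify the stored policy and routes before connecting ...
(Get-VpnConnection -Name $vpn).IPsecCustomPolicy
Get-VpnConnectionRoute -ConnectionName $vpn

# ... and, once connected, confirm the /32 address plus the pushed routes.
Get-NetIPAddress -InterfaceAlias $vpn | Select-Object IPAddress, PrefixLength
Get-NetRoute -InterfaceAlias $vpn | Select-Object DestinationPrefix, NextHop
```

Run this in an elevated PowerShell session after the profile exists (Add-VpnConnection or the GUI); the custom IPsec policy replaces the built-in proposal list entirely, so if the tunnel stops negotiating after this change, compare the single proposal Windows now sends in the OPNsense IPsec log against the phase 1 and phase 2 settings on the gateway. The server-side "No NT-Password" error in issue 1 is outside this client example: the FreeRADIUS mschap module needs the NT hash (or an ntlm_auth helper joined to the domain) to verify an MS-CHAPv2 response, which a plain LDAP bind against Active Directory does not supply.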