I am able to create an IPsec VPN from my iPhone to my OPNsense router. The IPsec log says
2022-11-30T13:51:54 Informational charon 10[IKE] <con1|19> CHILD_SA con1{4} established with SPIs cbe4c22d_i 0e09c456_o and TS 192.168.2.0/24 === 10.0.0.1/32
2022-11-30T13:51:54 Informational charon 10[ENC] <con1|19> parsed QUICK_MODE request 3990959854 [ HASH ]
2022-11-30T13:51:54 Informational charon 10[NET] <con1|19> received packet: from 188.207.79.87[17618] to 213.125.118.50[4500] (76 bytes)
My LAN is 192.168.2.2/24 and the IPsec pool is 10.0.0.0/24. I see these IPsec pass log entries on the IPsec interface, but that is the only traffic I see on the IPsec interface.
IPsec 2022-11-30T13:55:41 10.0.0.1:57972 192.168.2.66:53 udp
IPsec 2022-11-30T13:55:41 10.0.0.1:54646 192.168.2.66:53 udp
LAN Interface:
LAN 2022-11-30T14:03:20 10.0.0.1:62818 192.168.2.66:443 tcp let out anything from firewall host itself
LAN 2022-11-30T14:03:19 10.0.0.1:64705 192.168.2.66:53 udp let out anything from firewall host itself
LAN 2022-11-30T14:03:19 10.0.0.1:60687 192.168.2.66:53 udp let out anything from firewall host itself
The DNS query to the internal DNS goes out, but the status is 'refused'. A query to 8.8.8.8 times out, it seems.
IPsec 2022-11-30T14:08:16 10.0.0.1:62819 8.8.8.8:53 tcp
What am I missing here? Why can't the VPN-connected device reach any system on my LAN or on the WAN?
I solved the basic problem; I now have a working IPsec VPN from an iPhone.
First, my Phase 2 had (as per the OPNsense documentation for the Road Warrior scenario with PSK and XAuth) Local Network set to LAN Subnet. Basically, this means that traffic will only go to the LAN and nowhere else (e.g. not to the WAN).
A second problem was that my internal Unbound DNS resolvers were set to only accept requests from 127.0.0.1 and the LAN subnet. This worked fine in EdgeOS, as the L2TP/IPsec connections there gave the incoming Road Warrior client an IP address directly on the LAN. But with OPNsense, the Road Warriors have an address on a different network (set in VPN->IPsec->Mobile Clients), so, while the IPsec client could reach the DNS server, it did not get a reply but a REJECTED answer. In that situation really weird things may happen. For instance, as an FQDN on the internal net did not get resolved, OPNsense would happily redirect the client to the router/firewall itself, and an https request would try to open the OPNsense management interface, which then complained about DNS rebinding.
The answer is that in Phase 2 of the IPsec, I needed to set Local Network not to LAN Subnet (as in the OPNsense documentation example) but to Network 0.0.0.0/0 (as in the pfSense documentation...). I don't like that, it is much too permissive, so I need firewall rules to make it narrower. Haven't gotten that to work, though.
UPDATE 5 Dec 2022:
I was able to get IKEv2 EAP-RADIUS to work with iOS, with all traffic over the VPN and without a .mobileconfig file, and with macOS/iOS devices where each device gets its own IP based on the RADIUS user info. The key elements were:
- In FreeRADIUS Users:
  - Provide the IP Address and the Subnet Mask
  - In Routes, add the IP range of your LAN
- In Mobile Clients:
  - Do not provide a range in Virtual IPv4 Address Pool (if you do, it overrides the RADIUS settings)
  - Provide a domain name and a list of split domain names (probably not important)
- In Phase 1:
  - Connection method: default, Key Exchange V2
  - Method EAP-RADIUS, My Identifier: Distinguished Name, and the name is the reverse-resolvable FQDN
  - Encryption algorithms: AES256, hash algorithms: SHA1 & SHA256, DH: 14
- In Phase 2:
  - Set Local Network to "Network, 0.0.0.0/0" (all traffic over the tunnel)
  - Encryption algorithms: AES256, hash algorithms: SHA1 & SHA256
- In Firewall settings:
  - Disable force gateway turned on
On the device (macOS, iOS), make sure the certificate and the 'certificate authority' certificate are installed. Make sure in macOS that they are trusted.
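The two misconfigurations the thread works through (a Phase 2 Local Network that only covers the LAN, and an Unbound access list that does not include the mobile-client pool) can be checked offline against pasted firewall log lines. The script below is an added example, not code from the poster or from OPNsense; it models the responder's Phase 2 Local Network as the traffic selector and models Unbound's access-control directive (which the OPNsense Unbound access-list UI writes) with its most-specific-match rule. The addresses (LAN 192.168.2.0/24, pool 10.0.0.0/24, internal DNS 192.168.2.66) are taken from the thread, and the log lines are constructed to match the layout of the ones pasted above.

```python
# Added example, not part of the original forum post: a small offline model of the two
# misconfigurations the thread identifies, run over log lines in the thread's format.
# Assumptions: LAN 192.168.2.0/24, mobile-client pool 10.0.0.0/24 and internal DNS at
# 192.168.2.66 are taken from the thread; the log lines below are constructed to match its layout.
import ipaddress
import re

# Constructed sample in the layout of OPNsense's live firewall log as pasted in the thread:
# <interface> <timestamp> <src>:<sport> <dst>:<dport> <proto>
SAMPLE_LOG = """\
IPsec 2022-11-30T13:55:41 10.0.0.1:57972 192.168.2.66:53 udp
IPsec 2022-11-30T14:03:20 10.0.0.1:62818 192.168.2.66:443 tcp
IPsec 2022-11-30T14:08:16 10.0.0.1:62819 8.8.8.8:53 tcp
"""

LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

INTERNAL_DNS = "192.168.2.66"

# Phase 2 "Local Network" as the thread first had it (LAN Subnet) and as it was fixed (0.0.0.0/0).
PHASE2_LAN_ONLY = ["192.168.2.0/24"]
PHASE2_ALL = ["0.0.0.0/0"]

# Unbound access-control: the original list (loopback + LAN) and the fixed one that adds the pool.
ACL_LAN_ONLY = [("127.0.0.0/8", "allow"), ("192.168.2.0/24", "allow")]
ACL_WITH_POOL = ACL_LAN_ONLY + [("10.0.0.0/24", "allow")]


def parse_log(text):
    """Turn pasted firewall log lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            flows.append(d)
    return flows


def phase2_covers(local_networks, dst):
    """The responder's Phase 2 Local Network becomes the traffic selector on its side
    (the TS 192.168.2.0/24 === 10.0.0.1/32 in the charon log); only destinations inside
    it are carried by the CHILD_SA."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(net) for net in local_networks)


def unbound_accepts(access_control, src):
    """Model Unbound's access-control: the most specific matching netblock wins, and anything
    unmatched is refused, which Unbound answers with rcode REFUSED."""
    ip = ipaddress.ip_address(src)
    best = None
    for net, action in access_control:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, action)
    return best is not None and best[1] in ("allow", "allow_snoop", "allow_setrd")


def diagnose(text, local_networks, access_control, dns_server=INTERNAL_DNS):
    """Return one finding per logged flow that the given configuration would break."""
    findings = []
    for f in parse_log(text):
        if not phase2_covers(local_networks, f["dst"]):
            findings.append(
                f"{f['src']} -> {f['dst']}:{f['dport']} is outside the Phase 2 Local Network; "
                "the CHILD_SA will not carry it (WAN unreachable through the tunnel)")
        elif f["dport"] == 53 and f["dst"] == dns_server and not unbound_accepts(access_control, f["src"]):
            findings.append(
                f"{f['src']} -> {f['dst']}:53 comes from outside Unbound's access-control; "
                "the query is answered with REFUSED")
    return findings


if __name__ == "__main__":
    for label, nets, acl in (("as posted", PHASE2_LAN_ONLY, ACL_LAN_ONLY),
                             ("after the fix", PHASE2_ALL, ACL_WITH_POOL)):
        print(f"[{label}]")
        for finding in diagnose(SAMPLE_LOG, nets, acl) or ["no problems found"]:
            print("  " + finding)
```

With the posted settings the script flags both symptoms from the thread: the query from 10.0.0.1 to 192.168.2.66:53 is answered REFUSED because the pool is not in the access list, and the flow to 8.8.8.8 falls outside the 192.168.2.0/24 selector. After widening Local Network to 0.0.0.0/0 and adding 10.0.0.0/24 to the Unbound access list it reports nothing. The selector model is deliberately simple (it ignores the client side's proposed selectors and any firewall rules on the IPsec interface), so treat a clean result as a necessary, not sufficient, check.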