Hello there,
I've followed the following guide: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#rw-swanctl-method1
But it's still not working, plus that guide contains some mistakes/missing parts.
For example:
1) In section 1.3 - VPN: IPsec: Connections --> Remote Authentication, setting %any as an EAP Id is not allowed and it results in a "text validation error".
2) In section 1.3 - VPN: IPsec: Connections --> Remote Authentication, the value for "remote" is missing.
When I leave it empty, it results in a "please specify a valid network segment or address" error.
Nevertheless, I've set EAP Id to the user name "expert" and the value for the remote network to 0.0.0.0/0.
I've tried to capture some packets but no packets are reaching my OPNsense.
I've even tried to restart the IPsec VPN, but it's still not working.
Can someone recommend a tutorial, which is validated and working?
Thank you in advance
Edit: I am able to receive packets now.
The error was caused by the NetworkManager configuration.
Under Ubuntu 22.04, you have to set managed=true under [ifupdown] in /etc/NetworkManager/NetworkManager.conf.
I've already installed strongswan and libcharon-extra-plugins.
The setup is as follows:
Site A:
WAN: 172.16.11.1
LAN: 192.168.1.0/24
Firewall rules: every interface allows every incoming and outgoing packet.
Site B:
WAN: 172.16.11.2
LAN: 192.168.2.0/24
Host: 192.168.2.3 --> connected to OPNsense Site B.
So, the host on Site B is supposed to establish a connection to the OPNsense on Site A.
Now, I am getting the following capture:
14:32:52.885431 IP (tos 0x0, ttl 63, id 57826, offset 0, flags [DF], proto UDP (17), length 1124)
192.168.2.3.54712 > 172.16.11.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=900
(p: #1 protoid=isakmp transform=41 len=384
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=encr id=aes (type=keylen value=00c0))
(t: #3 type=encr id=aes (type=keylen value=0100))
(t: #4 type=encr id=#23 (type=keylen value=0080))
(t: #5 type=encr id=#23 (type=keylen value=00c0))
(t: #6 type=encr id=#23 (type=keylen value=0100))
(t: #7 type=encr id=#13 (type=keylen value=0080))
(t: #8 type=encr id=#13 (type=keylen value=00c0))
(t: #9 type=encr id=#13 (type=keylen value=0100))
(t: #10 type=encr id=#24 (type=keylen value=0080))
(t: #11 type=encr id=#24 (type=keylen value=00c0))
(t: #12 type=encr id=#24 (type=keylen value=0100))
(t: #13 type=encr id=3des )
(t: #14 type=integ id=#12 )
(t: #15 type=integ id=#13 )
(t: #16 type=integ id=#14 )
(t: #17 type=integ id=hmac-sha )
(t: #18 type=integ id=aes-xcbc )
(t: #19 type=integ id=#8 )
(t: #20 type=prf id=#5 )
(t: #21 type=prf id=#6 )
(t: #22 type=prf id=#7 )
(t: #23 type=prf id=aes128_xcbc )
(t: #24 type=prf id=#8 )
(t: #25 type=prf id=hmac-sha )
(t: #26 type=dh id=#31 )
(t: #27 type=dh id=#32 )
(t: #28 type=dh id=#19 )
(t: #29 type=dh id=#20 )
(t: #30 type=dh id=#21 )
(t: #31 type=dh id=#28 )
(t: #32 type=dh id=#29 )
(t: #33 type=dh id=#30 )
(t: #34 type=dh id=#1031 )
(t: #35 type=dh id=#1032 )
(t: #36 type=dh id=#1033 )
(t: #37 type=dh id=modp3072 )
(t: #38 type=dh id=modp4096 )
(t: #39 type=dh id=modp6144 )
(t: #40 type=dh id=modp8192 )
(t: #41 type=dh id=modp2048 ))
(p: #2 protoid=isakmp transform=50 len=516
(t: #1 type=encr id=#20 (type=keylen value=0080))
(t: #2 type=encr id=#20 (type=keylen value=00c0))
(t: #3 type=encr id=#20 (type=keylen value=0100))
(t: #4 type=encr id=#16 (type=keylen value=0080))
(t: #5 type=encr id=#16 (type=keylen value=00c0))
(t: #6 type=encr id=#16 (type=keylen value=0100))
(t: #7 type=encr id=#28 )
(t: #8 type=encr id=#27 (type=keylen value=0080))
(t: #9 type=encr id=#27 (type=keylen value=00c0))
(t: #10 type=encr id=#27 (type=keylen value=0100))
(t: #11 type=encr id=#19 (type=keylen value=0080))
(t: #12 type=encr id=#19 (type=keylen value=00c0))
(t: #13 type=encr id=#19 (type=keylen value=0100))
(t: #14 type=encr id=#18 (type=keylen value=0080))
(t: #15 type=encr id=#18 (type=keylen value=00c0))
(t: #16 type=encr id=#18 (type=keylen value=0100))
(t: #17 type=encr id=#15 (type=keylen value=0080))
(t: #18 type=encr id=#15 (type=keylen value=00c0))
(t: #19 type=encr id=#15 (type=keylen value=0100))
(t: #20 type=encr id=#14 (type=keylen value=0080))
(t: #21 type=encr id=#14 (type=keylen value=00c0))
(t: #22 type=encr id=#14 (type=keylen value=0100))
(t: #23 type=encr id=#25 (type=keylen value=0080))
(t: #24 type=encr id=#25 (type=keylen value=00c0))
(t: #25 type=encr id=#25 (type=keylen value=0100))
(t: #26 type=encr id=#26 (type=keylen value=0080))
(t: #27 type=encr id=#26 (type=keylen value=00c0))
(t: #28 type=encr id=#26 (type=keylen value=0100))
(t: #29 type=prf id=#5 )
(t: #30 type=prf id=#6 )
(t: #31 type=prf id=#7 )
(t: #32 type=prf id=aes128_xcbc )
(t: #33 type=prf id=#8 )
(t: #34 type=prf id=hmac-sha )
(t: #35 type=dh id=#31 )
(t: #36 type=dh id=#32 )
(t: #37 type=dh id=#19 )
(t: #38 type=dh id=#20 )
(t: #39 type=dh id=#21 )
(t: #40 type=dh id=#28 )
(t: #41 type=dh id=#29 )
(t: #42 type=dh id=#30 )
(t: #43 type=dh id=#1031 )
(t: #44 type=dh id=#1032 )
(t: #45 type=dh id=#1033 )
(t: #46 type=dh id=modp3072 )
(t: #47 type=dh id=modp4096 )
(t: #48 type=dh id=modp6144 )
(t: #49 type=dh id=modp8192 )
(t: #50 type=dh id=modp2048 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(8dad4585a1a035b94899...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
14:32:52.930573 IP (tos 0x0, ttl 64, id 4271, offset 0, flags [none], proto UDP (17), length 64)
172.16.11.1.500 > 192.168.2.3.54712: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
(n: prot_id=#0 type=14(no_protocol_chosen))
The host's syslog states the following log entries:
Nov 17 09:32:52 osboxes NetworkManager[5671]: <info> [1700231572.2062] vpn[0x55eb24de65e0,247d6831-f193-47f2-ba4f-d92cf16a227b,"VPN 1"]: starting strongswan
Nov 17 09:32:52 osboxes NetworkManager[5671]: <info> [1700231572.2063] audit: op="connection-activate" uuid="247d6831-f193-47f2-ba4f-d92cf16a227b" name="VPN 1" pid=5721 uid=1000 result="success"
Nov 17 09:32:52 osboxes charon-nm: 05[CFG] received initiate for NetworkManager connection VPN 1
Nov 17 09:32:52 osboxes charon-nm: 05[CFG] using gateway identity 'OPNsense'
Nov 17 09:32:52 osboxes charon-nm: 05[IKE] initiating IKE_SA VPN 1[6] to 172.16.11.1
Nov 17 09:32:52 osboxes charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 17 09:32:52 osboxes charon-nm: 05[NET] sending packet: from 192.168.2.3[54712] to 172.16.11.1[500] (1096 bytes)
Nov 17 09:32:52 osboxes charon-nm: 06[NET] received packet: from 172.16.11.1[500] to 192.168.2.3[54712] (36 bytes)
Nov 17 09:32:52 osboxes charon-nm: 06[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 17 09:32:52 osboxes charon-nm: 06[IKE] received NO_PROPOSAL_CHOSEN notify error
Nov 17 09:32:52 osboxes NetworkManager[5671]: <warn> [1700231572.3808] vpn[0x55eb24de65e0,247d6831-f193-47f2-ba4f-d92cf16a227b,"VPN 1"]: dbus: failure: login-failed (0)
Nov 17 09:32:52 osboxes NetworkManager[5671]: <warn> [1700231572.3808] vpn[0x55eb24de65e0,247d6831-f193-47f2-ba4f-d92cf16a227b,"VPN 1"]: dbus: failure: connect-failed (1)
Update
I've found the following how-to, and I am getting one step closer to my goal: https://newsweb.w-3.de/Tutorials/Tutorial_MobIKE.pdf
Now, the capture and the syslog look like this:
16:58:24.927059 IP (tos 0x0, ttl 63, id 63635, offset 0, flags [DF], proto UDP (17), length 1096)
192.168.2.3.56049 > 172.16.11.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=648
(p: #1 protoid=isakmp transform=30 len=272
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=encr id=aes (type=keylen value=00c0))
(t: #3 type=encr id=aes (type=keylen value=0100))
(t: #4 type=encr id=#23 (type=keylen value=0080))
(t: #5 type=encr id=#23 (type=keylen value=00c0))
(t: #6 type=encr id=#23 (type=keylen value=0100))
(t: #7 type=encr id=3des )
(t: #8 type=integ id=#12 )
(t: #9 type=integ id=#13 )
(t: #10 type=integ id=#14 )
(t: #11 type=integ id=hmac-sha )
(t: #12 type=integ id=aes-xcbc )
(t: #13 type=prf id=#5 )
(t: #14 type=prf id=#6 )
(t: #15 type=prf id=#7 )
(t: #16 type=prf id=aes128_xcbc )
(t: #17 type=prf id=hmac-sha )
(t: #18 type=dh id=modp2048 )
(t: #19 type=dh id=#31 )
(t: #20 type=dh id=#32 )
(t: #21 type=dh id=#19 )
(t: #22 type=dh id=#20 )
(t: #23 type=dh id=#21 )
(t: #24 type=dh id=#28 )
(t: #25 type=dh id=#29 )
(t: #26 type=dh id=#30 )
(t: #27 type=dh id=modp3072 )
(t: #28 type=dh id=modp4096 )
(t: #29 type=dh id=modp6144 )
(t: #30 type=dh id=modp8192 ))
(p: #2 protoid=isakmp transform=37 len=376
(t: #1 type=encr id=#20 (type=keylen value=0080))
(t: #2 type=encr id=#20 (type=keylen value=00c0))
(t: #3 type=encr id=#20 (type=keylen value=0100))
(t: #4 type=encr id=#16 (type=keylen value=0080))
(t: #5 type=encr id=#16 (type=keylen value=00c0))
(t: #6 type=encr id=#16 (type=keylen value=0100))
(t: #7 type=encr id=#28 )
(t: #8 type=encr id=#19 (type=keylen value=0080))
(t: #9 type=encr id=#19 (type=keylen value=00c0))
(t: #10 type=encr id=#19 (type=keylen value=0100))
(t: #11 type=encr id=#18 (type=keylen value=0080))
(t: #12 type=encr id=#18 (type=keylen value=00c0))
(t: #13 type=encr id=#18 (type=keylen value=0100))
(t: #14 type=encr id=#15 (type=keylen value=0080))
(t: #15 type=encr id=#15 (type=keylen value=00c0))
(t: #16 type=encr id=#15 (type=keylen value=0100))
(t: #17 type=encr id=#14 (type=keylen value=0080))
(t: #18 type=encr id=#14 (type=keylen value=00c0))
(t: #19 type=encr id=#14 (type=keylen value=0100))
(t: #20 type=prf id=#5 )
(t: #21 type=prf id=#6 )
(t: #22 type=prf id=#7 )
(t: #23 type=prf id=aes128_xcbc )
(t: #24 type=prf id=hmac-sha )
(t: #25 type=dh id=modp2048 )
(t: #26 type=dh id=#31 )
(t: #27 type=dh id=#32 )
(t: #28 type=dh id=#19 )
(t: #29 type=dh id=#20 )
(t: #30 type=dh id=#21 )
(t: #31 type=dh id=#28 )
(t: #32 type=dh id=#29 )
(t: #33 type=dh id=#30 )
(t: #34 type=dh id=modp3072 )
(t: #35 type=dh id=modp4096 )
(t: #36 type=dh id=modp6144 )
(t: #37 type=dh id=modp8192 )))
(v2ke: len=256 group=modp2048)
(nonce: len=32 data=(80a767aa52af027fcb2f...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
16:58:24.960710 IP (tos 0x0, ttl 64, id 1327, offset 0, flags [none], proto UDP (17), length 525)
172.16.11.1.500 > 192.168.2.3.56049: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0100))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=modp2048 )))
(v2ke: len=256 group=modp2048)
(nonce: len=32 data=(54c8a93f75e4fdbd0d64...0004000529000008000040220000000800004014))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(v2cr: len=21)
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16418(status))
(n: prot_id=#0 type=16404(status))
16:58:24.965356 IP (tos 0x0, ttl 63, id 63644, offset 0, flags [DF], proto UDP (17), length 496)
192.168.2.3.46164 > 172.16.11.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]:
(v2e: len=432)
16:58:24.973444 IP (tos 0x0, ttl 64, id 31524, offset 0, flags [none], proto UDP (17), length 1268)
172.16.11.1.4500 > 192.168.2.3.46164: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]:
(#53) [|v2IDr]
16:58:24.973461 IP (tos 0x0, ttl 64, id 50748, offset 0, flags [none], proto UDP (17), length 372)
172.16.11.1.4500 > 192.168.2.3.46164: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]:
(#53)
16:58:24.976016 IP (tos 0x0, ttl 63, id 63646, offset 0, flags [DF], proto UDP (17), length 112)
192.168.2.3.46164 > 172.16.11.1.4500: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa inf2[I]:
(v2e: len=48)
16:58:24.979287 IP (tos 0x0, ttl 64, id 18822, offset 0, flags [none], proto UDP (17), length 112)
172.16.11.1.4500 > 192.168.2.3.46164: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa inf2[R]:
(v2e: len=48)
Nov 17 11:54:02 osboxes NetworkManager[3697]: <info> [1700240042.0788] vpn[0x55fc4b1486a0,820d3a8d-85e7-451a-a270-b9b1a79a93a5,"VPN 1"]: starting strongswan
Nov 17 11:54:02 osboxes NetworkManager[3697]: <info> [1700240042.0876] audit: op="connection-activate" uuid="820d3a8d-85e7-451a-a270-b9b1a79a93a5" name="VPN 1" pid=2511 uid=1000 result="success"
Nov 17 11:54:02 osboxes charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.5)
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] providers loaded by OpenSSL: legacy default
Nov 17 11:54:02 osboxes systemd-udevd[4028]: Using default interface naming scheme 'v249'.
Nov 17 11:54:02 osboxes NetworkManager[3697]: <info> [1700240042.1406] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/4)
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] created TUN device: tun0
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Nov 17 11:54:02 osboxes charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 17 11:54:02 osboxes charon-nm: 00[JOB] spawning 16 worker threads
Nov 17 11:54:02 osboxes charon-nm: 06[IKE] installed bypass policy for 169.254.0.0/16
Nov 17 11:54:02 osboxes charon-nm: 06[IKE] installed bypass policy for 192.168.2.0/24
Nov 17 11:54:02 osboxes charon-nm: 06[IKE] installed bypass policy for ::1/128
Nov 17 11:54:02 osboxes charon-nm: 05[CFG] received initiate for NetworkManager connection VPN 1
Nov 17 11:54:02 osboxes charon-nm: 05[CFG] using gateway identity 'OPNsense'
Nov 17 11:54:02 osboxes charon-nm: 05[IKE] initiating IKE_SA VPN 1[1] to 172.16.11.1
Nov 17 11:54:02 osboxes charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 17 11:54:02 osboxes charon-nm: 05[NET] sending packet: from 192.168.2.3[52021] to 172.16.11.1[500] (844 bytes)
Nov 17 11:54:02 osboxes charon-nm: 10[NET] received packet: from 172.16.11.1[500] to 192.168.2.3[52021] (38 bytes)
Nov 17 11:54:02 osboxes charon-nm: 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 17 11:54:02 osboxes charon-nm: 10[IKE] peer didn't accept DH group CURVE_25519, it requested MODP_2048
Nov 17 11:54:02 osboxes charon-nm: 10[IKE] initiating IKE_SA VPN 1[1] to 172.16.11.1
Nov 17 11:54:02 osboxes charon-nm: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 17 11:54:02 osboxes charon-nm: 10[NET] sending packet: from 192.168.2.3[52021] to 172.16.11.1[500] (1068 bytes)
Nov 17 11:54:02 osboxes charon-nm: 11[NET] received packet: from 172.16.11.1[500] to 192.168.2.3[52021] (497 bytes)
Nov 17 11:54:02 osboxes charon-nm: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 17 11:54:02 osboxes charon-nm: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 11:54:02 osboxes charon-nm: 11[IKE] received cert request for "C=AD, ST=a, L=a, O=a, E=a, CN=OPNsense"
Nov 17 11:54:02 osboxes charon-nm: 11[IKE] sending cert request for "C=AD, ST=a, L=a, O=a, E=a, CN=OPNsense"
Nov 17 11:54:02 osboxes charon-nm: 11[IKE] establishing CHILD_SA VPN 1{1}
Nov 17 11:54:02 osboxes charon-nm: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 17 11:54:02 osboxes charon-nm: 11[NET] sending packet: from 192.168.2.3[41234] to 172.16.11.1[4500] (464 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[NET] received packet: from 172.16.11.1[4500] to 192.168.2.3[41234] (1236 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Nov 17 11:54:02 osboxes charon-nm: 12[NET] received packet: from 172.16.11.1[4500] to 192.168.2.3[41234] (340 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1504 bytes)
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 17 11:54:02 osboxes charon-nm: 12[IKE] received end entity cert "C=AD, ST=a, L=a, O=a, E=a, CN=OPNsense"
Nov 17 11:54:02 osboxes charon-nm: 12[IKE] no trusted RSA public key found for '172.16.11.1'
Nov 17 11:54:02 osboxes charon-nm: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Nov 17 11:54:02 osboxes charon-nm: 12[NET] sending packet: from 192.168.2.3[41234] to 172.16.11.1[4500] (80 bytes)
Nov 17 11:54:02 osboxes NetworkManager[3697]: <warn> [1700240042.3979] vpn[0x55fc4b1486a0,820d3a8d-85e7-451a-a270-b9b1a79a93a5,"VPN 1"]: dbus: failure: connect-failed (1)
Nov 17 11:54:02 osboxes NetworkManager[3697]: <warn> [1700240042.3986] vpn[0x55fc4b1486a0,820d3a8d-85e7-451a-a270-b9b1a79a93a5,"VPN 1"]: dbus: failure: connect-failed (1)
Update
I've got it working with strongSwan for Android.
The next step is to study more about strongSwan for Linux systems.
So, the mobile VPN works!
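The captures above are hard to read because tcpdump prints most IKEv2 transform IDs numerically ("type=integ id=#12") and labels notify type 14 as "no_protocol_chosen" although IANA and charon call it NO_PROPOSAL_CHOSEN. The following decoder is an added example written for this page; it is not code from the poster, from OPNsense or from strongSwan. It maps the IDs to their IANA names, decodes the notify payloads, checks that every transform the responder picked was in the initiator's offer, and renders the pick in strongSwan's proposal syntax. The IANA tables cover only the IDs that occur in the captures, the strongSwan keyword mapping covers the same set, and the sample input is constructed from excerpts of the captures above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IANA "IKEv2 Transform Type Values": the IDs tcpdump shows as "#N" in the captures above.
ENCR = {3: "3DES", 12: "AES_CBC", 13: "AES_CTR", 14: "AES_CCM_8", 15: "AES_CCM_12", 16: "AES_CCM_16",
        18: "AES_GCM_8", 19: "AES_GCM_12", 20: "AES_GCM_16", 23: "CAMELLIA_CBC", 24: "CAMELLIA_CTR",
        25: "CAMELLIA_CCM_8", 26: "CAMELLIA_CCM_12", 27: "CAMELLIA_CCM_16", 28: "CHACHA20_POLY1305"}
PRF = {2: "PRF_HMAC_SHA1", 4: "PRF_AES128_XCBC", 5: "PRF_HMAC_SHA2_256", 6: "PRF_HMAC_SHA2_384",
       7: "PRF_HMAC_SHA2_512", 8: "PRF_AES128_CMAC"}
INTEG = {2: "HMAC_SHA1_96", 5: "AES_XCBC_96", 8: "AES_CMAC_96", 12: "HMAC_SHA2_256_128",
         13: "HMAC_SHA2_384_192", 14: "HMAC_SHA2_512_256"}
DH = {14: "MODP_2048", 15: "MODP_3072", 16: "MODP_4096", 17: "MODP_6144", 18: "MODP_8192", 19: "ECP_256",
      20: "ECP_384", 21: "ECP_521", 28: "BRAINPOOL_256", 29: "BRAINPOOL_384", 30: "BRAINPOOL_512",
      31: "CURVE_25519", 32: "CURVE_448"}
REGISTRY = {"encr": ENCR, "prf": PRF, "integ": INTEG, "dh": DH}
# IDs that tcpdump prints by name instead of as "#N".
SYMBOLIC = {("encr", "aes"): 12, ("encr", "3des"): 3, ("integ", "hmac-sha"): 2, ("integ", "aes-xcbc"): 5,
            ("prf", "hmac-sha"): 2, ("prf", "aes128_xcbc"): 4, ("dh", "modp2048"): 14,
            ("dh", "modp3072"): 15, ("dh", "modp4096"): 16, ("dh", "modp6144"): 17, ("dh", "modp8192"): 18}
# IKEv2 Notify Message Types seen in the captures; values below 16384 are errors, the rest are status.
NOTIFY = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
          16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
          16404: "MULTIPLE_AUTH_SUPPORTED", 16406: "REDIRECT_SUPPORTED", 16418: "CHILDLESS_IKEV2_SUPPORTED",
          16430: "IKEV2_FRAGMENTATION_SUPPORTED", 16431: "SIGNATURE_HASH_ALGORITHMS"}
# Keywords strongSwan's "proposals =" syntax uses for the hash-based transforms above.
SS_HASH = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256", "HMAC_SHA2_384_192": "sha384",
           "HMAC_SHA2_512_256": "sha512", "AES_XCBC_96": "aesxcbc", "PRF_HMAC_SHA1": "prfsha1",
           "PRF_HMAC_SHA2_256": "prfsha256", "PRF_HMAC_SHA2_384": "prfsha384", "PRF_HMAC_SHA2_512": "prfsha512"}

TRANSFORM_RE = re.compile(r"\(t: #\d+ type=(encr|prf|integ|dh) id=(#?[\w-]+)"
                          r"(?: \(type=keylen value=([0-9a-fA-F]+)\))?")
NOTIFY_RE = re.compile(r"\(n: prot_id=#\d+ type=(\d+)")

@dataclass(frozen=True)
class Transform:
    ttype: str             # encr / prf / integ / dh
    tid: int               # IANA transform ID
    keylen: Optional[int]  # key length attribute in bits, when present

    @property
    def name(self) -> str:
        base = REGISTRY[self.ttype].get(self.tid, f"{self.ttype.upper()}_#{self.tid}")
        return f"{base}_{self.keylen}" if self.keylen else base

def parse_transforms(dump: str) -> list:
    """Every (t: ...) entry of a tcpdump SA payload, in order; tcpdump prints keylen as hex bits."""
    result = []
    for ttype, ident, keylen in TRANSFORM_RE.findall(dump):
        tid = int(ident[1:]) if ident.startswith("#") else SYMBOLIC[(ttype, ident)]  # KeyError: unknown name
        result.append(Transform(ttype, tid, int(keylen, 16) if keylen else None))
    return result

def parse_notifies(dump: str) -> list:
    """(type number, IANA name) for every (n: ...) payload in the dump."""
    return [(int(n), NOTIFY.get(int(n), f"NOTIFY_{n}")) for n in NOTIFY_RE.findall(dump)]

def strongswan_keyword(t: Transform) -> str:
    n = REGISTRY[t.ttype].get(t.tid, "")
    if t.ttype == "encr":
        if n == "AES_CBC":
            return f"aes{t.keylen}"
        if n.startswith("AES_GCM"):                      # AES_GCM_16 with 256-bit key -> aes256gcm16
            return f"aes{t.keylen}gcm{n.rsplit('_', 1)[1]}"
        return n.lower().replace("_", "")                # CHACHA20_POLY1305 -> chacha20poly1305
    if t.ttype == "dh":
        return n.lower().replace("_", "")                # MODP_2048 -> modp2048, CURVE_25519 -> curve25519
    return SS_HASH.get(n, n.lower())

def strongswan_proposal(chosen: list) -> str:
    """The responder's single transform per type, as a strongSwan proposal string."""
    by = {t.ttype: t for t in chosen}
    parts = [strongswan_keyword(by[k]) for k in ("encr", "integ") if k in by]
    # strongSwan infers the PRF from the integrity hash; it is spelled out only if it differs or there is none (AEAD).
    if "prf" in by and ("integ" not in by or strongswan_keyword(by["prf"]) != "prf" + strongswan_keyword(by["integ"])):
        parts.append(strongswan_keyword(by["prf"]))
    if "dh" in by:
        parts.append(strongswan_keyword(by["dh"]))
    return "-".join(parts)

def check_selection(initiator_dump: str, responder_dump: str) -> dict:
    """Was each transform the responder picked actually offered, and did it answer with an error notify?"""
    offered = set(parse_transforms(initiator_dump))
    chosen = parse_transforms(responder_dump)
    errors = [name for num, name in parse_notifies(responder_dump) if num < 16384]
    return {"chosen": [t.name for t in chosen],
            "not_offered": [t.name for t in chosen if t not in offered],
            "errors": errors,
            "proposal": strongswan_proposal(chosen) if chosen and not errors else None}

# Constructed test input: excerpts of the initiator's first proposal and of the two responder replies above.
INITIATOR = """(t: #3 type=encr id=aes (type=keylen value=0100))
(t: #8 type=integ id=#12 )
(t: #13 type=prf id=#5 )
(t: #18 type=dh id=modp2048 )
(t: #19 type=dh id=#31 )"""
RESPONDER_OK = """(t: #1 type=encr id=aes (type=keylen value=0100))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=modp2048 )))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16430(status))"""
RESPONDER_REJECT = "(n: prot_id=#0 type=14(no_protocol_chosen))"
```

Running check_selection(INITIATOR, RESPONDER_OK) decodes the responder's pick as AES_CBC_256 / HMAC_SHA2_256_128 / PRF_HMAC_SHA2_256 / MODP_2048, which is exactly the "selected proposal" line charon logged at 11:54:02, and renders it as aes256-sha256-modp2048; check_selection(INITIATOR, RESPONDER_REJECT) yields no transforms and the error NO_PROPOSAL_CHOSEN, matching the first capture. The syslog also shows why the working attempt needed two IKE_SA_INIT round trips: the first KE payload used group #31 (CURVE_25519) and the responder answered INVALID_KE_PAYLOAD asking for MODP_2048, which is the group the second request carries. Pinning the client's IKE proposal to the decoded string (strongSwan's proposals setting) avoids that extra round trip.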