Hi, I am trying to get an IPsec VPN with certificates working with the new "Connections" method. However, I have had no success. I tried to make sense of the following guides:
//Original question deleted as I fixed it by myself. I posted a HowTo in this thread. Just scroll down.
I know it's probably not what you want to hear, but using OpenVPN with the Viscosity client works like a charm on a MacBook.
I use it for work and it just works perfectly with OPNsense, with no weird stuff happening.
IPsec can be a bit of a pain with native OS clients and road warrior setups.
Thanks for your answer, but actually no, because I use this on iOS as well and I don't want to use apps, because they cannot be integrated into the system as well as the native stuff and become unmaintained from time to time.
That's one way to see it. The other way is that native apps will break too.
https://forum.opnsense.org/index.php?topic=43766
And then you have to troubleshoot for hours. It happened on Windows several times in the past, and with Apple it also seems to be a possibility.
So I guess there is no perfect solution.
So to help here, you have to provide the error log from the macOS side too. IPsec troubleshooting needs both sides' errors most of the time.
//edit:
I got it working. :)
One part of the problem was that I still had to install and trust the CA separately. I thought this was bundled with the PKCS#12 file.
I will modify my post soon, once I have tested everything extensively. Thanks for pointing me towards reading the Apple logs in more detail.
Awesome, maybe we can create a tutorial for the OPNsense docs out of it.
Thanks for testing this and providing the information. :)
https://github.com/opnsense/docs/issues/639
I will probably include an EAP-TLS section and reformat this document a bit for it.
Here is the guide. I have been using it for some weeks now and it's working great on iOS and macOS. I will add information on what to do on macOS/iOS to get this working, but it is pretty straightforward: import and trust the CA plus the PKCS#12 file, then set up the VPN in the GUI. That's it. You need to export the PKCS#12 with a password; when exporting with a blank password, macOS will not import it.
CHANGES
- V1.0 Initial
PREPARATION/INFO
- This guide assumes that you have a working DNS config (i.e. your OPNsense is reachable via DNS). I use freedns.afraid.org for this.
- This guide comes with only little explanation. However, if you have ever successfully followed one of the VPN recipes from the OPNsense wiki, it will be easy for you to follow this guide.
- In this guide the local net is 192.168.16.0/21. The tunnel net is 192.168.24.0/27. Adjust to your needs.
- I use aes256-sha256-ecp256 because this is what recent iOS (18.1+) accepts.
REQUIREMENTS
- Tested with iOS 18.1+
- Tested with macOS 15.1+. Older macOS versions do not accept the PKCS#12 file and fail with "wrong password?". It will probably work if you export with "openssl pkcs12 -export -legacy", but I have not tested it.
BUGS/QUESTIONS I HAVE
- Distinct pools (Method 2) do not work for some reason.
- Not sure when to use "Round: 0" or "Round: 1". Both work.
- If I set "Start action" to "Trap", which is recommended in the OPNsense wiki, I get an error message in the logs: "11[CFG] installing trap failed, remote address unknown". It works anyway, but if I set it to "None" it also works, without the error in the log.
- What about "IKE Extensions - Enable IPsec Mobile Client Support" under VPN / IPsec / Mobile Clients? Does this relate to "Tunnel Settings [legacy]" only? It has the "Phase 2 PFS Group" option, which is interesting.
CREATE IPSEC IKEV2 VPN
CREATE CA AND SERVER CERTIFICATE FOR IPSEC IKEV2 VPN
System
Trust
Authorities
"+Add"
Method: Create an internal Certificate Authority
Description: myopnsense.a-domain-name.com
Key
Key Type: RSA-2048 (default)
Digest Algorithm: SHA256 (default)
Issuer: self-signed (default)
Lifetime (days): 3650
General
Country Code: YourCountry
State or Province: myopnsense
City: myopnsense
Organization: myopnsense
Organizational Unit: myopnsense
Email Address: myopnsense
Common Name: myopnsense.a-domain-name.com
=> Save
Certificates
+Add
Method: Create an internal certificate
Description: ipsec_e2s:myopnsense.a-domain-name.com
Key
Type: Server certificate
Private key location: Save on this firewall (default)
Key Type: RSA-2048 (default)
Digest Algorithm: SHA256 (default)
Issuer: myopnsense.a-domain-name.com (default)
Lifetime (days): 3650
General
Country Code: YourCountry
State or Province: myopnsense (default)
City: myopnsense (default)
Organization: myopnsense (default)
Organizational Unit: myopnsense
Email Address: myopnsense (default)
Common Name: myopnsense.a-domain-name.com
Alternative Names:
DNS domain names:
Value: myopnsense.a-domain-name.com
=> Save
CREATE CLIENT CERTIFICATES FOR IPSEC IKEV2 EAP-TLS VPN
Certificates
+Add
Method: Create an internal certificate
Description: john-macbook.myopnsense
Key
Type: Client certificate
Private key location: Save on this firewall (default)
Key Type: RSA-2048 (default)
Digest Algorithm: SHA256 (default)
Issuer: myopnsense.a-domain-name.com
Lifetime (days): 3650
General
Country Code: YourCountry
State or Province: myopnsense (default)
City: myopnsense (default)
Organization: myopnsense (default)
Organizational Unit: myopnsense
Email Address: myopnsense (default)
Common Name: john-macbook.myopnsense //max. 64 chars. The @ sign does not work here. Dots are OK.
Alternative Names:
DNS domain names:
Value: john-macbook.myopnsense
=> Save
CREATE IP POOLS FOR IPSEC IKEV2 VPN
CREATE POOLS METHOD 1 //Shared IP pool for all road warriors. Don't create both methods (1 and 2) on your OPNsense at the same time; it's a potential security risk. Only create one connection where you use EAP Id: %any (Method 1). If you create multiple such connections, any road warrior can connect to any of them.
VPN
IPsec
Connections
+Add
enabled: checked
Name: e2s_eaptlssplittun_sharedpool //as of 2024-10-05, special characters like ":" in this field are accepted, but clients cannot connect for some reason.
Network: 192.168.24.0/27
DNS: 192.168.16.1
CREATE POOLS METHOD 2 EXAMPLE //Distinct IP address(es) per road warrior. For some reason this does not work with EAP-TLS as of 2024-11-21; it results in only one usable connection. Skip this for now. It probably works if you create a separate CA for every connection/user, which is a pain.
VPN
IPsec
Connections
+Add
enabled: checked
Name: john-macbook_eaptlssplittun_distinctpool //as of 2024-10-05, special characters like ":" in this field are accepted, but clients cannot connect for some reason.
Network: 192.168.24.97/32
DNS: 192.168.16.1
CREATE IKEV2/EAP-TLS VPN FOR MOBILE CLIENTS (VIA CONNECTIONS/NEW METHOD)
VPN
IPsec
Connections (Method 1/Shared pool)
Connections
Enable IPsec: checked //this enables the whole strongSwan daemon. The checkbox is rather hidden in the lower corner.
+Add
=> advanced mode
Proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
Unique: Replace
Aggressive: unchecked
Version: IKEv2
MOBIKE: checked
Local addresses: (leave empty) (default)
Remote addresses: (leave empty) (default)
UDP encapsulation: checked
Rekey time (s): 2400
DPD delay (s): 30
Pools: e2s_eaptlssplittun_sharedpool
Send cert req: checked (default)
Send certificate: Always: selected
Keyingtries: 0
Description: myopnsense:e2s:splittun:eaptls:p1
=>Save (it will reveal new options)
Local Authentication
+Add
enabled: checked
Connection: myopnsense:e2s:splittun:eaptls:p1
Round: 0
Authentication: Public Key: selected
Id: myopnsense.a-domain-name.com //It's crucial to set this to FQDN
Certificates: ipsec_e2s:myopnsense.a-domain-name.com
Public Keys: Nothing selected (default)
Description: localauth:myopnsense.a-domain-name.com
Remote Authentication
+Add
enabled: checked
Connection: myopnsense:e2s:splittun:eaptls:p1
Round: 1
Authentication: EAP TLS: selected
Id: (empty) (default) //It's crucial to leave this empty
EAP Id: %any
Certificates: Nothing selected (default): selected
Description: remoteauth:myopnsense:eaptls
Children
+Add
=> advanced mode
enabled: checked
Connection: myopnsense:e2s:splittun:eaptls:p1
Mode: Tunnel (default): selected
Start action: None: selected
ESP proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
Local: 192.168.16.0/21
Remote: (leave empty)
Rekey time (s): 600
Description: child:myopnsense:splittun:p2
=> Save => Apply
Firewall
Rules
IPsec
"+Add"
Interface: IPsec: selected
Direction: in: selected
TCP/IP Version: IPv4: selected
Protocol: any: selected
Source: any: selected
Destination: LAN net: selected
=> Save => Apply changes
WAN
"+Add"
Interface: WAN: selected
Direction: in: selected
TCP/IP Version: IPv4: selected
Protocol: UDP: selected
Source: any: selected
Destination: WAN address: selected
Destination port range: From: ISAKMP To: ISAKMP //=500
=> Save
"+Add"
Interface: WAN: selected
Direction: in: selected
TCP/IP Version: IPv4: selected
Protocol: UDP: selected
Source: any: selected
Destination: WAN address: selected
Destination port range: From: IPsec NAT-T To: IPsec NAT-T //=4500
=> Save => Apply changes
BUGS/QUESTIONS I HAVE
- Distinct pools (Method 2) do not work for some reason.
Probably has to do with how the ID is sent by the client. For Windows it can also be weird, as it always tries %any first.
- Not sure when to use "Round: 0" or "Round: 1". Both work.
I guess if you require multiple authentication rounds you would order them via this setting (e.g. first certificate, then PSK, then X).
- If I set "Start action" to "Trap", which is recommended in the OPNsense wiki, I get an error message in the logs: "11[CFG] installing trap failed, remote address unknown". It works anyway, but if I set it to "None" it also works, without the error in the log.
Trap might have been a mistake in the docs; None should probably be preferred. Trap is meant to initiate the tunnel when traffic is registered, but when there is no endpoint, since it is dynamic, it probably cannot create a trap policy.
- What about "IKE Extensions - Enable IPsec Mobile Client Support" under VPN / IPsec / Mobile Clients? Does this relate to "Tunnel Settings [legacy]" only? It has the "Phase 2 PFS Group" option, which is interesting.
I think it's only for legacy. PFS is the same as choosing the "DH" group in the child of a connection. So if you choose AES256-SHA256-DH14, you have PFS, since there is a DH group. Choosing a cipher combination without one will disable PFS.
https://github.com/opnsense/docs/pull/651