Hi everyone!
I have a working IPSec VPN setup on my OPNsense firewall using EAP-RADIUS (with os-freeradius) for remote authentication. I can connect to the VPN using an Android phone (strongSwan app) and an iPhone (native VPN). When doing so I have no errors or any other problems (tunneling the traffic of the two phones via the firewall to the internet works fine).
However, the second I enable a second interface on the firewall (besides the WAN interface), namely the LAN interface, the IPSec VPN authentication is broken. I cannot connect to the VPN anymore and I get this error message:
IPSec Server Log:
2025-03-19T10:41:42 Informational charon 10[NET] <4> sending packet: from [Server-IP][500] to [Client-IP][18063] (36 bytes)
2025-03-19T10:41:42 Informational charon 10[ENC] <4> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-03-19T10:41:42 Informational charon 10[IKE] <4> no IKE config found for [Server-IP]...[Client-IP], sending NO_PROPOSAL_CHOSEN
2025-03-19T10:41:42 Informational charon 10[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2025-03-19T10:41:42 Informational charon 10[NET] <4> received packet: from [Client-IP][18063] to [Server-IP][500] (948 bytes)
Client Log (android (strongswan)):
[IKE] received NO_PROPOSAL_CHOSEN notify error
To fix this error I have to disable the interface again and reboot the firewall in order to make it work again. Just disabling the interface won't do the trick; I have to reboot the firewall too.
I also experienced the same error when I was enabling a WireGuard instance (while IPsec was already running). The same steps had to be taken in order to make it work again (disable the WireGuard instance, reboot the firewall).
Does someone have an idea what is wrong here?
swanctl.conf:
# This file is automatically generated. Do not edit
connections {
    39d9b58e-7290-482d-b39d-1e0c811a7301 {
        proposals = aes256gcm16-sha256-modp2048
        unique = never
        aggressive = no
        version = 2
        mobike = no
        local_addrs = [FQDN firewall]
        encap = yes
        pools = pool66
        send_certreq = yes
        send_cert = always
        local-a9f4521c-0cb8-40f6-b59c-86e653dcab6a {
            round = 0
            auth = pubkey
            id = [FQDN firewall]
            certs = 67d7137dd4b4e.crt
        }
        remote-78c95231-b720-4a0b-8392-b327fe8dc97a {
            round = 0
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        children {
            a1173d91-1ede-4f93-a48c-ab99844b45d4 {
                esp_proposals = aes256gcm16-modp2048
                sha256_96 = no
                start_action = start
                close_action = start
                dpd_action = start
                mode = tunnel
                policies = yes
                local_ts = 0.0.0.0/0
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child a1173d91-1ede-4f93-a48c-ab99844b45d4
            }
        }
    }
}
pools {
    pool66 {
        addrs = 10.0.66.2/24
        dns = 1.1.1.1
    }
}
secrets {
}
# Include config snippets
include conf.d/*.conf
Versions:
OPNsense 25.1.3-amd64 (commit: 6aa1d97b1)
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16
os-freeradius: 1.9.27
strongswan: 5.9.14
I was able to make the IPSec VPN, with both interfaces enabled, work again after removing the FQDN from the setting swanctl.conf -> connections -> local_addrs.
After this everything worked fine again without any authentication error messages.
I have created a GitHub issue because I believe this should not be the normal behaviour (https://github.com/opnsense/core/issues/8466).
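As an added example (not code from the poster, OPNsense or strongSwan), the following Python models the connection lookup behind charon's "no IKE config found for [Server-IP]...[Client-IP]" line from the first post: charon only considers connections whose local_addrs cover the address the IKE_SA_INIT arrived on, and a connection with no local_addrs matches any local address. The hostname vpn.example.test, the addresses, the DNS answers and the idea that the FQDN resolves to a different address once the LAN interface is enabled are all constructed assumptions used to illustrate why dropping the FQDN from local_addrs (the fix in the follow-up) makes the lookup succeed again.

```python
"""Simplified model of strongSwan's local_addrs matching for an IKE_SA_INIT.

Added example, not OPNsense or strongSwan code. charon keeps only the
connections whose local_addrs cover the destination address of the
incoming IKE_SA_INIT; if none is left it answers NO_PROPOSAL_CHOSEN and
logs "no IKE config found". All addresses and DNS answers are constructed.
"""
import ipaddress

# Constructed DNS answers standing in for what the firewall's own resolver
# returns for the FQDN used in local_addrs. Assumption for illustration:
# once the LAN interface is enabled, the resolver answers with the LAN
# address for the firewall's hostname instead of the WAN address.
DNS_BEFORE_LAN = {"vpn.example.test": ["203.0.113.10"]}
DNS_AFTER_LAN = {"vpn.example.test": ["192.168.1.1"]}

# Constructed connection tables modelled on the posted swanctl.conf, with a
# placeholder hostname in place of the poster's FQDN.
CONNS_FQDN = {"rw-eap": {"local_addrs": ["vpn.example.test"]}}
CONNS_ANY = {"rw-eap": {"local_addrs": []}}   # FQDN removed, as in the fix


def resolve_local_addr(entry, dns):
    """Turn one local_addrs entry into a list of ip_network objects.

    An empty entry, %any or 0.0.0.0/0 means 'any local address'. Literal
    IPs or CIDRs are used directly; anything else is treated as a hostname
    and looked up in the supplied (constructed) DNS map.
    """
    entry = entry.strip()
    if entry in ("", "%any", "0.0.0.0/0"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    try:
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        return [ipaddress.ip_network(addr) for addr in dns.get(entry, [])]


def find_matching_conns(conns, dst_ip, dns):
    """Return the names of connections whose local_addrs cover dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    matches = []
    for name, conf in conns.items():
        entries = conf.get("local_addrs") or ["%any"]
        nets = [n for e in entries for n in resolve_local_addr(e, dns)]
        if any(dst in n for n in nets):
            matches.append(name)
    return matches


def explain(conns, dst_ip, src_ip, dns):
    """Produce a charon-style one-line verdict for an incoming IKE_SA_INIT."""
    matches = find_matching_conns(conns, dst_ip, dns)
    if matches:
        return f"IKE config found for {dst_ip}...{src_ip}: {', '.join(matches)}"
    return f"no IKE config found for {dst_ip}...{src_ip}, sending NO_PROPOSAL_CHOSEN"


if __name__ == "__main__":
    # The client always reaches the WAN address 203.0.113.10 (constructed).
    for label, dns in (("before LAN", DNS_BEFORE_LAN), ("after LAN", DNS_AFTER_LAN)):
        print(f"{label}, FQDN in local_addrs:   ",
              explain(CONNS_FQDN, "203.0.113.10", "198.51.100.7", dns))
        print(f"{label}, local_addrs removed:   ",
              explain(CONNS_ANY, "203.0.113.10", "198.51.100.7", dns))
```

The practical check this suggests on a real firewall is to compare what the FQDN resolves to from the firewall itself (for example with drill or host run on the box) against the address the clients actually connect to; if the two differ after an interface is enabled, local_addrs built from that FQDN will not cover the WAN address, which is consistent with the log line seen here.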