Hello. First foray into an IPSec VPN for me. I need some help to get over the line please.
Goal: set up as a road warrior using a shared IP pool, using EAP-TLS.
Problem is that the connection is not completed from the client.
The IPsec log shows authentication successful, generating the IKE_AUTH response and then sending the packet. Then there are no logs of anything received, followed by deleting the half-open IKE_SA with the client after timeout.
I appreciate it looks like a client problem, but this is the iOS native VPN, so there are no logs there that I can see.
I have created a CA, intermediate and one leaf for this first client. All three installed on the iOS client.
Looking for some hints.
I have followed the docs line by line numerous times to be sure. There is only one item I have been unable to follow, which in my ignorance seems to be only a matter of the docs needing adjusting. I am referring to this:
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#eap-tls
The only rule I haven't yet done is Firewall: NAT: Outbound. The reason is wanting to get the client in before getting it to go out to the Internet via the tunnel.
I can see the firewall allowed hits from the outside, on both ports 500 and 4500.
1.3 - VPN: IPsec: Connections
General Settings:
Proposals: aes256-sha256-ecs256 (Disable default!)
- My OPNsense version is 25.1.12. I don't have this suite in the list, so I have used another proposal: aes256-sha256-ecp256 [DH19, NIST EC] (Disabled default!)
- The doc shows that the child's ESP proposal matches the connection proposal, so I matched it.
The docs usually are just an example, so I expect the use of another suite to be OK, and that matching the child with the connection proposal is relevant, but I don't know if it is necessary.
This is what the redacted logs have:
2025-08-14T12:22:44 Informational charon 09[JOB] <2921eb48-6200-422a-9227-6d669430dc83|8> deleting half open IKE_SA with 192.168.5.235 after timeout
2025-08-14T12:22:14 Informational charon 09[NET] <2921eb48-6200-422a-9227-6d669430dc83|8> sending packet: from {mypublicip}[4500] to 192.168.5.235[4500] (628 bytes)
2025-08-14T12:22:14 Informational charon 09[NET] <2921eb48-6200-422a-9227-6d669430dc83|8> sending packet: from {mypublicip}[4500] to 192.168.5.235[4500] (1236 bytes)
2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> generating IKE_AUTH response 1 [ EF(2/2) ]
2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> generating IKE_AUTH response 1 [ EF(1/2) ]
2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> splitting IKE message (1792 bytes) into 2 fragments
2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
2025-08-14T12:22:14 Informational charon 09[IKE] <2921eb48-6200-422a-9227-6d669430dc83|8> sending issuer cert "C=GB, ST=Manchester, L=Salford, O=moomooland, OU=IT, E=replacedemail@example.net, CN=intermediate-ca"
2025-08-14T12:22:14 Informational charon 09[IKE] <2921eb48-6200-422a-9227-6d669430dc83|8> sending end entity cert "C=GB, ST=Manchester, L=Salford, O=moomooland, OU=IT, E=replacedemail@example.net, CN=vpn1.mydpublicdomain.com"
2025-08-14T12:22:14 Informational charon 09[IKE] <2921eb48-6200-422a-9227-6d669430dc83|8> authentication of 'vpn1.mydpublicdomain.com' (myself) with ECDSA_WITH_SHA256_DER successful
2025-08-14T12:22:14 Informational charon 09[IKE] <2921eb48-6200-422a-9227-6d669430dc83|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-08-14T12:22:14 Informational charon 09[IKE] <2921eb48-6200-422a-9227-6d669430dc83|8> peer supports MOBIKE
2025-08-14T12:22:14 Informational charon 09[IKE] <2921eb48-6200-422a-9227-6d669430dc83|8> initiating EAP_IDENTITY method (id 0x00)
2025-08-14T12:22:14 Informational charon 09[CFG] <2921eb48-6200-422a-9227-6d669430dc83|8> selected peer config '2921eb48-6200-422a-9227-6d669430dc83'
2025-08-14T12:22:14 Informational charon 09[CFG] <8> looking for peer configs matching {mypublicip}[vpn1.mydpublicdomain.com]...192.168.5.235[vpn1.mydpublicdomain.com]
2025-08-14T12:22:14 Informational charon 09[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-08-14T12:22:14 Informational charon 09[ENC] <8> unknown attribute type INTERNAL_DNS_DOMAIN
2025-08-14T12:22:14 Informational charon 09[NET] <8> received packet: from 192.168.5.235[4500] to {mypublicip}[4500] (416 bytes)
2025-08-14T12:22:14 Informational charon 09[NET] <8> sending packet: from {mypublicip}[500] to 192.168.5.235[500] (280 bytes)
2025-08-14T12:22:14 Informational charon 09[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-08-14T12:22:14 Informational charon 09[IKE] <8> faking NAT situation to enforce UDP encapsulation
2025-08-14T12:22:14 Informational charon 09[CFG] <8> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2025-08-14T12:22:14 Informational charon 09[IKE] <8> 192.168.5.235 is initiating an IKE_SA
2025-08-14T12:22:14 Informational charon 09[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-08-14T12:22:14 Informational charon 09[NET] <8> received packet: from 192.168.5.235[500] to {mypublicip}[500] (370 bytes)
Anything there?
Note: this was a test from within the same LAN, but it is the same from outside; just the IP address changes.
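To pin down where the exchange above stalls without reading the log by eye, here is an added helper (not part of the post or of OPNsense/strongSwan) that replays charon log lines in time order per IKE_SA, keeps the last response the gateway generated, its payload list and fragment count, and flags whether the SA was established or deleted as half open. The line format it parses is the one shown in the post; the four sample lines are copied from that log.

```python
import re
from dataclasses import dataclass

# Matches charon lines as the OPNsense IPsec log shows them: ISO timestamp, severity, "charon",
# "<thread>[SUBSYS]", an SA tag like <8> or <connection-uuid|8>, then the message text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[[A-Z]+\]\s+"
                     r"<(?:[^|>]*\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$")
EXCH_RE = re.compile(r"^generating (\S+ (?:request|response) \d+) \[ (.*) \]$")

@dataclass
class SaTrace:
    last_generated: str = ""   # last message the gateway built, e.g. "IKE_AUTH response 1"
    last_payloads: str = ""    # its payloads, e.g. "IDr CERT CERT AUTH EAP/REQ/ID"
    fragments: int = 1         # how many fragments that message was split into
    established: bool = False  # charon logged "IKE_SA ... established"
    timed_out: bool = False    # charon logged "deleting half open IKE_SA ... after timeout"

def trace_ike_sas(lines):
    events = [(m["ts"], m["sa"], m["msg"]) for m in map(LINE_RE.match, map(str.strip, lines)) if m]
    if len(events) > 1 and events[0][0] > events[-1][0]:
        events.reverse()       # the GUI log viewer lists newest first; ISO timestamps sort as text
    traces = {}
    for _, sa, msg in events:
        t = traces.setdefault(sa, SaTrace())
        ex = EXCH_RE.match(msg)
        if ex and not ex[2].startswith("EF("):      # skip the per-fragment EF(n/m) lines
            t.last_generated, t.last_payloads, t.fragments = ex[1], ex[2], 1
        elif (f := re.search(r"into (\d+) fragments$", msg)):
            t.fragments = int(f[1])
        elif msg.startswith("IKE_SA") and " established" in msg:
            t.established = True
        elif "deleting half open IKE_SA" in msg:
            t.timed_out = True
    return traces

def diagnose(t):
    if t.established:
        return "established"
    if t.timed_out and "EAP" in t.last_payloads:
        return (f"peer silent after gateway sent '{t.last_generated}' in {t.fragments} "
                f"fragment(s) carrying the first EAP request; half-open SA deleted")
    return "half-open SA deleted" if t.timed_out else "in progress"

# Constructed sample: four lines copied from the log in the post above (newest first).
SAMPLE = [
    "2025-08-14T12:22:44 Informational charon 09[JOB] <2921eb48-6200-422a-9227-6d669430dc83|8> deleting half open IKE_SA with 192.168.5.235 after timeout",
    "2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> generating IKE_AUTH response 1 [ EF(1/2) ]",
    "2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> splitting IKE message (1792 bytes) into 2 fragments",
    "2025-08-14T12:22:14 Informational charon 09[ENC] <2921eb48-6200-422a-9227-6d669430dc83|8> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]",
]
```

Run `diagnose(t)` on each entry of `trace_ike_sas(SAMPLE)`; for the log above it reports that the client never answered the fragmented IKE_AUTH response that carried the first EAP request, which is the point to focus on.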