OPNsense Forum

English Forums => Virtual private networks => Topic started by: ramc on October 31, 2025, 10:43:04 PM

Title: Allow RSA Signature Authentication Using Aggressive Mode
Post by: ramc on October 31, 2025, 10:43:04 PM
Trying to set up an IPsec VPN between non-OPNsense remote node A and OPNsense box B. A is the aggressor, but even though the configs match, we keep getting the error message "found 1 matching config, but none allows RSA signature authentication using Aggressive Mode". I can't find any setting to allow RSA Signature auth using aggressive mode. We're using certificate-based authentication; currently with public key, but we'd be fine doing it any way except PSK, as we're attempting a reasonable level of security despite needing aggressive mode. Any suggestions? This configuration works without aggressive mode, so I suspect it's a security feature we cannot find.
Title: Re: Allow RSA Signature Authentication Using Aggressive Mode
Post by: Patrick M. Hausen on October 31, 2025, 11:19:08 PM
Aggressive mode is considered insecure. Can't you use main mode? Better use IKEv2.
Title: Re: Allow RSA Signature Authentication Using Aggressive Mode
Post by: ramc on October 31, 2025, 11:23:11 PM
Unfortunately, the remote node A has a dynamic IP, otherwise we'd just be sticking with IKEv2. So we need aggressive mode to function.

EDIT: Is it possible to use IKEv2 with a dynamic IP on one side just by leaving the remote address in OPNsense's IPsec setup blank so it matches to any? I'm testing now and it seems like it works. Staying connected with a dynamic IP is the issue I am chiefly attempting to resolve, so as long as that works I'm happy to abandon aggressive mode.
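As an added illustration (not from this thread, and hand-written rather than generated by OPNsense's GUI), here are the two approaches side by side in strongSwan swanctl.conf syntax, the backend OPNsense uses: the IKEv1 aggressive-mode connection the first post describes, and the IKEv2 responder with a wildcard remote address that the EDIT describes. Connection names, addresses, certificate files and identities are constructed placeholders.

```conf
connections {
    # What the original post attempted: IKEv1 aggressive mode with
    # certificate authentication. Aggressive mode exposes identities
    # before the channel is protected and is considered weak.
    legacy-aggressive {
        version = 1
        aggressive = yes
        local_addrs = 203.0.113.10
        # A fixed peer address stops working as soon as A's dynamic IP changes.
        remote_addrs = 198.51.100.20
        local {
            auth = pubkey
            certs = siteB.pem
            id = "CN=siteB.example.net"
        }
        remote {
            auth = pubkey
            id = "CN=siteA.example.net"
        }
        children {
            net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
        }
    }

    # What the EDIT describes: IKEv2, with B acting as a pure responder that
    # accepts the initial exchange from any source address. Since the address
    # no longer identifies the peer, the certificate identity and its CA must.
    site-a-dynamic {
        version = 2
        local_addrs = 203.0.113.10
        remote_addrs = %any
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s
        local {
            auth = pubkey
            certs = siteB.pem
            id = "CN=siteB.example.net"
        }
        remote {
            auth = pubkey
            id = "CN=siteA.example.net"
            cacerts = vpn-ca.pem
        }
        children {
            net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256gcm16-ecp384
                start_action = none
                dpd_action = clear
            }
        }
    }
}
```

With `remote_addrs = %any`, B can only wait for A to connect, so `start_action = none` and dead-peer detection on B's side matter: the `remote.id` pin and `remote.cacerts` are what stop an arbitrary host with any certificate from bringing up the tunnel.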