Hi everyone,
I'm currently trying to get IKEv2 / IPsec remote access running on OPNsense 26.x and I'm a bit stuck, so I'm hoping someone here has done a similar setup before or can point me in the right direction.
Setup (simplified)
- OPNsense is running in an internal network, currently on 192.168.90.1/24
- There is another firewall (Sophos) in front of it (not directly exposed to the internet)
- Required ports (UDP 500 / 4500) are forwarded to OPNsense
- I'm testing from a Windows client
What I have already configured
- IPsec IKEv2 Remote Access connection
- Proposals are set (AES / SHA / DH, nothing exotic)
- EAP-MSCHAPv2 for authentication
- A Client Pool is configured
- Child SA is configured (local subnet + remote/client subnet)
- Firewall rules are in place to allow IPsec traffic
- User certificate created, signed by the local CA, imported on Windows
- Windows VPN is configured as IKEv2
The problem
- The VPN connection does not establish
- There is no meaningful output in the IPsec logs
- It feels like the traffic is not fully reaching or being handled by IPsec, but I can't pinpoint where it breaks
At this point I'm unsure if I'm missing:
- a specific IPsec setting
- something Windows-specific for IKEv2
- or a routing / firewall detail that's easy to overlook in this kind of "firewall-behind-firewall" setup
If anyone has done IKEv2 Remote Access on OPNsense behind another firewall, I'd really appreciate any hints.
If I'm missing important information, feel free to ask and I'll provide what I can.
Thanks in advance!
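A triage helper for the "where does it break" question above, added here as an example and not part of the original post or of OPNsense itself. It captures IKE/NAT-T traffic on the OPNsense WAN side of the Sophos port forward and reports the furthest IKEv2 stage the client reached, which separates a forwarding problem (nothing arrives), a responder problem (IKE_SA_INIT arrives, no reply), a proposal/NAT-T problem (reply sent, no IKE_AUTH on UDP 4500) and an authentication problem (IKE_AUTH arrives, charon logs decide). Assumptions: the script runs as root on the OPNsense shell, tcpdump and swanctl are on PATH, the WAN interface name is passed as the first argument, and the sample capture lines are constructed approximations of tcpdump's isakmp decoder output (exact wording varies by tcpdump version; adjust the patterns if your output differs).

```shell
#!/bin/sh
# ike_triage.sh - added example, not OPNsense code.
# Usage on OPNsense:  sh ike_triage.sh vtnet0   (WAN interface name is an assumption)
# With no argument it runs a constructed sample capture through the classifier.

# Constructed sample (approximates 'tcpdump -ni WAN udp port 500 or udp port 4500'):
# client 203.0.113.5 sends IKE_SA_INIT, OPNsense 192.168.90.1 answers, nothing more.
SAMPLE_CAPTURE='IP 203.0.113.5.500 > 192.168.90.1.500: isakmp: parent_sa ikev2_init[I]
IP 192.168.90.1.500 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[R]'

# ike_stage: read capture lines on stdin, print the furthest stage seen:
#   none | init_in | init_out | auth | esp
ike_stage() {
    rank=0
    while IFS= read -r line; do
        case "$line" in
            *"ESP(spi="*)        r=4 ;;   # UDP-encapsulated ESP: tunnel is up and carrying data
            *ikev2_auth*)        r=3 ;;   # IKE_AUTH (on 4500 behind NAT): NAT-T forwarding works
            *"ikev2_init[R]"*)   r=2 ;;   # our IKE_SA_INIT reply left the box
            *"ikev2_init[I]"*)   r=1 ;;   # client's IKE_SA_INIT reached the box
            *)                   r=0 ;;
        esac
        if [ "$r" -gt "$rank" ]; then rank=$r; fi
    done
    case $rank in
        0) echo none ;;
        1) echo init_in ;;
        2) echo init_out ;;
        3) echo auth ;;
        4) echo esp ;;
    esac
    return 0
}

# explain: map a stage to the next thing worth checking.
explain() {
    case "$1" in
        none)     echo "No IKE on the WAN interface: check the Sophos DNAT for UDP 500 AND 4500 and that the client dials the public address." ;;
        init_in)  echo "IKE_SA_INIT arrives but OPNsense never answers: confirm charon listens (sockstat -4l | grep -E ':(500|4500)') and the WAN rule permits it." ;;
        init_out) echo "IKE_SA_INIT answered but no IKE_AUTH on UDP 4500: suspect a proposal mismatch (Windows defaults to weak IKE proposals unless changed with Set-VpnConnectionIPsecConfiguration) or 4500 not forwarded; run 'swanctl --log' while reconnecting." ;;
        auth)     echo "IKE_AUTH reaches OPNsense, so forwarding and NAT-T are fine: the failure is authentication (server cert SAN must match the dialed name, EKU serverAuth, CA trusted on the client, EAP user/password); read the charon log." ;;
        esp)      echo "ESP is flowing: IKE is up; check child SA traffic selectors, the client pool and rules on the IPsec interface." ;;
    esac
}

# triage: live capture of the first 30 IKE/NAT-T packets on the given interface.
triage() {
    ifc=$1
    echo "Capturing on $ifc; start the Windows VPN connection now..."
    stage=$(tcpdump -ni "$ifc" -l -c 30 'udp port 500 or udp port 4500' 2>/dev/null | ike_stage)
    echo "furthest stage seen: $stage"
    explain "$stage"
}

if [ -n "${1:-}" ]; then
    triage "$1"
else
    stage=$(printf '%s\n' "$SAMPLE_CAPTURE" | ike_stage)
    echo "sample capture stage: $stage"
    explain "$stage"
fi
```

Two caveats that fit this setup: with EAP-MSCHAPv2 the Windows client never presents a user certificate, it only validates the server's certificate (name must match what the client dials, server-authentication EKU, issuing CA in the machine Trusted Root store), and a responder behind NAT must see UDP 4500 forwarded as well as 500, otherwise the exchange stops exactly at the "init_out" stage above.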