OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: nullinger on February 08, 2017, 10:48:20 pm

Title: IPSEC IKEv2 failing after successful connection
Post by: nullinger on February 08, 2017, 10:48:20 pm
Hello,

I recently switched from pfSense to OPNsense 17.1. The machine is an Intel D510MO with 3x GbE LAN (1x onboard, 1x dual-port Intel GbE PCI NIC) on a 100/10 MBit/s dial-up connection with a dynamic IP. So far everything is fine, but I can't get IPsec working again. Basically, I used the "official" pfSense wiki for setup, which was working fine on pfSense itself. Now, with OPNsense, after the successful EAP auth my connection is dropped, and I can't figure out why this happens.

Here is the log (bottom-up):

Code:
Feb 8 22:34:31 charon: 09[ENC] insert payload NOTIFY into encrypted payload
Feb 8 22:34:31 charon: 09[ENC] generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
Feb 8 22:34:31 charon: 09[ENC] added payload of type NOTIFY to message
Feb 8 22:34:31 charon: 09[ENC] order payloads in message
Feb 8 22:34:31 charon: 09[ENC] added payload of type NOTIFY to message
Feb 8 22:34:31 charon: 09[CFG] no alternative config found
Feb 8 22:34:31 charon: 09[CFG] selected peer config 'con1' inacceptable: non-matching authentication done
Feb 8 22:34:31 charon: 09[CFG] constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=XXX, O=YYY, E=null@host.tld, CN=some.domain.tld'
Feb 8 22:34:31 charon: 09[IKE] authentication of 'nullinger@otherdomain.tld' with EAP successful

So, somehow it looks like some problem with the CA, but it looks fine to me. Any ideas? The CN is matching the DynDNS name, and for the client cert both the CN and the "DNS" alternative name are set to the DynDNS name.
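An added example, not code from this thread, OPNsense or strongSwan: a small triage script that parses charon lines in the format shown above and reports the sequence "EAP successful, then CA constraint check failed, then AUTH_FAILED", so the rejection can be attributed to a CA/certificate constraint in the selected connection rather than to the user's credentials. The sample log is constructed from the lines quoted in this post, put back into chronological order.

```python
import re

# Constructed sample: the charon lines quoted in this post, reordered chronologically.
SAMPLE_LOG = """\
Feb 8 22:34:31 charon: 09[IKE] authentication of 'nullinger@otherdomain.tld' with EAP successful
Feb 8 22:34:31 charon: 09[CFG] constraint check failed: peer not authenticated by CA 'C=DE, ST=Bavaria, L=XXX, O=YYY, E=null@host.tld, CN=some.domain.tld'
Feb 8 22:34:31 charon: 09[CFG] selected peer config 'con1' inacceptable: non-matching authentication done
Feb 8 22:34:31 charon: 09[CFG] no alternative config found
Feb 8 22:34:31 charon: 09[ENC] generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
"""

# charon prefixes each line with "<worker thread>[<subsystem>]"; the thread id ties
# the lines of one IKE_AUTH exchange together.
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<subsys>\w+)\] (?P<msg>.*)$")
EAP_OK_RE = re.compile(r"authentication of '(?P<peer>[^']+)' with EAP successful")
CA_FAIL_RE = re.compile(r"constraint check failed: peer not authenticated by CA '(?P<ca>[^']+)'")
CONF_RE = re.compile(r"selected peer config '(?P<conn>[^']+)' inacceptable")
AUTH_FAILED_RE = re.compile(r"IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]")


def parse_charon(log, bottom_up=False):
    """Split a charon log into event dicts; bottom_up=True for logs pasted newest-first."""
    lines = log.splitlines()
    if bottom_up:
        lines.reverse()
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_eap_ca_constraint_failures(log, bottom_up=False):
    """Per worker thread, flag: EAP success -> CA constraint failure -> AUTH_FAILED.
    That sequence means the credentials were accepted and the rejection came from a
    CA/certificate constraint in the selected config, not from the password."""
    state = {}
    findings = []
    for ev in parse_charon(log, bottom_up):
        t, msg = ev["thread"], ev["msg"]
        s = state.setdefault(t, {})
        if m := EAP_OK_RE.search(msg):
            state[t] = {"peer": m["peer"]}
        elif (m := CA_FAIL_RE.search(msg)) and "peer" in s:
            s["ca"] = m["ca"]
        elif (m := CONF_RE.search(msg)) and "ca" in s:
            s["conn"] = m["conn"]
        elif AUTH_FAILED_RE.search(msg) and "ca" in s:
            findings.append({"thread": t, "peer": s["peer"], "ca": s["ca"],
                             "conn": s.get("conn")})
            state[t] = {}
    return findings
```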
Title: Re: IPSEC IKEv2 failing after successful connection
Post by: franco on February 09, 2017, 08:52:37 am
Hi there,

Wrong client certificate?


Cheers,
Franco
Title: Re: IPSEC IKEv2 failing after successful connection
Post by: nullinger on February 09, 2017, 10:09:13 am
Hi,

Thanks for your answer. I used this guide (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2) from pfSense; IKEv2+EAP (username+password) has no need for a client certificate. Only the CA is imported to trusted root certification authorities. The only point missing in the setup is the part with the peer identifier, but in the ipsec.conf it looks like OPNsense uses %any as default.

As clients I tried Android 7.1.1 with strongSwan and Windows 10 with the native VPN provider. Both are able to connect to the old pfSense installation without any problems, so I think it's safe to assume that the problem here is not client-side.

I did a comparison between both ipsec.conf files, and it looks like OPNsense has another method for implementing IKEv2+EAP (attached screenshot, pf left, opn right).
Title: Re: IPSEC IKEv2 failing after successful connection
Post by: franco on February 09, 2017, 09:00:28 pm
Aha! eap-mschapv2 was added in August 2016, which means it's relatively new and in this case may be missing a configuration item.

Can you provide a feature request on GitHub for this?

https://github.com/opnsense/core/issues

That should get the ball rolling. We hope this is not a burden. It is meant to allow direct contact for quick testing and deployment. :)


Cheers,
Franco