23.7 Legacy Series / How to configure IPsec for mobile clients new way (via connections)?
« on: August 30, 2023, 09:13:28 am »
Hello there.
Version is:
OPNsense 23.7.2-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023
The documentation has no example of how to configure mobile-client IPsec the modern way via "Connections".
I have OPNsense installation on public IP. Potential mobile client may be anywhere. So, what I have done:
SERVER SIDE CONFIGURATION
1. VPN - IPsec - Connections - Pools - add new one
Name - Local_addrs
Network - 192.168.202.0/24
2. VPN - IPsec - Connections - add new with following opts:
Version - IKEv2
Local address - public IP of opnsense (addr from WAN interface).
Remote address - [nothing]
Pools - Local_addrs
Description - TEST
3. VPN - IPsec - Pre-Shared Keys - add new one
Local Identifier - client1
Remote Identifier - [nothing]
Pre-Shared key - [some string]
Type - EAP
4. VPN - IPsec - Connections - TEST - add Local Authentication
Authentication - EAP-MSCHAPv2
Id - client1
EAP Id - client1
Certificates - "VPN Server" (I generated a root CA certificate and a certificate for the server itself earlier)
5. VPN - IPsec - Connections - TEST - add Local Children
Mode - Tunnel
Policies - on
Start action - start
DPD action - clear
Local - 10.0.0.0/22 (LAN-attached network)
Remote - [nothing]
SAVE, APPLY
CLIENT SIDE CONFIGURATION
Using strongSwan app for Android.
Creating new connection:
Server address - typing WAN IP of opnsense.
VPN type - IKEv2 EAP (login/password)
Login - client1
Password - type same string as in PSK on opnsense
CA Certificate - selecting the root CA cert generated on opnsense (imported earlier)
Save. Try to connect...
[IKE] received AUTHENTICATION_FAILED notify error.
Can someone help, please? I'm not good at IPsec, so I think I'm doing something wrong.
I tried with and without remote auth, with and without a certificate. Either way, authentication failed.
Configuring the mobile client the legacy way works fine.
Screenshots with configured things attached.
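For reference, here is the same road-warrior setup written as a plain strongSwan swanctl.conf, the format that the OPNsense "Connections" UI generates underneath. This is an added example, not part of the post and not OPNsense's own output: it follows the strongSwan-documented responder layout in which the gateway authenticates with its certificate (local, pubkey) and clients authenticate with EAP-MSCHAPv2 (remote), with the EAP credential stored in the secrets section. The WAN address 203.0.113.1, the certificate file name, the gateway identity and the placeholder secret are assumptions.

```conf
# Added example: swanctl.conf equivalent of an IKEv2 EAP-MSCHAPv2
# road-warrior connection using the values from the post.
# 203.0.113.1, vpnserver.crt, vpn.example.com and the secret are placeholders.
connections {
    TEST {
        version = 2
        local_addrs  = 203.0.113.1      # assumption: OPNsense WAN address
        remote_addrs = %any             # mobile clients connect from anywhere
        pools = Local_addrs             # addresses handed to clients
        send_cert = always              # EAP clients expect the gateway cert
        local {
            # The gateway proves who it is with its server certificate,
            # which the client checks against the imported root CA.
            auth = pubkey
            certs = vpnserver.crt       # assumption: the "VPN Server" cert
            id = vpn.example.com        # assumption: identity in that cert
        }
        remote {
            # Clients prove who they are with an EAP username/password;
            # %any lets any EAP identity in the secrets section match.
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            TEST {
                local_ts = 10.0.0.0/22  # LAN reachable through the tunnel
                dpd_action = clear
            }
        }
    }
}

pools {
    Local_addrs {
        addrs = 192.168.202.0/24
    }
}

secrets {
    # EAP credential for the client: the id is the EAP identity (login)
    # the client sends, the secret is its password.
    eap-client1 {
        id = client1
        secret = "REPLACE_WITH_CLIENT_PASSWORD"   # placeholder
    }
}
```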