I was following the guide for Roadwarrior EAP-MSCHAPv2 and trying with macOS. Spent hours trying to debug the same problem as the OP, which ends with "deleting half open IKE_SA with client after timeout".
What resolved it for me was just deleting the macOS IKEv2 VPN configuration and re-adding it. My theory is something got broken in it when trial and error editing local ID and authentication method. Since this UI is just updating config files maybe certain edits can leave the config in a broken state.
edit: did a quick test: if the macOS IKEv2 VPN is set to User authentication and is working, and you change it to authentication None with any shared secret entered, then attempt to change it back to User authentication with the same info as before, that config will never work again.
In case it helps anyone else, to get EAP-MSCHAPv2 working, in Remote Authentication I set the EAP Id to the client's username and in the Pre-Shared Key->Remote Identifier I leave it blank. This seems the only way to get the username to actually be verified. E.g. if EAP Id is set to %any then during connection the username is just ignored and can be set to anything, even if it is set in the Pre-Shared Key->Remote Identifier, which seems strange to me.
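For anyone who wants to see what those two UI settings look like underneath, here is a strongSwan swanctl.conf for a road-warrior EAP-MSCHAPv2 gateway, added as an example and not taken from the post above, the guide, or the firewall project. It assumes the web UI in the post is a front-end for swanctl.conf (EAP Id in Remote Authentication becoming remote.eap_id, and Pre-Shared Key entries of type EAP becoming secrets.eap-* entries); that mapping, the connection name, addresses, certificate file and passwords are all assumptions.

```conf
# Added example: strongSwan swanctl.conf for a road-warrior EAP-MSCHAPv2
# gateway. Not from the post, the guide or the firewall project; the
# UI-to-config mapping, names, addresses, certificate and secrets are
# hypothetical.
connections {
    rw-eap {
        version = 2
        local_addrs = 203.0.113.1        # hypothetical gateway address
        pools = rw-pool
        proposals = aes256-sha256-ecp256

        local {
            auth = pubkey
            certs = gateway.pem          # hypothetical server certificate
            id = vpn.example.com         # what the macOS client puts in Remote ID
        }

        # Loose setting ("EAP Id = %any" in the UI): the gateway runs the
        # EAP-Identity exchange and accepts whatever identity the client
        # sends, so which user is being authenticated is decided only by
        # which entry in the secrets section matches that identity.
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }

        # Pinned setting ("EAP Id = alice" in the UI): no EAP-Identity
        # exchange, the peer identity used for the secret lookup is fixed
        # to alice. To use it, replace the remote section above with:
        #
        #   remote {
        #       auth = eap-mschapv2
        #       eap_id = alice
        #   }

        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.99.0.0/24
    }
}

secrets {
    # Per-user EAP secret, tied to one identity: only an EAP identity of
    # "alice" will be checked against this password.
    eap-alice {
        id = alice
        secret = "hypothetical-password-for-alice"
    }

    # An EAP secret with no id is a wildcard that matches any identity.
    # Together with eap_id = %any this is the case where the username the
    # client types stops mattering: any identity plus this password passes.
    # Left commented out on purpose.
    #
    # eap-anyone {
    #     secret = "hypothetical-shared-password"
    # }
}
```

Reload with `swanctl --load-all` after editing, and check what the gateway actually selected with `swanctl --list-sas` and the `charon` log lines for the EAP identity; that is the quickest way to confirm whether a given UI change really pinned the identity or just changed the pool/proposal lines.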
"