
Messages - mgsteve

#1
I appear to have fixed it after a bit more googling. In addition to the extra charon package, you also need to install an extra strongswan package too.

sudo apt-get -y install libstrongswan-extra-plugins

With that added, the VPN connects.
#2
Quote from: mimugmail on December 12, 2020, 06:44:36 AM
You have to use the matrix at the bottom where correct client and server config are linked:
https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I tested it with Ubuntu 18.04

Just to say I've followed all the steps and it's failing again at the last step.

Ubuntu Logs:
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[CFG] received initiate for NetworkManager connection WV VPN 2
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[CFG] using CA certificate, gateway identity '192.168.1.181'
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[IKE] initiating IKE_SA WV VPN 2[14] to 192.168.1.181
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[NET] sending packet: from 192.168.1.88[53337] to 192.168.1.181[500] (936 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc NetworkManager[1360]: <info>  [1607768348.5185] vpn-connection[0x560217f50130,7723a298-6e57-46bd-981f-4359fa9b7bc8,"WV VPN 2",0]: VPN plugin: state changed: starting (3)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[NET] received packet: from 192.168.1.181[500] to 192.168.1.88[53337] (38 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[IKE] initiating IKE_SA WV VPN 2[14] to 192.168.1.181
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[NET] sending packet: from 192.168.1.88[53337] to 192.168.1.181[500] (1128 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[NET] received packet: from 192.168.1.181[500] to 192.168.1.88[53337] (557 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] received cert request for "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=opnsense-ca-root"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] received 3 cert requests for an unknown ca
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] sending cert request for "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=opnsense-ca-root"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] establishing CHILD_SA WV VPN 2{13}
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[NET] sending packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (464 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 08[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (1236 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (756 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1920 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] received end entity cert "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG]   using certificate "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG]   using trusted ca certificate "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=opnsense-ca-root"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG] checking certificate status of "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG] certificate status is not available
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG]   reached self-signed root ca with a path length of 0
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] authentication of 'C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'expert'
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[NET] sending packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (96 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (112 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x87)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[NET] sending packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (144 bytes)
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (128 bytes)
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[IKE] EAP_MSCHAPV2 method failed

opnSense logs (truncated the first few lines)
2020-12-12T10:19:10   charon[10631]: 04[NET] <con1|2> sending packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (80 bytes)
2020-12-12T10:19:10   charon[10631]: 04[ENC] <con1|2> generating INFORMATIONAL response 4 [ N(AUTH_FAILED) ]
2020-12-12T10:19:10   charon[10631]: 04[ENC] <con1|2> parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
2020-12-12T10:19:10   charon[10631]: 04[NET] <con1|2> received packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (80 bytes)
2020-12-12T10:19:10   charon[10631]: 04[NET] <con1|2> sending packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (128 bytes)
2020-12-12T10:19:10   charon[10631]: 04[ENC] <con1|2> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> EAP-MS-CHAPv2 verification failed, retry (1)
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> no EAP key found for hosts 'C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=<redacted>, subjectAltName=IP:192.168.1.181' - 'expert'
2020-12-12T10:19:08   charon[10631]: 04[ENC] <con1|2> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
2020-12-12T10:19:08   charon[10631]: 04[NET] <con1|2> received packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (144 bytes)
2020-12-12T10:19:08   charon[10631]: 04[NET] <con1|2> sending packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (112 bytes)
2020-12-12T10:19:08   charon[10631]: 04[ENC] <con1|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> initiating EAP_MSCHAPV2 method (id 0x87)
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> received EAP identity 'expert'
2020-12-12T10:19:08   charon[10631]: 04[ENC] <con1|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]

2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> no EAP key found for hosts 'C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=<redacted>, subjectAltName=IP:192.168.1.181' - 'expert'

I'm guessing that's the key log entry, what have I missed?
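Added example (not code from the thread or from OPNsense): a small Python triage script that walks charon-nm (client) and charon (gateway) log lines like the ones quoted above, tags each recognised message with the IKEv2 stage it belongs to, and reports the first stage that failed. The sample lines are constructed to mirror the quoted output; the stage rules are my own, not strongswan's.

```python
import re

# Constructed sample lines, modelled on the charon-nm (client) and charon (OPNsense) output quoted above.
CLIENT_LOG = """\
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] authentication of 'CN=wv.xxx.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'expert'
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
"""
SERVER_LOG = """\
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> no EAP key found for hosts 'CN=wv.xxx.com' - 'expert'
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> EAP-MS-CHAPv2 verification failed, retry (1)
"""

# Both daemons log "<thread>[SUBSYSTEM] message"; the gateway side adds a "<conn|id>" prefix.
LINE_RE = re.compile(r"charon(?:-nm)?(?:\[\d+\])?: \d+\[(?P<sub>[A-Z]+)\] (?:<[^>]+> )?(?P<msg>.*)$")

# (pattern on the message body, IKEv2 stage, is this a failure, human-readable template)
RULES = [
    (re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)"), "IKE_SA_INIT", False,
     "DH group mismatch: client offered {0}, gateway wants {1} (charon retries with {1})"),
    (re.compile(r"selected proposal: (\S+)"), "IKE_SA_INIT", False, "proposal agreed: {0}"),
    (re.compile(r"authentication of '([^']*)' with \S+ successful"), "IKE_AUTH", False, "gateway certificate verified: {0}"),
    (re.compile(r"no EAP key found for hosts '([^']*)' - '([^']*)'"), "EAP", True,
     "gateway has no EAP secret for identity '{1}' (server id '{0}'): check the Pre-Shared Keys entry"),
    (re.compile(r"EAP-MS-CHAPv2 failed with error ([A-Z_]+)"), "EAP", True, "client received EAP failure {0}"),
    (re.compile(r"EAP-MS-CHAPv2 verification failed"), "EAP", True, "gateway rejected the MSCHAPv2 response"),
]

def analyse(log):
    """Return one finding per recognised charon line, tagged with the IKEv2 stage it belongs to."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for pattern, stage, is_failure, template in RULES:
            hit = pattern.search(m.group("msg"))
            if hit:
                findings.append({"stage": stage, "failure": is_failure, "detail": template.format(*hit.groups())})
                break
    return findings

def failure_stage(log):
    """IKEv2 stage of the first failure in the log, or 'none' if negotiation completed cleanly."""
    failures = [f["stage"] for f in analyse(log) if f["failure"]]
    return failures[0] if failures else "none"
```

Run against both logs it reports "EAP" on each side, and the gateway-side finding names the identity the Pre-Shared Keys entry has to match.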
#3
please delete, replied in wrong thread.

#4
Quote from: mimugmail on December 12, 2020, 06:44:36 AM
You have to use the matrix at the bottom where correct client and server config are linked:
https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I tested it with Ubuntu 18.04

Yes, those are two of the guides I followed. I'll delete everything and try from scratch again. But it only seems to be failing on the EAP challenge.

btw, you need to tweak your Linux Remote Access guide as you need to include the extra package I mentioned above in 20.04, otherwise strongswan doesn't know anything about EAP-MSCHAPv2.
#5
I have torn out what little hair I have left over the course of the past few hours. I simply cannot get this to work.

First it was a problem with the certificate CN not matching, but got that to work by using the IP instead of the FQDN. Then EAP was failing because the instructions didn't mention you needed to add an extra package (apt install libcharon-extra-plugins).

Now EAP fails because authentication fails "EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'", even though the username entered matches the PSK entry (user, password, EAP) and I've even tried a PSK value against a full-blown user account in opnSense as opposed to just an EAP entry on the "Pre-Shared Keys" page.

If anyone has a start-to-finish, step-by-step guide for this (and yes, I have read the official guide (https://docs.opnsense.org/manual/how-tos/ipsec-road.html) and then the Linux bit here (https://docs.opnsense.org/manual/how-tos/ipsec-rw-linux.html), but all to no avail) :(

Any help would be gratefully received.
#6
Sorry to resurrect this thread, but I've just had the same problem on 20.7. It appears that if there are any errors in the certs (in my case a stray character at the end of the cert) it causes lighttpd to fail to start and you're left with a GUI-less system.

This is far from ideal if the firewall is in a data center and you've got no remote access to the console. The code needs to run some sort of validation check on the cert to make sure it's valid before you assign it to the GUI, or put in some fallback code to restore the SSL to the old one if it fails to start.
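Added example (my own code, not OPNsense's): the kind of pre-assignment sanity check the post above asks for, in Python. It verifies that a PEM certificate blob has clean BEGIN/END markers with nothing trailing, that the body is strict base64, and that the outer DER SEQUENCE length covers exactly the decoded bytes, so a stray, dropped or inserted character is caught before the blob is handed to the web server. The sample "certificate" is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----(?P<trail>.*)\Z", re.S)

def check_pem_certificate(pem):
    """Return 'ok', or the reason this PEM certificate blob would not load (structural checks only)."""
    m = PEM_RE.search(pem)
    if not m:
        return "missing BEGIN/END CERTIFICATE markers"
    if m.group("trail").strip():
        return "stray data after END marker: %r" % m.group("trail").strip()[:16]
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except binascii.Error as exc:
        return "body is not valid base64: %s" % exc
    # A certificate is one outer DER SEQUENCE (tag 0x30) whose declared length must
    # cover exactly the remaining bytes; a dropped or inserted character breaks this.
    if len(der) < 2 or der[0] != 0x30:
        return "DER does not start with a SEQUENCE"
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return "malformed DER length"
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        return "DER length %d does not match %d content bytes" % (length, len(der) - header)
    return "ok"

# Constructed stand-in: a minimal SEQUENCE { INTEGER 5 } instead of a real certificate body.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
STRAY_PEM = GOOD_PEM + "x"                                # the extra character described in the post
TRUNCATED_PEM = GOOD_PEM.replace("MAMCAQU=", "MAMCAQ")    # last characters of the body lost
PADDED_PEM = GOOD_PEM.replace("MAMCAQU=", "MAMCAQUA")     # one byte too many inside the body
```

This only proves the blob is well-formed; whether the key matches and the chain validates still needs a proper X.509 parser, but a check this cheap is enough to refuse the broken upload that took the GUI down.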
#7
pfft! This is always the way. You try and fix something for an hour, write a forum post about it, post the post and then immediately solve it.

For some unfathomable reason all I needed to do was unplug and then plug back in the USB cable on the server!

I plugged it into my PC and PuTTY connected fine, tried screen, that worked fine, plugged it back into the server, re-ran the same command I'd run not 5 mins before and it now works.

Oh well, onto the fun of replicating the pfSense setup from the other pfSense box in the rack! :D
#8
We've got an old (probably a few years old) Dual A10 Quad Core SSD OPNsense firewall unit which was running pfSense and it worked fine, but I thought I'd give opnSense a try as I'm interested in the ETPro Telemetry feature, which isn't on pfSense.

Anyway, I connected the serial lead for console access and installed opnSense 20.7 off the USB and everything was fine until it booted up in opnSense for the first time; ever since then the serial port is acting as if the settings are wrong. As far as I know the defaults are the same between pfSense and opnSense and I use the same screen command, just passing the 115200 baud rate.

However, opnsense simply doesn't want to play ball. Or if it does, it displays the login prompt, I type "roo" as in the start of 'root' and that's it, it locks up again. Most of the time I'm just looking at a blank screen. For the first bit of the boot process it works and then again it stops scrolling and refreshes the current line until finally ending up at the login prompt.

For comparison we never had an issue when running pfSense, so it's definitely related to opnSense.

I can log on via the browser, but the console was a useful backup option to have, if I can get it to work again.

Anyone got any ideas?