Messages - Hannes

#1
New information 2:

Although I did this before - I deleted my VPN profile and generated it anew - it works now - the XAuth key is saved and stays saved!
#2
New information: The connection works without asking for a password on iOS clients.

iPhone 16e with iOS 18.5
iPad (10th Gen) iOS 18.5
#3
After updating to OPNsense 25.1.5_5, my IPsec road warrior setup (legacy configuration) is broken for me.

VPN/IPsec/Mobile & Advanced Settings/Attr/Cisco Unity-Save password is enabled.

I write the password into the config on my macOS.

When I start the VPN connection, I am asked for the password. If I enter the password, the connection works, but the password is removed from my local configuration on macOS - so I am asked again the next time I start the connection.

I guess it is a problem with Cisco Unity?

On other OPNsense routers (with system 25.1 or prior), passwords are saved and the connection works immediately.

I found a note in another forum: https://github.com/opnsense/core/issues/1209
It seems to be the same problem.
#4
Hi eell!

Thank you for the reply!

I copied just the missing part into include.conf, with the necessary brackets and header.

Really, only these 2 lines are missing:
subnet = 10.1.1.0/24
split-include = 10.1.1.0/24

IMO this is a bug - it worked with 22.1.x (when you activated "Provide a list of accessible networks to clients"), but the 2 lines disappeared with 22.7 and don't come back, even if you activate the button.

Greetings

Hannes
#5
I tried to edit /usr/local/etc/strongswan.conf -> the file gets restored by the system on restart of strongSwan

I tried to create /usr/local/etc/strongswan.opnsense.d/include.conf -> works!

-----
starter {
}
charon {
    plugins {
        attr {
            subnet = 10.1.1.0/24
            split-include = 10.1.1.0/24
        }
    }
}
-----
#6
Client: macOS 12.5

netstat:

Connected with OPNsense 22.7 (not working) -> the gateway is the VPN interface
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  10.1.99.100.51771      17.248.173.48.https    SYN_SENT


Connected with OPNsense 22.1 (working) -> the local gateway is used
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)   
tcp4       0      0  mbp-16-han.fritz.51894 10.5.1.113.net-assista SYN_SENT
#7
Further investigations:

strongswan.conf (OPNsense 22.7) (not working)

cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }

strongswan.conf (OPNsense 22.1) (working)

cisco_unity = yes
    plugins {
        attr {
            subnet = 192.168.100.0/24
            split-include = 192.168.100.0/24
            dns = 192.168.100.1
            # Search domain and default domain
            28674 = network.local
            28675 = network.local
            25 = network.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }



The file carries a warning: "# Automatically generated, please do not modify"

So the change needs to be made in OPNsense?

Thank you
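As an added example (not the poster's, OPNsense's or strongSwan's own code): a small Python script that parses strongswan.conf-style `key = value` / `section { }` syntax, merges an override file on top of the generated file, and reports whether the attr plugin will push `subnet`/`split-include` alongside the Cisco Unity attributes. It assumes strongSwan's documented behaviour that a later definition of the same key overrides an earlier one. The two embedded configs are constructed from the 22.7 snippet above and the include.conf from the earlier post; `check_file` can be pointed at the real `/usr/local/etc/strongswan.conf` and `/usr/local/etc/strongswan.opnsense.d/include.conf` on the firewall to confirm the override actually lands before restarting strongSwan.

```python
"""Check whether a strongswan.conf (plus overrides) will push a
split-include list from the attr plugin. Added example, not OPNsense
or strongSwan code."""

# Constructed sample modelled on the "not working" 22.7 snippet from the
# post: cisco_unity is on, but 'subnet' and 'split-include' are absent.
BROKEN_CONF = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            dns = 10.1.1.1
            # Search domain and default domain
            28674 = corporation.local
            28675 = corporation.local
            25 = corporation.local
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }
}
"""

# Constructed copy of the include.conf override from the earlier post.
OVERRIDE_CONF = """\
starter {
}
charon {
    plugins {
        attr {
            subnet = 10.1.1.0/24
            split-include = 10.1.1.0/24
        }
    }
}
"""


def parse(text):
    """Parse strongswan.conf syntax into nested dicts ('#' starts a comment)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '}':
            stack.pop()
        elif line.endswith('{'):
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif '=' in line:
            key, _, value = line.partition('=')
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def deep_merge(base, override):
    """Later definitions win, as strongSwan does for repeated keys (assumed)."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def lookup(conf, path):
    """Dotted lookup, e.g. 'charon.plugins.attr'; None if absent."""
    node = conf
    for part in path.split('.'):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def split_include_status(conf):
    """Summarise what the attr plugin would push to Cisco Unity clients."""
    attr = lookup(conf, 'charon.plugins.attr') or {}
    return {
        'cisco_unity': lookup(conf, 'charon.cisco_unity') == 'yes',
        'subnet': attr.get('subnet'),
        'split_include': attr.get('split-include'),
        # numeric keys are raw Unity attribute IDs (28674/28675 = domains)
        'unity_attrs': {k: v for k, v in attr.items() if k.isdigit()},
    }


def check_file(path, overrides=()):
    """Parse a real strongswan.conf and any override files, in order."""
    with open(path) as f:
        conf = parse(f.read())
    for override in overrides:
        with open(override) as f:
            conf = deep_merge(conf, parse(f.read()))
    return split_include_status(conf)


if __name__ == '__main__':
    base = parse(BROKEN_CONF)
    print('generated file only:', split_include_status(base))
    print('with include.conf:  ',
          split_include_status(deep_merge(base, parse(OVERRIDE_CONF))))
```

If `split_include` comes back `None` after merging the override, the client will get no split-include list and, as the netstat output in the post shows, macOS will route everything through the tunnel.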
#8
I have had a problem with IPsec since updating to OPNsense 22.7.x

IPsec setup (road warrior)

Client: macOS 12

OPNsense 22.1.x
Connecting with the client to the OPNsense network from "the road": all IPs on the VPN network are accessible, internet routing goes through the client's internet connection.

After the update to 22.7.x
Connecting with the client to the OPNsense network from "the road": all IPs on the VPN network are accessible, internet routing goes through the VPN connection, and internet/DNS is not working or is too slow.

I had this behaviour before I found the setting "Provide a list of accessible networks to clients" (VPN/IPsec/Mobile Clients).

1. Did I describe the problem understandably?
2. Is there a quick fix - maybe in a configuration file on the OPNsense server?
3. Please do not offer solutions like "this is better" or "use WireGuard" - I'm interested in this solution, and it already worked, so I would like to fix it, thank you.

Greetings