Messages - ddeacon22

#1
23.7 Legacy Series / Re: [SOLVED] Blocked Device IP?
March 30, 2024, 03:34:28 PM
I've had this problem happen to me twice over the last week with two different internal IP addresses of iPhones. After just using different IP addresses, I put some time into it this morning and figured out it was related to the Crowdsec "Enable FW Bouncer (IPS)" feature. Once I disabled that I was able to pass traffic to the internet again for my internal addresses that were impacted.

So I enabled it again and went into the Crowdsec->Overview->Decisions section and saw the two addresses impacted and deleted the entries there. This allowed me to keep the feature on and pass traffic.

This only started happening a week ago and only on two different iPhones. Wondering if they are spamming something, or if it's just a coincidence that the IPs were pulled in from a blocklist somewhere. Don't know enough about how Crowdsec works to determine why the addresses are getting added to a blocklist. Time to research more I guess if it happens again as it's getting annoying.
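A check for the situation described above, added here as an example and not code from the post or from CrowdSec: it reads the JSON printed by `cscli decisions list -o json` (the field layout and the LAN_NETWORKS list are assumptions) and lists any active decision that overlaps an internal range, together with the `cscli decisions delete` commands that would lift them.

```python
import ipaddress
import json

# Your own internal ranges; an assumption here, adjust to the LAN(s) behind the firewall.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample shaped like `cscli decisions list -o json` output; the field layout
# (alerts, each with a "decisions" list carrying value/scope/type/origin/scenario) is assumed.
SAMPLE_JSON = json.dumps([
    {"scenario": "crowdsecurity/http-probing",
     "decisions": [{"value": "192.168.1.23", "scope": "Ip", "type": "ban",
                    "origin": "crowdsec", "scenario": "crowdsecurity/http-probing"}]},
    {"scenario": "crowdsecurity/ssh-bf",
     "decisions": [{"value": "203.0.113.9", "scope": "Ip", "type": "ban",
                    "origin": "CAPI", "scenario": "crowdsecurity/ssh-bf"}]},
    {"scenario": "manual",
     "decisions": [{"value": "172.16.0.0/12", "scope": "Range", "type": "ban",
                    "origin": "cscli", "scenario": "manual"},
                   {"value": "CN", "scope": "Country", "type": "ban",
                    "origin": "cscli", "scenario": "manual"}]},
])

def hits_lan(value, scope):
    """True when an Ip/Range decision overlaps one of LAN_NETWORKS."""
    if scope not in ("Ip", "Range"):
        return False                      # Country/AS scopes cannot name a LAN host
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False                      # malformed value: treat as no match
    return any(net.version == lan.version and net.overlaps(lan) for lan in LAN_NETWORKS)

def lan_decisions(raw_json):
    """Return every decision that would cut off an internal address or range."""
    found = []
    for alert in json.loads(raw_json):
        for dec in alert.get("decisions", []):
            if hits_lan(dec.get("value", ""), dec.get("scope", "")):
                found.append({"value": dec["value"], "scope": dec["scope"],
                              "origin": dec.get("origin", "?"),
                              "scenario": dec.get("scenario", alert.get("scenario", "?"))})
    return found

def delete_commands(findings):
    """cscli invocations that would lift the flagged decisions (returned, not executed)."""
    flag = {"Ip": "--ip", "Range": "--range"}
    return [f"cscli decisions delete {flag[f['scope']]} {f['value']}" for f in findings]
```

The origin and scenario fields tell you whether the block came from a local scenario firing on the device's traffic or from a pulled blocklist, which is the question the post leaves open.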
#2
Finally figured it out after a day of troubleshooting certificate extended usage keys. I now have EAP-TLS working through the EAP-RADIUS profile so I am passwordless with client/server certs only.
#3
Are you guys using EAP-RADIUS to get these IKEv2 connections working with macOS and iOS? I decided to migrate from pfSense to OPNsense on the weekend and can't for the life of me get my VPN working following all the guides for OPNsense. I've even tried a direct copy of my config from pfSense where I had EAP-TLS working with nothing but certificates and Apple Configurator profiles, but for some reason the same config won't work on OPNsense.

Best progress I can make is EAP-RADIUS but the tunnels never come up after successful RADIUS authentication. I'd prefer an EAP-TLS connection but VPN logs say it is not supported on the client, which is wrong as I had it working on pfSense. This is the error I get in OPNsense VPN logs.

16[IKE] <con1|11> configured EAP-only authentication, but peer does not support it