Messages - heaveaxy

#1
Thanks.
I succeeded in configuring IPsec the new way using the examples from here.

So, the configuration is the following (see screenshot attachments).
What I learned from the logs (and missed earlier) is that both authentications are required (local + remote). For local I use the "Public key" method; a certificate is usable here. For remote I use a pre-defined PSK with the EAP type.
On the mobile client side (I use strongSwan for Android) it is required to add the root CA and the server certificate to local storage and to specify the server's cert in the connection settings.
This works for me.
#2
Hello there.
Version is:
OPNsense 23.7.2-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023

The documentation has no example of how to configure mobile-client IPsec the modern way via "Connections".

I have an OPNsense installation on a public IP. Potential mobile clients may be anywhere. So, this is what I have done:

SERVER SIDE CONFIGURATION

1. VPN - IPsec - Connections - Pools - add new one
Name - Local_addrs
Network - 192.168.202.0/24

2. VPN - IPsec - Connections - add new with following opts:
Version - IKEv2
Local address - public IP of OPNsense (the address of the WAN interface).
Remote address - [nothing]
Pools - Local_addrs
Description - TEST

3. VPN - IPsec - Pre-Shared Keys - add new one
Local Identifier - client1
Remote Identifier - [nothing]
Pre-Shared key - [some string]
Type - EAP

4. VPN - IPsec - Connections - TEST - add Local Authentication
Authentication - EAP-MSCHAPv2
Id - client1
EAP Id - client1
Certificates - "VPN Server" (I generated a root CA certificate and one for the server itself earlier)

5. VPN - IPsec - Connections - TEST - add Local Children
Mode - Tunnel
Policies - on
Start action - start
DPD action - clear
Local - 10.0.0.0/22 (LAN-attached network)
Remote - [nothing]

SAVE, APPLY

CLIENT SIDE CONFIGURATION

Using the strongSwan app for Android.

Creating a new connection:
Server address - the WAN IP of OPNsense.
VPN type - IKEv2 EAP (login/password)
Login - client1
Password - the same string as the PSK on OPNsense
CA Certificate - the root CA cert generated on OPNsense (imported earlier)

Save. Try to connect...
[IKE] received AUTHENTICATION_FAILED notify error.

Can someone help, please? I'm not good at IPsec, so I think I'm doing something wrong.
I tried with and without remote auth, with or without a certificate. Either way, authentication failed.
Configuring the mobile client the legacy way works fine.

Screenshots with configured things attached.
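The two posts above describe the same road-warrior setup, once failing (#2, EAP-MSCHAPv2 chosen as the *local* authentication) and once working (#1, certificate for local authentication, EAP with a PSK of type EAP for remote authentication). OPNsense's "Connections" UI is a front end for strongSwan's swanctl, so the difference is easiest to see in swanctl.conf form. The fragment below is an added example written for this page, not configuration from the posts, from OPNsense or from the strongSwan project; the WAN address 203.0.113.10, the identity vpn.example.com, the certificate file name vpn-server.pem and the secret "s3cret" are assumed placeholders.

```conf
# Added example: swanctl.conf equivalent of the OPNsense "Connections" settings
# discussed in the posts above. Hand-written for illustration; not the posters'
# or OPNsense's generated file. Assumed values: 203.0.113.10 (WAN IP),
# vpn.example.com (server identity), vpn-server.pem (server cert), "s3cret".

connections {
    TEST {
        version = 2                       # IKEv2
        local_addrs = 203.0.113.10        # OPNsense WAN address
        # remote_addrs left unset: mobile clients may connect from anywhere
        pools = Local_addrs

        # --- Local authentication: how OPNsense proves ITS identity ---
        # The pairing post #2 reports as failing: the server itself is set to
        # authenticate with EAP-MSCHAPv2, a method meant for the client side.
        #
        #   local {
        #       auth = eap-mschapv2
        #       id = client1
        #       eap_id = client1
        #   }
        #
        # The pairing post #1 reports as working: the server authenticates with
        # its certificate, which the client validates against the imported root CA.
        local {
            auth = pubkey
            certs = vpn-server.pem        # assumed file name for the "VPN Server" cert
            id = vpn.example.com          # must be contained in the cert (subject or SAN)
        }

        # --- Remote authentication: how the mobile client proves ITS identity ---
        # EAP-MSCHAPv2 with the credentials from the "secrets" section below
        # (the OPNsense "Pre-Shared Keys" entry with Type = EAP).
        remote {
            auth = eap-mschapv2
            eap_id = %any                 # accept any EAP identity that has a secret
        }

        children {
            TEST {
                mode = tunnel
                local_ts = 10.0.0.0/22    # LAN-attached network reachable through the tunnel
                # remote_ts left unset: the client's pool address is used
                start_action = none       # assumed: responder side, the client initiates
                dpd_action = clear
            }
        }
    }
}

pools {
    Local_addrs {
        addrs = 192.168.202.0/24          # virtual IPs handed to clients
    }
}

secrets {
    eap-client1 {
        id = client1                      # the app's "Login"
        secret = "s3cret"                 # assumed; same value as the app's "Password"
    }
}
```

Two checks are useful when the result is still AUTHENTICATION_FAILED: `swanctl --list-conns` prints, per connection, which authentication method each side uses, so a server that shows `local: ... eap-mschapv2` has the two rounds swapped; and `swanctl --log` follows charon while the phone connects, which shows whether the failure comes before or after the EAP round. On the client, the certificate presented by the server must chain to the imported root CA and carry the identity the app was told to expect, which is why post #1 also had to point the app at the server certificate.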