Messages - d39FAPH7

#1
Quote from: patient0 on March 26, 2025, 03:16:25 PM
I see, the error itself is not surprising. Surprising is that pfSense does handle it more gracefully.

On pfSense 2.7.2 I do see the same errors in the logs regarding the "Multiple interfaces match the same subnet", makes sense.
But "dhcp.c:4164: Failed to send 300 byte long packet over igb3 interface" / "lease 192.168.x.x: no subnet" sound pretty bad.

On OPNsense, does igb3 still have an IP address (I assume 192.168.1.1?) and is up when the error "dhcp.c:4164: Failed..." is logged?

Thanks for helping me with my own testing! I remember that in the dashboard the interface oscillated between red and green or up/down. I deployed the rules that I posted above and since then I cannot see any more errors. I'm not quite sure yet if this is because of those rules or nothing happened with the ISP router in the last 24hrs (although I rebooted it and a 24h disconnect happened last night).
#2
@EricPerl: Yes, you are absolutely right. This is complete crap, but actually you can be glad these days if a cable provider like Vodafone gives you the option to have a public IPv4 address in bridge mode at all and not only double NAT with dual stack etc.

If you run this modem/router in normal mode you can of course adjust the IP range and other settings you would expect from a consumer-grade router. If you want bridge mode you set this in the web interface of the provider website and then the firmware gets remotely exchanged in a 30min process for the bridge mode firmware, which then has zero options. I know it's crap but it is how it is, and the good news is that with the firewall rules I posted above everything seems to work now.
#3
Quote from: patient0 on March 26, 2025, 12:52:47 PM
Can you maybe elaborate what "network die after some time" means?
They can't access the internet while the ISP router has its mood anyway, yes? Are they not able to communicate with each other anymore?

I can barely access the OPNsense then. I get timeouts or the web interface loads only partially. The ISC DHCP server collects "Multiple interfaces match the same subnet: igb1 igb3" / "dhcp.c:4164: Failed to send 300 byte long packet over igb3 interface" / "lease 192.168.x.x: no subnet" / "Network is down" errors and then dies. ISC DHCPv4 Server gets red under Services, which means it crashed or shut itself down.
#4
Thanks, I will try that. Would the following rules also be appropriate?

Action: Block
Interface: wan
Direction: out
Protocol: any
Source: lan
Destination: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

Action: Block
Interface: wan
Direction: in
Protocol: any
Source: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Destination: lan

To the pfSense situation I can say that this just works without any additional rules or config. I guess that the "Block private networks" checkbox does what it says on pfSense, while on OPNsense it seems that this does nothing or is legacy?
#5
To be a little more precise: the WAN interface with the ISP router normally bridges my public IP address. During boot, failure, 24h disconnect, automatic firmware updates etc. it resides in 192.168.1.0/24 and during that time this tears my network down. So actually I don't need access to private networks on WAN. I guess I could just block that completely.

Why I can't change my local net: I have paper cutting machines from the 90s with software from hell that once worked via RS232 that I don't have access to anymore. So these IPs are fixed forever.
#6
That's not possible, sorry. I switched from pfSense and this setup worked without a problem for the last 6 years, so there must be a solution with filtering.
#7
Hi,
on a fresh 25.1.3-amd64 install I have the following setup:
ISP-Router with own address 192.168.1.1 and 192.168.1.0/24 Range => WAN Interface on OPNsense set to DHCP. LAN on OPNsense is 192.168.1.0/24.

Although "Block private networks" is checked, I can access the ISP router, which I think is strange; plus, as the ISP router runs a DHCP server, this creates a "Multiple interfaces match the same subnet" problem which makes the whole network die after some time. I cannot change the behaviour and IP range of the ISP router, and as "Block private networks" does not seem to do anything I probably need to create manual block rules, but I'm not certain which ones.

Can anybody help me out? Thanks
#8
Thanks for your answer. While it's quite convenient to have this functionality by default, I think it would be smart to add another block rule that matches the local network range you use on the OPNsense box to avoid duplicate IPs, or do I overlook something here?
#9
Hi,
on a fresh 24.7.11_2 install I have the following setup:
ISP-Router with own address 192.168.1.1 and 192.168.1.0/24 Range => WAN Interface on OPNsense set to DHCP. LAN on OPNsense is 192.168.2.0/24

The WAN interface on OPN gets for example 192.168.1.2 from the ISP router and the internet connection is working. The first strange thing is that this is working although "Block private networks" is checked. The second strange thing is that I can access the ISP router and its connected devices on 192.168.1.0/24 without setting up an Outbound NAT rule manually. Is this intended?

I came across this because on another OPN I have a bridge modem that bridges me a public IP to WAN when set to DHCP. BUT during boot of this modem, until it receives a public IP, this modem resides in the same network range (cannot change that) as my OPN, which leads to duplicate IP addresses and a network that is completely unresponsive/down until the public IP is received and bridged.

thanks
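
An added example, not code from this thread and not OPNsense's own rule engine: the script below models the two WAN block rules proposed in post #4 and the address collision described in posts #7 and #9 in plain POSIX shell with no dependencies. It converts dotted-quad addresses to integers, tests membership in the three RFC 1918 ranges the rules name, reports what the proposed in/out rules would do with a flow, and classifies a WAN DHCP lease against the LAN subnet so the "Multiple interfaces match the same subnet" condition can be caught before the DHCP server runs into it. The lease values and LAN prefixes at the bottom are constructed sample input; the rule semantics are exactly the two rules as written in post #4, taking the "Source: lan" / "Destination: lan" half as given and evaluating only the RFC 1918 match on the far side.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: models the two
# WAN block rules proposed in post #4 and checks a WAN DHCP lease against
# the LAN subnet for the "Multiple interfaces match the same subnet" case.

# Dotted quad -> unsigned 32-bit integer (e.g. 192.168.1.2 -> 3232235778).
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0..32) -> netmask as an integer.
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# "a.b.c.d/len" -> "<network int> <mask int>".
cidr_net() {
    _mask=$(prefix2mask "${1#*/}")
    echo "$(( $(ip2int "${1%/*}") & _mask )) $_mask"
}

# True (exit 0) when address $1 lies inside CIDR $2.
in_cidr() {
    set -- "$(ip2int "$1")" $(cidr_net "$2")
    [ $(( $1 & $3 )) -eq "$2" ]
}

# True when $1 is in one of the RFC 1918 ranges named in the block rules.
is_private() {
    for _net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        in_cidr "$1" "$_net" && return 0
    done
    return 1
}

# True when two CIDRs share any address: one network address lies in the other.
cidrs_overlap() {
    in_cidr "${1%/*}" "$2" || in_cidr "${2%/*}" "$1"
}

# Verdict of the two proposed WAN rules for a flow: $1 = in|out (as seen
# on WAN), $2 = source address, $3 = destination address.  "out" blocks
# private destinations, "in" blocks private sources; everything else passes.
wan_rule_verdict() {
    _far=$3
    if [ "$1" = in ]; then _far=$2; fi
    if is_private "$_far"; then echo block; else echo pass; fi
}

# Classify a WAN lease ($1, CIDR) against the LAN subnet ($2, CIDR):
#   collision - lease inside the LAN subnet (the failure described in the thread)
#   private   - RFC 1918 lease that does not overlap the LAN (e.g. LAN on 192.168.2.0/24)
#   public    - the normal bridge-mode result
classify_wan_lease() {
    if cidrs_overlap "$1" "$2"; then echo collision
    elif is_private "${1%/*}"; then echo private
    else echo public; fi
}

# Constructed sample input: the lease the ISP router hands out while it is
# not yet bridging a public address, against the two LAN layouts in the thread.
for _lan in 192.168.1.0/24 192.168.2.0/24; do
    printf 'WAN lease 192.168.1.2/24 vs LAN %-16s -> %s\n' "$_lan" \
        "$(classify_wan_lease 192.168.1.2/24 "$_lan")"
done
printf 'LAN host -> ISP router 192.168.1.1, WAN out: %s\n' \
    "$(wan_rule_verdict out 192.168.1.50 192.168.1.1)"
```

The "out" rule is the one that actually cuts the path from LAN hosts to the ISP router's management address; an inbound-only private-source filter on WAN does not stop connections that originate on the LAN. The `collision` result is the state in which the firewall holds two interfaces with the same connected subnet, which is what the DHCP daemon complains about in the logs quoted above; a "private" lease with a non-overlapping LAN is merely unwanted, not disruptive.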
#10
Here is the guide. I have been using it for some weeks now and it's working great on iOS and macOS. I will add information on what to do on macOS/iOS to get this working, but it is pretty straightforward: import and trust the CA plus the PKCS12 file, set up the VPN in the GUI. That's it. You need to export the PKCS12 with a password. When exporting with a blank one, macOS will not import it.


Quote
CHANGES
   - V1.0 Initial

PREPARATION/INFO
   - This guide assumes that you have a working DNS config (i.e. your OPNsense is reachable via DNS). I use freedns.afraid.org for this.
   - This is a guide with only little explanation. However, if you ever followed one of the VPN recipes from the OPNsense wiki with success it will be easy for you to follow this guide.
   - In this guide the local net is 192.168.16.0/21. The tunnel net is 192.168.24.0/27. Adjust to your needs.
   - I use aes256-sha256-ecp256 because this is what recent iOS (18.1+) accepts.

REQUIREMENTS
   - Tested with iOS 18.1+
   - Tested with macOS 15.1+. Older macOS versions do not accept the PKCS12 file and will fail with "wrong passwort?". It will probably work if you export with "openssl pkcs12 -export -legacy" but I have not tested it.

BUGS/QUESTIONS I HAVE
   - Distinct pools (Method 2) do not work for some reason.
   - Not sure when to use "Round: 0" or "Round: 1". Both work.
   - If I set "Start action" to "Trap", which is recommended in the OPNsense wiki, I will get an error message in the logs: "11[CFG] installing trap failed, remote address unknown". However, it works anyway, and if I set it to None it will also work but with no error in the log.
   - What's with "IKE Extensions - Enable IPsec Mobile Client Support" under VPN / IPsec / Mobile Clients? Does this relate to "Tunnel Settings [legacy]" only? It has the "Phase 2 PFS Group" option which is interesting.

CREATE IPSEC IKEV2 VPN
   CREATE CA'S AND SERVER CERTIFICATES FOR IPSEC IKEV2 VPN
      System
         Trust
            Authorities
            "+Add"
               Method: Create an internal Certificate Authority
               Description: myopnsense.a-domain-name.com
               Key
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: self-signed (default)
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense
                  City: myopnsense
                  Organization: myopnsense
                  Organizational Unit: myopnsense
                  Email Address: myopnsense
                  Common Name: myopnsense.a-domain-name.com
               => Save

            Certificates
            +Add
               Method: Create an internal certificate
               Description: ipsec_e2s:myopnsense.a-domain-name.com
               Key
                  Type: Server certificate
                  Private key location: Save on this firewall (default)
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: myopnsense.a-domain-name.com (default)
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense (default)
                  City: myopnsense (default)
                  Organization: myopnsense (default)
                  Organizational Unit: myopnsense
                  Email Address: myopnsense (default)
                  Common Name: myopnsense.a-domain-name.com
                  Alternative Names:
                     DNS domain names:
                        Value: myopnsense.a-domain-name.com
               => Save

   CREATE CLIENT CERTIFICATES IPSEC IKEV2 EAP-TLS VPN
            Certificates
            +Add
               Method: Create an internal certificate
               Description: john-macbook.myopnsense
               Key
                  Type: Client certificate
                  Private key location: Save on this firewall (default)
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: myopnsense.a-domain-name.com
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense (default)
                  City: myopnsense (default)
                  Organization: myopnsense (default)
                  Organizational Unit: myopnsense
                  Email Address: myopnsense (default)
                  Common Name: john-macbook.myopnsense //max. 64 chars. @-sign is not working here. Dots are ok.
                  Alternative Names:
                     DNS domain names:
                        Value: john-macbook.myopnsense
               => Save

   CREATE IP POOLS FOR IPSEC IKEV2 VPN
      CREATE POOLS METHOD 1 //Shared IP pool for all roadwarriors. Don't create both methods (1 and 2) on your OPNsense at the same time, it's a potential security risk. Only create one connection where you use EAP id: %any (Method 1). If you create multiples of these connections, any roadwarrior can connect to any of them.

         VPN
            IPsec
               Connections
                  +Add
                     enabled: checked
                     Name: e2s_eaptlssplittun_sharedpool //as of 20241005 special characters like ":" in this field are accepted but clients cannot connect for some reason.
                     Network: 192.168.24.0/27
                     DNS: 192.168.16.1

   CREATE POOLS METHOD 2 EXAMPLE //Distinct IP address(es) per roadwarrior. For some reason this does not work as of 2024-11-21 with EAP-TLS. It results in only one usable connection. Skip that for now. Probably works if you create your own CA for every connection/user, which is a pain.
   VPN
      IPsec
         Connections
            +Add
               enabled: checked
               Name: john-macbook_eaptlssplittun_distinctpool //as of 20241005 special characters like ":" in this field are accepted but clients cannot connect for some reason.
               Network: 192.168.24.97/32
               DNS: 192.168.16.1

CREATE IKEV2/EAP-TLS VPN FOR MOBILE CLIENTS (VIA CONNECTIONS/NEW METHOD)
   VPN
      IPsec
         Connections (Method 1/Sharedpool)
            Connections
            Enable IPsec: checked //this enables the whole strongswan daemon. the checkbox is rather hidden in the lower corner
            +Add
            => advanced mode
               Proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
               Unique: Replace
               Aggressive: unchecked
               Version: IKEv2
               MOBIKE: checked
               Local addresses: (leave empty) (default)
               Remote addresses: (leave empty) (default)
               UDP encapsulation: checked
               Rekey time (s): 2400
               DPD delay (s): 30
               Pools: e2s_eaptlssplittun_sharedpool
               Send cert req: checked (default)
               Send certificate: Always: selected
               Keyingtries: 0
               Description: myopnsense:e2s:splittun:eaptls:p1
               =>Save (it will reveal new options)

            Local Authentication
            +Add
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Round: 0
               Authentication: Public Key: selected
               Id: myopnsense.a-domain-name.com //It's crucial to set this to FQDN
               Certificates: ipsec_e2s:myopnsense.a-domain-name.com
               Public Keys: Nothing selected (default)
               Description: localauth:myopnsense.a-domain-name.com

            Remote Authentication
            +Add
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Round: 1
               Authentication: EAP TLS: selected
               Id: (empty) (default) //It's crucial to leave this empty
               EAP Id: %any
               Certificates: Nothing selected (default): selected
               Description: remoteauth:myopnsense:eaptls

            Children
            +Add
            => advanced mode
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Mode: Tunnel (default): selected
               Start action: None: selected
               ESP proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
               Local:    192.168.16.0/21
               Remote: (leave empty)
               Rekey time (s): 600
               Description: child:myopnsense:splittun:p2
            => Save => Apply

      Firewall
         Rules
            IPsec
            "+Add"
               Interface: IPsec: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: any: selected
               Source: any: selected
               Destination: LAN net: selected
            => Save => Apply changes

            WAN
            "+Add"
               Interface: WAN: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: UDP: selected
               Source: any: selected
               Destination: WAN address: selected
               Destination port range: From: ISAKMP To: ISAKMP //=500
            => Save

            "+Add"
               Interface: WAN: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: UDP: selected
               Source: any: selected
               Destination: WAN address: selected
               Destination port range: From: IPsec NAT-T To: IPsec NAT-T //=4500
            => Save => Apply changes

#11
Just for the record:
To fix the iOS 18.1 Problem you need to set "Send certificate" under p1 settings to "Always" as described here:
https://github.com/opnsense/docs/issues/639
The other method is to use Apple Configurator, which I already found out earlier in this post but is also mentioned here: https://docs.strongswan.org/docs/5.9/interop/ios.html#_ikev2_on_ios_9_and_macos_10_11
#12
//edit:

I got it working. :)

One part of the problem was that I still had to install and trust the CA separately. I thought that this is kind of bundled with the PKCS#12 file.

I will modify my post soon once I have tested everything extensively. Thanks for pointing me to reading the Apple logs in more detail.
#13
Thanks for your answer but actually not, because I use this on iOS also and I don't want to use apps because they cannot be integrated into the system as well as the native stuff and become unmaintained from time to time.
#14
Hi, I am trying to get IPsec VPN with certificates working with the new "Connections method". However I have had no success. I tried to make sense of the following guides:

//Original question deleted as I fixed it myself. I posted a HowTo in this post. Just scroll down.
#15
Thanks for your answer. I'm on macOS / iOS and a big fan of the built-in system clients as they don't give me a headache on OS updates most of the time, but actually they lack this functionality.
Is it possible to configure a completely new (secondary) tunnel on the OPNsense side with a different DNS name, including a new certificate, to distinguish by that?
thanks