Messages - Tamas Halmai

#1
25.7, 25.10 Series / Re: random sFTP connection attempts
December 15, 2025, 10:50:58 AM
Hi Franco & Patrick,

Quote from: franco on December 15, 2025, 08:43:35 AM
So you can already add a cron job with any kind of schedule, right?

Exactly, as I wrote above: the cron is already scheduled @ 10:00 (my NAS is back by then), that is why I do have a successful daily backup...

Quote from: Patrick M. Hausen on December 15, 2025, 09:12:03 AM
Yes, but you cannot disable or change the default which is the entire point of this conversation.

Indeed, this is the point I would like to resolve, but there is neither a GUI nor a CLI option that would support this.

Quote from: franco on December 15, 2025, 08:43:35 AM
I don't mind disabling the default one or adding a visibility in cron for it which may be even better. It's just something that needs to be done in the right way and the current settings page where it sits is still a static PHP page we don't want to make more complex unless we have to. All input on GitHub regarding a dependable solution or an actual feature request is welcome.

I have already created the related feature request: https://github.com/opnsense/plugins/issues/5087#issuecomment-3651569431

Best regards,


Tamas

#2
25.7, 25.10 Series / Re: random sFTP connection attempts
December 15, 2025, 06:33:26 AM
Quote from: franco on December 14, 2025, 08:34:17 PM
Why would the documented default be counterproductive to other users using it successfully?

Cheers,
Franco

Franco,

This additional automated sFTP check just adds additional operational noise and confusion (gives the incorrect impression that something is going on with the server).

So, as Patrick correctly stated, it would be a nice feature to either:
- enable/disable the check after 01:00 AM
- make the schedule configurable to align it with the active time of the NAS (IMHO it is absolutely common practice to switch a NAS off overnight)

BR,

Tamas

#3
25.7, 25.10 Series / Re: random sFTP connection attempts
December 12, 2025, 10:40:25 AM
Hi Patrick,

Thanks for coming back to me. Now, at least I can understand the reason for that unsuccessful sFTP attempt around 2 AM.

Since at that timeframe my NAS is intentionally down, I had to configure an automated sFTP cron job, and as you can see in the attachment that is successful.

Would it be possible to disable the default one @ 2 AM, because that is counterproductive?

Thanks,

Tamas Halmai

#4
25.7, 25.10 Series / random sFTP connection attempts
December 11, 2025, 09:32:06 PM
Hi,

I am running OPNsense 25.7.9 and successfully enabled automated sFTP backup to my local NAS every day at 10:00.

So far, so good. But I have noticed in the System -> General log that the FW randomly tries to make an sFTP attempt around 02:00 every day. Since my NAS is switched off during the night, the sFTP connection obviously fails.

Could you please advise how I could disable these particular unwanted connection attempts?

Thanks in advance,

Tamas Halmai
#5
Cedrick,

You are absolutely right, I have also considered reusing the box's main public Let's Encrypt certificate obtained via ACME (I just wanted to follow your config described in the App Note to the maximum extent possible to avoid any unknowns...). IMHO that should indeed be the simplest way forward...

Best regards

Tamas Halmai
#6
Hi Gents,

Please try to follow Cedrick's App Note carefully: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html. This is a good starting point...

In my case the biggest stumbling blocks were as follows:
- that "advanced mode" toggle in the upper left corner of the IPsec screen is pretty easy to overlook
- it was not in the documentation that the DNS server(s) can be defined on the Pool configuration form
- and the biggest one is that Apple hasn't implemented the certificate check consistently, i.e. the macOS and iOS implementations differ:
  - in the case of macOS it is sufficient to import the root and intermediate certificates and accept the root certificate as trustworthy
  - iOS is more picky: additionally it is necessary to create a .config profile and embed the root and intermediate certificates in DER Base64 format.

Hopefully the above will be deemed helpful, but please send specific questions and I will try to help...

Best regards,

Tamas Halmai
#7
Hi Cedrick,

It is alright.

...and the good news is that I have a fully operational IPsec IKEv2 VPN terminated by OPNsense v25.7.4 on all my Apple devices (i.e. MBP, iOS) ;-)

Have a great day,

Tamas Halmai
#8
Dear Cedrik,

The particular reason that I want to get IPsec IKEv2 working is because that is natively supported on Apple devices without installing further VPN clients.

No problem, this is neither the first nor the last tricky/badly documented feature I have had to fix in my 30+ years networking career...

Best regards,

Tamas Halmai

PS: But, as a courtesy to your fellow Forum Members, if you cannot provide a solution/constructive support, then please do not even post rude comments.
#9
Dear Cedrick,

I could make progress with the ISAKMP Phase 1 negotiation and enabling detailed logging:

2025-10-12T18:31:05   Informational   charon    15[MGR] checkin and destroy of IKE_SA successful
2025-10-12T18:31:05   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3] state change: CONNECTING => DESTROYING
2025-10-12T18:31:05   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin and destroy IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3]
2025-10-12T18:31:05   Informational   charon    15[JOB] <59779880-550b-4859-bb8b-d5627b6f431b|3> deleting half open IKE_SA with SSS.SSS.SSS.SSS after timeout
2025-10-12T18:31:05   Informational   charon    15[MGR] IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3] successfully checked out
2025-10-12T18:31:05   Informational   charon    15[MGR] checkout IKEv2 SA with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin IKEv2 SA 59779880-550b-4859-bb8b-d5627b6f431b[3] with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[NET] <59779880-550b-4859-bb8b-d5627b6f431b|3> sending packet: from DDD.DDD.DDD.DDD[4500] to SSS.SSS.SSS.SSS[6308] (400 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <59779880-550b-4859-bb8b-d5627b6f431b|3> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> authentication of 'ipsec-cert....' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> peer supports MOBIKE
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_DNS_DOMAIN attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_DNS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_DHCP attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_ADDRESS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_DNS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_DHCP attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_NETMASK attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_ADDRESS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> initiating EAP_IDENTITY method (id 0x00)
2025-10-12T18:30:35   Informational   charon    15[CFG] <59779880-550b-4859-bb8b-d5627b6f431b|3> selected peer config '59779880-550b-4859-bb8b-d5627b6f431b'
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> looking for peer configs matching DDD.DDD.DDD.DDD[ipsec-cert....]...SSS.SSS.SSS.SSS[xyz@ipsec...]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote endpoint changed from SSS.SSS.SSS.SSS[6306] to SSS.SSS.SSS.SSS[6308]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> local endpoint changed from DDD.DDD.DDD.DDD[500] to DDD.DDD.DDD.DDD[4500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
2025-10-12T18:30:35   Informational   charon    15[NET] <3> received packet: from SSS.SSS.SSS.SSS[6308] to DDD.DDD.DDD.DDD[4500] (416 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] IKE_SA (unnamed)[3] successfully checked out
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[MGR] <3> checkin of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[MGR] <3> checkin IKEv2 SA (unnamed)[3] with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[NET] <3> sending packet: from DDD.DDD.DDD.DDD[500] to SSS.SSS.SSS.SSS[6306] (557 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R13"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R12"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=NL, ST=Zuid-Holland, L=The Hague, O=Halmai, OU=Home IT, E=thalmai@ossinvent.com, CN=intermediate-ca"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=NL, ST=Zuid-Holland, L=The Hague, O=Halmai, OU=Home IT, E=thalmai@ossinvent.com, CN=root-ca"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote endpoint changed from 0.0.0.0 to SSS.SSS.SSS.SSS[6306]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> local endpoint changed from 0.0.0.0[500] to DDD.DDD.DDD.DDD[500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T18:30:35   Informational   charon    15[NET] <3> received packet: from SSS.SSS.SSS.SSS[6306] to DDD.DDD.DDD.DDD[500] (562 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] created IKE_SA (unnamed)[3]
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r
2025-10-12T18:30:35   Informational   charon    15[MGR] checkin and destroy of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
2025-10-12T18:30:35   Informational   charon    15[MGR] <2> checkin and destroy IKE_SA (unnamed)[2]
2025-10-12T18:30:35   Informational   charon    15[NET] <2> sending packet: from DDD.DDD.DDD.DDD[500] to SSS.SSS.SSS.SSS[6306] (38 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method in received payload ECP_256 doesn't match negotiated MODP_2048
2025-10-12T18:30:35   Informational   charon    15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> remote endpoint changed from 0.0.0.0 to SSS.SSS.SSS.SSS[6306]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> local endpoint changed from 0.0.0.0[500] to DDD.DDD.DDD.DDD[500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T18:30:35   Informational   charon    15[NET] <2> received packet: from SSS.SSS.SSS.SSS[6306] to DDD.DDD.DDD.DDD[500] (370 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] created IKE_SA (unnamed)[2]
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r

but unfortunately I cannot pass this point and establish a stable IPsec tunnel :-(

Could you please take a quick look and let me know how to proceed?


Thank you,

Tamas Halmai
#10
Thank you.

The logging issue is partially solved (still not the advanced mode) and this is what I can see (similar info to the pcap file):
2025-10-12T13:02:41   Informational   charon    12[NET] <9> sending packet: from SSS.SSS.SSS.SSS[500] to CCC.CCC.CCC.CCC[32674] (36 bytes)
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-10-12T13:02:41   Informational   charon    12[IKE] <9> no IKE config found for SSS.SSS.SSS.SSS...CCC.CCC.CCC.CCC, sending NO_PROPOSAL_CHOSEN
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T13:02:41   Informational   charon    12[NET] <9> received packet: from CCC.CCC.CCC.CCC[32674] to SSS.SSS.SSS.SSS[500] (370 bytes)


- Is the "no IKE config found for SSS.SSS.SSS.SSS" log entry created because no matching cipher was found?
- Could you tell me how to enable advanced logging?

Thanks in advance,

Tamas Halmai
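The two posts above (#9 and #10) quote charon log lines whose meaning is easy to miss when read newest-first. As an added example, not code from these posts or from OPNsense/strongSwan, here is a small Python triage script that parses that log format and reports per IKE_SA why the negotiation stopped: the NO_PROPOSAL_CHOSEN case from #10, the INVAL_KE round trip in #9 where ECP_256 is rejected in favour of MODP_2048, and the half-open SA that was deleted after the EAP identity request went unanswered. The sample lines are constructed from those posts with the same address redaction.

```python
import re
from collections import defaultdict

# Line shape as shown in the OPNsense IPsec log (charon):
#   "<timestamp>   Informational   charon    15[IKE] <3> message"
# The <...> tag is "<n>" or "<peer-config-name|n>"; n is the IKE_SA number.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[(?P<group>[A-Z]+)\]\s+"
    r"(?:<(?:[^|>]+\|)?(?P<sa>\d+)>\s+)?(?P<msg>.*)$"
)

# Constructed sample in the newest-first order the GUI shows, modelled on the
# lines quoted in the posts (addresses redacted the same way). Not a real capture.
SAMPLE_LOG = """\
2025-10-12T13:02:41   Informational   charon    12[IKE] <9> no IKE config found for SSS.SSS.SSS.SSS...CCC.CCC.CCC.CCC, sending NO_PROPOSAL_CHOSEN
2025-10-12T18:31:05   Informational   charon    15[JOB] <59779880-550b-4859-bb8b-d5627b6f431b|3> deleting half open IKE_SA with SSS.SSS.SSS.SSS after timeout
2025-10-12T18:30:35   Informational   charon    15[ENC] <59779880-550b-4859-bb8b-d5627b6f431b|3> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> initiating EAP_IDENTITY method (id 0x00)
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r
"""

def parse(text):
    """Yield (sa_number or None, log group, message) for every charon line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("sa"), m.group("group"), m.group("msg")

def classify(text):
    """Map IKE_SA number -> verdict code. Messages are grouped per SA first,
    so the result does not depend on the log being oldest- or newest-first."""
    by_sa = defaultdict(list)
    for sa, _group, msg in parse(text):
        if sa is not None:          # MGR bookkeeping lines carry no SA tag
            by_sa[sa].append(msg)
    verdicts = {}
    for sa, msgs in by_sa.items():
        joined = "\n".join(msgs)
        if "NO_PROPOSAL_CHOSEN" in joined:
            # responder found no IKE config / proposal for this peer pair
            verdicts[sa] = "NO_PROPOSAL_CHOSEN"
        elif m := re.search(r"key exchange method (\S+) unacceptable, requesting (\S+)", joined):
            # INVAL_KE: the initiator retries with the requested DH group, so
            # this SA is expected to die and be replaced by a fresh one
            verdicts[sa] = f"INVALID_KE:{m.group(1)}->{m.group(2)}"
        elif "deleting half open IKE_SA" in joined:
            # the peer stopped answering; note whether EAP had already started
            stage = "AFTER_EAP_IDENTITY" if "EAP_IDENTITY" in joined else "BEFORE_AUTH"
            verdicts[sa] = f"HALF_OPEN_TIMEOUT_{stage}"
        else:
            verdicts[sa] = "OK_OR_INCOMPLETE"
    return verdicts
```

A half-open timeout right after the EAP identity request, with the server's own AUTH already sent, points at the client side (it received the server certificate and did not continue), which matches the certificate-trust findings in post #6.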

#11
Dear Cedrik,

Thanks for your reply and sharing a new pointer.

I have made the attempt to develop a working IPsec IKEv2 RemoteWarrior setup based on your input, but still no joy :-(

I can see 3 different issues:
1) your new tech note only partially covers the OPNsense 25.7.4 GUI options. For instance, these parameters are not in the new GUI:
- UDP encapsulation
- Rekey time
- DPD delay
- Send certificate
- Keyingtries
2) In the Packet Capture I can see that the ISAKMP negotiation starts, but OPNsense is rejecting the proposal sent by my iPhone (or that is not compatible with your selected aes256-sha256-modp2048 cipher). According to your experience, what other cipher could I try?
3) The IPsec Log file is completely empty. Could you advise how to enable logging, because it is very difficult to make the next step without that?

Thanks in advance,

Tamas Halmai
#12
Dear Cedrick,

Thanks for your reply, but my headache still exists because the article you quote seems to be an obsolete one (actually, I do not see a good match with the configuration options made available in the OPNsense 25.7.4 GUI that I am running... :-()

Best regards,

Tamas Halmai
#13
I have also tried to resolve this "plugin misconfigured" issue:

***GOT REQUEST TO RESYNC***
Currently running OPNsense 25.7.4 (amd64) at Fri Oct 10 16:50:09 CEST 2025
Registering plugin: os-speedtest-community
***DONE***

But the above procedure did not solve my issue either...

Thanks,

Tamas Halmai
#14
Dear OPNsense Forum Members,

Although I am a newbie to the OPNsense world, I have succeeded in setting up my first OPNsense NAT/FW...

So far so good, but as last step I also would like to enable an IPsec based VPN server to terminate IPsec tunnels from my remote Apple devices (iPhone/iMac) on the OPNsense device.

Unfortunately I am stuck at this moment because the documentation I could find wrt. this configuration option is based on an earlier firmware version, which is different from my OPNsense 25.7.4 GUI :-(.

Could one of you please help me out with a relevant step-by-step instruction?

Thanks in advance,

Tamas Halmai