Messages - Tamas Halmai

#1
Cedrick,

You are absolutely right, I have also considered reusing the box's main public Let's Encrypt certificate obtained via ACME (I just wanted to follow your config described in the App Note to the maximum extent possible to avoid any unknowns..), IMHO indeed that should be the simplest way forward...

Best regards

Tamas Halmai
#2
Hi Gents,

Please try to follow Cedrick's App Note carefully: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html. This is a good starting point...

In my case the biggest stumbles were as follows:
- that "advanced mode" toggle in the upper left corner of the IPsec screen is pretty easy to overlook
- it was not in the documentation that the DNS server(s) can be defined on the Pool configuration form
- and the biggest one is that Apple hasn't implemented the certificate check consistently, i.e. the macOS and iOS implementations differ:
  - in the case of macOS it is sufficient to import the root and intermediate certificates and accept the root certificate as trustworthy
  - iOS is more picky: additionally it is necessary to create a .config profile and embed the root and intermediate certificates in DER Base64 format.

Hopefully the above will be deemed helpful, but please send specific questions and I will try to help...

Best regards,

Tamas Halmai
#3
Hi Cedrick,

It is alright.

...and the good news is that I have a fully operational IPsec IKEv2 VPN terminated by OPNsense v25.7.4 on all my Apple devices (i.e. MBP, iOS) ;-)

Have a great day,

Tamas Halmai
#4
Dear Cedrick,

The particular reason that I want to get IPsec IKEv2 working is because that is natively supported on Apple devices without installing further VPN clients.

No problem, this is neither the first nor the last tricky/badly documented feature I have had to fix in my 30+ years networking career...

Best regards,

Tamas Halmai

PS: But, as a courtesy to your fellow Forum Members, if you cannot provide a solution/constructive support, then please do not post rude comments
#5
Dear Cedrick,

I could make progress with the ISAKMP Phase 1 negotiation by enabling detailed logging:

2025-10-12T18:31:05   Informational   charon    15[MGR] checkin and destroy of IKE_SA successful
2025-10-12T18:31:05   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3] state change: CONNECTING => DESTROYING
2025-10-12T18:31:05   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin and destroy IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3]
2025-10-12T18:31:05   Informational   charon    15[JOB] <59779880-550b-4859-bb8b-d5627b6f431b|3> deleting half open IKE_SA with SSS.SSS.SSS.SSS after timeout
2025-10-12T18:31:05   Informational   charon    15[MGR] IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3] successfully checked out
2025-10-12T18:31:05   Informational   charon    15[MGR] checkout IKEv2 SA with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin IKEv2 SA 59779880-550b-4859-bb8b-d5627b6f431b[3] with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[NET] <59779880-550b-4859-bb8b-d5627b6f431b|3> sending packet: from DDD.DDD.DDD.DDD[4500] to SSS.SSS.SSS.SSS[6308] (400 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <59779880-550b-4859-bb8b-d5627b6f431b|3> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> authentication of 'ipsec-cert....' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> peer supports MOBIKE
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_DNS_DOMAIN attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_DNS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_DHCP attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_ADDRESS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_DNS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_DHCP attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_NETMASK attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_ADDRESS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> initiating EAP_IDENTITY method (id 0x00)
2025-10-12T18:30:35   Informational   charon    15[CFG] <59779880-550b-4859-bb8b-d5627b6f431b|3> selected peer config '59779880-550b-4859-bb8b-d5627b6f431b'
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> looking for peer configs matching DDD.DDD.DDD.DDD[ipsec-cert....]...SSS.SSS.SSS.SSS[xyz@ipsec...]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote endpoint changed from SSS.SSS.SSS.SSS[6306] to SSS.SSS.SSS.SSS[6308]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> local endpoint changed from DDD.DDD.DDD.DDD[500] to DDD.DDD.DDD.DDD[4500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
2025-10-12T18:30:35   Informational   charon    15[NET] <3> received packet: from SSS.SSS.SSS.SSS[6308] to DDD.DDD.DDD.DDD[4500] (416 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] IKE_SA (unnamed)[3] successfully checked out
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[MGR] <3> checkin of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[MGR] <3> checkin IKEv2 SA (unnamed)[3] with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[NET] <3> sending packet: from DDD.DDD.DDD.DDD[500] to SSS.SSS.SSS.SSS[6306] (557 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R13"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R12"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=NL, ST=Zuid-Holland, L=The Hague, O=Halmai, OU=Home IT, E=thalmai@ossinvent.com, CN=intermediate-ca"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=NL, ST=Zuid-Holland, L=The Hague, O=Halmai, OU=Home IT, E=thalmai@ossinvent.com, CN=root-ca"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote endpoint changed from 0.0.0.0 to SSS.SSS.SSS.SSS[6306]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> local endpoint changed from 0.0.0.0[500] to DDD.DDD.DDD.DDD[500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T18:30:35   Informational   charon    15[NET] <3> received packet: from SSS.SSS.SSS.SSS[6306] to DDD.DDD.DDD.DDD[500] (562 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] created IKE_SA (unnamed)[3]
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r
2025-10-12T18:30:35   Informational   charon    15[MGR] checkin and destroy of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
2025-10-12T18:30:35   Informational   charon    15[MGR] <2> checkin and destroy IKE_SA (unnamed)[2]
2025-10-12T18:30:35   Informational   charon    15[NET] <2> sending packet: from DDD.DDD.DDD.DDD[500] to SSS.SSS.SSS.SSS[6306] (38 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method in received payload ECP_256 doesn't match negotiated MODP_2048
2025-10-12T18:30:35   Informational   charon    15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> remote endpoint changed from 0.0.0.0 to SSS.SSS.SSS.SSS[6306]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> local endpoint changed from 0.0.0.0[500] to DDD.DDD.DDD.DDD[500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T18:30:35   Informational   charon    15[NET] <2> received packet: from SSS.SSS.SSS.SSS[6306] to DDD.DDD.DDD.DDD[500] (370 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] created IKE_SA (unnamed)[2]
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r

but unfortunately I cannot get past this point and establish a stable IPsec tunnel :-(

Could you please take a quick look and let me know how to proceed?


Thank you,

Tamas Halmai
#6
Thank you.

The logging issue is partially solved (still not the advanced mode) and this is what I can see (similar info to the pcap file):
2025-10-12T13:02:41   Informational   charon    12[NET] <9> sending packet: from SSS.SSS.SSS.SSS[500] to CCC.CCC.CCC.CCC[32674] (36 bytes)
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-10-12T13:02:41   Informational   charon    12[IKE] <9> no IKE config found for SSS.SSS.SSS.SSS...CCC.CCC.CCC.CCC, sending NO_PROPOSAL_CHOSEN
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T13:02:41   Informational   charon    12[NET] <9> received packet: from CCC.CCC.CCC.CCC[32674] to SSS.SSS.SSS.SSS[500] (370 bytes)


- Is the "no IKE config found for SSS.SSS.SSS.SSS" log entry created because no matching cipher was found?
- Could you tell me how to enable advanced logging?

Thanks in advance,

Tamas Halmai
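
The two charon excerpts above (the INVAL_KE retry and the half-open timeout in post #5, the NO_PROPOSAL_CHOSEN in post #6) can be triaged mechanically instead of by eye. The Python script below is an added example, not code from this forum thread, from OPNsense or from strongSwan: it groups charon log lines by IKE_SA number and reports at which stage each negotiation stopped. The sample log is a constructed subset of the lines quoted in the two posts, with addresses masked as on the forum; the outcome labels, the "newest line first" ordering assumption (the order the OPNsense log view shows) and the interpretation that strongSwan emits "no IKE config found" from its connection lookup by peer addresses, separately from proposal (cipher) matching, are mine.

```python
"""Triage strongSwan (charon) IKEv2 negotiations from OPNsense IPsec log lines."""
import re
from collections import defaultdict

# Constructed sample: a condensed subset of the charon lines quoted in posts #5 and #6,
# newest first as the OPNsense GUI lists them, addresses masked as on the forum.
SAMPLE_LOG = """\
2025-10-12T18:31:05   Informational   charon    15[JOB] <59779880-550b-4859-bb8b-d5627b6f431b|3> deleting half open IKE_SA with SSS.SSS.SSS.SSS after timeout
2025-10-12T18:30:35   Informational   charon    15[ENC] <59779880-550b-4859-bb8b-d5627b6f431b|3> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> initiating EAP_IDENTITY method (id 0x00)
2025-10-12T18:30:35   Informational   charon    15[CFG] <59779880-550b-4859-bb8b-d5627b6f431b|3> selected peer config '59779880-550b-4859-bb8b-d5627b6f431b'
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS) SA TSi TSr N(MOBIKE_SUP) ]
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T18:30:35   Informational   charon    15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-10-12T13:02:41   Informational   charon    12[IKE] <9> no IKE config found for SSS.SSS.SSS.SSS...CCC.CCC.CCC.CCC, sending NO_PROPOSAL_CHOSEN
2025-10-12T13:02:41   Informational   charon    12[NET] <9> received packet: from CCC.CCC.CCC.CCC[32674] to SSS.SSS.SSS.SSS[500] (370 bytes)
"""

# timestamp, level, "charon", thread[SUBSYS], optional "<conn-name|N>" or "<N>" tag, message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[(?P<subsys>[A-Z]+)\]\s+"
    r"(?:<(?:[^|>]+\|)?(?P<sa>\d+)>\s+)?(?P<msg>.*)$"
)


def parse_line(line):
    """Split one charon line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "subsys": m["subsys"], "sa": m["sa"], "msg": m["msg"]}


def classify_sa(msgs):
    """Classify one IKE_SA from its messages in chronological order.

    Returns (outcome, selected_proposal_or_None, explanation)."""
    proposal = None
    sent_eap_request = False
    for msg in msgs:
        if msg.startswith("selected proposal: "):
            proposal = msg[len("selected proposal: "):]
        if "no IKE config found" in msg:
            return ("no_ike_config", proposal,
                    "no connection matched the local/remote addresses; "
                    "this lookup precedes proposal comparison, so it is not a cipher mismatch")
        if "unacceptable, requesting" in msg:
            return ("invalid_ke", proposal,
                    "DH group mismatch answered with INVALID_KE_PAYLOAD; "
                    "the peer is expected to retry with the requested group")
        if "generating IKE_AUTH response" in msg and "EAP/REQ/ID" in msg:
            sent_eap_request = True
        if "state change:" in msg and "=> ESTABLISHED" in msg:
            return "established", proposal, "IKE_SA established"
        if "half open IKE_SA" in msg and "after timeout" in msg:
            if sent_eap_request:
                return ("client_silent_after_ike_auth", proposal,
                        "peer never answered the IKE_AUTH response that carried the "
                        "server certificate and the EAP identity request")
            return "half_open_timeout", proposal, "peer stopped responding during IKE_SA_INIT"
    return "incomplete", proposal, "no terminal event seen"


def analyze(log_text, newest_first=True):
    """Map IKE_SA number -> classify_sa() result for every tagged line in log_text."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # restore chronological order
    per_sa = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sa"]:
            per_sa[rec["sa"]].append(rec["msg"])
    return {sa: classify_sa(msgs) for sa, msgs in per_sa.items()}


if __name__ == "__main__":
    for sa, (outcome, proposal, detail) in sorted(
            analyze(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"IKE_SA {sa}: {outcome} (proposal: {proposal})\n    {detail}")
```

Run against the real OPNsense log export (newest first) it yields one line per IKE_SA; in the sample, SA 9 stops at the address lookup, SA 2 is the rejected ECP_256 attempt, and SA 3 negotiates MODP_2048 and then goes silent after the server's certificate and EAP identity request, which matches the client-side certificate trust point discussed in post #2.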

#7
Dear Cedrick,

Thanks for your reply and sharing a new pointer.

I have made an attempt to develop a working IPsec IKEv2 RemoteWarrior setup based on your input, but still no joy :-(

I can see 3 different issues:
1) your new tech note only partially covers the OPNsense 25.7.4 GUI options. For instance these parameters are not in the new GUI:
- UDP encapsulation
- Rekey time
- DPD delay
- Send certificate
- Keyingtries
2) In the Packet Capture I can see that the ISAKMP negotiation starts, but OPNsense is rejecting the proposal sent by my iPhone (or it is not compatible with your selected aes256-sha256-modp2048 cipher). According to your experience, what other cipher could I try?
3) The IPsec Log file is completely empty. Could you advise how to enable logging, because it is very difficult to make the next step without that?

Thanks in advance,

Tamas Halmai
#8
Dear Cedrick,


Thanks for your reply, but my headache still exists because the article you quote seems to be an obsolete one (actually, I do not see a good match with the configuration options made available in the OPNsense 25.7.4 GUI that I am running... :-()

Best regards,

Tamas Halmai
#9
I have also tried to resolve this "plugin misconfigured" issue:

***GOT REQUEST TO RESYNC***
Currently running OPNsense 25.7.4 (amd64) at Fri Oct 10 16:50:09 CEST 2025
Registering plugin: os-speedtest-community
***DONE***

But the above procedure did not solve my issue either..

Thanks,

Tamas Halmai
#10
Dear OPNsense Forum Members,

Although I am a newbie to the OPNsense world, I have succeeded in setting up my first OPNsense NAT/FW...

So far so good, but as last step I also would like to enable an IPsec based VPN server to terminate IPsec tunnels from my remote Apple devices (iPhone/iMac) on the OPNsense device.

Unfortunately I am stuck at this moment because the documentation I could find w.r.t. this configuration option is based on an earlier firmware version which is different from my OPNsense 25.7.4 GUI :-(.

Could one of you please help me out with a relevant step-by-step instruction?

Thanks in advance,

Tamas Halmai