Please help - at my wits end with IPSEC and Strongswan

[burntoc]

Hey all,

I hate that my first post here has to be a request, but I've switched from EdgeOS and an ER-X to Sophos XG and now to OPNsense.  Overall I must say I'm really pleased and I can't see going back, but I need to get IKEv2 VPNs set for my Android and IOS devices because the battery drain running OpenVPN (which is working fine) is too high for them to be always on, which I want.

I've followed every road-warrior tutorial I can find here (wiki/FAQs), online, for pfsense even, strongswan generic, etc. and I just cannot get this to work.  It usually results in some sort of log error indicating "no prop" or most prominently, "constraint requires public key authentication, but EAP was used". I'm afraid of doing much more because if I follow all the varying instructions I'll end up with a bunch of bad/unneeded certs to revoke as well.

Honestly I'm thinking that the GUI just doesn't work for it, and I need to SSH in and edit the config files or something.  I really don't need anything complicated - as long as the username/password exchange can't be intercepted even that would be sufficient, and AES256 encryption.  Certs are nice, but for my 5-10 home devices I'd be ok not using them.

Can someone help me?  I'll post anything you need.  I've spent hours at this and my wife is like "give it up", but I can tell I'm THIS close.

Huge thanks in advance for anyone who can help me achieve this! Excited to be part of the OPNsense community!

[burntoc]

Actually I'm confident I can get OpenVPN up again so if you have a guide for IKEv2 and Strongswan on Android that will also support IOS for always on VPN I'll start over. Unfortunately none of the common guides work.

[burntoc]

So as an update I got this part solved.  I've since spent hours and hours trying every combination of things I can find on the internet to actually use the established VPN tunnel, but while I can see the outbound requests allowed on the logs I can't access my local LAN or the internet through the tunnel.

I'm not optimistic I'll get the help I need because I see a ton, an absolute ton, of messages here with dozens of views and no replies, but I'll start a thread with the appropriate title and hope.  I really want to be a part of this community, but I can't get out of the gate.

[guest18661]

I've just started to look into trying to set up IKEv2 as there are a few posts I've read that seem to indicate it's possible, but I haven't found any good guides on it yet. I did find something about a bug in 19.1.4 where something was automatically set or unset by the GUI and it caused problems, but I forgot the details. I believe it's supposed to be fixed in 19.1.5, so I may just wait.

But if you have any pointers to instructions for setting it up I might go ahead and give it a go.

[burntoc]

I wish I could help you. I wanted to use OPN so badly, but the support here is just nonexistent, unfortunately. I think it will get there. but for now you're just on your own here, as you can see from the vast majority of posts with no responses, much less solutions.  I do wish they'd adopt the forum approach Sophos has as it really encourages people to solve problems. For now, though, I'm on Pfsense and if I find a solution I'll try to circle back here to post it at least.