IPsec road warrior VPN setup compatible with Windows, Apple and Android

Started by Mistery, April 18, 2020, 06:40:15 PM

I am struggling with setting up a road warrior VPN to allow remote clients to connect to the corporate network, with remote clients running different OSes: Windows 7 and above, Mac OS/X, and some Apple IOS and Android mobile clients.
I can't get a proper configuration working. I have followed all the wiki pages and tried multiple configurations many times, and the only configuration I could get working on Apple Mac and IOS mobile clients is Mutual PSK + XAuth with V1 key exchange.
All other configurations I tried as per the wiki pages are not working, including IKEv2 EAP-MSCHAPv2 (tried and reviewed the configuration many times).
I have read many topics on this forum and couldn't find a clear path to configure IPsec VPN, and it seems like the wiki pages are lacking some details.
I would appreciate any help from someone who has already experienced the same issues and could share some deeper details on how to configure IPsec VPN to allow different clients to connect.
Thanks in advance, everybody.

Maybe you should skip the GUI configuration and create your own one in /usr/local/etc/ipsec.opnsense.d and /usr/local/etc/strongswan.opnsense.d.

There exist some sample configurations on the strongswan pages that are win7 compatible (incl. reg hack to increase from mod1024 to mod2048 ciphers and rekey=no) and ones for Mac (make_before_break).

You have much more options for tuning and compatibility when directly editing your configuration. And with those directories, configuration is preserved during updates.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Strongswan works pretty well with IKEv2 and Windows 7+ and Android. Mac depends on version. Some are known to have issues with VPN. And Linux is a bit tricky due to certificates.

Quote from: hbc on April 18, 2020, 08:16:24 PM
You have much more options for tuning and compatibility when directly editing your configuration. And with those directories, configuration is preserved during updates.

Thank you for pointing this out. I have no experience in manually editing strongswan configurations, however I will give it a try.
I am just wondering what happens to the custom configuration in case of an OPNsense HA cluster: are custom configurations synchronised to the backup node as well?

Unfortunately not. You have to take care of synchronization manually. But with version 20.x you always have to take care anyway that the HA cluster is synced, since auto-sync has been removed.

I tried manually configuring strongswan via a custom config saved in the folder /usr/local/etc/ipsec.conf.d, however I wasn't able to make it work.

I tried a very simple custom configuration starting from the working configuration saved in /usr/local/etc/ipsec.conf by OPNsense GUI.

I have cut from /usr/local/etc/ipsec.conf the below config lines generated by OPNsense GUI

config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel

  inactivity = 1800s
  left = <WAN CARP IP address>
  right = %any

  leftid = <WAN CARP IP address>
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 192.168.117.0/24
  ike = aes256-sha256-modp2048,aes256-sha256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 172.19.6.0/24
  esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,blowfish256-sha1,blowfish256-sha256,blowfish192-sha1,blowfish192-sha256,blowfish128-sha1,blowfish128-sha256,3des-sha1,3des-sha256!
  auto = add

and pasted the above lines into a custom config file /usr/local/etc/ipsec.conf.d/apple.conf, then I restarted the strongswan service.

The above are the config lines generated by GUI and found to be working using Apple devices.

Tried connecting to the VPN, however it didn't work as expected. Restoring the above configuration in the OPNsense GUI, the VPN service is working fine.

My goal was to test configuring strongswan using custom config files instead of the GUI and using a valid working configuration. I was expecting it to work smoothly so as to start adding new connections for Windows and Android devices.

Am I missing anything? Any hints?

I thought you were working on an IKEv2 version.

I am not sure whether mutual PSK auth works without aggressive mode in IKEv1. I thought you have to use at least a certificate on the server side and hybrid mode.

But I would try to make an IKEv2 version. Certificate for server and EAP for clients. I use eap-radius and auth against Active Directory. Depending on the AD group, the IP pools are assigned and thus firewall restrictions set.

Rainerle posted a configuration example here. Will try to link it.

https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode

See here for tutorial and samples:

https://forum.opnsense.org/index.php?topic=12147.0

The configuration lines reported in previous messages were automatically generated by the OPNsense GUI and were working fine with Apple devices, so yes, I found an IKEv1 Mutual PSK+XAuth configuration to be working fine and wanted to try to move that configuration to the custom folder /usr/local/etc/ipsec.opnsense.d, to add additional IKEv2 connections for Windows devices at a later time.
The certificate is installed server side and uses the Letsencrypt CA anyway.

Did you add your PSK to a file in /usr/local/etc/ipsec.secrets.opnsense.d?

Quote from: hbc on April 19, 2020, 10:00:20 AM
See here for tutorial and samples:
https://forum.opnsense.org/index.php?topic=12147.0

Tried implementing the config shown in that tutorial, customised for my own environment. I tried to make it as simple as possible, however I am still having issues. Here are my config files; I have just masked private or confidential info:

# cat /usr/local/etc/ipsec.conf

# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = no
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel
  dpdaction = restart
  dpddelay = 10s
  dpdtimeout = 60s
 
  left = <OPNsense CARP IP WAN>
  right = %any
 
  leftid = <OPNsense CARP IP WAN>
  ikelifetime = 86400s
  lifetime = 3600s
  rightsourceip = 192.168.117.0/24
  ike = aes256-aesxcbc-ecp521,aes256-sha512-ecp521,aes256-sha384-ecp521,aes256-sha256-ecp521!
  leftauth = psk
  rightauth = psk
  leftsubnet = <OPNsense LAN subnet/24>
  esp = aes256-sha256,aes256-sha384,aes256-sha512,aes256-aesxcbc!
  auto = start

include ipsec.opnsense.d/*.conf

*************************************************************************

# cat /usr/local/etc/ipsec.secrets

%any : PSK <encrypted key>

include ipsec.secrets.opnsense.d/*.secrets

*************************************************************************

# cat /usr/local/etc/strongswan.conf

# Automatically generated, please do not modify
starter {
    load_warning = no
}
charon {
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    ignore_acquire_ts = yes
    syslog {
        identifier = charon
        daemon {
            ike_name = yes
        }
    }
    cisco_unity = yes
    plugins {
        attr {
            subnet = <OPNsense LAN subnet/24>
            split-include = <OPNsense LAN subnet/24>
            dns = <Internal DNS IP address>
            nbns = <Internal WINS IP address>
            # Search domain and default domain
            28674 = <domain name>
            28675 = <domain name>
            25 = <domain name>
            28672 = "<Welcome text>"
        }
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }
}

include strongswan.opnsense.d/*.conf

*************************************************************************

# cat /usr/local/etc/ipsec.opnsense.d/ipsec.mobile.conf

config setup
# Since userID is the right id we allow more than one connection per right id.
# This overrules the OPNsense standard yes in ipsec.conf and is a global parameter!
  uniqueids = never

conn mobile
# Default OPNsense
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  ikelifetime = 28800s
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
  ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  left = <OPNsense CARP IP WAN>
  leftid = <OPNsense hostname>
  leftauth = pubkey
# Lets encrypt certificate
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightsendcert = never
  right = %any
  rightauth = xauth-pam
  eap_identity = %any

conn mobile-users
# Include above config
  also = mobile
# Split tunneled networks
  leftsubnet = <OPNsense LAN subnet/24>
# Virtual IP pool assigned to this group
  rightsourceip = <VPN Pool subnet/24>
  auto = add

*************************************************************************

After restarting the strongswan service I can't connect, and the log reports the following:

2020-04-19T15:18:44   charon: 15[NET] <mobile-users|2> sending packet: from <OPNsense CARP IP WAN>[4500] to <VPN client IP address>[4500] (80 bytes)
2020-04-19T15:18:44   charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer supports MOBIKE
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2020-04-19T15:18:44   charon: 15[CFG] <mobile-users|2> no alternative config found
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer requested EAP, config unacceptable
2020-04-19T15:18:44   charon: 15[CFG] <mobile-users|2> selected peer config 'mobile-users'
2020-04-19T15:18:44   charon: 15[CFG] <2> looking for peer configs matching <OPNsense CARP IP WAN>[OPNsense hostname]...<VPN client IP address>[PSK key]
2020-04-19T15:18:44   charon: 15[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2020-04-19T15:18:44   charon: 15[ENC] <2> unknown attribute type INTERNAL_DNS_DOMAIN
2020-04-19T15:18:44   charon: 15[NET] <2> received packet: from <VPN client IP address>[4500] to <OPNsense CARP IP WAN>[4500] (512 bytes)
2020-04-19T15:18:44   charon: 15[NET] <2> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[500] (456 bytes)
2020-04-19T15:18:44   charon: 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-04-19T15:18:44   charon: 15[IKE] <2> remote host is behind NAT
2020-04-19T15:18:44   charon: 15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:18:44   charon: 15[IKE] <2> no matching proposal found, trying alternative config
2020-04-19T15:18:44   charon: 15[CFG] <2> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:18:44   charon: 15[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
2020-04-19T15:18:44   charon: 15[IKE] <2> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:18:44   charon: 15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2020-04-19T15:18:44   charon: 15[NET] <2> received packet: from <VPN client IP address>[500] to <OPNsense CARP IP WAN>[500] (604 bytes)

The VPN connection on the Apple client device is configured as an IKEv2 connection, server IP address <OPNsense CARP IP WAN>, remote ID <OPNsense hostname>, authentication using username and password.

Tried connecting from a Windows 7 client with the VPN connection configured in IKEv2 mode and got the following:

2020-04-19T15:28:12   charon: 16[NET] <17> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:12   charon: 16[ENC] <17> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:12   charon: 16[IKE] <17> received proposals unacceptable
2020-04-19T15:28:12   charon: 16[IKE] <17> remote host is behind NAT
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> no matching proposal found, trying alternative config
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:12   charon: 16[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:12   charon: 16[NET] <17> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
2020-04-19T15:28:10   charon: 16[NET] <16> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:10   charon: 16[ENC] <16> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:10   charon: 16[IKE] <16> received proposals unacceptable
2020-04-19T15:28:10   charon: 16[IKE] <16> remote host is behind NAT
2020-04-19T15:28:10   charon: 16[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:10   charon: 16[CFG] <16> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:10   charon: 16[IKE] <16> no matching proposal found, trying alternative config
2020-04-19T15:28:10   charon: 16[CFG] <16> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:10   charon: 16[CFG] <16> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:10   charon: 16[IKE] <16> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:10   charon: 16[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:10   charon: 16[NET] <16> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
2020-04-19T15:28:09   charon: 16[NET] <15> sending packet: from <OPNsense CARP IP WAN>[500] to <VPN client IP address>[59546] (36 bytes)
2020-04-19T15:28:09   charon: 16[ENC] <15> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2020-04-19T15:28:09   charon: 16[IKE] <15> received proposals unacceptable
2020-04-19T15:28:09   charon: 16[IKE] <15> remote host is behind NAT
2020-04-19T15:28:09   charon: 16[CFG] <15> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:09   charon: 16[CFG] <15> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:09   charon: 16[IKE] <15> no matching proposal found, trying alternative config
2020-04-19T15:28:09   charon: 16[CFG] <15> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
2020-04-19T15:28:09   charon: 16[CFG] <15> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
2020-04-19T15:28:09   charon: 16[IKE] <15> <VPN client IP address> is initiating an IKE_SA
2020-04-19T15:28:09   charon: 16[ENC] <15> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2020-04-19T15:28:09   charon: 16[NET] <15> received packet: from <VPN client IP address>[59546] to <OPNsense CARP IP WAN>[500] (528 bytes)
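
The two failure patterns in the logs quoted above (no IKE proposal in common, and an IKEv2 client asking for EAP while the connection is configured for xauth-pam) can be picked out of the charon output mechanically. The script below is an added triage example and is not part of this thread or of OPNsense or strongSwan; it assumes the charon log format shown above and works on constructed sample lines modelled on the posted ones.

```python
"""Triage charon (strongSwan) log lines for the two failures seen in this thread:
an IKE proposal mismatch and an EAP authentication-method mismatch."""
import re

# Constructed sample, modelled on the log lines quoted in the thread (placeholders kept).
SAMPLE_LOG = """\
2020-04-19T15:28:12   charon: 16[CFG] <17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-19T15:28:12   charon: 16[CFG] <17> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
2020-04-19T15:28:12   charon: 16[IKE] <17> received proposals unacceptable
2020-04-19T15:18:44   charon: 15[IKE] <mobile-users|2> peer requested EAP, config unacceptable
2020-04-19T15:18:44   charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

PROPOSAL_RE = re.compile(
    r"charon: \d+\[CFG\] <(?P<sa>[^>]+)> (?P<side>configured|received) proposals: (?P<list>.+)$")
EAP_RE = re.compile(r"<(?P<sa>[^>]+)> peer requested EAP, config unacceptable")


def parse_proposals(text):
    """Turn 'IKE:ENC/INTEG/PRF/DH, IKE:...' into a list of (enc, integ, prf, dh) tuples."""
    out = []
    for item in text.split(","):
        item = item.strip()
        if item.startswith("IKE:"):
            item = item[4:]
        parts = item.split("/")
        if len(parts) == 4:
            out.append(tuple(parts))
    return out


def diagnose(log_text):
    """Return {ike_sa_id: [finding, ...]} for the SAs that failed."""
    proposals = {}   # sa id -> {"configured": [...], "received": [...]}
    findings = {}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            # Several conns may be tried for one SA; collect all their proposals.
            sa = proposals.setdefault(m["sa"], {})
            sa.setdefault(m["side"], []).extend(parse_proposals(m["list"]))
            continue
        m = EAP_RE.search(line)
        if m:
            findings.setdefault(m["sa"], []).append(
                "client authenticates with EAP over IKEv2, but rightauth is not an eap-* "
                "method; xauth-pam only applies to IKEv1 XAuth")
    for sa, sides in proposals.items():
        conf, recv = sides.get("configured", []), sides.get("received", [])
        if not conf or not recv or set(conf) & set(recv):
            continue  # nothing logged, or at least one full proposal matches
        conf_dh, recv_dh = {p[3] for p in conf}, {p[3] for p in recv}
        msg = "no full IKE proposal in common"
        if not conf_dh & recv_dh:
            # The usual Windows 7 case: client offers only MODP_1024.
            msg += ": no shared DH group (server %s, client %s)" % (
                sorted(conf_dh), sorted(recv_dh))
        findings.setdefault(sa, []).append(msg)
    return findings


if __name__ == "__main__":
    for sa_id, notes in diagnose(SAMPLE_LOG).items():
        for note in notes:
            print("IKE_SA <%s>: %s" % (sa_id, note))
```

Feed it the real log with `diagnose(open("/var/log/ipsec.log").read())` (path assumed) to see, per IKE_SA, whether the failure is on the proposal side or the authentication side before touching the config.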

Did you add the registry option to enable 2048 bits? Else add aes128-sha256-modp1048 to ciphers

Quote from: hbc on April 19, 2020, 10:00:20 AM
See here for tutorial and samples:

https://forum.opnsense.org/index.php?topic=12147.0

So far, not so good...

I have spent the last few days trying to make this work, however to the best of my knowledge I am still unable to finalise this configuration.

I tried many times reconfiguring from scratch using the tutorial above, however I ended up considering the tutorial configuration not completely correct, and I wonder if someone used it as described and was able to set up the tunnel.

There are at least a couple of questions to mention. One is related to misleading info provided in the tutorial, where it says

"- Minimal configuration of VPN->IPsec->Mobile Client. No tunnels are created in the WebUI!!!"

however according to the config files attached to the tutorial, there is an ipsec.conf from the standard OPNsense WebUI configuration, therefore it seems like a tunnel was created there and additional config added to the custom folder.

The second question is related to the user authentication mechanism I am using: in the tutorial radius authentication is used, however on my side I am using local+LDAP authentication.
The LDAP authentication server was correctly configured in System > Access > Servers and it's working fine using the tester.

All my VPN connection attempts end up in

charon: 15[ENC] <mobile-users|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Could it be that the above error reported on my side when connecting is related to the actual user authentication being unsuccessful for any reason, even if using the OPNsense authentication tester it works ok?

Quote from: hbc on April 19, 2020, 09:59:30 PM
Did you add the registry option to enable 2048 bits? Else add aes128-sha256-modp1048 to ciphers

Added this as well, however the same error as reported in my previous message is occurring.

Also worth mentioning that I tried the VPN connection from both an Apple device and Windows 7 (enabled MODP2048 via registry setting) and the error is exactly the same:

charon: 05[ENC] <mobile-users|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

On the Windows 7 device the error shown is 13801.

Furthermore, I just want to also add that using eap-mschapv2 I am getting

charon: 05[IKE] <mobile-users|2> EAP-MS-CHAPv2 verification failed, retry (1)

and this is why I assume there are issues with the authentication mechanism being used on my side (local+LDAP instead of radius).