HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group

Started by rainerle, March 21, 2019, 04:21:10 PM

Any updated directions on how to configure IPSEC mobile VPN with Radius? I followed the directions exactly but get "The error code returned on failure is 13801".


Hi,

I updated the HOWTO to make more use of the web interface and therefore of the automatic firewall rules and web interface validation.

Only the rightgroups activation and handling and the respective Virtual IPv4/IPv6 address pool assignment are now done within the include files.

IPv6 and IPv4 IPsec responder addresses work as well.

All the best
Rainer

I disabled the dead peer detection (DPD) on the VPN service again, as the server cannot restart the connection anyway if the client moves between networks. The Mobile VPN clients take care of the connection better - either by Mobile IKE (MOBIKE) or by using DPD on their side.

I experienced broken connections and disconnects, so I adjusted the configuration.

How does this guide transfer to the new swanctl.conf, since the ipsec.conf is now considered legacy and not generated by the system anymore?

I haven't upgraded yet and haven't had a look at new options yet.

As soon as I have upgraded I will update this how-to.


There is now a pull request that brings everything required into the WebGUI.
https://github.com/opnsense/core/pull/6826

As soon as the PR is in main I am going to update the HowTo...

Recently upgraded from 22.7.11 to 24.1.8 and the configuration is now completely in the gui.

I followed the official guide: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

Per user group one connection.
Per user group a dedicated v4 and v6 IP address pool that gets assigned per connection.

Rekey set to 0 where available in advanced settings.
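A swanctl.conf sketch of the per-group layout the last post describes (one connection per user group, a dedicated IPv4 and IPv6 pool per connection, rekeying set to 0). This is an added illustration, not configuration taken from the thread, the linked OPNsense guide or the PR; the connection names, group names and address ranges are constructed placeholders, and it assumes strongSwan's eap-radius plugin is set to derive group membership from the RADIUS Class attribute (`charon.plugins.eap-radius.class_group = yes` in strongswan.conf) so that `remote.groups` can select the connection.

```ini
# Added illustration, not from the thread: swanctl.conf with one IKEv2
# roaming-client connection per user group. All names and address
# ranges below are constructed placeholders.
connections {
    rw-staff {
        version = 2
        # Address pools handed out to clients that match this connection.
        pools = staff-v4, staff-v6
        # IKE rekeying disabled on the responder ("Rekey set to 0").
        rekey_time = 0
        local {
            auth = pubkey
            certs = server.crt            # placeholder certificate name
            id = vpn.example.org          # placeholder responder identity
        }
        remote {
            # Authentication is delegated to RADIUS (EAP relayed by charon).
            auth = eap-radius
            eap_id = %any
            # Only identities whose RADIUS Class attribute maps to this
            # group match this connection (assumes class_group = yes).
            groups = staff
        }
        children {
            staff {
                # Split tunnel for staff: only the internal prefixes are
                # routed through the VPN.
                local_ts = 10.0.0.0/8, fd00:10::/32
                rekey_time = 0
            }
        }
    }
    rw-contractors {
        version = 2
        pools = contractors-v4, contractors-v6
        rekey_time = 0
        local {
            auth = pubkey
            certs = server.crt
            id = vpn.example.org
        }
        remote {
            auth = eap-radius
            eap_id = %any
            groups = contractors
        }
        children {
            contractors {
                # A narrower scope for this group: one server subnet only.
                local_ts = 10.20.0.0/24, fd00:10:20::/64
                rekey_time = 0
            }
        }
    }
}

# One v4 and one v6 pool per group; the pool names are referenced from
# the matching connection's "pools" line above.
pools {
    staff-v4       { addrs = 10.10.1.0/24 }
    staff-v6       { addrs = fd00:10:1::/64 }
    contractors-v4 { addrs = 10.10.2.0/24 }
    contractors-v6 { addrs = fd00:10:2::/64 }
}
```

The grouping is done entirely by `remote.groups`: a client that authenticates via RADIUS is matched only against the connection whose group name its Class attribute carries, so it receives that connection's pools and traffic selectors and nothing from the other group's. After loading with `swanctl --load-all`, `swanctl --list-pools` shows the per-group leases, which is the quickest check that a client landed in the intended pool.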