How to get IKEv2 EAP-TLS via "Connections" method working

Started by d39FAPH7, November 17, 2024, 12:20:07 PM

Hi, I'm trying to get an IPsec VPN with certificates working with the new "Connections" method. However, I have no success. I tried to make sense of the following guides:

//Original question deleted as i fixed it by myself. I posted a HowTo in this post. Just scroll down

I know it's probably not what you'd like to hear, but using OpenVPN with the Viscosity client works like a charm on a MacBook.

I use it for work and it just works perfectly with OPNsense, with no weird stuff happening.

IPsec can be a bit of a pain with native OS clients and road warrior setups.
Hardware:
DEC740

Thanks for your answer, but actually no, because I use this on iOS too, and I don't want to use apps because they cannot be integrated into the system as well as the native stuff, and they become unmaintained from time to time.

That's one way to see it. The other way is that native apps will break too.

https://forum.opnsense.org/index.php?topic=43766

And then you have to troubleshoot for hours. It has happened on Windows several times in the past, and with Apple it also seems to be a possibility.

So I guess there is no perfect solution.
Hardware:
DEC740

So to help here, you have to provide the error log from the macOS side too. IPsec troubleshooting needs both sides' errors most of the time.
Hardware:
DEC740

//edit:

I got it working. :)

One part of the problem was that I still had to install and trust the CA separately. I thought that was kind of bundled with the PKCS#12 file.

I will modify my post soon, once I have tested everything extensively. Thanks for pointing me to reading the Apple logs in more detail.

Awesome, maybe we can create a tutorial for the OPNsense docs out of it.

Thanks for testing this and providing the information.  :)
Hardware:
DEC740

https://github.com/opnsense/docs/issues/639

I will probably include an EAP-TLS section and reformat this document a bit for it.
Hardware:
DEC740

Here's the guide. I have been using it for some weeks now and it's working great on iOS and macOS. I will add information on what to do on macOS/iOS to get this working, but it is pretty straightforward: import and trust the CA plus the PKCS12 file, then set up the VPN in the GUI. That's it. You need to export the PKCS12 with a password. When exporting with a blank one, macOS will not import it.


CHANGES
   - V1.0 Initial

PREPARATION/INFO
   - This guide assumes that you have a working DNS config (i.e. your OPNsense is reachable via DNS). I use freedns.afraid.org for this.
   - This is a guide with only a little explanation. However, if you have ever followed one of the VPN recipes from the OPNsense wiki successfully, it will be easy for you to follow this guide.
   - In this guide the local net is 192.168.16.0/21. The tunnel net is 192.168.24.0/27. Adjust to your needs.
   - I use aes256-sha256-ecp256 because this is what recent iOS (18.1+) accepts.

REQUIREMENTS
   - Tested with iOS 18.1+
   - Tested with macOS 15.1+. Older macOS versions do not accept the PKCS12 file and fail with "wrong password?". It will probably work if you export with "openssl pkcs12 -export -legacy", but I have not tested it.

BUGS/QUESTIONS I HAVE
   - Distinct pools (Method 2) do not work for some reason.
   - Not sure when to use "Round: 0" or "Round: 1". Both work.
   - If I set "Start action" to "Trap", which is recommended in the OPNsense wiki, I get an error message in the logs: "11[CFG] installing trap failed, remote address unknown". It works anyway, but if I set it to None it also works, without the error in the log.
   - What about "IKE Extensions - Enable IPsec Mobile Client Support" under VPN / IPsec / Mobile Clients? Does this relate to "Tunnel Settings [legacy]" only? It has the "Phase 2 PFS Group" option, which is interesting.

CREATE IPSEC IKEV2 VPN
   CREATE CA'S AND SERVER CERTIFICATES FOR IPSEC IKEV2 VPN
      System
         Trust
            Authorities
            "+Add"
               Method: Create an internal Certificate Authority
               Description: myopnsense.a-domain-name.com
               Key
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: self-signed (default)
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense
                  City: myopnsense
                  Organization: myopnsense
                  Organizational Unit: myopnsense
                  Email Address: myopnsense
                  Common Name: myopnsense.a-domain-name.com
               => Save

            Certificates
            +Add
               Method: Create an internal certificate
               Description: ipsec_e2s:myopnsense.a-domain-name.com
               Key
                  Type: Server certificate
                  Private key location: Save on this firewall (default)
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: myopnsense.a-domain-name.com (default)
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense (default)
                  City: myopnsense (default)
                  Organization: myopnsense (default)
                  Organizational Unit: myopnsense
                  Email Address: myopnsense (default)
                  Common Name: myopnsense.a-domain-name.com
                  Alternative Names:
                     DNS domain names:
                        Value: myopnsense.a-domain-name.com
               => Save

   CREATE CLIENT CERTIFICATES IPSEC IKEV2 EAP-TLS VPN
            Certificates
            +Add
               Method: Create an internal certificate
               Description: john-macbook.myopnsense
               Key
                  Type: Client certificate
                  Private key location: Save on this firewall (default)
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: myopnsense.a-domain-name.com
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense (default)
                  City: myopnsense (default)
                  Organization: myopnsense (default)
                  Organizational Unit: myopnsense
                  Email Address: myopnsense (default)
                  Common Name: john-macbook.myopnsense //max. 64 chars. @-sign is not working here. Dots are ok.
                  Alternative Names:
                     DNS domain names:
                        Value: john-macbook.myopnsense
               => Save

   CREATE IP POOLS FOR IPSEC IKEV2 VPN
      CREATE POOLS METHOD 1 //Shared IP pool for all road warriors. Don't create both methods (1 and 2) on your OPNsense at the same time; it's a potential security risk. Only create one connection where you use EAP Id: %any (Method 1). If you create multiples of these connections, any road warrior can connect to any of them.

         VPN
            IPsec
               Connections
                  +Add
                     enabled: checked
                     Name: e2s_eaptlssplittun_sharedpool //as of 20241005 special characters like ":" in this field are accepted but clients cannot connect for some reason.
                     Network: 192.168.24.0/27
                     DNS: 192.168.16.1

   CREATE POOLS METHOD 2 EXAMPLE //Distinct IP address(es) per road warrior. For some reason this does not work as of 2024-11-21 with EAP-TLS. It results in only one usable connection. Skip that for now. It probably works if you create a separate CA for every connection/user, which is a pain.
   VPN
      IPsec
         Connections
            +Add
               enabled: checked
               Name: john-macbook_eaptlssplittun_distinctpool //as of 20241005 special characters like ":" in this field are accepted but clients cannot connect for some reason.
               Network: 192.168.24.97/32
               DNS: 192.168.16.1

CREATE IKEV2/EAP-TLS VPN FOR MOBILE CLIENTS (VIA CONNECTIONS/NEW METHOD)
   VPN
      IPsec
         Connections (Method 1/Sharedpool)
            Connections
            Enable IPsec: checked //this enables the whole strongSwan daemon. The checkbox is rather hidden in the lower corner
            +Add
            => advanced mode
               Proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
               Unique: Replace
               Aggressive: unchecked
               Version: IKEv2
               MOBIKE: checked
               Local addresses: (leave empty) (default)
               Remote addresses: (leave empty) (default)
               UDP encapsulation: checked
               Rekey time (s): 2400
               DPD delay (s): 30
               Pools: e2s_eaptlssplittun_sharedpool
               Send cert req: checked (default)
               Send certificate: Always: selected
               Keyingtries: 0
               Description: myopnsense:e2s:splittun:eaptls:p1
               =>Save (it will reveal new options)

            Local Authentication
            +Add
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Round: 0
               Authentication: Public Key: selected
               Id: myopnsense.a-domain-name.com //It's crucial to set this to FQDN
               Certificates: ipsec_e2s:myopnsense.a-domain-name.com
               Public Keys: Nothing selected (default)
               Description: localauth:myopnsense.a-domain-name.com

            Remote Authentication
            +Add
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Round: 1
               Authentication: EAP TLS: selected
               Id: (empty) (default) //It's crucial to leave this empty
               EAP Id: %any
               Certificates: Nothing selected (default): selected
               Description: remoteauth:myopnsense:eaptls

            Children
            +Add
            => advanced mode
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Mode: Tunnel (default): selected
               Start action: None: selected
               ESP proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
               Local:    192.168.16.0/21
               Remote: (leave empty)
               Rekey time (s): 600
               Description: child:myopnsense:splittun:p2
            => Save => Apply

      Firewall
         Rules
            IPsec
            "+Add"
               Interface: IPsec: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: any: selected
               Source: any: selected
               Destination: LAN net: selected
            => Save => Apply changes

            WAN
            "+Add"
               Interface: WAN: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: UDP: selected
               Source: any: selected
               Destination: WAN address: selected
               Destination port range: From: ISAKMP To: ISAKMP //=500
            => Save

            "+Add"
               Interface: WAN: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: UDP: selected
               Source: any: selected
               Destination: WAN address: selected
               Destination port range: From: IPsec NAT-T To: IPsec NAT-T //=4500
            => Save => Apply changes
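The guide requires the client identity as a password-protected PKCS#12 and hints at "openssl pkcs12 -export -legacy" for macOS versions that reject the newer encoding. The script below is an added example (not from the post above and not OPNsense code) showing the openssl side of that: it builds a throwaway CA and client certificate that stand in for the ones created under System > Trust, exports the client key and certificate together with the CA as a PKCS#12 in both the modern encoding (PBES2/AES-256, SHA-256 MAC, which macOS 15 / iOS 18 import) and the older SHA1/3DES encoding for older macOS, refuses an empty export password, and verifies the result. The same export functions apply to a certificate and key you have exported from the firewall in PEM form. The names are the guide's placeholders; file names, the password and the test PKI are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the forum post, not OPNsense code): build a throwaway
# CA and client certificate with openssl, standing in for the ones the guide
# creates under System > Trust, then export the client identity as a
# password-protected PKCS#12 the way macOS/iOS need it.  All file names, the
# password and the test PKI are constructed for this demo.
set -eu

CA_CN="myopnsense.a-domain-name.com"   # CA common name used in the guide
CLIENT_CN="john-macbook.myopnsense"    # client common name used in the guide

# Create ca.key/ca.crt and client.key/client.crt in directory $1.
make_test_pki() {
  d=$1
  mkdir -p "$d"
  # Minimal openssl config so the CA gets CA:TRUE regardless of the
  # system openssl.cnf (OpenSSL 1.1 only adds it via that file).
  printf '%s\n' "[req]" "distinguished_name = dn" "x509_extensions = ca_ext" \
    "[dn]" "[ca_ext]" "basicConstraints = critical, CA:TRUE" \
    "keyUsage = critical, keyCertSign, cRLSign" > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -sha256 -nodes \
    -days 3650 -subj "/CN=$CA_CN" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Client key + CSR, signed by the CA as a client-auth leaf with a SAN,
  # matching the "Client certificate" type chosen in the GUI.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=$CLIENT_CN" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  printf '%s\n' "basicConstraints = CA:FALSE" "extendedKeyUsage = clientAuth" \
    "subjectAltName = DNS:$CLIENT_CN" > "$d/client.ext"
  openssl x509 -req -sha256 -days 3650 -in "$d/client.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
  # The leaf must chain to the CA we are about to ship alongside it.
  openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null
}

# Export client.key + client.crt + ca.crt from $1 as $1/$4 with password $3.
# $2 selects the encoding:
#   modern  PBES2/AES-256-CBC with a SHA-256 MAC: the OpenSSL 3 default,
#           imported by macOS 15 / iOS 18 (what the guide tested)
#   legacy  PKCS#12 PBE with SHA1/3DES and a SHA1 MAC for older macOS
#           (close to "openssl pkcs12 -export -legacy", which additionally
#           uses RC2-40 for the certificates and needs the legacy provider)
export_p12() {
  d=$1 mode=$2 pass=$3 out=$4
  if [ -z "$pass" ]; then
    echo "refusing to export with an empty password: macOS will not import it" >&2
    return 1
  fi
  case $mode in
    modern) pbe=AES-256-CBC;   mac=sha256 ;;
    legacy) pbe=PBE-SHA1-3DES; mac=sha1 ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  # -certfile bundles the CA so the client receives it with the identity;
  # the CA still has to be installed/trusted on the device afterwards.
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
    -certfile "$d/ca.crt" -name "$CLIENT_CN" \
    -keypbe "$pbe" -certpbe "$pbe" -macalg "$mac" \
    -passout "pass:$pass" -out "$d/$out"
}

# Succeeds only if the bundle's MAC verifies under the given password.
p12_password_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Number of certificates in the bundle: 2 when the CA was included.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Print the PBE algorithms and MAC a bundle uses (openssl writes this to stderr).
p12_info() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1
}

if [ "${1:-}" = "demo" ]; then      # sh export-p12.sh demo
  WORK=$(mktemp -d)
  make_test_pki "$WORK"
  export_p12 "$WORK" modern 'Export-Pass-2024' client-modern.p12
  export_p12 "$WORK" legacy 'Export-Pass-2024' client-legacy.p12
  for f in client-modern.p12 client-legacy.p12; do
    echo "== $f ($(p12_cert_count "$WORK/$f" 'Export-Pass-2024') certificates)"
    p12_info "$WORK/$f" 'Export-Pass-2024'
  done
  echo "bundles written to $WORK"
fi
```

Running `sh export-p12.sh demo` prints, for each bundle, the key/certificate PBE algorithms and MAC digest that `openssl pkcs12 -info` reports, which is the quickest way to tell why an older macOS answers "wrong password?" to a file whose password is correct. Bundling the CA only saves transferring a second file; as the post notes, the CA still has to be installed and trusted on the device.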


BUGS/QUESTIONS I HAVE
   - Distinct pools (Method 2) do not work for some reason.

Probably has to do with how the ID is sent by the client. For Windows it can also be weird as it always tries %any first.

   - not sure about when to use "Round: 0" or "Round: 1". Both work

I guess if you require multiple authentication rounds you would sort them via this order (e.g. first certificate, then PSK, then x).

   - If i set "Start action" to "Trap" which is recommended in the OPNsense wiki i will get an error message in logs: "11[CFG] installing trap failed, remote address unknown". However it works anyway but if i set it to none it will also work but with no error in the log.

Trap might have been a mistake in the docs. None should probably be preferred. Trap is meant to initiate the tunnel when traffic is registered, but since there is no endpoint (it is dynamic) it probably cannot create a trap policy.

   - What's with "IKE Extensions - Enable IPsec Mobile Client Support" under VPN / IPSec / Mobile Clients. Does this relate to "Tunnel Settings [legacy]" only? It has the "Phase 2 PFS Group" option which is interessting.

I think it's only for legacy. PFS is the same as choosing the "DH" group in the child of connections. So if you choose AES256-SHA256-DH14, you have PFS since there is a DH group. Choosing a cipher combination without one will disable PFS.
Hardware:
DEC740