IPsecVPN With Windows 10 native VPN Client

Started by daelos, November 02, 2020, 12:35:24 AM


I did just update to 23.1.1_2 from 22.7.11
Did notice new Connections page in VPN. That is nice.
Still just get the Policy match error.

What is the error in the Windows event log?

Netsh trace start VpnClient per=yes maxsize=0 filemode=single

.... connection test ...

Netsh trace stop

The etl file can then be read with the Event Viewer.

March 04, 2023, 11:34:46 PM #18 Last Edit: March 05, 2023, 06:05:45 PM by dcol
Opened the NetTrace.etl with Event Viewer and had a long list of Unknown Event IDs.
I did get some information from the log in OPNsense that showed

charon   06[IKE] <2> no IKE config found for <ServerIP>...<Client IP>, sending NO_PROPOSAL_CHOSEN

I also noticed I have no ipsec.conf or ipsec.secrets file in /usr/local/etc, just sample files. Is this correct?


March 05, 2023, 07:56:00 PM #21 Last Edit: March 05, 2023, 08:08:14 PM by dcol
I read the release notes. strongswan.conf has very little info in it. There might be a bug here. The same VPN client configuration works fine in pfSense and the algorithms and certificates match. My goal here is to migrate the last remaining pfSense firewall to OPNsense. The pfSense Plus box is running 23.01. I am running these VPN tests on a development firewall with its own WAN IP intended to replace the pfSense box.

I don't think I should be seeing this in the VPN log:
2023-03-05T11:32:20-07:00   Informational   charon   13[IKE] <2> no IKE config found for <my serverIP>...<ClientIP>, sending NO_PROPOSAL_CHOSEN   
2023-03-05T11:32:20-07:00   Informational   charon   13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]

The release notes do state the changes could lead to connectivity issues in ambiguous cases. If I post on GitHub, how would I explain this issue? My experience with them is they require specific info.

I finally found the settings in /usr/local/etc/swanctl/swanctl.conf and the local_addrs is not correct. It shows an old WAN IP I do not even use anymore. I will try to track down where this is coming from.

I am now connected. The issue was I had some virtual IPs configured, so the WAN IP was wrong. Once I removed all the virtual IPs and fixed the WAN address, all worked fine. Now I just need to figure out how to connect the LANs together.

Thanks to those that helped.
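The root cause dcol tracked down above (a stale WAN address in local_addrs, so charon answers IKE_SA_INIT with "no IKE config found ... sending NO_PROPOSAL_CHOSEN") can be checked mechanically before opening a bug report. The script below is an added example, not code from this thread or from the OPNsense project. It assumes the connections { name { local_addrs = ... } } layout of the generated swanctl.conf and the charon log format quoted in the thread; the log lines and the config text embedded in it are constructed samples with documentation addresses, not values from the thread.

```python
"""Correlate charon 'no IKE config found' events with local_addrs in swanctl.conf.

Added example, not from the forum thread or the OPNsense project. It assumes the
generated swanctl.conf layout (connections { <name> { local_addrs = ... } }) and the
charon log format quoted in the thread. All sample input below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: charon lines of the shape quoted in the thread.
SAMPLE_LOG = """\
2023-03-05T11:32:20-07:00   Informational   charon   13[IKE] <2> no IKE config found for 203.0.113.10...198.51.100.7, sending NO_PROPOSAL_CHOSEN
2023-03-05T11:32:20-07:00   Informational   charon   13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
"""

# Constructed sample swanctl.conf: local_addrs still carries an old WAN IP.
SAMPLE_SWANCTL = """\
connections {
    rw-ikev2 {
        local_addrs = 192.0.2.5
        remote_addrs = %any
        version = 2
        local {
            auth = pubkey
        }
    }
}
"""

# "no IKE config found for <local>...<peer>, sending NO_PROPOSAL_CHOSEN"
NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?), sending")

# local_addrs values that match any local address (no mismatch possible).
WILDCARDS = {"%any", "%any4", "%any6", "0.0.0.0/0", "::/0"}


def parse_no_config_events(log: str) -> List[Tuple[str, str]]:
    """Return (local_ip, peer_ip) for every 'no IKE config found' line."""
    return [m.groups() for m in NO_CONFIG_RE.finditer(log)]


def parse_local_addrs(conf: str) -> Dict[str, List[str]]:
    """Return {connection_name: [local_addrs, ...]} from swanctl.conf text.

    Minimal brace-tracking reader for the generated file layout; it is not a
    full strongSwan settings parser (no includes, no quoted values).
    """
    result: Dict[str, List[str]] = {}
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        # Only keys directly inside connections { <name> { ... } } are of interest.
        if "=" in line and len(stack) == 2 and stack[0] == "connections":
            key, _, value = line.partition("=")
            if key.strip() == "local_addrs":
                result[stack[1]] = [v.strip() for v in value.split(",") if v.strip()]
    return result


def find_mismatches(log: str, conf: str) -> List[Tuple[str, str, List[str]]]:
    """Report (connection, logged_local_ip, configured_local_addrs) for every
    connection whose local_addrs neither lists the address charon saw the
    IKE_SA_INIT arrive on nor uses a wildcard. Subnets and ranges in
    local_addrs are compared literally, so treat a hit as a lead, not proof."""
    addrs = parse_local_addrs(conf)
    hits = []
    for local_ip, _peer_ip in parse_no_config_events(log):
        for name, configured in addrs.items():
            if local_ip in configured or set(configured) & WILDCARDS:
                continue
            hits.append((name, local_ip, configured))
    return hits


if __name__ == "__main__":
    for name, seen, configured in find_mismatches(SAMPLE_LOG, SAMPLE_SWANCTL):
        print(f"{name}: IKE_SA_INIT arrived on {seen}, local_addrs = {configured}")
```

On a live box the two inputs would be the charon entries from the VPN log and the contents of /usr/local/etc/swanctl/swanctl.conf; a hit for a connection means the address charon actually received the IKE_SA_INIT on is not one the connection is bound to, which is exactly the symptom that a stale virtual IP or WAN address produces.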

Same Policy match error here, but everything looks correct in the swanctl.conf
Works using the old IPsec method. Can't get the new method to work. Followed the OPNsense docs to the letter.
Want to convert because the legacy IPsec is going away in 26.1, just around the corner.

Did you use this? It was recently updated with user feedback regarding the native Windows Client stuff.

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html
Hardware:
DEC740