Allow RSA Signature Authentication Using Aggressive Mode

Started by ramc, October 31, 2025, 10:43:04 PM

Trying to set up an IPsec VPN between non-OPNsense remote node A and OPNsense box B. A is the aggressor, but even though the configs match, we keep getting the error message "found 1 matching config, but none allows RSA signature authentication using Aggressive Mode". I can't find any setting to allow RSA signature auth using aggressive mode. We're using certificate-based authentication; currently with public key, but we'd be fine doing it any way except PSK, as we're attempting a reasonable level of security despite needing aggressive mode. Any suggestions? This configuration works without aggressive mode, so I suspect it's a security feature we cannot find.

Aggressive mode is considered insecure. Can't you use main mode? Better use IKEv2.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Unfortunately, the remote node A has a dynamic IP, otherwise we'd just be sticking with IKEv2. So we need aggressive mode to function.

EDIT: Is it possible to use IKEv2 with a dynamic IP on one side just by leaving the remote address in OPNsense's IPsec setup blank so it matches any? I'm testing now and it seems like it works. Staying connected with a dynamic IP is the issue I am chiefly attempting to resolve, so as long as that works I'm happy to abandon aggressive mode.
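The setup the thread ends on, written out as a strongSwan swanctl.conf fragment for the static side (box B). This is an added example, not a configuration posted in the thread or shipped by OPNsense; OPNsense generates its own swanctl.conf from the GUI, and the addresses, certificate file names, identities and subnets below are assumed placeholders. The point it shows is the one the last post found by experiment: with IKEv2 there is no need for aggressive mode, because the responder can leave remote_addrs as %any and still authenticate the dynamic-IP peer by certificate, selecting the connection by the peer's certificate identity rather than by its source address.

```conf
# swanctl.conf on box B (static address, responder). Added example; values are
# assumed placeholders, not taken from the thread or from OPNsense's generated config.
connections {
    node-a {
        version = 2                        # IKEv2: main/aggressive mode does not exist here
        local_addrs  = 203.0.113.1         # B's static address (assumed)
        remote_addrs = %any                # A has a dynamic IP, so accept any source address
        proposals    = aes256-sha256-x25519

        local {
            auth  = pubkey                 # certificate-based, no PSK
            certs = boxB.crt               # B's certificate in /etc/swanctl/x509 (assumed name)
            id    = "CN=boxB.example.com"  # must match B's certificate subject/SAN (assumed)
        }
        remote {
            auth = pubkey
            # Because the source address is unknown, the peer is selected and
            # authenticated by its certificate identity; pin it instead of using %any.
            id   = "CN=nodeA.example.com"  # assumed identity in A's certificate
        }

        children {
            site {
                local_ts  = 10.0.1.0/24    # B's LAN (assumed)
                remote_ts = 10.0.2.0/24    # A's LAN (assumed)
                esp_proposals = aes256gcm16-x25519
                start_action  = none       # B cannot initiate: it does not know A's address
                dpd_action    = clear
            }
        }
        dpd_delay = 30s                    # notice when A's address changes and let it reconnect
    }
}
```

On node A the mirror configuration sets remote_addrs to B's static address, start_action = start, and the same pubkey auth with the roles swapped. Keeping remote.id pinned on the responder matters: with remote_addrs = %any, the identity check in the certificate is the only thing distinguishing A from any other holder of a certificate issued by the same CA.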