Author Topic: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group  (Read 13874 times)

kapara

« Reply #15 on: November 17, 2019, 09:04:59 am »
Any updated directions on how to configure IPsec mobile VPN with Radius? I followed directions exactly but get "The error code returned on failure is 13801".

mimugmail

« Reply #16 on: November 17, 2019, 01:39:26 pm »
Did you follow the official guide?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

rainerle

« Reply #17 on: August 24, 2020, 03:40:03 pm »
Hi,

I updated the HOWTO to make more use of the web interface and therefore of the automatic firewall rules and web interface validation.

Only the rightgroups activation and handling and respective Virtual IPv4/IPv6 address pool assignment is now done within the include files.

IPv6 and IPv4 IPsec responder addresses work as well.

All the best
Rainer
« Last Edit: August 26, 2020, 10:26:51 am by rainerle »

rainerle

« Reply #18 on: August 26, 2020, 12:17:06 pm »
I disabled the dead peer detection (DPD) on the VPN service again, as the server cannot restart the connection anyway if the client moves between networks. The mobile VPN clients take care of the connection better, either by Mobile IKE (MOBIKE) or by using DPD on their side.

rainerle

« Reply #19 on: September 04, 2020, 12:01:16 pm »
I experienced broken connections and disconnects, so I adjusted the configuration:
  • Increase lifetime from 8 hours to 10 hours. Windows IKEv2 clients have a (hardcoded?) lifetime of 8 hours, so to enable the Windows client to handle the connection, the OPNsense has to have a longer lifetime.
  • Disable rekey from the OPNsense side. The Windows client has issues with rekeying from the OPNsense side (https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#CHILD_SA-rekeying).
  • Disable reauth from the OPNsense side. macOS and iOS have issues with reauthentication from the OPNsense side (https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-reauthentication-issues).

zhuoerh

« Reply #20 on: May 09, 2023, 08:23:04 am »
How does this guide transfer to the new swanctl.conf, since the ipsec.conf is now considered legacy and not generated by the system anymore?

rainerle

« Reply #21 on: May 09, 2023, 08:28:55 am »
I haven’t upgraded yet and haven’t had a look at new options yet.

As soon as I have upgraded, I will update this how-to.
