HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group

[kapara]

Any updated directions on how to configure IPSEC mobile VPN with Radius?  I followed directions exactly but get the "The error code returned on failure is 13801"

[mimugmail]

Did you follow the official guide?

[rainerle]

Hi,

I updated the HOWTO to make more use of the web interface and therefore of the automatic firewall rules and web interface validation.

Only the rightgroups activation and handling and respective Virtual IPv4/IPv6 address pool assignment is now done within the include files.

IPv6 and IPv4 IPsec responder addresses work as well.

All the best
Rainer

[rainerle]

I disabled the dead peer detection (DPD) on the VPN service again as the server can not restart the connection anyway, if the client moves between networks. The Mobile VPN clients take care of the connection better - either by Mobile IKE (MOBIKE) or by using DPD on their side.

[rainerle]

I experienced broken connections and disconnects. So I adjusted the configuration

• Increase lifetime from 8 hours to 10 hours. Windows IKEv2 clients have a (hardcoded?) lifetime of 8 hours, so to enable the Windows client to handle the connection the OPNsense has to have a longer lifetime.
• Disable rekey from the OPNsense side. The Windows client has issues with rekeying from the OPNsense side (https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#CHILD_SA-rekeying ).
• Disable reauth from the OPNsense side. MacOS and iOS has issues with Reauthentication from the OPNsense side (https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-reauthentication-issues )

[zhuoerh]

How does this guide transfer to the new swanctl.conf, since the ipsec.conf is now considered legacy and not generated by the system anymore?

[rainerle]

I haven’t upgraded yet and haven’t had a look at new options yet.

As soon as I upgraded I will update this how-to.