Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Tutorials and FAQs
»
HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
« previous
next »
Print
Pages:
1
[
2
]
Author
Topic: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group (Read 22367 times)
kapara
Jr. Member
Posts: 97
Karma: 3
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #15 on:
November 17, 2019, 09:04:59 am »
Any updated directions on how to configure IPSEC mobile VPN with Radius? I followed directions exactly but get the "The error code returned on failure is 13801"
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #16 on:
November 17, 2019, 01:39:26 pm »
Did you follow the official guide?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #17 on:
August 24, 2020, 03:40:03 pm »
Hi,
I updated the HOWTO to make more use of the web interface and therefore of the automatic firewall rules and web interface validation.
Only the rightgroups activation and handling and respective Virtual IPv4/IPv6 address pool assignment is now done within the include files.
IPv6 and IPv4 IPsec responder addresses work as well.
All the best
Rainer
«
Last Edit: August 26, 2020, 10:26:51 am by rainerle
»
Logged
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #18 on:
August 26, 2020, 12:17:06 pm »
I disabled the dead peer detection (DPD) on the VPN service again as the server can not restart the connection anyway, if the client moves between networks. The Mobile VPN clients take care of the connection better - either by Mobile IKE (MOBIKE) or by using DPD on their side.
Logged
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #19 on:
September 04, 2020, 12:01:16 pm »
I experienced broken connections and disconnects. So I adjusted the configuration
Increase lifetime from 8 hours to 10 hours. Windows IKEv2 clients have a (hardcoded?) lifetime of 8 hours, so to enable the Windows client to handle the connection the OPNsense has to have a longer lifetime.
Disable rekey from the OPNsense side. The Windows client has issues with rekeying from the OPNsense side (
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#CHILD_SA-rekeying
).
Disable reauth from the OPNsense side. MacOS and iOS has issues with Reauthentication from the OPNsense side (
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-reauthentication-issues
)
Logged
zhuoerh
Newbie
Posts: 3
Karma: 0
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #20 on:
May 09, 2023, 08:23:04 am »
How does this guide transfer to the new swanctl.conf, since the ipsec.conf is now considered legacy and not generated by the system anymore?
Logged
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #21 on:
May 09, 2023, 08:28:55 am »
I haven’t upgraded yet and haven’t had a look at new options yet.
As soon as I upgraded I will update this how-to.
Logged
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #22 on:
September 05, 2023, 11:35:32 am »
Currently trying to get it into standard with this...
https://github.com/opnsense/core/issues/3295
Logged
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #23 on:
September 08, 2023, 10:10:54 am »
There is now a pull request that brings everything required into the WebGUI.
https://github.com/opnsense/core/pull/6826
As soon as the PR is in main I am going to update the HowTo...
Logged
rainerle
Full Member
Posts: 151
Karma: 9
Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
«
Reply #24 on:
June 10, 2024, 11:48:38 am »
Recently upgraded from 22.7.11 to 24.1.8 and the configuration is now completely in the gui.
I followed the official
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html
Per user group one connection.
Per user group a dedicated v4 and v6 IP address pool that gets assigned per connection.
Rekey set to 0 where available in advanced settings.
Logged
Print
Pages:
1
[
2
]
« previous
next »
OPNsense Forum
»
English Forums
»
Tutorials and FAQs
»
HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group