IPsecVPN With Windows 10 native VPN Client

[daelos]

New to Opnsense so still a bit confused with all the extra options my old firewall never had.

Anyway, I'm trying to configure OpnSense with an IPsec VPN tunnel with a preshared key that will work with a bog-standard Windows 10 client but struggling to make sense of any of it. Anyone got some pointers on how to do this?

[mimugmail]

You can follow the official docs there are many examples for win10

[daelos]

The only vaguely relevant doc I've managed to find is this one https://docs.opnsense.org/manual/how-tos/ipsec-road.html which I haven't manged to get to work. Should this work for Windows 10? Anything I need to change to get it to work? Maybe you can point me towards a link of instructions that would work?

[Patrick M. Hausen]

https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

[mimugmail]

And this is server config
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html

[mavor]

https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

This guide requires you to install Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/

Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?

[mimugmail]

You can always buy a certificate from a trusted CA, no problem ...

[Mks]

https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

This guide requires you to install Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/

Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?

Hi, here is some misunderstanding. The opnsense guide requires you to install "Your" Root certificate. As long as everything is proper setup and you protect the private keys belonging to your CAs this is not a security risk.
You can trust your CA more than any other public CA .

br

[dcol]

I know this is an old topic, but this is the closest topic I could find to my issue.

I followed everything in this topic to the letter, 3 times.
When I try to connect all I get is 'Policy match error'
I know this refers to an Algorithm mismatch.
I used AES256 SHA1/256 DH2/14. Tried others with no success.

Using Windows 10 21H1.

[atom]

The values must match those of the "Add-VpnConnection" and "Set-VpnConnectionIpsecConfiguration" commands.

[dcol]

Ok, I will try using Powershell to setup VPN on Windows

[dcol]

No success with using Powershell.
Any help what I did wrong? I also tried DH14 (PFS2048)

Code: [Select]

# IKEv2 VPN Import Script
# Automatically generated by pfSense
Set-Location -Path $PSScriptRoot

# Import Server Certificate CA
Import-Certificate -FilePath "<Certificate name>" -CertStoreLocation Cert:\LocalMachine\Root\

# Add VPN Connection
Add-VpnConnection -Name "VPN" -TunnelType "Ikev2" -RememberCredential -EncryptionLevel Required `
 -ServerAddress vpn.mydomain.com -DnsSuffix "domain.com" -PassThru

# Set VPN Config
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" `
 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
 -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants GCMAES128 -PfsGroup PFS2 `
 -PassThru -Force

Set-VpnConnection -Name "VPN" -SplitTunneling $True

Add-VpnConnectionRoute -Name "VPN" -DestinationPrefix 192.168.100.0/24


[atom]

phase 1
Windows GCMAES128 is OPNsense Encryption algorithm 128 bit AES-GCM
Windows Group14 is OPNsense DH key group 14
Windows SHA256 is OPNsense Hash algorithm SHA256
phasse 2
Windows GCMAES128 is OPNsense Encryption algorithm  aes128gcm16
Windows PFS2048 is OPNsense PFS key group 14

[dcol]

I know this issue is with OPNsense because I use the exact same Powershell script with PFsense and it works fine. I tried matching the VPN settings as well. The certificate was also created the exact same way and put in the same place. I am sure others have this working.

[atom]

What is in the trace of the Windows VPN client ?