IPsecVPN With Windows 10 native VPN Client

Started by daelos, November 02, 2020, 12:35:24 AM

New to OPNsense, so still a bit confused with all the extra options my old firewall never had.

Anyway, I'm trying to configure OPNsense with an IPsec VPN tunnel with a preshared key that will work with a bog-standard Windows 10 client, but I'm struggling to make sense of any of it. Anyone got some pointers on how to do this?




You can follow the official docs; there are many examples for Win10.

The only vaguely relevant doc I've managed to find is this one https://docs.opnsense.org/manual/how-tos/ipsec-road.html which I haven't managed to get to work. Should this work for Windows 10? Anything I need to change to get it to work? Maybe you can point me towards a link of instructions that would work?

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Quote from: pmhausen on November 02, 2020, 06:36:36 PM
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

This guide requires you to install a Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/

Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?

You can always buy a certificate from a trusted CA, no problem ...

Quote from: mavor on November 08, 2020, 07:44:07 PM
Quote from: pmhausen on November 02, 2020, 06:36:36 PM
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

This guide requires you to install a Root Certificate into your client. Should I remind you that it is a big security risk?
https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/

Is there any other way to enable VPN without exposing your clients' computers to potential malware, etc?

Hi, there is some misunderstanding here. The OPNsense guide requires you to install "your" Root certificate. As long as everything is properly set up and you protect the private keys belonging to your CAs, this is not a security risk.
You can trust your CA more than any other public CA ;).

br

March 04, 2023, 06:24:54 PM #8 Last Edit: March 04, 2023, 06:37:03 PM by dcol
I know this is an old topic, but this is the closest topic I could find to my issue.

I followed everything in this topic to the letter, 3 times.
When I try to connect, all I get is 'Policy match error'.
I know this refers to an algorithm mismatch.
I used AES256 SHA1/256 DH2/14. Tried others with no success.

Using Windows 10 21H1.

The values must match those of the "Add-VpnConnection" and "Set-VpnConnectionIpsecConfiguration" commands.

Ok, I will try using PowerShell to set up the VPN on Windows.

March 04, 2023, 06:53:26 PM #11 Last Edit: March 04, 2023, 07:50:23 PM by dcol
No success with using PowerShell.
Any help with what I did wrong? I also tried DH14 (PFS2048).


# IKEv2 VPN Import Script
# Automatically generated by pfSense
Set-Location -Path $PSScriptRoot

# Import Server Certificate CA
Import-Certificate -FilePath "<Certificate name>" -CertStoreLocation Cert:\LocalMachine\Root\

# Add VPN Connection
Add-VpnConnection -Name "VPN" -TunnelType "Ikev2" -RememberCredential -EncryptionLevel Required `
-ServerAddress vpn.mydomain.com -DnsSuffix "domain.com" -PassThru

# Set VPN Config
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" `
-EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
-CipherTransformConstants GCMAES128 -AuthenticationTransformConstants GCMAES128 -PfsGroup PFS2 `
-PassThru -Force

Set-VpnConnection -Name "VPN" -SplitTunneling $True

Add-VpnConnectionRoute -Name "VPN" -DestinationPrefix 192.168.100.0/24

March 04, 2023, 07:20:03 PM #12 Last Edit: March 04, 2023, 07:25:08 PM by atom
phase 1
Windows GCMAES128 is OPNsense Encryption algorithm 128 bit AES-GCM
Windows Group14 is OPNsense DH key group 14
Windows SHA256 is OPNsense Hash algorithm SHA256
phase 2
Windows GCMAES128 is OPNsense Encryption algorithm aes128gcm16
Windows PFS2048 is OPNsense PFS key group 14
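
A 'Policy match error' means the proposal Windows offers does not match what OPNsense accepts, so the quickest check is to read back the custom IPsec policy Windows actually stored and compare it, setting by setting, against the OPNsense phase 1 / phase 2 values using the name mapping from the reply above. The PowerShell function below is an added example, not code from the thread or from the OPNsense project; the connection name "VPN", the OPNsense values passed in at the bottom, and the mapping tables (a subset of the values both sides support) are assumptions to adapt to your own setup.

```powershell
# OPNsense GUI value -> Windows VPN cmdlet value (string keys throughout).
$P1Enc  = @{ 'aes128' = 'AES128'; 'aes256' = 'AES256'; 'aes128gcm16' = 'GCMAES128'; 'aes256gcm16' = 'GCMAES256' }
$P1Hash = @{ 'sha1' = 'SHA1'; 'sha256' = 'SHA256'; 'sha384' = 'SHA384' }
$P1Dh   = @{ '2' = 'Group2'; '14' = 'Group14'; '19' = 'ECP256'; '20' = 'ECP384' }
$P2Enc  = @{ 'aes128' = 'AES128'; 'aes256' = 'AES256'; 'aes128gcm16' = 'GCMAES128'; 'aes256gcm16' = 'GCMAES256' }
$P2Hash = @{ 'sha1' = 'SHA196'; 'sha256' = 'SHA256128' }   # ignored for GCM, which authenticates itself
$P2Pfs  = @{ 'off' = 'None'; '2' = 'PFS2'; '14' = 'PFS2048'; '19' = 'ECP256'; '20' = 'ECP384' }

function Test-VpnProposal {
    param(
        [Parameter(Mandatory)] [string]    $ConnectionName,
        [Parameter(Mandatory)] [hashtable] $Opnsense   # keys: P1Enc P1Hash P1Dh P2Enc P2Hash P2Pfs
    )
    # Windows only keeps a custom policy when Set-VpnConnectionIPsecConfiguration was run;
    # without one it negotiates its own defaults, which OPNsense will usually reject.
    $policy = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
    if (-not $policy) { throw "No custom IPsec policy on '$ConnectionName'." }

    $gcm = $Opnsense.P2Enc -like '*gcm*'
    $expected = [ordered]@{
        EncryptionMethod                 = $P1Enc[$Opnsense.P1Enc]
        IntegrityCheckMethod             = $P1Hash[$Opnsense.P1Hash]
        DHGroup                          = $P1Dh[[string]$Opnsense.P1Dh]
        CipherTransformConstants         = $P2Enc[$Opnsense.P2Enc]
        AuthenticationTransformConstants = $(if ($gcm) { $P2Enc[$Opnsense.P2Enc] } else { $P2Hash[$Opnsense.P2Hash] })
        PfsGroup                         = $P2Pfs[[string]$Opnsense.P2Pfs]
    }
    # Enum values on the policy object are compared by name; an empty expected value means the
    # OPNsense setting is not in the mapping tables above.
    $mismatches = foreach ($k in $expected.Keys) {
        if ("$($policy.$k)" -ne "$($expected[$k])") {
            [pscustomobject]@{ Setting = $k; Windows = "$($policy.$k)"; ExpectedFromOPNsense = "$($expected[$k])" }
        }
    }
    if ($mismatches) { $mismatches } else { "Proposal on '$ConnectionName' matches the OPNsense settings." }
}

# Constructed input: the OPNsense side from the mapping above (phase 1 AES-GCM-128 / SHA256 / DH 14,
# phase 2 aes128gcm16 / PFS group 14). Against the script posted earlier (Group2 / PFS2) this reports
# DHGroup and PfsGroup as mismatched.
Test-VpnProposal -ConnectionName 'VPN' -Opnsense @{
    P1Enc = 'aes128gcm16'; P1Hash = 'sha256'; P1Dh = 14
    P2Enc = 'aes128gcm16'; P2Hash = 'sha256'; P2Pfs = 14
}
```

Run it from an elevated PowerShell on the client after the import script; each row it returns is one value to change on either the Windows or the OPNsense side before trying to connect again.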


I know this issue is with OPNsense because I use the exact same PowerShell script with pfSense and it works fine. I tried matching the VPN settings as well. The certificate was also created the exact same way and put in the same place. I am sure others have this working.

What is in the trace of the Windows VPN client?