IPSec "Road Warrior" VPN Setup between OPNSense 20.7 and Ubuntu 20.04 LTS

Started by mgsteve, December 12, 2020, 01:48:59 AM

I have torn out what little hair I have left over the course of the past few hours. I simply cannot get this to work.

First it was a problem with the certificate CN not matching, but I got that to work by using the IP instead of the FQDN. Then EAP was failing because the instructions didn't mention you needed to add an extra package (apt install libcharon-extra-plugins).

Now EAP fails because authentication fails: "EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'", even though the username entered matches the PSK entry (user, password, EAP), and I've even tried a PSK value against a full-blown user account in OPNsense as opposed to just an EAP entry on the "Pre-Shared Keys" page.

Does anyone have a start-to-finish, step-by-step guide for this? (And yes, I have read the official guide (https://docs.opnsense.org/manual/how-tos/ipsec-road.html) and then the Linux bit here (https://docs.opnsense.org/manual/how-tos/ipsec-rw-linux.html), but all to no avail.) :(

Any help would be gratefully received.

You have to use the matrix at the bottom where the correct client and server configs are linked:
https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I tested it with Ubuntu 18.04

Quote from: mimugmail on December 12, 2020, 06:44:36 AM
You have to use the matrix at the bottom where the correct client and server configs are linked:
https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I tested it with Ubuntu 18.04

Yes, those are two of the guides I followed. I'll delete everything and try from scratch again. But it only seems to be failing on the EAP challenge.

BTW, you need to tweak your Linux Remote Access guide, as you need to include the extra package I mentioned above in 20.04, otherwise strongSwan doesn't know anything about EAP-MSCHAPv2.

Quote from: mimugmail on December 12, 2020, 06:44:36 AM
You have to use the matrix at the bottom where the correct client and server configs are linked:
https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

I tested it with Ubuntu 18.04

Just to say I've followed all the steps and it's failing again at the last step.

Ubuntu Logs:
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[CFG] received initiate for NetworkManager connection WV VPN 2
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[CFG] using CA certificate, gateway identity '192.168.1.181'
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[IKE] initiating IKE_SA WV VPN 2[14] to 192.168.1.181
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 04[NET] sending packet: from 192.168.1.88[53337] to 192.168.1.181[500] (936 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc NetworkManager[1360]: <info>  [1607768348.5185] vpn-connection[0x560217f50130,7723a298-6e57-46bd-981f-4359fa9b7bc8,"WV VPN 2",0]: VPN plugin: state changed: starting (3)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[NET] received packet: from 192.168.1.181[500] to 192.168.1.88[53337] (38 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[IKE] initiating IKE_SA WV VPN 2[14] to 192.168.1.181
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 05[NET] sending packet: from 192.168.1.88[53337] to 192.168.1.181[500] (1128 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[NET] received packet: from 192.168.1.181[500] to 192.168.1.88[53337] (557 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] received cert request for "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=opnsense-ca-root"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] received 3 cert requests for an unknown ca
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] sending cert request for "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=opnsense-ca-root"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[IKE] establishing CHILD_SA WV VPN 2{13}
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 14[NET] sending packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (464 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 08[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (1236 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (756 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1920 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] received end entity cert "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG]   using certificate "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG]   using trusted ca certificate "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=opnsense-ca-root"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG] checking certificate status of "C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181"
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG] certificate status is not available
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[CFG]   reached self-signed root ca with a path length of 0
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] authentication of 'C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=wv.xxx.com, subjectAltName=IP:192.168.1.181' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'expert'
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 01[NET] sending packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (96 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (112 bytes)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x87)
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Dec 12 10:19:08 my-ubuntu-20.04-pc charon-nm: 10[NET] sending packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (144 bytes)
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[NET] received packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (128 bytes)
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Dec 12 10:19:10 my-ubuntu-20.04-pc charon-nm: 16[IKE] EAP_MSCHAPV2 method failed

OPNsense logs (truncated the first few lines)
2020-12-12T10:19:10   charon[10631]: 04[NET] <con1|2> sending packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (80 bytes)
2020-12-12T10:19:10   charon[10631]: 04[ENC] <con1|2> generating INFORMATIONAL response 4 [ N(AUTH_FAILED) ]
2020-12-12T10:19:10   charon[10631]: 04[ENC] <con1|2> parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
2020-12-12T10:19:10   charon[10631]: 04[NET] <con1|2> received packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (80 bytes)
2020-12-12T10:19:10   charon[10631]: 04[NET] <con1|2> sending packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (128 bytes)
2020-12-12T10:19:10   charon[10631]: 04[ENC] <con1|2> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> EAP-MS-CHAPv2 verification failed, retry (1)
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> no EAP key found for hosts 'C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=<redacted>, subjectAltName=IP:192.168.1.181' - 'expert'
2020-12-12T10:19:08   charon[10631]: 04[ENC] <con1|2> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
2020-12-12T10:19:08   charon[10631]: 04[NET] <con1|2> received packet: from 192.168.1.88[53150] to 192.168.1.181[4500] (144 bytes)
2020-12-12T10:19:08   charon[10631]: 04[NET] <con1|2> sending packet: from 192.168.1.181[4500] to 192.168.1.88[53150] (112 bytes)
2020-12-12T10:19:08   charon[10631]: 04[ENC] <con1|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> initiating EAP_MSCHAPV2 method (id 0x87)
2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> received EAP identity 'expert'
2020-12-12T10:19:08   charon[10631]: 04[ENC] <con1|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]

2020-12-12T10:19:08   charon[10631]: 04[IKE] <con1|2> no EAP key found for hosts 'C=GB, ST=West Midlands, L=<redacted>, O=<redacted>, E=<redacted>, CN=<redacted>, subjectAltName=IP:192.168.1.181' - 'expert'

I'm guessing that's the key log entry. What have I missed?


I appear to have fixed it after a bit more googling. In addition to the extra charon package, you also need to install an extra strongSwan package too.

sudo apt-get -y install libstrongswan-extra-plugins

With that added, the VPN connects.
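The thread above boils down to a client that negotiates IKE_SA_INIT and verifies the gateway certificate fine, then stalls in the EAP phase because charon-nm did not have the plugins for the EAP method loaded. The script below is an added example, not part of the original thread or the OPNsense documentation: it checks an Ubuntu/Debian strongSwan install for the shared objects that EAP-MSCHAPv2 needs (the eap-identity and eap-mschapv2 method plugins, plus MD4, DES, SHA-1 and an RNG, which RFC 2759 MS-CHAPv2 uses for the NT hash, the challenge response and the challenge hash). The plugin directory /usr/lib/ipsec/plugins is the Debian/Ubuntu default and is an assumption; the package names in the hint are the two the poster installed.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense docs): check that the
# strongSwan plugins an EAP-MSCHAPv2 road-warrior client needs are present.
# Debian/Ubuntu ship each plugin as a separate .so and split them across
# several packages, so a default install can lack the EAP method entirely.
# Assumed default plugin directory for Debian/Ubuntu builds of strongSwan:
PLUGIN_DIR_DEFAULT=/usr/lib/ipsec/plugins

# The EAP method itself and the identity exchange that precedes it.
EAP_PLUGINS="eap-identity eap-mschapv2"
# Primitives MS-CHAPv2 (RFC 2759) uses: MD4 for the NT password hash, DES for
# the challenge response, SHA-1 for the challenge hash, and an RNG for the
# peer challenge.
CRYPTO_PLUGINS="md4 des sha1 random"

# Print the plugins missing from directory $1, one line, space separated.
# Returns 0 when everything is present, 1 when something is missing.
missing_strongswan_plugins() {
    dir=$1
    missing=""
    for p in $EAP_PLUGINS; do
        [ -f "$dir/libstrongswan-$p.so" ] || missing="$missing $p"
    done
    # The openssl plugin registers MD4, DES, SHA-1 and an RNG itself, so the
    # stand-alone crypto plugins only matter when it is absent.
    if [ ! -f "$dir/libstrongswan-openssl.so" ]; then
        for p in $CRYPTO_PLUGINS; do
            [ -f "$dir/libstrongswan-$p.so" ] || missing="$missing $p"
        done
    fi
    missing=${missing# }
    [ -n "$missing" ] || return 0
    printf '%s\n' "$missing"
    return 1
}

# Human-readable report; exit status 0 = ok, 1 = plugins missing,
# 2 = plugin directory not found (strongSwan probably not installed).
check_strongswan_eap_plugins() {
    dir=${1:-$PLUGIN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "plugin directory $dir not found: is strongswan installed?" >&2
        return 2
    fi
    if missing=$(missing_strongswan_plugins "$dir"); then
        echo "all EAP-MSCHAPv2 plugins present in $dir"
        return 0
    fi
    echo "missing strongSwan plugins in $dir: $missing" >&2
    echo "on Ubuntu 20.04 the thread above needed both:" >&2
    echo "  sudo apt install libcharon-extra-plugins libstrongswan-extra-plugins" >&2
    return 1
}

# Usage: sh check_eap_plugins.sh [/usr/lib/ipsec/plugins]
if [ $# -gt 0 ]; then
    check_strongswan_eap_plugins "$1"
fi
```

A present .so is necessary but not sufficient: charon-nm can still be told not to load a plugin through the load = line in strongswan.conf, and on distributions built against OpenSSL 3 the openssl plugin only provides MD4 when the legacy provider is available. The "loaded plugins:" line charon logs at startup is the authoritative list, so compare it against the output of this check when the client still fails at EAP. The gateway-side message "no EAP key found for hosts ... - 'expert'" is a separate problem: it means the server could not find a secret for that EAP identity, which no client-side package will fix.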