Can I setup the opnsense box as an IPsec vpn client?

Started by tigs, January 04, 2021, 09:23:33 PM

I have been trying to play with an IPsec server on AWS. I have set up an IPsec server, and I am able to configure my desktop PC (Win 10) or Synology NAS to connect to it without any issues. However, I would like to connect my opnsense box to it so all local devices go through the same tunnel without having to configure them individually. I want my opnsense box to work the same way as it does as an OpenVPN client. Can I accomplish this by configuring the opnsense as an IPsec client?

I have the following info available and nothing more:
Server IP:
IPsec PSK:
Username:
Password:

Here is the link I followed to set up the IPsec server on an Ubuntu server:
https://github.com/hwdsl2/setup-ipsec-vpn

Same here, no information in docs. Every doc assumes the box acts as a server.

There's more. When I try to create site-to-site tunnel, Authentication method options are Mutual PSK/Key/RSA, but my VPN provider is using IKEv2 EAP with username and password.

February 26, 2021, 03:39:34 PM #2 Last Edit: February 26, 2021, 03:52:08 PM by smyers119
Quote from: tigs on January 04, 2021, 09:23:33 PM

I want my opnsense box to work the same way as it does as an OpenVPN client. Can I accomplish this by configuring the opnsense as an IPsec client?

Quote from: thereaper on February 26, 2021, 09:47:37 AM
Same here, no information in docs. Every doc assumes the box acts as a server.


IPSEC is a point-to-point protocol; there is not really a server/client. Note: it does support road warrior setups, which would be the closest thing to the server/client style you're looking for. To answer your other question, yes, you can send traffic over IPSEC.

EDITED to clarify.



Quote from: thereaper on February 26, 2021, 09:47:37 AM
There's more. When I try to create site-to-site tunnel, Authentication method options are Mutual PSK/Key/RSA, but my VPN provider is using IKEv2 EAP with username and password.

opnsense is set up weirdly for this, but go to the Mobile Clients section and enable it, then add your Phase 1 and Phase 2 settings there.

February 27, 2021, 01:20:19 AM #4 Last Edit: February 27, 2021, 04:14:24 AM by thereaper
Quote from: smyers119 on February 26, 2021, 03:39:34 PM
Note: it does support road warrior setups, which would be the closest thing to the server/client style you're looking for. To answer your other question, yes, you can send traffic over IPSEC.

How, please? :)

More specifically, I have a LAN iface. An external AP is connected by Ethernet to LAN (with the MYISP SSID, 192.x). And I have a WLAN iface, an internal PCIe Wi-Fi card (with the MYVPN SSID, 10.x).

I can use either SSID; both work fine. Now I want all traffic from the WLAN iface to go via IPsec through my VPN provider.

PS: I followed your advice, and in Mobile Clients, on save, there was an error and a "Create Phase1" button appeared like magic:

Support for IPsec Mobile clients is enabled but a Phase1 definition was not found.
Please click Create to define one.


This button created an entry in Tunnels with EAP-MSCHAPV2. But when I edit it, there is no Remote Gateway field anymore ... nor any EAP login/password. I'd really appreciate any hints.

Side note: I just got it working with the OpenVPN client. I would still love a solution for IKEv2 :)
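For readers working through the same problem, here is an added example that is not part of this thread and not an OPNsense configuration file: OPNsense's IPsec daemon is strongSwan, and the pieces an IKEv2 EAP-MSCHAPv2 initiator needs (what the Mobile Clients / Phase 1 / Phase 2 screens are ultimately generating) are easiest to see in strongSwan's own swanctl.conf syntax. The gateway name vpn.example.net, the EAP identity vpnuser, the password, the CA file name provider-ca.pem, and the 10.0.0.0/8 mask for the poster's 10.x WLAN are all placeholders. The `connections` block corresponds to Phase 1 and the `children` block to Phase 2.

```conf
# Added example, not from the thread or from OPNsense: a strongSwan swanctl.conf
# fragment for an IKEv2 initiator that authenticates with EAP-MSCHAPv2
# (username/password) and sends all traffic through the tunnel.
# vpn.example.net, vpnuser, the password and provider-ca.pem are placeholders.
connections {
    provider-ikev2 {
        version = 2                         # IKEv2 only; never fall back to IKEv1
        remote_addrs = vpn.example.net      # placeholder: the provider's gateway
        vips = 0.0.0.0                      # ask the gateway for a virtual IPv4 address
        proposals = aes256-sha256-ecp256    # Phase 1 (IKE SA) algorithms
        dpd_delay = 30s                     # detect a dead gateway and re-establish

        local {
            auth = eap-mschapv2             # we authenticate with username/password
            eap_id = vpnuser                # placeholder EAP identity
            id = vpnuser
        }
        remote {
            auth = pubkey                   # the gateway must prove itself with a certificate
            id = vpn.example.net            # must match a SAN in the gateway certificate
            cacerts = provider-ca.pem       # placeholder CA file in /etc/swanctl/x509ca
        }

        children {
            wlan {
                # local_ts is left at its default ("dynamic"), i.e. the assigned
                # virtual IP; road-warrior gateways normally accept nothing else.
                remote_ts = 0.0.0.0/0       # route everything through the tunnel
                esp_proposals = aes256gcm16-ecp256   # Phase 2 (ESP) algorithms with PFS
                start_action = start        # bring the tunnel up when the config loads
                dpd_action = restart        # re-negotiate if the peer stops answering
            }
        }
    }
}

secrets {
    eap-vpnuser {
        id = vpnuser                        # placeholder, must match eap_id above
        secret = "REPLACE-WITH-PASSWORD"    # placeholder; keep this file root-only
    }
}
```

Two points matter for security and for the "whole LAN through the tunnel" goal. First, `remote { auth = pubkey }` together with `cacerts` and a matching `id` is what stops the username and password from being handed to any host that happens to answer on the gateway address: EAP-MSCHAPv2 only protects the password if the IKE_AUTH exchange has already verified the gateway's certificate, so leave certificate checking on even when the provider offers a shortcut. Second, because a road-warrior gateway will only accept the virtual IP it assigned as the client's traffic selector, packets from the 10.x WLAN subnet have to be source-NATed to that virtual IP before they enter the tunnel (in OPNsense that is an outbound NAT rule on the IPsec interface), otherwise the gateway drops them even though the tunnel is up.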