IPsec Road-Warrior setup fails on (at least) iOS

Started by vst, February 23, 2021, 08:42:39 AM

February 23, 2021, 08:42:39 AM Last Edit: February 23, 2021, 08:51:06 AM by vst

I am an experienced Linux admin and a newbie to OPNsense. I wanted to replace my fritzbox-router-vpn, but I ran into problems. I followed the tutorial really closely, but cannot get a connection working. I see a few potential problems in the logs and configs. I also wonder if there shouldn't be a special IPsec interface. Maybe someone can help.

The iPhone just fails with the message: "Der VPN-Schlüssel (Shared Secret) ist nicht korrekt" / The VPN-key (Shared secret) is not correct. I think this is misleading.

The log for the connections seems unsuspicious:

2021-02-23T08:21:50 charon[36693] 15[NET] <con1|2> sending packet: from 91.13.XXX.XX[500] to 80.187.XX.XXX[500] (540 bytes)
2021-02-23T08:21:50 charon[36693] 15[IKE] <con1|2> sending retransmit 2 of response message ID 0, seq 1
2021-02-23T08:21:43 charon[36693] 15[NET] <con1|2> sending packet: from 91.13.XXX.XX[500] to 80.187.XX.XXX[500] (540 bytes)
2021-02-23T08:21:43 charon[36693] 15[IKE] <con1|2> sending retransmit 1 of response message ID 0, seq 1
2021-02-23T08:21:39 charon[36693] 15[IKE] <con1|2> queueing INFORMATIONAL_V1 request as tasks still active
2021-02-23T08:21:39 charon[36693] 15[NET] <con1|2> received packet: from 80.187.XX.XXX[24073] to 91.13.XXX.XX[4500] (76 bytes)
2021-02-23T08:21:39 charon[36693] 15[NET] <con1|2> sending packet: from 91.13.XXX.XX[500] to 80.187.XX.XXX[500] (540 bytes)
2021-02-23T08:21:39 charon[36693] 15[ENC] <con1|2> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> selected peer config "con1"
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> looking for XAuthInitPSK peer configs matching 91.13.XXX.XX...80.187.XX.XXX[user1]
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> 80.187.XX.XXX is initiating a Aggressive Mode IKE_SA
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received DPD vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received Cisco Unity vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received XAuth vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received NAT-T (RFC 3947) vendor ID
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> received FRAGMENTATION vendor ID
2021-02-23T08:21:39 charon[36693] 15[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
2021-02-23T08:21:39 charon[36693] 15[NET] <2> received packet: from 80.187.XX.XXX[500] to 91.13.XXX.XX[500] (762 bytes)

But a few things in the service start-up worry me:

2021-02-23T08:26:19 charon[95870] 13[CFG] installing trap failed, remote address unknown
2021-02-23T08:26:19 charon[95870] 13[CFG] received stroke: route 'con1'
2021-02-23T08:26:19 charon[95870] 08[CFG] added configuration 'con1'
2021-02-23T08:26:19 charon[95870] 08[CFG] adding virtual IP address pool
2021-02-23T08:26:19 charon[95870] 08[CFG] received stroke: add connection 'con1'
2021-02-23T08:26:19 charon[95870] 00[JOB] spawning 16 worker threads
2021-02-23T08:26:19 charon[95870] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2021-02-23T08:26:19 charon[95870] 00[CFG] loaded 0 RADIUS server configurations
2021-02-23T08:26:19 charon[95870] 00[CFG] expanding file expression '/usr/local/etc/ipsec.secrets.opnsense.d/*.secrets' failed
2021-02-23T08:26:19 charon[95870] 00[CFG] loaded IKE secret for user2
2021-02-23T08:26:19 charon[95870] 00[CFG] loaded IKE secret for user1
2021-02-23T08:26:19 charon[95870] 00[CFG] loaded IKE secret for %any
2021-02-23T08:26:19 charon[95870] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2021-02-23T08:26:19 charon[95870] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2021-02-23T08:26:19 charon[95870] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2021-02-23T08:26:19 charon[95870] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2021-02-23T08:26:19 charon[95870] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2021-02-23T08:26:19 charon[95870] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2021-02-23T08:26:19 charon[95870] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2021-02-23T08:26:19 charon[95870] 00[KNL] unable to set UDP_ENCAP: Invalid argument
2021-02-23T08:26:19 charon[95870] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.1-RELEASE-p13-HBSD, amd64)
2021-02-23T08:26:19 charon[36693] 00[DMN] SIGINT received, shutting down

I don't know the meaning of:

  • unable to set UDP_ENCAP: Invalid argument
  • installing trap failed, remote address unknown

On the last point, I have the feeling that an interface may be missing.

Here is my ipsec.conf:

config setup
  uniqueids = yes

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel

  left = 91.13.XXX.XX
  right = %any

  leftid = 91.13.XXX.XX
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip =
  ike = aes256-sha1-ecp521,aes256-sha1-ecp384,aes256-sha1-ecp256,aes256-sha1-modp2048,aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  reqid = 1
  leftsubnet =
  esp = aes256-sha1,blowfish256-sha1,blowfish192-sha1,blowfish128-sha1,3des-sha1,cast128-sha1!
  auto = route

include ipsec.opnsense.d/*.conf

Looking at this config: would this still work with a changing IP address? Maybe another config would be better?

I hope someone can give me the right hints!
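As an added example (not from the thread, and not OPNsense or strongSwan code), here is a small Python script that reads a charon log excerpt like the one above, groups lines by IKE_SA and flags the pattern shown: the gateway's aggressive-mode reply is only ever retransmitted because the client never sends the third message. The sample log lines are constructed from the excerpt; the hint text reflects the iOS error quoted in the post.

```python
import re
from collections import defaultdict

# charon log line: "<timestamp> charon[<pid>] <thread>[<subsys>] <ike_sa?> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) charon\[\d+\] \d+\[[A-Z]+\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)

# Constructed sample modelled on the thread's excerpt (newest-first, as OPNsense shows it).
SAMPLE_LOG = """\
2021-02-23T08:21:50 charon[36693] 15[IKE] <con1|2> sending retransmit 2 of response message ID 0, seq 1
2021-02-23T08:21:43 charon[36693] 15[IKE] <con1|2> sending retransmit 1 of response message ID 0, seq 1
2021-02-23T08:21:39 charon[36693] 15[ENC] <con1|2> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> selected peer config "con1"
2021-02-23T08:21:39 charon[36693] 15[CFG] <2> looking for XAuthInitPSK peer configs matching 91.13.XXX.XX...80.187.XX.XXX[user1]
2021-02-23T08:21:39 charon[36693] 15[IKE] <2> 80.187.XX.XXX is initiating a Aggressive Mode IKE_SA
2021-02-23T08:21:39 charon[36693] 15[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
"""

def parse(text):
    """Group messages by IKE_SA number ('<2>' and '<con1|2>' are the same SA), oldest first."""
    by_sa = defaultdict(list)
    for line in reversed(text.splitlines()):          # undo newest-first display order
        m = LINE_RE.match(line.strip())
        if m and m.group("sa"):
            by_sa[m.group("sa").split("|")[-1]].append((m.group("ts"), m.group("msg")))
    return {sa: [msg for _, msg in sorted(ev, key=lambda t: t[0])] for sa, ev in by_sa.items()}

def diagnose(text):
    """Flag IKE_SAs whose aggressive-mode reply (message 2) was only ever retransmitted."""
    findings = {}
    for sa, msgs in parse(text).items():
        sent_reply = any("generating AGGRESSIVE response" in m for m in msgs)
        retransmits = sum(m.startswith("sending retransmit") for m in msgs)
        finished = any("IKE_SA" in m and "established" in m for m in msgs)
        if not (sent_reply and retransmits and not finished):
            continue
        cfg = next((m.split('"')[1] for m in msgs if m.startswith("selected peer config")), None)
        ident = None                                    # XAuth identity the client offered
        for m in msgs:
            hit = re.search(r"\[([^\]]*)\]$", m) if "peer configs matching" in m else None
            ident = hit.group(1) if hit else ident
        findings[sa] = {"config": cfg, "identity": ident, "retransmits": retransmits,
                        "hint": "client aborted after message 2 (iOS reports this as a wrong "
                                "shared secret); check the gateway identifier the client "
                                "expects as well as the PSK"}
    return findings

if __name__ == "__main__":
    for sa, finding in diagnose(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}: {finding}")
```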

I noticed my mistake. Maybe this could be helpful for others. Problems:

  • Selecting "My IP address" for "My identifier" is not a good idea if your internet connection changes IPs.
  • I wanted to build a setup to reuse existing VPN configs on several end devices. The identifier made me think. Indeed, the end devices seem to remember old identifiers (from my fritzbox) and don't connect to the OPNsense. Therefore the connection establishment timed out. A freshly set up account on a mobile device worked.

Now I will search for a solution to set up a gateway for the IPsec clients to route their traffic back to the internet. This should help me to circumvent censorship in another country.