Ipsec ikev2 mutual psk how to setup

[robertkwild]

Hi all,

Im trying to set up ipsec ikev2 mutual psk on my opnsense fw

I've looked on Google and can only find how to set up mschapv2

Anyone know of any good how tos to do this

Thanks,
Rob

[BusinessTux]

Hi Rob,

perhaps Google didn't found https://docs.opnsense.org/manual/vpnet.html#ipsec

Ulf

[robertkwild]

I don't see ipsec ikev2 mutual psk in the list

[BusinessTux]

You can find it in the single how-tos as Phase 1 auth method

E.G. https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html I can.

[robertkwild]

I'm not after site to site I'm after site to remote clients

[BusinessTux]

As it looks, Mutual PSK is apparently only supported for IKEv1

https://docs.opnsense.org/manual/how-tos/ipsec-rw.html

[robertkwild]

thanks

looks like MS windows 10 only supports IKEv2 MSCHAPv2, bit of a bummer as the user needs to install a cert on there machine

[robertkwild]

do i need to import the CA or server cert to the remote user who wants to connect to my ipsec server?

[robertkwild]

Finally got it working by following the link you sent

One thing I didn't do was to untick block private networks as I thought that was a bad idea

Also I had to import my CA to my remote user otherwise I got a user error when trying to connect to vpn

[BusinessTux]

Finally got it working by following the link you sent

Great to hear.

One thing I didn't do was to untick block private networks as I thought that was a bad idea

Correct. This is only for internal lab without public ip addresses.

Also I had to import my CA to my remote user otherwise I got a user error when trying to connect to vpn

Yes. The computer of the remote user want to identify the vpn certificate and for this you have to trust your VPN-CA manually by importing the ca certificate.