Author Topic: Difficulty getting IPSec EAP-RADIUS working on 21.7.7 with Windows 11  (Read 2545 times)

unquietwiki

Difficulty getting IPSec EAP-RADIUS working on 21.7.7 with Windows 11
« on: January 20, 2022, 10:22:00 am »
Hey all. Using instructions from https://docs.opnsense.org/manual/how-tos/ipsec-road.html & https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html, and a lot of trial-and-error with the cipher keys, I can connect my Windows 11 system to OPNsense. However, two issues remain...

1. I have FreeRADIUS set up to authenticate via LDAPS to an Active Directory server. However, while it authenticates in OPNsense, it gets password errors for VPN users. Making a local VPN user gets around this, but...

2. The client gets a subnet mask of 255.255.255.255. It's immediately unclear from the documentation if you need to use a dedicated IP range with a virtual IP, and/or routing rules to connect that to the LAN IP ranges (using IPv4 & IPv6 at the remote site).

I feel like this stuff may have been working before in the past, but maybe not now? Please advise. Thanks.

Added details...

1. Regarding the authentication issue, the error I see in the FreeRADIUS logs...

Quote
Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication)

2. Regarding the routing issue, I did see this in the IPsec log...

Quote
installing route failed: (VPN IPV6 ADDR)/128 via (WAN IPV4 GATEWAY) src (LAN IPV6 ADDR) dev em0
adding PF_ROUTE route failed

3. Regarding IPsec connectivity & the tutorials given, the default set of Windows ciphers doesn't neatly overlap with it and gives inconsistent behavior; reporting this to Microsoft. The default working CIPHER for EAP-RADIUS came out to be ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ

Microsoft report: https://aka.ms/AAfj0rb

is initiating an IKE_SA

Quote
received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

initiating a Main Mode IKE_SA

Quote
received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
« Last Edit: January 20, 2022, 11:42:16 am by unquietwiki »
Logged

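Issue 3 is about which proposals the Windows client offers versus what the server accepts. The two charon log lines quoted above are machine-parseable, and checking them against a policy shows the overlap problem directly: every proposal in the first list uses MODP_1024, so a server that only configures 2048-bit or elliptic-curve groups has no common proposal at all. The Python below (an added example, not code from the post or from OPNsense/strongSwan) parses those lines into their algorithm components, flags deprecated ones, and computes the intersection with a server proposal list that is a constructed assumption, not the tutorial's configuration.

```python
"""Parse strongSwan 'received proposals' log lines and check them against a policy.
Added example; the client lines are quoted from the forum post, the server list
and the weak-algorithm set are assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional

# Client proposals quoted in the post (first and second log excerpts).
FIRST_LINE = (
    "received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024"
)
MAIN_MODE_LINE = (
    "received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
)
# Constructed server policy (assumption for this example): modern algorithms only.
SERVER_LINE = (
    "configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256"
)
# Algorithms flagged as deprecated in this example's policy.
WEAK = {"3DES_CBC", "MODP_768", "MODP_1024", "MODP_1536"}


@dataclass(frozen=True)
class Proposal:
    proto: str
    enc: Optional[str] = None
    integ: Optional[str] = None
    prf: Optional[str] = None
    dh: Optional[str] = None
    esn: Optional[str] = None   # ESP only: EXT_SEQ / NO_EXT_SEQ


def _classify(token: str) -> str:
    """Map one algorithm token to its slot using strongSwan's naming conventions."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if token.endswith("EXT_SEQ"):
        return "esn"
    return "enc"


def parse_proposals(line: str) -> List[Proposal]:
    """Turn '...proposals: PROTO:ALG/ALG/..., PROTO:...' into Proposal records."""
    body = line.split("proposals:", 1)[1]
    result = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, algs = item.partition(":")
        slots = {"proto": proto}
        for token in algs.split("/"):
            slots[_classify(token)] = token
        result.append(Proposal(**slots))
    return result


def weak_components(p: Proposal) -> List[str]:
    """Components of a proposal that the policy considers deprecated."""
    return sorted(x for x in (p.enc, p.integ, p.prf, p.dh) if x in WEAK)


def negotiable(client: List[Proposal], server: List[Proposal]) -> List[Proposal]:
    """Proposals offered by the client that the server also configures (exact match)."""
    accepted = set(server)
    return [p for p in client if p in accepted]


if __name__ == "__main__":
    server = parse_proposals(SERVER_LINE)
    for label, line in (("first excerpt", FIRST_LINE), ("Main Mode excerpt", MAIN_MODE_LINE)):
        client = parse_proposals(line)
        print(f"{label}: {len(client)} proposals, {len(negotiable(client, server))} negotiable")
        for p in client:
            print(f"  {p.enc}/{p.integ}/{p.prf}/{p.dh}  weak={weak_components(p) or '-'}")
```

Running it shows why "trial-and-error" was needed: against a modern-only server list the first excerpt negotiates nothing, and the only proposals it can ever match all carry MODP_1024. The practical choice is therefore between accepting a 1024-bit group on the server side or changing the client's offered proposals, and a parser like this makes that trade-off visible from the logs rather than from repeated connection attempts.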