Mobile IPsec with TOTP

Started by atom, March 17, 2022, 02:30:18 PM

Hello,

I would like to know if anyone has got Mobile IPsec working with TOTP (Windows 10 native vpn client)

- TOTP for login (SSH/GUI)              -> works
- Mobile IPsec with Mutual RSA          -> works
- Mobile IPsec with EAP-MSCHAPv2        -> works

Only Mobile IPsec with EAP-MSCHAPv2 + TOTP does not work.
Can it be because the "IPsec Pre-Shared Key" at the user can only be PSK and not EAP?

Greetings,
atom

Update:

I've manually created the ipsec.secrets file in /usr/local/etc/ipsec.secrets.opnsense.d.
The possibility to select TOTP as "backend for authentication" is just fake. Only the password from /usr/local/etc/ipsec.secrets.opnsense.d/ipsec.secrets is sufficient to authenticate on Windows.

This only works with an external solution capable of EAP

Do you have an example of an external solution?

You need to set EAP-RADIUS and use an OTP solution offering RADIUS.

Do you know an OTP solution that offers RADIUS?

FreeRADIUS can do that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Quote from: mimugmail on March 18, 2022, 04:42:50 PM
    Quote from: pmhausen on March 18, 2022, 11:18:46 AM
        FreeRADIUS can do that.

    With TOTP?  :o

Sure - there are a couple of possible plugins. I only implemented HOTP in production, but the process was not that complicated if you know your way around FreeRADIUS.

Take for example: https://github.com/lark/vpn-otp

Note that I claimed neither "out of the box" nor "on OPNsense". But certainly with OPNsense connected to an external RADIUS instance.

Alternatively in a corporate environment you might want to look into Microsoft's Internet Authentication Server and possibly plugins for that.

HTH,
Patrick
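The thread only says that an external RADIUS server with an OTP module is the way to get TOTP in front of Mobile IPsec, without showing what such a backend actually checks. The block below is an added example, not code from the thread, from OPNsense or from the linked vpn-otp project: it implements RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and the check a RADIUS OTP module typically performs, which is an assumption here, namely that the client sends its static password with the OTP appended and the server splits the two, verifies the static part, verifies the OTP within a drift window of one step, and refuses to accept the same time step twice (replay protection). The user table is constructed sample data; the secret is the RFC 6238 test key. One caveat the thread does not spell out: EAP-MSCHAPv2 is a challenge/response scheme, so a RADIUS server never sees the submitted cleartext password; a module that supports MS-CHAPv2 has to compute the expected response for every candidate OTP in the window instead of comparing strings, or you use an EAP method that carries the password in the clear inside the TLS tunnel.

```python
"""Added example: TOTP/HOTP verification as a RADIUS OTP backend would do it.

Assumptions (not from the thread): password+OTP concatenation, 6 digits,
SHA-1, 30 s step, +/-1 step drift, replay protection by last used counter.
"""
import hashlib
import hmac
import struct

STEP = 30          # RFC 6238 default time step in seconds
DIGITS = 6         # most authenticator apps default to 6 digits
DRIFT = 1          # accept codes from the previous and next step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_counter(secret: bytes, code: str, at: int, drift: int = DRIFT,
                  step: int = STEP, digits: int = DIGITS):
    """Return the time-step counter the code is valid for, or None.

    Every candidate is compared with compare_digest so the check takes the
    same time whether the code matches the first or the last window entry.
    """
    if len(code) != digits or not code.isdigit():
        return None
    now = at // step
    found = None
    for c in range(now - drift, now + drift + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            found = c
    return found


def split_password(submitted: str, digits: int = DIGITS):
    """Static password followed by the OTP, the usual RADIUS OTP convention (assumed)."""
    if len(submitted) <= digits:
        return None
    return submitted[:-digits], submitted[-digits:]


def make_users() -> dict:
    """Constructed sample user table; the secret is the RFC 6238 test key."""
    return {
        "alice": {
            "password": "correct-horse",
            "secret": b"12345678901234567890",
            "last_counter": -1,   # highest time step already accepted
        }
    }


def check_user(users: dict, username: str, submitted: str, at: int) -> bool:
    """Full check: user exists, static password matches, OTP valid, not replayed."""
    rec = users.get(username)
    if rec is None:
        return False
    parts = split_password(submitted)
    if parts is None:
        return False
    static, otp = parts
    # Evaluate both factors before deciding so a wrong password does not
    # short-circuit the OTP work and leak which factor failed via timing.
    pw_ok = hmac.compare_digest(static.encode(), rec["password"].encode())
    counter = match_counter(rec["secret"], otp, at)
    if counter is None or not pw_ok:
        return False
    if counter <= rec["last_counter"]:
        return False          # replay: this step (or an older one) was already used
    rec["last_counter"] = counter
    return True


if __name__ == "__main__":
    users = make_users()
    t = 1111111109          # RFC 6238 test time; expected 6-digit code 081804
    code = totp(users["alice"]["secret"], t)
    print("code", code)
    print("first use ", check_user(users, "alice", "correct-horse" + code, t))
    print("replay    ", check_user(users, "alice", "correct-horse" + code, t))
    print("bad pass  ", check_user(users, "alice", "wrong-horse" + code, t))
```

Run it stand-alone to see the RFC test vector, one accepted login, the replay rejection and the bad-password rejection. A real FreeRADIUS module would keep the last accepted counter per user in persistent storage shared by all RADIUS workers; a per-process dict like the one above would let a replayed code through on another worker.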