Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Auth Failures - IPSec IKEv2 + Win11 EAP-MSCHAPv2
« previous
next »
Print
Pages: [
1
]
Author
Topic: Auth Failures - IPSec IKEv2 + Win11 EAP-MSCHAPv2 (Read 1193 times)
DavidRa
Newbie
Posts: 4
Karma: 1
Auth Failures - IPSec IKEv2 + Win11 EAP-MSCHAPv2
«
on:
December 29, 2022, 02:35:42 pm »
I've fallen at the final hurdle configuring my OPNsense to accept incoming IPSec "road warrior" Mobile Client connections. The intent is to use AD + TOTP - and under System > Access > Tester, I can successfully authenticate using username and passwordTOTP (I have it configured in "reverse" mode).
Reference versions:
OPNsense is 22.7.10_2
Windows is Win11 current
Android is StrongSwan app on Android 11
I've been following the combination of
https://docs.opnsense.org/manual/how-tos/ipsec-rw.html
for the OPNsense side and
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html#ikev2-eap-mschapv2-or-eap-radius
for the client.
Current Config - OPNsense (VPN > IPSec > Mobile Clients)
Enable: Checked
Backend for Authentication: Active Directory + TOTP (but I have also tried all other options I have incl AD alone, Local, and Local with TOTP)
Enforce local group: None
IPv4 Pool: Unique /24 subnet
IPv6 Pool: Unique /64 subnet
Network List: Checked
Save Xauth: Disabled
DNS Default Domain: Internal DNS suffix
DNS Servers: Internal DNS Server IPs
WINS: Unchecked
Phase 2 PFS: Off
Login Banner: Unchecked
Current Config - OPNsense - Phase 1 Selector
Disabled: Unchecked
Connection method: Respond only
Key Exchange version: V2
Internet Protocol: IPv4
Interface: CARP VIP on Internet Interface
Phase 1 Authentication
Authentication Method: EAP-MSCHAPv2
My identifier: Dynamic DNS (host.example.com)
Certificate: host.example.com (issued by OPNsense CA)
Phase 1 Algorithms
Encryption: AES 256
Hash: SHA 256
DH Group: 14
Lifetime: 28800
Advanced
Install policy: Checked
Disable Rekey: Unchecked
Disable Reauth: Unchecked
Tunnel Isolation: Unchecked
SHA256 96 bit truncation: Unchecked
NAT Traversal: Enable
Disable MOBIKE: Unchecked
Close Action: None
Dead Peer Detection: Checked (60 seconds, 5 retries)
Inactivity Timeout: 600
Keyingtries: Empty
Margintime: Empty
Rekeyfuzz: Empty
Current Config - OPNsense - Phase 2 Selector
Disabled: Unchecked
Mode: Tunnel IPv4
Local Network
Type: LAN subnet
Phase 2 Proposal
Protocol: ESP
Encryption algorithms: AES 256
Hash algorithms: SHA 256
PFS Key group: Off
Lifetime: 3600 seconds
Automatically ping host: Empty
On the client side, I've created a new IKEv2 connection following along the document above. However, Windows doesn't choose very secure Phase 1 and Phase 2 configurations, so I've forced the appropriate encryption and hashes:
Set-VpnConnectionIpsecConfiguration -ConnectionName VPN -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -DHgroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None
Prior to running that command, I was getting policy match errors which are now resolved. On the client, I get "username or password incorrect" and Event Viewer claims error -2143157998 which I think translates to 0x80420112? Doesn't seem to match error codes I recognise (often starting with 0x8007...).
Edit: Authentication failed. Thanks Windows, much useful. Very help.
Strongswan on the 'droid fares about the same, though obviously there's a more helpful log that tells me authentication failed.
I don't get any errors in the OPNsense ipsec log other than Auth Failed, which I would have expected - are there other logs I can look at here? Other suggestions for logs / log levels are appreciated.
«
Last Edit: December 30, 2022, 08:33:54 am by DavidRa
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Auth Failures - IPSec IKEv2 + Win11 EAP-MSCHAPv2