Auth Failures - IPSec IKEv2 + Win11 EAP-MSCHAPv2

[DavidRa]

I've fallen at the final hurdle configuring my OPNsense to accept incoming IPSec "road warrior" Mobile Client connections. The intent is to use AD + TOTP - and under System > Access > Tester, I can successfully authenticate using username and passwordTOTP (I have it configured in "reverse" mode).

Reference versions:

• OPNsense is 22.7.10_2
• Windows is Win11 current
• Android is StrongSwan app on Android 11

I've been following the combination of https://docs.opnsense.org/manual/how-tos/ipsec-rw.html for the OPNsense side and https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html#ikev2-eap-mschapv2-or-eap-radius for the client.

Current Config - OPNsense (VPN > IPSec > Mobile Clients)

• Enable: Checked
• Backend for Authentication: Active Directory + TOTP (but I have also tried all other options I have incl AD alone, Local, and Local with TOTP)
• Enforce local group: None
• IPv4 Pool: Unique /24 subnet
• IPv6 Pool: Unique /64 subnet
• Network List: Checked
• Save Xauth: Disabled
• DNS Default Domain: Internal DNS suffix
• DNS Servers: Internal DNS Server IPs
• WINS: Unchecked
• Phase 2 PFS: Off
• Login Banner: Unchecked

Current Config - OPNsense - Phase 1 Selector

• Disabled: Unchecked
• Connection method: Respond only
• Key Exchange version: V2
• Internet Protocol: IPv4
• Interface: CARP VIP on Internet Interface
• Phase 1 Authentication
• Authentication Method: EAP-MSCHAPv2
• My identifier: Dynamic DNS (host.example.com)
• Certificate: host.example.com (issued by OPNsense CA)
• Phase 1 Algorithms
• Encryption: AES 256
• Hash: SHA 256
• DH Group: 14
• Lifetime: 28800
• Advanced
• Install policy: Checked
• Disable Rekey: Unchecked
• Disable Reauth: Unchecked
• Tunnel Isolation: Unchecked
• SHA256 96 bit truncation: Unchecked
• NAT Traversal: Enable
• Disable MOBIKE: Unchecked
• Close Action: None
• Dead Peer Detection: Checked (60 seconds, 5 retries)
• Inactivity Timeout: 600
• Keyingtries: Empty
• Margintime: Empty
• Rekeyfuzz: Empty

Current Config - OPNsense - Phase 2 Selector

• Disabled: Unchecked
• Mode: Tunnel IPv4
• Local Network
  
  • Type: LAN subnet
• Phase 2 Proposal
  
  • Protocol: ESP
  • Encryption algorithms: AES 256
  • Hash algorithms: SHA 256
  • PFS Key group: Off
  • Lifetime: 3600 seconds
• Automatically ping host: Empty

On the client side, I've created a new IKEv2 connection following along the document above. However, Windows doesn't choose very secure Phase 1 and Phase 2 configurations, so I've forced the appropriate encryption and hashes:

Set-VpnConnectionIpsecConfiguration -ConnectionName VPN -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -DHgroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None

Prior to running that command, I was getting policy match errors which are now resolved. On the client, I get "username or password incorrect" and Event Viewer claims error -2143157998 which I think translates to 0x80420112? Doesn't seem to match error codes I recognise (often starting with 0x8007...). Edit: Authentication failed. Thanks Windows, much useful. Very help.

Strongswan on the 'droid fares about the same, though obviously there's a more helpful log that tells me authentication failed.

I don't get any errors in the OPNsense ipsec log other than Auth Failed, which I would have expected - are there other logs I can look at here? Other suggestions for logs / log levels are appreciated.