Auth Failures - IPSec IKEv2 + Win11 EAP-MSCHAPv2

Started by DavidRa, December 29, 2022, 02:35:42 PM

December 29, 2022, 02:35:42 PM Last Edit: December 30, 2022, 08:33:54 AM by DavidRa
I've fallen at the final hurdle configuring my OPNsense to accept incoming IPSec "road warrior" Mobile Client connections. The intent is to use AD + TOTP - and under System > Access > Tester, I can successfully authenticate using username and passwordTOTP (I have it configured in "reverse" mode).

Reference versions:

  • OPNsense is 22.7.10_2
  • Windows is Win11 current
  • Android is StrongSwan app on Android 11

I've been following the combination of https://docs.opnsense.org/manual/how-tos/ipsec-rw.html for the OPNsense side and https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html#ikev2-eap-mschapv2-or-eap-radius for the client.

Current Config - OPNsense (VPN > IPSec > Mobile Clients)

  • Enable: Checked
  • Backend for Authentication: Active Directory + TOTP (but I have also tried all other options I have incl AD alone, Local, and Local with TOTP)
  • Enforce local group: None
  • IPv4 Pool: Unique /24 subnet
  • IPv6 Pool: Unique /64 subnet
  • Network List: Checked
  • Save Xauth: Disabled
  • DNS Default Domain: Internal DNS suffix
  • DNS Servers: Internal DNS Server IPs
  • WINS: Unchecked
  • Phase 2 PFS: Off
  • Login Banner: Unchecked

Current Config - OPNsense - Phase 1 Selector

  • Disabled: Unchecked
  • Connection method: Respond only
  • Key Exchange version: V2
  • Internet Protocol: IPv4
  • Interface: CARP VIP on Internet Interface
  • Phase 1 Authentication
    • Authentication Method: EAP-MSCHAPv2
    • My identifier: Dynamic DNS (host.example.com)
    • Certificate: host.example.com (issued by OPNsense CA)
  • Phase 1 Algorithms
    • Encryption: AES 256
    • Hash: SHA 256
    • DH Group: 14
    • Lifetime: 28800
  • Advanced
    • Install policy: Checked
    • Disable Rekey: Unchecked
    • Disable Reauth: Unchecked
    • Tunnel Isolation: Unchecked
    • SHA256 96 bit truncation: Unchecked
    • NAT Traversal: Enable
    • Disable MOBIKE: Unchecked
    • Close Action: None
    • Dead Peer Detection: Checked (60 seconds, 5 retries)
    • Inactivity Timeout: 600
    • Keyingtries: Empty
    • Margintime: Empty
    • Rekeyfuzz: Empty

Current Config - OPNsense - Phase 2 Selector

  • Disabled: Unchecked
  • Mode: Tunnel IPv4
  • Local Network
    • Type: LAN subnet
  • Phase 2 Proposal
    • Protocol: ESP
    • Encryption algorithms: AES 256
    • Hash algorithms: SHA 256
    • PFS Key group: Off
    • Lifetime: 3600 seconds
  • Automatically ping host: Empty

On the client side, I've created a new IKEv2 connection following along the document above. However, Windows doesn't choose very secure Phase 1 and Phase 2 configurations, so I've forced the appropriate encryption and hashes:

Set-VpnConnectionIpsecConfiguration -ConnectionName VPN -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -DHgroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None

Prior to running that command, I was getting policy match errors which are now resolved. On the client, I get "username or password incorrect" and Event Viewer claims error -2143157998 which I think translates to 0x80420112? Doesn't seem to match error codes I recognise (often starting with 0x8007...). Edit: Authentication failed. Thanks Windows, much useful. Very help.

Strongswan on the 'droid fares about the same, though obviously there's a more helpful log that tells me authentication failed.

I don't get any errors in the OPNsense ipsec log other than Auth Failed, which I would have expected - are there other logs I can look at here? Other suggestions for logs / log levels are appreciated.