[How To] IPsec VPN using Mobile clients

Started by dcol, March 14, 2023, 10:12:10 PM

March 14, 2023, 10:12:10 PM Last Edit: March 16, 2023, 11:08:42 PM by dcol
After weeks of testing, with still a few unanswered areas, I finally have a stable 24/7 setup guide that has been tested for days now. Thought I would share with all the users who have helped me. Here is the setup guide.

These are the complete settings I used for a working 24/7 VPN connection to a native Windows 10 client.
Any setting not mentioned here is the default. Variations may work; use at your own risk.
For this example, my firewall LAN is 192.168.150.0/24, remote LAN is 192.168.1.0/24, FQDN is firewall.opnsense.com, hostname is firewall.
Substitute my firewall subnet and FQDN with yours.
The firewall LAN will be providing the data to the remote VPN users. I assume you know how to set up shares.
Best to have firewall and remote on different subnets, which is why I chose a rarely used local subnet for the firewall.

Install Certificate Trust>Authorities
  Descriptive Name: VPN-ca (name can be anything)
  Method: Create internal Certificate Authority
  Digest Algorithm: SHA256
  Lifetime: 3650 (I used 10 years, can be any length)
  Country Code: (Fill in this and the rest with your info)
  Common Name: VPN-ca
This is the cert to be exported for import to the Windows client

Install Certificate Trust>Certificates
  Method: Create internal Certificate Authority
  Descriptive Name: VPN
  Certificate Authority: VPN-ca
  Type: Server Certificate
  Digest Algorithm: SHA256
  Lifetime: 3650
  Common Name: firewall (use your hostname)
  Alternative Names: Type: DNS Value: firewall.opnsense.com (Use your FQDN)
 
Go to VPN>IPsec>Mobile Clients
  Enable - checked - check to enable mobile clients
  User Authentication - Local Database
  Group Authentication - none
  Virtual Address Pool - (Enter the IP range for the remote VPN clients, ie 10.4.4.0/24)
  DNS Default Domain - checked - firewall.opnsense.com (Use your FQDN)
  DNS Servers - 1.1.1.1 - 8.8.8.8 (plus any from your ISP)
  Phase 2 PFS Group - 14 (2048 bits)
  Login Banner - Welcome users (Can be anything, Optional)
Save

Create Phase1

Phase 1 Mobile Clients
  Phase 1 General information
    Connection method - default
    Key Exchange version - V2
    Internet Protocol - IPv4
    Interface - WAN
    Description - MobileIPsec
  Phase 1 proposal (Authentication)
    Authentication method - EAP-MSCHAPv2
    My identifier - Distinguished Name - firewall.opnsense.com (Use your FQDN)
    My Certificate - VPN
   Phase 1 proposal (Algorithms)
    Encryption algorithm - AES-256
    Hash algorithm - SHA256
    DH key group - 14(2048 bits)
    Lifetime - 28800
  Advanced Options
    Install policy - checked
    NAT Traversal - Enable
    Close Action - None
    Unique - Replace
    Dead Peer Detection - 45 seconds - 5 Retries - Restart the tunnel
    Keyingtries - 10
Save your settings.

Phase 2 Mobile Clients
Press the button + in front of the phase 1 entry to add a new phase 2.
  General information
    Mode - Tunnel IPv4
    Description - MobileIPsecP2
  Local Network
    Local Network - Address - 192.168.150.0/24
  Phase 2 proposal (SA/Key Exchange)
    Protocol - ESP
    Encryption algorithms - AES256
    Hash algorithms - SHA256
    PFS Key group - off
    Lifetime - 3000 sec
Create 2nd Phase 2 same as previous Phase 2 except
    Local Network - Network - (same as Virtual Address Pool above, ie. 10.4.4.0/24)
  Enable IPsec and Save
Restart IPsec Service

Advanced Settings
  Disable Auto-added VPN Rules - Disable (Checked) - Optional; if disabled, use the rules below
    Rules to add if Auto-added rules are disabled -  add to WAN (Firewall>Rules>WAN)
      1. Protocol: ESP  Destination: WAN address (IPsec ESP)
      2. Protocol: UDP  Destination: WAN address  Dest Port: 500 (IPsec ISAKMP)
      3. Protocol: UDP  Destination: WAN address  Dest Port: 4500 (IPsec NAT-T)
  Passthrough networks - (Add all local and remote/peer LAN networks here)

Add this rule in Firewall>Rules>IPsec
  TCP/IP Version: IPv4   Protocol: *   Source: *   Port: *   Destination: LAN net   Port: *   Gateway: *   Schedule: *

Add IPsec Users
Go to VPN>IPsec>Pre-Shared Keys and press Add.
  Local Identifier - (VPN Username to use in client)
  Remote Identifier - (VPN Username to use in client)
  Pre-Shared Key -  (VPN password to use in client)
   Type - EAP
Save to apply.

Setup Windows Client
Get exported CA cert (VPN-ca.crt) from OPNsense and copy to Temp folder
Run Powershell as admin on the Windows client
cd /temp
run the following (Use your FQDN instead of firewall.opnsense.com and your VPN Name instead of VPN)

Import-Certificate -FilePath "VPN-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\
Add-VpnConnection -Name "VPN" -TunnelType "Ikev2" -RememberCredential -EncryptionLevel Required `
-ServerAddress firewall.opnsense.com -DnsSuffix "firewall.opnsense.com" -PassThru
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" `
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
-CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 -PfsGroup PFS2048 `
-PassThru -Force
Set-VpnConnection -Name "VPN" -SplitTunneling $True
Add-VpnConnectionRoute -Name "VPN" -DestinationPrefix 192.168.150.0/24


To view existing routes run in PS - (Get-VpnConnection -ConnectionName 'VPN').Routes
To view the configuration run in PS - Get-VpnConnection -ConnectionName 'VPN'

When starting the Windows VPN client, the Username and Password (above) will be required only the first time you connect.
Of course you need to set up shares on the firewall side that the remote peers can get to.
If you want to share entire disks, make sure that the server allows direct paths, C$,D$ etc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DWORD(32 bit): LocalAccountTokenFilterPolicy = 1
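The client-side steps above (CA import, connection creation, IPsec policy, split tunnel, route) collected into one re-runnable script with the checks a practitioner would want before trusting the tunnel. This is an added example, not code from the original post; the names VPN, firewall.opnsense.com, C:\Temp\VPN-ca.crt and 192.168.150.0/24 are assumptions taken from the post's example values and must be replaced with your own. It deliberately leaves out the LocalAccountTokenFilterPolicy change: setting that value to 1 disables UAC remote restrictions for local accounts on the file server, which widens exposure beyond what the VPN itself needs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumed values, replace with yours:
#   $Name    - Windows VPN connection name
#   $Fqdn    - firewall FQDN; must equal the DNS SAN of the server certificate
#   $CaPath  - exported CA certificate (public part only) from Trust>Authorities
#   $LanCidr - firewall LAN to be reached through the tunnel
param(
    [string]$Name    = 'VPN',
    [string]$Fqdn    = 'firewall.opnsense.com',
    [string]$CaPath  = 'C:\Temp\VPN-ca.crt',
    [string]$LanCidr = '192.168.150.0/24'
)
$ErrorActionPreference = 'Stop'

# 1. Trust the CA in the machine Root store. The RAS service validates the
#    IKEv2 server certificate in the machine context, so CurrentUser\Root
#    would not be consulted. Only import if the thumbprint is not there yet.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath
if ($ca.HasPrivateKey) { throw "$CaPath carries a private key; export only the CA certificate, never the key." }
$present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $present) {
    Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}
Write-Host ("Trusted CA: {0}  thumbprint {1}  expires {2}" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter.ToShortDateString())

# 2. Create the IKEv2 connection only once; re-runs just refresh the policy.
#    The post relies on the IKEv2 default authentication (EAP) to match the
#    firewall's EAP-MSCHAPv2 setting; -RememberCredential caches the EAP
#    username/password after the first successful connect.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Fqdn -TunnelType Ikev2 `
        -EncryptionLevel Required -RememberCredential -DnsSuffix $Fqdn | Out-Null
}

# 3. Pin the proposal to what the firewall offers (IKE: AES-256 / SHA-256 /
#    DH group 14; ESP: AES-256 / SHA-256-128 / PFS 2048). Without a custom
#    policy the client proposes the Windows defaults, which may include
#    algorithms the firewall was not configured to accept. -Force skips the
#    confirmation prompt.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -Force `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048

# 4. Split tunnel: only the firewall LAN is routed through the tunnel, the
#    rest of the client's traffic stays on its local default route.
Set-VpnConnection -Name $Name -SplitTunneling $true
$existing = (Get-VpnConnection -Name $Name).Routes | ForEach-Object { $_.DestinationPrefix }
if ($existing -notcontains $LanCidr) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $LanCidr | Out-Null
}

# 5. Pre-flight: the FQDN must resolve before IKE can even start, and the
#    resulting connection object should reflect the pinned policy.
if (-not (Resolve-DnsName $Fqdn -Type A -ErrorAction SilentlyContinue)) {
    Write-Warning "$Fqdn does not resolve from this client; the VPN will fail before IKE starts."
}
$vpn = Get-VpnConnection -Name $Name
[pscustomobject]@{
    Name        = $vpn.Name
    Server      = $vpn.ServerAddress
    TunnelType  = $vpn.TunnelType
    Auth        = ($vpn.AuthenticationMethod -join ', ')
    SplitTunnel = $vpn.SplitTunneling
    Routes      = (($vpn.Routes | ForEach-Object { $_.DestinationPrefix }) -join ', ')
    IPsecPolicy = $vpn.IPsecCustomPolicy
}
```

Run it once from an elevated PowerShell; it is safe to run again after changing the firewall's proposal, since every step checks before it changes anything. Connect with `rasdial VPN <user> <password>` (or the Settings UI) and confirm with `Get-VpnConnection -Name VPN | Select-Object ConnectionStatus` that the status is Connected before testing shares.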



Hello,

So I have been following a mix of this and https://docs.opnsense.org/manual/vpnet.html#road-warriors-mobile-users. Unfortunately I have not been able to get the connection working. Do you know if there are any articles or youtube videos that show how to get this setup? Seems like there is something I am missing that is not really pointed out here. Thank you again for all your help.