How to configure IPsec for mobile clients new way (via connections)?

Started by heaveaxy, August 30, 2023, 09:13:28 AM

Hello there.
Version is:
OPNsense 23.7.2-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023

The documentation has no example of how to configure mobile-client IPsec the modern way, via "Connections".

I have an OPNsense installation on a public IP. A potential mobile client may be anywhere. So, this is what I have done:

SERVER SIDE CONFIGURATION

1. VPN - IPsec - Connections - Pools - add new one
Name - Local_addrs
Network - 192.168.202.0/24

2. VPN - IPsec - Connections - add new with following opts:
Version - IKEv2
Local address - public IP of opnsense (addr from WAN interface).
Remote address - [nothing]
Pools - Local_addrs
Description - TEST

3. VPN - IPsec - Pre-Shared Keys - add new one
Local Identifier - client1
Remote Identifier - [nothing]
Pre-Shared key - [some string]
Type - EAP

4. VPN - IPsec - Connections - TEST - add Local Authentication
Authentication - EAP-MSCHAPv2
Id - client1
EAP Id - client1
Certificates - "VPN Server" (I generated a root CA certificate and one for the server itself earlier)

5. VPN - IPsec - Connections - TEST - add Local Children
Mode - Tunnel
Policies - on
Start action - start
DPD action - clear
Local - 10.0.0.0/22 (LAN-attached network)
Remote - [nothing]

SAVE, APPLY

CLIENT SIDE CONFIGURATION

Using strongSwan app for Android.

Creating new connection:
Server address - typing the WAN IP of OPNsense.
VPN type - IKEv2 EAP (login/password)
Login - client1
Password - the same string as the PSK on OPNsense
CA Certificate - selecting the root CA cert generated on OPNsense (imported earlier)

Save. Try to connect...
[IKE] received AUTHENTICATION_FAILED notify error.

Can someone help, please? I'm not good at IPsec, so I think I am doing something wrong.
I tried with and without remote auth, with or without a certificate. Either way, authentication failed.
Configuring the mobile client the legacy way works fine.

Screenshots with configured things attached.

I'm working on this myself and I plan on writing a doc file when I fully understand how it's done. But it will take a while.

Because the Connections [New] Tab uses swanctl.conf, there are examples:

https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

The challenge is to convert these examples to work with the OPNsense GUI and connect all different clients (windows, linux, macos, android, ios...) to it.
Hardware:
DEC740

Thanks.
I succeeded in configuring IPsec the new way using the examples from here.

So, configuration is following (see screenshot attachments).
What I learned from the logs (and missed earlier) is that both authentications are required (local + remote). For local I use the "Public key" method; the certificate is usable here. For remote, I use the pre-defined PSK with type EAP.
On the mobile client side (I use strongSwan for Android) it is required to add the root CA and the server certificate to local storage and to specify the server's cert in the connection settings.
This works for me.

Looks good, I will try this out myself soon. Thanks for sharing.
Hardware:
DEC740

Thanks heaveaxy for sharing your config. I'm using RADIUS on the client side and cannot get it to work.
Here's my config:
- FreeRADIUS server on the "Mobile Clients" menu, as even if it's in the changelog, I cannot see any way to select a RADIUS server on the new "Connections" menu.
- Local Authorization to Public Key, with the public certificate of my server
- Remote Authorization to EAP-RADIUS, with no certificate selected.

When connecting, I get the following on the log:
loading EAP_RADIUS method failed

And I don't even see the auth request in the FreeRADIUS logs. I think the issue is that the RADIUS server is not correctly set up, as I cannot see the menu to select it.
With the legacy "Tunnel Settings" config everything works perfectly, with EAP-RADIUS on Phase1.


I got it working with eap-mschapv2.

Opnsense Side:
I did everything as in the screenshots above but modified some parameters:

- I disabled the default proposals in phase 1 and phase 2 and added aes256-sha256-modp2048

- What held me back was that I forgot to add the whole certificate chain into trust - certificate and trust - authorities on the opnsense.

- I also enabled "UDP encapsulation" and "Send cert req" and "Send certificate - Always".

- In the OPNsense firewall I made sure that UDP 500 and 4500 were allowed from any source port and any source IP to the external IP of the firewall.

Windows Side:
On the Windows side I found this config working after some intense log sifting:

The FQDN vpn.example.com has to match with the certificate the OPNsense offers.

Powershell:
Add-VpnConnection -Name "vpn" -ServerAddress vpn.example.com -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -DHGroup Group14 -PassThru -Force


In the future I'll probably add a step-by-step guide to the OPNsense docs.

https://forum.opnsense.org/index.php?topic=35840.0
Hardware:
DEC740
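Since the Connections tab is a front end for swanctl.conf, here is what heaveaxy's working setup (local "Public key" auth with the server certificate, remote EAP-MSCHAPv2 backed by a PSK entry of type EAP, the Local_addrs pool and the 10.0.0.0/22 child) plus the adjustments from the Windows post above (single aes256-sha256-modp2048 proposal, UDP encapsulation, send cert req, send certificate always) look like in plain strongSwan syntax. This is an added example written for this thread, not a file taken from OPNsense or from anyone's screenshots; the public IP 203.0.113.10, the certificate file name vpn-server.pem and the secret string are placeholders, and vpn.example.com is reused from the post above as the server identity.

```conf
# swanctl.conf equivalent of the GUI settings discussed in this thread.
# Values marked PLACEHOLDER must be replaced with your own.
connections {
    mobile {
        version = 2                        # Version - IKEv2
        local_addrs = 203.0.113.10         # PLACEHOLDER: WAN address of OPNsense
        # remote_addrs left unset: any road-warrior may connect
        pools = Local_addrs                # Pools - Local_addrs
        proposals = aes256-sha256-modp2048 # default proposals disabled, one explicit set
        encap = yes                        # "UDP encapsulation" (NAT-T even without NAT detection)
        send_certreq = yes                 # "Send cert req"
        send_cert = always                 # "Send certificate - Always"

        local {
            auth = pubkey                  # Local Authentication - Public key
            certs = vpn-server.pem         # PLACEHOLDER: server cert issued by the imported root CA
            id = vpn.example.com           # must match the SAN/CN of that certificate
        }
        remote {
            auth = eap-mschapv2            # Remote Authentication - EAP-MSCHAPv2
            eap_id = %any                  # accept any EAP identity; matched against secrets below
        }

        children {
            lan {
                mode = tunnel              # Mode - Tunnel
                local_ts = 10.0.0.0/22     # Local - LAN-attached network
                # remote_ts left at its default (dynamic): the client's pool address
                esp_proposals = aes256-sha256-modp2048
                start_action = none        # the server only responds, it never initiates
                dpd_action = clear         # DPD action - clear
            }
        }
    }
}

pools {
    Local_addrs {
        addrs = 192.168.202.0/24           # Network - 192.168.202.0/24
    }
}

secrets {
    # Pre-Shared Keys entry of Type EAP: the id is the EAP login the client sends
    eap-client1 {
        id = client1
        secret = "PLACEHOLDER-same-string-as-the-PSK"
    }
}
```

The two failure modes the thread ran into map directly onto this file: an AUTHENTICATION_FAILED notify when one of the `local` / `remote` sections is missing or the EAP `id` does not match the login the client uses, and certificate rejection when the issuing chain for `vpn-server.pem` is not fully imported under trust - authorities, because the client validates the server certificate against the root CA it was given.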

Quote from: chucksense on September 05, 2023, 01:09:50 PM
Thanks heaveaxy for sharing your config. I'm using RADIUS on the client side and cannot get it to work.
Here's my config:
- FreeRADIUS server on the "Mobile Clients" menu, as even if it's in the changelog, I cannot see any way to select a RADIUS server on the new "Connections" menu.
- Local Authorization to Public Key, with the public certificate of my server
- Remote Authorization to EAP-RADIUS, with no certificate selected.

When connecting, I get the following on the log:
loading EAP_RADIUS method failed

And I don't even see the auth request on the FreeRADIUS logs. I think the issue is that the RADIUS server is not correctly set up, as I cannot see the menu to select it.
With the legacy "Tunnel Settings" config everything works perfectly, with EAP-RADIUS on Phase1.

Hello. Take a look here https://github.com/opnsense/core/issues/6602#issuecomment-1622443985
I disabled "legacy" today and configured via connections.