IPSEC IKEV2 + LDAP authentication for mobile / roadwarrior clients

[DamnedLlama]

Hello,

I wanted to create an IPSEC VPN server that would be accessible without installing agents on the clients, and ideally would be compatible android and Windows.

For that, I thought I could use EAP-MSCHAPv2, but the tutorial in the docs is indicating only PSK authentication :
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html

So, is there a way to create an IPSEC connection for mobile client that could be authenticated by their LDAP login and passwords ?
Can I use let's encrypt certificates to avoid using a private CA ?

P.S. the new VPN:IPSEC:Connections interface is so confusing compared to what is now being called "Tunnel Settings"legacy""

[Monviech (Cedrik)]

I think you could use eap-radius. Then you need a radius server connected to an ldap backend. You could use freeRadius with OpenLDAP, or Microsoft Windows NPS if you have active directory.

You can use any certificate, but using a self signed CA one with long lifetime is the better choice imo. Because when Let's Encrypt changes their root CAs and you get one from a new CA, you have to roll out the new CA to all clients. If the clients are rather scattered and not centrally managed its a pain to reach everybody.

Also imo, using the Microsoft RAS client on Windows is very unreliable. And on Android you have to use Strongswan App most of the time. iOS and macOS doesnt accept IKE configuration payloads. If you want to use this professionally I suggest using alternative clients that aren't prone to failing all the time with hard to debug errors.

[DamnedLlama]

Thank you for your time.

I wish I could avoid using a radius server, as I can't make sure to have one.

Thanks for the heads up for the embedded clients in the OSes, my idea of having a VPN server for our org that encompasses Windows, Linux and MacOS seems to be difficult with OpnSense if the native clients are unstable.

To be fair, the whole point of this would be to have a simple and fast (to setup and connect to) VPN from scratch in case of DR, so maybe I should switch from having OpnSense do everything to having a dedicated VPN server behind the firewall to take care of that part ... Softether / something else ?

[Monviech (Cedrik)]

Opnsense uses Strongswan. Check the strongswan documentation (swanctl) for all the supported combinations of configurations, clients and strongswan.

Opnsense only uses existing open source solutions. Ipsec is always a challenge between different OSes.

Best most stable client I can suggest is NCP client for Windows and MacOS.