IPSec VPN Authentication broken after enabling LAN Interface

Started by phil300, March 19, 2025, 10:59:05 AM

Hi everyone!

I have a working IPSec VPN setup on my OPNsense firewall using EAP-RADIUS (with os-freeradius) for remote authentication. I can connect to the VPN using an Android phone (strongSwan app) and an iPhone (native VPN). When doing so I have no errors or any other problems (tunneling the traffic of the two phones via the firewall to the internet works fine).

However, the second I enable a second interface on the firewall (besides the WAN interface), namely the LAN interface, the IPSec VPN authentication is broken. I cannot connect to the VPN anymore and I get this error message:
IPSec Server Log:
2025-03-19T10:41:42 Informational charon 10[NET] <4> sending packet: from [Server-IP][500] to [Client-IP][18063] (36 bytes)
2025-03-19T10:41:42 Informational charon 10[ENC] <4> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-03-19T10:41:42 Informational charon 10[IKE] <4> no IKE config found for [Server-IP]...[Client-IP], sending NO_PROPOSAL_CHOSEN
2025-03-19T10:41:42 Informational charon 10[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2025-03-19T10:41:42 Informational charon 10[NET] <4> received packet: from [Client-IP][18063] to [Server-IP][500] (948 bytes)

Client log (Android, strongSwan):
[IKE] received NO_PROPOSAL_CHOSEN notify error
To fix this error I have to disable the interface again and reboot the firewall in order to make it work again. Just disabling the interface won't do the trick; I have to reboot the firewall too.
I also experienced the same error when I was enabling a WireGuard instance (while IPsec was already running). The same steps had to be taken in order to make it work again (disable the WireGuard instance, reboot the firewall).

Does someone have an idea what is wrong here?


swanctl.conf
# This file is automatically generated. Do not edit
connections {
    39d9b58e-7290-482d-b39d-1e0c811a7301 {
        proposals = aes256gcm16-sha256-modp2048
        unique = never
        aggressive = no
        version = 2
        mobike = no
        local_addrs = [FQDN firewall]
        encap = yes
        pools = pool66
        send_certreq = yes
        send_cert = always
        local-a9f4521c-0cb8-40f6-b59c-86e653dcab6a {
            round = 0
            auth = pubkey
            id = [FQDN firewall]
            certs = 67d7137dd4b4e.crt
        }
        remote-78c95231-b720-4a0b-8392-b327fe8dc97a {
            round = 0
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        children {
            a1173d91-1ede-4f93-a48c-ab99844b45d4 {
                esp_proposals = aes256gcm16-modp2048
                sha256_96 = no
                start_action = start
                close_action = start
                dpd_action = start
                mode = tunnel
                policies = yes
                local_ts = 0.0.0.0/0
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child a1173d91-1ede-4f93-a48c-ab99844b45d4
            }
        }
    }
}
pools {
    pool66 {
        addrs = 10.0.66.2/24
        dns = 1.1.1.1
    }
}
secrets {
}
# Include config snippets
include conf.d/*.conf


Versions:
OPNsense 25.1.3-amd64 (commit: 6aa1d97b1)
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16

os-freeradius: 1.9.27
strongswan: 5.9.14

I was able to make the IPSec VPN, with both interfaces enabled, work again after removing the FQDN from the setting: swanctl.conf -> connections -> local_addrs.
After this everything worked fine again without any authentication error messages.

I have created a GitHub issue because I believe this should not be the normal behaviour (https://github.com/opnsense/core/issues/8466).