How to setup an IPsec remote VPN using OPNsense 25.7.4?

Started by Tamas Halmai, October 10, 2025, 04:26:46 PM

Dear OPNsense Forum Members,

Although I am a newbie to the OPNsense world, I have succeeded in setting up my first OPNsense NAT/FW...

So far so good, but as a last step I also would like to enable an IPsec based VPN server to terminate IPsec tunnels from my remote Apple devices (iPhone/iMac) on the OPNsense device.

Unfortunately I am stuck at this moment because the documentation I could find wrt. this configuration option is based on an earlier firmware version, which differs from my OPNsense 25.7.4 GUI :-(.

Could one of you please help me out with a relevant step-by-step instruction?

Thanks in advance,

Tamas Halmai

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html

Keep in mind it's an advanced configuration; you will need some IPsec knowledge.

Using OpenVPN or Wireguard is strongly advised if you are an IPsec beginner.
Hardware:
DEC740

Dear Cedrick,


Thanks for your reply, but my headache still exists because the article you quote seems to be an obsolete one (actually, I do not see a good match with the configuration options made available in the OPNsense 25.7.4 GUI that I am running... :-()

Best regards,

Tamas Halmai


Dear Cedrik,

Thanks for your reply and sharing a new pointer.

I have made the attempt to develop a working IPsec IKE2 RemoteWarrior setup based on your input, but still no joy :-(

I can see 3 different issues:
1) Your new tech note only partially covers the OPNsense 25.7.4 GUI options. For instance, these parameters are not in the new GUI:
- UDP encapsulation
- Rekey time
- DPD delay
- Send certificate
- Keyingtries
2) In the Packet Capture I can see that ISAKMP negotiation starts, but OPNsense is rejecting the proposal sent by my iPhone (or it is not compatible with your selected aes256-sha256-modp2048 cipher). According to your experience, what other cipher could I try?
3) The IPsec Log file is completely empty. Could you advise how to enable logging, because it is very difficult to make the next step without that?

Thanks in advance,

Tamas Halmai

October 12, 2025, 12:43:57 PM #5 Last Edit: October 12, 2025, 12:49:26 PM by Monviech (Cedrik)
1. Enable "advanced mode"
2. You need the logs for that to see what the iPhone offers as proposals and then select the correct one to match it
3. Select Debug level in the Log File overview

Don't forget to enable IPsec, otherwise nothing happens.

Thank you.

The logging issue is partially solved (still not the advanced mode) and this is what I can see (similar info as in the pcap file):
2025-10-12T13:02:41   Informational   charon    12[NET] <9> sending packet: from SSS.SSS.SSS.SSS[500] to CCC.CCC.CCC.CCC[32674] (36 bytes)
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2025-10-12T13:02:41   Informational   charon    12[IKE] <9> no IKE config found for SSS.SSS.SSS.SSS...CCC.CCC.CCC.CCC, sending NO_PROPOSAL_CHOSEN
2025-10-12T13:02:41   Informational   charon    12[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T13:02:41   Informational   charon    12[NET] <9> received packet: from CCC.CCC.CCC.CCC[32674] to SSS.SSS.SSS.SSS[500] (370 bytes)


- Is the "no IKE config found for SSS.SSS.SSS.SSS" log entry created because no matching cipher was found?
- Could you tell me how to enable advanced logging?

Thanks in advance,

Tamas Halmai


Dear Cedrick,

I could make progress with ISAKMP Phase1 negotiation and enabling detailed logging:

2025-10-12T18:31:05   Informational   charon    15[MGR] checkin and destroy of IKE_SA successful
2025-10-12T18:31:05   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3] state change: CONNECTING => DESTROYING
2025-10-12T18:31:05   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin and destroy IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3]
2025-10-12T18:31:05   Informational   charon    15[JOB] <59779880-550b-4859-bb8b-d5627b6f431b|3> deleting half open IKE_SA with SSS.SSS.SSS.SSS after timeout
2025-10-12T18:31:05   Informational   charon    15[MGR] IKE_SA 59779880-550b-4859-bb8b-d5627b6f431b[3] successfully checked out
2025-10-12T18:31:05   Informational   charon    15[MGR] checkout IKEv2 SA with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[MGR] <59779880-550b-4859-bb8b-d5627b6f431b|3> checkin IKEv2 SA 59779880-550b-4859-bb8b-d5627b6f431b[3] with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[NET] <59779880-550b-4859-bb8b-d5627b6f431b|3> sending packet: from DDD.DDD.DDD.DDD[4500] to SSS.SSS.SSS.SSS[6308] (400 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <59779880-550b-4859-bb8b-d5627b6f431b|3> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> authentication of 'ipsec-cert....' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> peer supports MOBIKE
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_DNS_DOMAIN attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_DNS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_DHCP attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP6_ADDRESS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_DNS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_DHCP attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_NETMASK attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> processing INTERNAL_IP4_ADDRESS attribute
2025-10-12T18:30:35   Informational   charon    15[IKE] <59779880-550b-4859-bb8b-d5627b6f431b|3> initiating EAP_IDENTITY method (id 0x00)
2025-10-12T18:30:35   Informational   charon    15[CFG] <59779880-550b-4859-bb8b-d5627b6f431b|3> selected peer config '59779880-550b-4859-bb8b-d5627b6f431b'
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> looking for peer configs matching DDD.DDD.DDD.DDD[ipsec-cert....]...SSS.SSS.SSS.SSS[xyz@ipsec...]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote endpoint changed from SSS.SSS.SSS.SSS[6306] to SSS.SSS.SSS.SSS[6308]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> local endpoint changed from DDD.DDD.DDD.DDD[500] to DDD.DDD.DDD.DDD[4500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
2025-10-12T18:30:35   Informational   charon    15[NET] <3> received packet: from SSS.SSS.SSS.SSS[6308] to DDD.DDD.DDD.DDD[4500] (416 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] IKE_SA (unnamed)[3] successfully checked out
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[MGR] <3> checkin of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[MGR] <3> checkin IKEv2 SA (unnamed)[3] with SPIs eee5fb4a39b3e4ca_i bcfba16a6d9722fa_r
2025-10-12T18:30:35   Informational   charon    15[NET] <3> sending packet: from DDD.DDD.DDD.DDD[500] to SSS.SSS.SSS.SSS[6306] (557 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R13"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R12"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=NL, ST=Zuid-Holland, L=The Hague, O=Halmai, OU=Home IT, E=thalmai@ossinvent.com, CN=intermediate-ca"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> sending cert request for "C=NL, ST=Zuid-Holland, L=The Hague, O=Halmai, OU=Home IT, E=thalmai@ossinvent.com, CN=root-ca"
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote endpoint changed from 0.0.0.0 to SSS.SSS.SSS.SSS[6306]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> local endpoint changed from 0.0.0.0[500] to DDD.DDD.DDD.DDD[500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T18:30:35   Informational   charon    15[NET] <3> received packet: from SSS.SSS.SSS.SSS[6306] to DDD.DDD.DDD.DDD[500] (562 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] created IKE_SA (unnamed)[3]
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r
2025-10-12T18:30:35   Informational   charon    15[MGR] checkin and destroy of IKE_SA successful
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
2025-10-12T18:30:35   Informational   charon    15[MGR] <2> checkin and destroy IKE_SA (unnamed)[2]
2025-10-12T18:30:35   Informational   charon    15[NET] <2> sending packet: from DDD.DDD.DDD.DDD[500] to SSS.SSS.SSS.SSS[6306] (38 bytes)
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method in received payload ECP_256 doesn't match negotiated MODP_2048
2025-10-12T18:30:35   Informational   charon    15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> SSS.SSS.SSS.SSS is initiating an IKE_SA
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> remote endpoint changed from 0.0.0.0 to SSS.SSS.SSS.SSS[6306]
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> local endpoint changed from 0.0.0.0[500] to DDD.DDD.DDD.DDD[500]
2025-10-12T18:30:35   Informational   charon    15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-10-12T18:30:35   Informational   charon    15[NET] <2> received packet: from SSS.SSS.SSS.SSS[6306] to DDD.DDD.DDD.DDD[500] (370 bytes)
2025-10-12T18:30:35   Informational   charon    15[MGR] created IKE_SA (unnamed)[2]
2025-10-12T18:30:35   Informational   charon    15[MGR] checkout IKEv2 SA by message with SPIs eee5fb4a39b3e4ca_i 0000000000000000_r

but unfortunately I cannot get past this point and establish a stable IPsec tunnel :-(

Could you please take a quick look and let me know how to proceed?


Thank you,

Tamas Halmai

2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method in received payload ECP_256 doesn't match negotiated MODP_2048

Try leaving "Proposals" on "Default" in Connection and Children.

In Connection use the advanced mode toggle and set "Source Port" and "Remote Port" on "4500" and enable "UDP encapsulation".


Also I will not troubleshoot this with you until it's working. I stated above that this configuration is advanced and needs prior IPsec knowledge. Please use OpenVPN (intermediate) or Wireguard (Easy Peasy) instead if possible.
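Added example (my own, not code from this thread or from the OPNsense project): a small Python triage of the charon lines posted above, which restores chronological order from the newest-first log view, groups lines by IKE_SA number and maps each key message to what it means: "no IKE config found" is strongSwan finding no connection for that address pair, the ECP_256 line is a DH-group mismatch answered with INVALID_KE_PAYLOAD, and the half-open timeout after the EAP identity request means the client never replied. The sample log is a constructed, shortened copy of the lines in this thread, and the cause suggested for that last case (the client not accepting the server certificate) is a common one, not a certainty.

```python
import re
from collections import OrderedDict
# Constructed sample: a shortened copy of the charon lines from this thread, kept in the
# newest-first order of the OPNsense log viewer. SSS/CCC/DDD are the thread's placeholders.
SAMPLE_LOG = """\
2025-10-12T18:31:05   Informational   charon    15[JOB] <59779880-550b-4859-bb8b-d5627b6f431b|3> deleting half open IKE_SA with SSS.SSS.SSS.SSS after timeout
2025-10-12T18:30:35   Informational   charon    15[ENC] <59779880-550b-4859-bb8b-d5627b6f431b|3> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-10-12T18:30:35   Informational   charon    15[IKE] <3> remote host is behind NAT
2025-10-12T18:30:35   Informational   charon    15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2025-10-12T18:30:35   Informational   charon    15[IKE] <2> key exchange method ECP_256 unacceptable, requesting MODP_2048
2025-10-12T13:02:41   Informational   charon    12[IKE] <9> no IKE config found for SSS.SSS.SSS.SSS...CCC.CCC.CCC.CCC, sending NO_PROPOSAL_CHOSEN
"""

# timestamp, level, "charon", thread[subsystem], optional <uuid|N> or <N> SA tag, message
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+charon\s+\d+\[(\w+)\]\s+(?:<(?:[^|>]*\|)?(\d+)>\s+)?(.*)$")

# (pattern on the message, stage reached, meaning): 0-1 fail in IKE_SA_INIT, 2-4 reach IKE_AUTH, 5 = peer went silent
RULES = [
    (re.compile(r"no IKE config found"), 0,
     "no connection matches this address pair: IPsec not enabled or no connection on this interface"),
    (re.compile(r"key exchange method (\S+) unacceptable, requesting (\S+)"), 1,
     "DH group mismatch ({0} offered, {1} configured): INVALID_KE_PAYLOAD sent, client retries with {1}"),
    (re.compile(r"selected proposal: (\S+)"), 2, "IKE proposal agreed: {0}"),
    (re.compile(r"remote host is behind NAT"), 3, "NAT detected, traffic moves to UDP/4500 (NAT-T)"),
    (re.compile(r"generating IKE_AUTH response .*EAP/REQ/ID"), 4, "IKE_AUTH answered, EAP identity requested"),
    (re.compile(r"deleting half open IKE_SA .* after timeout"), 5,
     "client never replied: look at the client side (commonly it rejected the server certificate)"),
]

def triage(log_text):
    """Map IKE_SA number -> [(stage, meaning)] in chronological order."""
    findings = OrderedDict()
    for line in reversed(log_text.splitlines()):  # viewer shows newest first
        m = LINE_RE.match(line)
        if not m or m.group(3) is None:
            continue  # unparsable, or not tied to a specific IKE_SA
        sa, msg = m.group(3), m.group(4)
        for rule, stage, meaning in RULES:
            r = rule.search(msg)
            if r:
                findings.setdefault(sa, []).append((stage, meaning.format(*r.groups())))
    return findings

def last_stage(findings, sa):
    # highest stage an IKE_SA reached; -1 if nothing was recorded for it
    return max((stage for stage, _ in findings.get(sa, [])), default=-1)

if __name__ == "__main__":
    for sa, items in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}:", *(f"\n  [{s}] {m}" for s, m in items))
```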

Dear Cedrik,

The particular reason that I want to get IPsec IKEv2 working is because that is natively supported on Apple devices without installing further VPN clients.

No problem, this is neither the first nor the last tricky/badly documented feature I have to fix in my 30+ year networking career...

Best regards,

Tamas Halmai

PS: But, as a courtesy to your fellow Forum Members, if you cannot provide a solution/constructive support, then please do not even post rude comments.

I was not trying to be rude, just realistic. IPsec is pretty annoying as every client implementation expects its own recipe to function correctly.

With OpenVPN or Wireguard the scope is far more contained, which makes it easier, with the downside that a client must be installed.

Hi Cedrick,

It is alright.

...and the good news is that I have a fully operational IPsec IKE2 VPN terminated by OPNsense v25.7.4 on all my Apple devices (i.e. MBP, iOS) ;-)

Have a great day,

Tamas Halmai


Hey Tamas,

glad you got it working. I'm happy if this deepened your personal IPsec troubleshooting skills.

If there is any oversight in the linked documentation, please give a hint and we can implement some additional tip boxes.

Since client requirements evolve over time, the documentation is never perfect.

https://github.com/opnsense/docs/blob/master/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst


Meantime, whilst hopefully Tamas helps, can I ask this, Cedrik? You previously gave me hints to solve my same problem, which is still unsolved.
I suspect my trust store is corrupted but I can't read the code. How does the UI page to show a certificate select the file from the filesystem? I am trying to identify each file in /usr/local/etc/swanctl/{x509,x509ca}
From that I'd be more confident on which ones to remove with the UI.