How to set up an IPsec remote VPN using OPNsense 25.7.4?

Started by Tamas Halmai, October 10, 2025, 04:26:46 PM

Hi Gents,

Please try to follow Cedrick's App Note carefully: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html. This is a good starting point...

In my case the biggest stumbles were as follows:
- that "advanced mode" toggle in the left upper corner of the IPsec screen is pretty easy to overlook
- it was not in the documentation that the DNS server(s) can be defined on the Pool configuration form
- and the biggest one is that Apple hasn't implemented the certificate check consistently, i.e. the macOS and iOS implementations differ:
  - in the case of macOS it is sufficient to import the root and intermediate certificates and accept the root certificate as trustworthy
  - iOS is more picky: additionally it is necessary to create a .config profile and embed the root and intermediate certificates in DER Base64 format.

Hopefully above will be deemed helpful, but please send specific questions and I will try to help...

Best regards,

Tamas Halmai
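The iOS profile step described above, as an added example that is not part of the original post, of OPNsense's documentation or of strongSwan: a Python script that takes the root and intermediate CA certificates as exported in PEM, converts them to DER and embeds them as base64 `<data>` payloads in a .mobileconfig, next to a `com.apple.vpn.managed` IKEv2 payload set up for EAP-MSCHAPv2 (no client-side IKE authentication method, extended authentication on, server certificate pinned to the expected common name and issuer). The hostname vpn.example.org, the user alice, the `org.example` payload identifiers, the issuer CN and the AES-256-GCM / SHA2-256 / DH group 19 proposals are assumptions and must match the firewall's configuration; the two tiny DER blobs are constructed stand-ins so the script runs offline, not real certificates.

```python
"""Build an Apple .mobileconfig for an IKEv2 EAP-MSCHAPv2 road-warrior VPN.

Illustrative example only (not OPNsense or strongSwan code): the CA chain is
embedded as base64 DER, which is what iOS needs to trust the gateway cert.
"""
import base64
import plistlib
import re
import uuid

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-ins (a minimal DER SEQUENCE each), NOT real X.509 certificates.
# In practice use the PEM exports from System > Trust > Authorities on the firewall.
ROOT_DER = b"\x30\x03\x02\x01\x01"
INTERMEDIATE_DER = b"\x30\x03\x02\x01\x02"

# Assumed values; adjust to the gateway's identity and the firewall's proposals.
SA_PARAMS = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
             "DiffieHellmanGroup": 19, "LifeTimeInMinutes": 1440}


def pem_wrap(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (only used to build the stand-ins)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block to DER; the PEM body is already base64 DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:  # a DER certificate always starts with SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def cert_payload(der: bytes, name: str, root: bool) -> dict:
    """Roots go in com.apple.security.root (iOS offers to trust them);
    intermediates in com.apple.security.pkcs1 (plain DER certificate)."""
    return {
        "PayloadType": "com.apple.security.root" if root else "com.apple.security.pkcs1",
        "PayloadIdentifier": f"org.example.vpn.cert.{'root' if root else 'intermediate'}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadContent": der,  # plistlib writes bytes as <data>base64-of-DER</data>
    }


def ikev2_payload(server: str, username: str, issuer_cn: str) -> dict:
    """EAP-MSCHAPv2 client side: AuthenticationMethod None + ExtendedAuthEnabled."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "org.example.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"VPN {server}",
        "UserDefinedName": f"VPN {server}",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,  # must equal the gateway's IKE identity (cert SAN)
            "LocalIdentifier": username,
            "AuthenticationMethod": "None",
            "ExtendedAuthEnabled": 1,
            "AuthName": username,  # AuthPassword deliberately absent: iOS prompts for it
            "ServerCertificateIssuerCommonName": issuer_cn,
            "ServerCertificateCommonName": server,
            "DeadPeerDetectionRate": "Medium",
            "IKESecurityAssociationParameters": dict(SA_PARAMS),
            "ChildSecurityAssociationParameters": dict(SA_PARAMS),
        },
    }


def build_profile(root_pem: str, intermediate_pem: str, server: str, username: str, issuer_cn: str) -> dict:
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "org.example.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"IKEv2 VPN ({server})",
        "PayloadContent": [
            cert_payload(pem_to_der(root_pem), "VPN Root CA", root=True),
            cert_payload(pem_to_der(intermediate_pem), "VPN Intermediate CA", root=False),
            ikev2_payload(server, username, issuer_cn),
        ],
    }


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


def check_profile(xml: bytes) -> dict:
    """Re-parse the profile: return embedded cert DER by payload type and refuse a
    profile carrying a password (it would sit in clear text on every device)."""
    certs = {}
    for item in plistlib.loads(xml)["PayloadContent"]:
        kind = item["PayloadType"]
        if kind in ("com.apple.security.root", "com.apple.security.pkcs1"):
            certs[kind] = item["PayloadContent"]
        elif kind == "com.apple.vpn.managed" and "AuthPassword" in item["IKEv2"]:
            raise ValueError("AuthPassword must not be embedded in the profile")
    return certs


if __name__ == "__main__":
    xml = to_mobileconfig(build_profile(pem_wrap(ROOT_DER), pem_wrap(INTERMEDIATE_DER),
                                        "vpn.example.org", "alice", "VPN Intermediate CA"))
    check_profile(xml)
    with open("vpn.mobileconfig", "wb") as fh:
        fh.write(xml)
```

Deliver the resulting file to the device by AirDrop, mail or a web link and install it from Settings; an unsigned profile installs but is shown as "Not Signed", so for wider distribution sign it (e.g. with `openssl smime`) using a certificate the device already trusts. Keep the password out of the profile: with `AuthName` set and `AuthPassword` absent, iOS asks for it on first connect and stores it in the keychain.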

Quote from: Tamas Halmai on Today at 04:13:28 PM
Hi Gents,

Please try to follow Cedrick's App Note carefully: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html. This is a good starting point...

In my case the biggest stumbles were as follows:
- that "advanced mode" toggle in the left upper corner of the IPsec screen is pretty easy to overlook
- it was not in the documentation that the DNS server(s) can be defined on the Pool configuration form
- and the biggest one is that Apple hasn't implemented the certificate check consistently, i.e. the macOS and iOS implementations differ:
  - in the case of macOS it is sufficient to import the root and intermediate certificates and accept the root certificate as trustworthy
  - iOS is more picky: additionally it is necessary to create a .config profile and embed the root and intermediate certificates in DER Base64 format.

Hopefully above will be deemed helpful, but please send specific questions and I will try to help...

Best regards,

Tamas Halmai
This highlighted element is one that I am unaware of, so I need to see how to implement it. I have failed so far to get the iOS client to connect, although I suspect I have either a corruption or a very edge case of a UI defect in OPNsense. So far those instructions were followed to the letter with no success, but no wonder if it also needs this extra step. Where do you need to place it on iOS? And is it the cert chain from CA to client in a text file, then base64 encoded?
Thanks for sharing.

Quote from: Tamas Halmai on Today at 04:13:28 PM

Yeah the advanced mode toggle can be a bit hidden, especially if a new user does not expect it. I'm unsure I can improve that in the documentation though, other than with a screenshot.

The DNS settings are specified:
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#vpn-ipsec-connections-pools

What's interesting is the client-specific configuration that is necessary lately; it's probably easier to create a Let's Encrypt certificate (or order a certificate from e.g. DigiCert or somebody else) to use, because iOS will trust it right away, since the root cert is already in its trust store.
Hardware:
DEC740

Cedrick,

You are absolutely right, I have also considered reusing the box's main public Let's Encrypt certificate obtained via ACME (I just wanted to follow your config described in the App Note to the maximum extent possible to avoid any unknowns); IMHO that should indeed be the simplest way forward...

Best regards

Tamas Halmai