OPNsense

Author Topic: openvpn vs ipsec ikev2  (Read 4056 times)

wfx3

openvpn vs ipsec ikev2
« on: August 30, 2018, 12:10:03 am »
Hello - I am planning a new build of 18.7 on a Qotom-Q375G4 (Intel Core i7 5500U incl. AES-NI, 8GB RAM). For the VPN client, should I use OpenVPN or IPsec IKEv2? Will OPNsense support one protocol better than the other? Which will provide better throughput? Thanks.

wfx3

Re: openvpn vs ipsec ikev2
« Reply #1 on: August 30, 2018, 12:29:44 am »
As per RTFM (https://wiki.opnsense.org/manual/vpnet.html), I see OpenVPN/SSL and IPsec/IKEv1. Is IKEv2 support planned for a future release?

mimugmail

Re: openvpn vs ipsec ikev2
« Reply #2 on: August 30, 2018, 09:08:52 am »
IKEv2 is also there. For Roadwarrior it's easier to use OpenVPN since it's one application on both sides from the same "vendor". Using IPsec you'd use strongSwan on OPNsense and, on the client side, the one of the device (like Mac OS X, Windows 10 or whatever).
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

wfx3

Re: openvpn vs ipsec ikev2
« Reply #3 on: September 09, 2018, 04:52:34 am »
Thanks. I have the new box up now and am finally getting to the VPN config. I would appreciate advice on how to configure IPsec/IKEv2 strongSwan.

I would like to set up a VPN client running on the local router which would allow local machines (maybe restricted to a separate subnet on OPT1 or a particular VLAN) to access remote LAN resources through an IPsec/IKEv2 tunnel.
« Last Edit: September 09, 2018, 05:24:43 am by wfx3 »

wfx3

Re: openvpn vs ipsec ikev2
« Reply #4 on: September 09, 2018, 07:16:19 am »
I got pretty close by following the point-to-point setup to add tunnel settings (https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html),

but something is still wrong with UDP encapsulation and the install route:

Code:
Sep  9 01:01:24 opnsense charon: 00[DMN] signal of type SIGINT received. Shutting down
Sep  9 01:01:37 opnsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p13, amd64)
Sep  9 01:01:37 opnsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Sep  9 01:01:37 opnsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Sep  9 01:01:37 opnsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep  9 01:01:37 opnsense charon: 00[CFG]   loaded ca certificate "XXXXXXXXXXX"XXXXXXXXXXX"XXXXXXXXXXX"XXXXXXXXXXX'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep  9 01:01:37 opnsense charon: 00[CFG]   loaded IKE secret for XXXXXX@XXXXXX
Sep  9 01:01:37 opnsense charon: 00[CFG] loaded 0 RADIUS server configurations
Sep  9 01:01:37 opnsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Sep  9 01:01:37 opnsense charon: 00[JOB] spawning 16 worker threads
Sep  9 01:01:37 opnsense charon: 05[CFG] received stroke: add connection 'con1'
Sep  9 01:01:37 opnsense charon: 05[CFG] added configuration 'con1'
Sep  9 01:01:37 opnsense charon: 16[CFG] received stroke: route 'con1'
Sep  9 01:01:37 opnsense charon: 16[KNL] can't install route for 192.168.2.0/24 === XXX.XXX.XXX.XXX/32 out, conflicts with IKE traffic