upstream/opnsense-docs
1
0
Fork 0
mirror of https://github.com/opnsense/docs.git synced 2026-06-03 13:42:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

vpn/ipsec: remove EAP-TLS from ipsec swanctl roadwarrior guide (#774)

Browse source 
The EAP-TLS settings were incomplete and caused issues for users who followed them. In the end they are also misplaced as this how-to focuses on eap-mschapv2.
This commit is contained in:
Monviech 2025-09-29 12:36:55 +02:00 committed by GitHub
parent d2e8c9e7f3
commit ea519bc911
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 0 additions and 162 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

162
source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst
View file

@ -23,10 +23,6 @@ The example users are ``John`` and ``Laura``. The example FQDN is ``vpn1.example
.. Hint::
Any IPv6 functionality is optional. If you do not want to use IPv4+IPv6 dual stack, just skip all IPv6 addresses/networks and focus on IPv4.
.. Note::
- IPv6 transport with UDP encapsulation of ESP packets is supported by OPNsense 24.7 with the FreeBSD 14 kernel.
- When using OPNsense 24.1 or below it is currently not possible to use IPv6 as outer tunnel transport address. IPsec requires UDP encapsulation of ESP packets for most mobile clients. UDP encapsulation and decapsulation for IPv6 is unsupported by the FreeBSD 13 Kernel.
.. Warning::
- Do not copy security relevant configuration parameters like passwords into your configuration. Create your own!
- Change all IP addresses, usernames and DNS Records to your own usecase.
@ -709,164 +705,6 @@ Windows/macOS NCP Secure Entry client
There is also a version for macOS, which works with the same configuration as above. The only challenge is finding the right folder for the *cacerts*. You can find it by going into the *terminal* and using the command ``sudo find / -name cacerts``. Then you can pinpoint the path and copy the CA certificates there.
------------------------------------
EAP-TLS
------------------------------------
EAP-TLS via IKEv2 is based on a server certificate and a client certificate.
The CA certificate must be installed on the users device.
This section is kept short since most configuration is the same as the EAP-MSCHAPv2 example.
If each roadwarrior should receive its own static IP, using the EAP-MSCHAPv2 guide is recommended.
Method 1 - Shared IP pool for all roadwarriors
----------------------------------------------
Before continuing: :ref:`Prerequisites <rw-swanctl-prerequisites>`
1.1 - VPN: IPsec: Connections: Pools
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create an IPv4 pool that all roadwarriors will share. This configuration will result in 256 usable IPv4 addresses. Please note that this is not a network, it is a pool of IP addresses that will be leased. The DNS Server(s) will be pushed as *Configuration Payload* (RFC4306 and RFC7296 3.15). In this example they represent the Unbound Server of the OPNsense.
============================================== ====================================================================================================
**Name:** pool-roadwarrior-ipv4
**Network:** ``172.16.203.0/24``
**DNS:** ``192.168.1.1``
============================================== ====================================================================================================
Create an IPv6 pool that all roadwarriors will share. This configuration will result in 256 usable IPv6 addresses.
============================================== ====================================================================================================
**Name:** pool-roadwarrior-ipv6
**Network:** ``2001:db8:1234:ec::/120``
**DNS:** ``2001:db8:1234:1::1``
============================================== ====================================================================================================
.. Note::
The IPv6 pool is not a /64 Prefix, because it is used to define a pool of IPv6 addresses that can be used as leases. Prefix /120 means there are 256 IPv6 addresses available. The hard limit of StrongSwan pools is Prefix /97.
.. Note::
You can skip the DNS field if you do not want to push DNS Servers to your clients.
1.2 System: Trust: Certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create a client certificate using the previously created Root CA for IPsec:
- `Type`: ``Client Certificate``
- `Issuer`: ``IPsec CA``
- `Common Name`: ``john``
- `Alternative Names`: `DNS domain names`: ``john``
This client certificate must be exported with private key as PCKS12.
The VPN client must import the IPsec CA certificate and the client certificate with private key.
.. Attention:: Each connecting client requires a unique client certificate.
1.3 - VPN: IPsec: Connections
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Enable IPsec with the checkbox at the bottom right and apply.
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
**General Settings:**
============================================== ====================================================================================================
**Proposals:** aes256-sha256-ecs256 (Disable default!)
**Version:** IKEv2
**Local addresses:** ``vpn1.example.com``
**UDP encapsulation:** X
**Rekey time:** ``2400``
**DPD delay:** 30
**Pools:** ``pool-roadwarrior-ipv4`` ``pool-roadwarrior-ipv6``
**Send certificate:** Always
**Keyingtries:** 0
**Description:** roadwarrior-eap-tls-p1
============================================== ====================================================================================================
**Save** to reveal the next options:
**Local Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** Public Key
**Id:** vpn1.example.com
**Certificates:** vpn1.example.com
**Description:** local-vpn1.example.com
============================================== ====================================================================================================
**Remote Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** EAP-TLS
**EAP Id:** ``%any``
**Description:** remote-eap-mschapv2
============================================== ====================================================================================================
**Children:**
Press **+** to add a new Child, enable **advanced mode** with the toggle.
============================================== ====================================================================================================
**Start action:** ``None``
**ESP proposals:** aes256-sha256-ecs256 (Disable default!)
**Local:** ``0.0.0.0/0`` ``::/0``
**Rekey time (s):** ``600``
**Description:** roadwarrior-eap-mschapv2-p2
============================================== ====================================================================================================
**Save** and **Apply** the configuration.
.. Note::
With children you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Now you can skip to :ref:`Firewall rules, Outbound NAT and DNS <rw-swanctl-fw-nat-dns>`
Client configuration
--------------------
In this section there are a few example configurations of different clients. All configurations here are tuned to the exact settings above. If you change anything in the server configuration, make sure you change it here too.
All clients are configured to use the *Configuration Payload* for virtual IP address, traffic selectors and DNS Server(s). They are pushed by the VPN server to the client.
.. Note::
Import the CA certificate to clients, not the server certificate.
iOS/macOS native VPN client
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Import the self-signed CA certificate into the iOS certificate store.
- Import the client certificate with private key into the iOS certificate store.
- Go to Settings > General > VPN.
- Tap on Add VPN Configuration....
- Select the type of VPN you are using. For this example, it is IKEv2.
- In the fields provided, enter:
- Description: ``vpn1.example.com``
- Server: ``vpn1.example.com``
- Remote ID: ``vpn1.example.com``
- Local ID: ``john``
- In the Authentication section, select `Certificate` and the imported client certificate for john.
- Tap Done in the top right corner.
- To connect to the VPN, go back to Settings > VPN, then turn the VPN toggle switch to the ON position next to the profile you just created.
.. Note::
iOS does not allow setting a DNS Server for the VPN, and it ignores the DNS *Configuration Payload*. The only workaround would be to change the DNS Server manually in the Wi-Fi settings each time the tunnel is brought up, and change them back when it is turned off.
Other VPN clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Essentially the configuration should be the same as with EAP-MSCHAPv2, but replacing the Pre-Shared Key with the client certificate.
--------------------------
Postrequisites
--------------------------