Closed
Description
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/docs/blob/master/CONTRIBUTING.md
- I have searched the existing issues and I am convinced that mine is new.
Is your feature request related to a problem? Please describe.
On Windows, when split-tunnel is enabled, each time the VPN is connected the route has to be added manually using the command provided in the document.
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#client-configuration
Describe the solution you like
Windows can automate the process with the PowerShell command Add-VpnConnectionRoute, with no elevated privilege required. For the example in the document, the commands are:

```powershell
Add-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix '192.168.1.0/24' -PassThru
# IPv6
Add-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix 'fe0d:abcd:1234:cafe::/64' -PassThru
```

Once connected, the configured route is added to the routing table automatically, and removed again when disconnected.

```powershell
# Get the routes associated with the VPN connection
(Get-VpnConnection -ConnectionName 'vpn1.example.com').Routes
# Remove an associated route
Remove-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix '192.168.1.0/24' -PassThru
```
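The following script is an added example, not code from the issue author or the OPNsense documentation. It wraps the cmdlets above into an idempotent helper: it reads the routes already bound to the connection, only adds the prefixes that are missing, warns if split tunneling is still off (in which case the per-connection routes serve no purpose), and prints the resulting route list for verification. The connection name and prefixes are the tutorial's example values and are assumptions; the `RouteMetric` column is included on the assumption that the route objects carry it.

```powershell
# Added example: ensure split-tunnel routes exist for a Windows native IKEv2 VPN
# connection. Runs as the unprivileged user who owns the connection (user-scope
# connections do not require elevation for Add-VpnConnectionRoute).
param(
    # Assumed values, taken from the tutorial's example
    [string]$ConnectionName = 'vpn1.example.com',
    [string[]]$Prefixes = @('192.168.1.0/24', 'fe0d:abcd:1234:cafe::/64')
)

# Fail early if the connection does not exist rather than silently doing nothing
$conn = Get-VpnConnection -ConnectionName $ConnectionName -ErrorAction Stop

# Per-connection routes are only meaningful with split tunneling; with the full
# tunnel everything already goes through the VPN interface
if (-not $conn.SplitTunneling) {
    Write-Warning "SplitTunneling is disabled on '$ConnectionName'; enable it with: Set-VpnConnection -ConnectionName '$ConnectionName' -SplitTunneling `$true"
}

# Prefixes already configured for this connection
$existing = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $Prefixes) {
    if ($existing -contains $prefix) {
        Write-Host "route $prefix already configured, skipping"
        continue
    }
    # -PassThru returns the created route object so the caller sees what was added
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Verify: these routes are installed in the live routing table only while the
# connection is up and are withdrawn again on disconnect
(Get-VpnConnection -ConnectionName $ConnectionName).Routes |
    Select-Object DestinationPrefix, RouteMetric
```

Run it once per connection after creating the VPN profile; rerunning is harmless because already-present prefixes are skipped. To check the effect on the live table while connected, `Get-NetRoute -DestinationPrefix '192.168.1.0/24'` should list the route on the VPN interface.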
Activity
Monviech commented on Nov 21, 2024
Thanks I didn't know this command existed. Want to offer a PR to add it to the document?
Eisaichen commented on Nov 22, 2024
Hi, @Monviech
I want to thank you and your team for this very detailed tutorial. I wish I could submit a PR however I lack confidence in my English for this kind of formal document.
In the meantime, despite following the document step by step, I still could not get my clients to work due to some minor issues. After a day of troubleshooting, I managed to solve those problems. I want to share what I found here as well.
Option for Windows native client
(Tested on Win11 22631.4460)
In the document, we set the rekey time to 600 for the CHILD_SA (sections 1.3 & 2.3).
However, for some reason Windows does not cooperate nicely with a CHILD_SA rekeying attempt issued from the server(#), which is likely to cause the connection to drop during the second or third rekey attempt.
Therefore, to work around that, we have to set the rekey time for the CHILD_SA to 0, and let only the client issue the rekey.
I also found that Windows doesn't cooperate with IKE_SA rekeying either. It seems Windows plays nice for the first 15 minutes after connecting, then plays dead for the rest of the time. To maintain a stable link, you might need to disable rekeying or set the period very long.
Option for iOS/iPadOS native client
(Tested on iOS 18)
By default, the server will only send CA certificates when asked for them. But the iOS native client does not send a CERTREQ when connecting(#). As a result, the certificate chain cannot be verified, since no CA certificate is sent, and the connection attempt fails immediately.
To fix this, we simply need to set "Send certificate" under p1 settings to "Always".
Option for Samsung (Android) native client
(Tested on Samsung OneUI 6.1.1)
In the document, strongSwan is used to connect from Android. But I found that the native client can work as well. I'm not sure whether this is the default behavior on all Android devices or just Samsung.
When connecting, the Android client sends a remote ID regardless, causing authentication to fail.
To fix this, we just need to set the "Remote Identifier" of EAP to the hostname of our server(#), in this case
vpn1.example.com. Then the native Android client can connect successfully as well, and this will not impact the clients on other platforms. The config will look like this:
On Android, you can choose not to verify the certificate, so you don't need to import the CA certificate.
IPv6 seems not to be supported on the Android native client.
Monviech commented on Nov 22, 2024
Thanks for these tests and additional information, I will include it in the tutorial as additional remarks.
Note to myself:
Also keeping an eye on this for EAP-TLS
https://forum.opnsense.org/index.php?topic=44061.msg219658#msg219658
ios18.1:
https://forum.opnsense.org/index.php?topic=43766.0;topicseen
Title changed from "Suggest to use Add-VpnConnectionRoute with Windows native IPSec VPN" to "vpn/ipsec: Add additional information to swanctl roadwarrior docs"
vpn/ipsec: Implement feedback from /issues/639
vpn/ipsec: Add additional information to swanctl roadwarrior docs (#651)