Tag Archives: ipsec

Set up OPNsense 20.7 for IPsec mobile VPN (aka Road Warrior)

Since I migrated my former pfSense appliance to OPNsense, I had to reconfigure many services. Today, I’ll explain how I configured it so that Android devices can connect using the native IPsec client (this should also work with other mobile devices and brands).

Note that the cipher suites and other security settings used in this post are set according to what my remote devices support. You may be able to choose stronger ones depending on your hardware.

Configuring OPNsense

Mobile Clients

Access your OPNsense appliance, then go to VPN > IPsec > Mobile Clients and configure it using the following options. Note that I have listed only the settings that matter; feel free to play with the other options.

  • Virtual IPv4 Address Pool: A brand new network to be used by your remote devices
  • DNS Servers: Set your local DNS servers here
  • Phase 2 PFS Group: leave this off

Save and apply changes before moving on. You should see a “No Phase 1 found” or similar message; if so, click it to access the next step.

Tunnel Settings

Go to VPN > IPsec > Tunnel Settings to create your tunnel interface.

General information

Again, use the following elements to configure your phase 1:

  • Connection method: Start on traffic
  • Key Exchange version: v1 (v2 was not supported for Mobile client)
  • Interface: WAN

Phase 1 proposal (Algorithms)

  • Encryption algorithm: AES 256
  • Hash algorithm: SHA256
  • DH key group: 2 (1024 bits)
  • Install policy: checked (leave the other checkboxes unchecked)

Save then apply your settings.

Phase 2 configuration

Go back to VPN > IPsec > Tunnel Settings

On the right side of the tunnel you just created, you should see a + button; click it:

  • Mode: Tunnel IPv4
  • Type:
    • Network: you will be able to set a global network (0.0.0.0/0) which will allow your devices to access all your different networks (like LAN and Internet)
    • LAN or any subnet you have: your devices won’t be able to reach any other subnet
  • Protocol: ESP (ESP is encryption, AH is authentication only)
  • Encryption algorithms: aes256gcm16
  • Hash algorithms: SHA512
  • PFS key group: off

Save the configuration, and apply it as always.

Finally, on the VPN > IPsec > Tunnel Settings page, click on the Enable IPsec button then save to actually start IPsec:

On the same page, you should see the green arrow telling you the service is running properly:

Top right of the Tunnel settings page

Firewall configuration

We need to configure the firewall by adding rules and NAT policy.

Rules

WAN interface

To allow remote clients to reach the IPsec server, create the following rules:

IPsec ESP
  • Protocol: IPv4 ESP
  • Other settings: *
IPsec ISAKMP
  • Protocol: IPv4 UDP
  • Port: 500 (ISAKMP)
  • Other settings: *
IPsec NAT-T
  • Protocol: IPv4 TCP/UDP
  • Port: 4500 (IPsec NAT-T)
  • Other settings: *

IPsec interface

IPsec to LAN net

Here you have to decide which protocols you want to allow from your remote clients to your LAN devices. Don’t forget to allow at least DNS if your custom DNS servers are hosted on that subnet.

IPsec to WAN net

Same as above: you choose which services to authorize.

NAT

We need to update the default configuration to enable NAT between the IPsec interface and the WAN interface. To do so, open Firewall > NAT > Outbound.

  1. If not already done, select “Hybrid outbound NAT rule generation” then apply changes to be able to add manual rules.
  2. Add a new rule with the following information:
    • Interface: WAN
    • Source address: the VPN network of your remote devices (the pool you created at the beginning)

Android configuration

Here is an example using a Galaxy S7 and its native VPN client.

  • Go to Settings > Connections > More connection settings > VPN
  • Click Add VPN
  • Configure your VPN with the following:
    • Name: it’s up to you
    • Type: IPSec Xauth PSK
    • Server Address: if using a DNS name, you won’t be able to use the Always-on feature, so use your static public IP if you are lucky enough
    • IPsec pre-shared key: use the key you chose before
    • Username: this depends on the Authentication backend you selected

How to troubleshoot?

If you go to VPN > IPsec > Log File, you will be able to see whether your remote devices are reaching your server, and spot proposal mismatches, authentication issues and more.

I would also recommend not being too strict at the beginning regarding cipher suites and other security settings. Start wide, then tighten your configuration one security setting at a time.

If you can reach your LAN devices but not the Internet when connected, check the NAT and firewall rules.

Strongswan: create a Site-to-Site IPsec tunnel to OPNsense

Strongswan server configuration

First, install the related package:

apt install strongswan -y

Generate a PSK to be used on both ends (save it in a secure place to avoid losing it):

openssl rand -base64 64

You will get something like this:

YGOnBqAi0FOZNC36gg5jy9B9ROZavhMPDMDLXfknZdbQrWm+sRV200hkFsp6Ja4Y
7uDWFbljD2Hr36c3SQC27w==

Edit /etc/sysctl.conf and add the following lines at the bottom:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Then run this command to apply those changes:

sysctl -p /etc/sysctl.conf

ipsec.secrets

The file /etc/ipsec.secrets contains the PSK for your tunnels, edit it accordingly:

# This file holds shared secrets or RSA private keys for authentication.
  
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
vpn.mydomain.fr : PSK "YGOnBqAi0FOZNC36gg5jy9B9ROZavhMPDMDLXfknZdbQrWm+sRV200hkFsp6Ja4Y7uDWFbljD2Hr36c3SQC27w=="

ipsec.conf

The file /etc/ipsec.conf contains the tunnels configuration details:

# ipsec.conf - strongSwan IPsec configuration file
  
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# Add connections here.
# Base information used as template
conn sts-base
    authby=secret
    fragmentation=yes
    dpdaction=restart
    ike=aes128-sha256-curve25519
    esp=aes256gcm16-curve25519!
    keyingtries=1
    leftid=1.1.1.1

# OPNsense connection
conn vpn-01
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.0.0.0/32
    rightsubnet=192.168.0.0/24
    # for this to work, DNS must be usable and working.
    right=%vpn.mydomain.fr
    auto=start

Here, we have defined a template connection that holds the common tunnel settings, such as the IKE proposal, and then the actual OPNsense connection that includes it. Note that multiple left or right networks can be defined as comma-separated values.

OPNsense configuration

Now it’s about configuring our local OPNsense, which is really easy too. Just follow the next steps:

Go to VPN > IPsec > Tunnel Settings

  • Add a new Phase 1 entry
    • Connection method: Start on traffic (This side of the tunnel will rule the tunnel connection)
    • Key exchange: v2
    • Interface: WAN
    • Remote gateway: the public IP address of your remote Strongswan server
    • Authentication method: Mutual PSK
    • My identifier: I chose Distinguished name and set the DNS name of my public IP address here.
    • Peer identifier: Peer IP address (this corresponds to what we set on the Strongswan server, but feel free to adapt your configuration)
    • Encryption algorithm: 256 bit AES-GCM with 128 bit ICV
    • Hash algorithm: SHA512
    • DH key group: 31 Elliptic curve 25519
    • Lifetime: 28800
    • Install policy: checked
    • NAT Traversal: Enable
  • Add a Phase 2 entry to the Phase 1 you just added
    • Mode: Tunnel IPv4
    • Type (local network): LAN subnet (because I wanted to allow only that subnet)
    • Type (remote network): Network
    • Address: your remote network address
    • Protocol: ESP
    • Encryption algorithms: aes256gcm16
    • Hash algorithms: SHA512
    • PFS key group: 31 (Elliptic Curve 25519)

Strongswan basic commands

Now you’re all set and probably want to try it. Here are some commands to troubleshoot your tunnel on the Strongswan side:

Show Strongswan status:

ipsec status

# If all is good, you should see something like this:
Security Associations (1 up, 0 connecting):
      vpn-01[2]: ESTABLISHED 4 minutes ago, 10.0.0.1[1.1.1.1]...2.2.2.2[vpn.mydomain.fr]
      vpn-01{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e50580_i ce6450e0_o
      vpn-01{2}:   10.0.0.0/24 === 192.168.1.0/24

Restart Strongswan:

ipsec restart

Turn on a tunnel by its name (see your ipsec.conf configuration file):

ipsec up connectionName

Replace up with down to shut down a tunnel.
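To make the status check above repeatable, here is a small POSIX shell helper, added here as an example rather than taken from the post or from strongSwan: it parses `ipsec status` output for one connection name and reports whether the IKE_SA (phase 1) and the CHILD_SA (phase 2) are both in place, then prints the negotiated selectors so you can compare them with the Phase 2 networks configured on both ends. The first sample is the output shown above; the CONNECTING and missing-CHILD_SA samples are constructed.

```shell
#!/bin/sh
# Added example for this post: classify `ipsec status` output for one connection
# so a failed tunnel points at the right layer (IKE_SA = phase 1, CHILD_SA = phase 2).
# SAMPLE_UP is the output shown in the post; the other two samples are constructed.

# tunnel_state NAME STATUS_TEXT -> prints up | no-ike | no-child (exit 0 / 1 / 2)
tunnel_state() {
    name=$1 status=$2
    # IKE_SA line: "vpn-01[2]: ESTABLISHED 4 minutes ago, ..."
    if ! printf '%s\n' "$status" | grep -Eq "^[[:space:]]*${name}\[[0-9]+\]: +ESTABLISHED"; then
        echo no-ike; return 1
    fi
    # CHILD_SA line: "vpn-01{2}:  INSTALLED, TUNNEL, reqid 1, ..."
    if ! printf '%s\n' "$status" | grep -Eq "^[[:space:]]*${name}\{[0-9]+\}: +INSTALLED"; then
        echo no-child; return 2
    fi
    echo up
}

# tunnel_selectors NAME STATUS_TEXT -> prints the negotiated "local === remote" selectors,
# to compare against the Phase 2 networks configured on both ends
tunnel_selectors() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1{[0-9]*}:[[:space:]]*\(.* === .*\)\$/\1/p"
}

# diagnose NAME STATUS_TEXT -> one-line hint matching the troubleshooting advice in the post
diagnose() {
    state=$(tunnel_state "$1" "$2" || true)
    case $state in
        up)       echo "$1 up: $(tunnel_selectors "$1" "$2")" ;;
        no-ike)   echo "$1: no IKE_SA - check PSK, phase 1 proposal, UDP 500/4500 on WAN" ;;
        no-child) echo "$1: IKE_SA up but no CHILD_SA - check phase 2 proposal and subnets" ;;
    esac
}

SAMPLE_UP='Security Associations (1 up, 0 connecting):
      vpn-01[2]: ESTABLISHED 4 minutes ago, 10.0.0.1[1.1.1.1]...2.2.2.2[vpn.mydomain.fr]
      vpn-01{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e50580_i ce6450e0_o
      vpn-01{2}:   10.0.0.0/24 === 192.168.1.0/24'
# constructed: phase 1 still negotiating (PSK or proposal mismatch, or UDP 500 blocked)
SAMPLE_CONNECTING='Security Associations (0 up, 1 connecting):
      vpn-01[3]: CONNECTING, 10.0.0.1[%any]...2.2.2.2[%any]'
# constructed: phase 1 done but the peer rejected the phase 2 proposal or subnets
SAMPLE_NO_CHILD='Security Associations (1 up, 0 connecting):
      vpn-01[4]: ESTABLISHED 10 seconds ago, 10.0.0.1[1.1.1.1]...2.2.2.2[vpn.mydomain.fr]'

for s in "$SAMPLE_UP" "$SAMPLE_CONNECTING" "$SAMPLE_NO_CHILD"; do diagnose vpn-01 "$s"; done
```

On a live host, feed it the real output with `diagnose vpn-01 "$(ipsec status)"`.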