IPsec: Setup Remote Access

Intro

Road warriors are remote users who need secure access to the company’s infrastructure. IPsec mobile clients offer a solution that is easy to set up and compatible with most current devices.

With this guide we will show you how to configure the server side on OPNsense with the different authentication methods, e.g.:

  • EAP-MSCHAPv2

  • Mutual-PSK + XAuth

  • Mutual-RSA + XAuth

Note

For the sample we will use a private IP address for our WAN connection. This requires us to disable the default block rule on WAN to allow private traffic. To do so, go to Interfaces ‣ [WAN] and uncheck “Block private networks”. (Don’t forget to save and apply.)

[Image: block_private_networks.png]

Sample Setup

All configuration examples are based on the following setup. Please read it carefully, as all guides depend on it.

[Figure: Company Network with Remote Client]

Company Network

Hostname         fw1
WAN IP           172.18.0.164
LAN IP           192.168.1.0/24
LAN DHCP Range   192.168.1.100-192.168.1.200
IPsec Clients    10.10.0.0/24

Firewall Rules Mobile Users

To allow IPsec tunnel connections, the following must be allowed on WAN:

  • Protocol ESP

  • UDP Traffic on Port 500 (ISAKMP)

  • UDP Traffic on Port 4500 (NAT-T)

[Image: ipsec_wan_rules.png]

To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface.

[Image: ipsec_ipsec_lan_rule.png]

VPN compatibility

The next table lists the existing VPN authentication mechanisms and which client operating systems support them, with links to their configuration guides. For Linux, testing was done with Ubuntu 18.4 Desktop with network-manager-strongswan and libcharon-extra-plugins installed. As Android does not support IKEv2 natively yet, we added notes for combinations with the strongSwan app installed, to have broader compatibility across all systems. Mutual RSA and PSK without XAuth require L2TP; since this legacy technology is very error prone, we will not cover it here.

VPN combinations

Legend: Y = supported, N = not supported, tbd = not yet tested. The letter after a Y points to the client guide: [W] IPsec: Setup Windows Remote Access, [L] IPsec: Setup Linux Remote Access, [A] IPsec: Setup Android Remote Access.

VPN Method                        Win7   Win10  Linux  Mac OS X  IOS   Android  OPNsense config
--------------------------------  -----  -----  -----  --------  ----  -------  -----------------------------------------------------
IKEv1 Hybrid RSA + XAuth          N      N      N      tbd       tbd   N        IPsec: Setup OPNsense for IKEv1 using XAuth
IKEv1 Mutual RSA + XAuth          N      N      N      tbd       tbd   Y [A]    IPsec: Setup OPNsense for IKEv1 using XAuth
IKEv1 Mutual PSK + XAuth          N      N      N      tbd       tbd   Y [A]    IPsec: Setup OPNsense for IKEv1 using XAuth
IKEv2 EAP-TLS                     N      N      N      tbd       tbd   Y [A]    IPsec: Setup OPNsense for IKEv2 EAP-TLS
IKEv2 RSA local + EAP remote      N      N      N      tbd       tbd   Y [A]    IPsec: Setup OPNsense for IKEv2 EAP-TLS
IKEv2 EAP-MSCHAPv2                Y [W]  Y [W]  Y [L]  Y         Y     Y [A]    IPsec: Setup OPNsense for IKEv2 EAP-MSCHAPv2
IKEv2 Mutual RSA + EAP-MSCHAPv2   N      N      N      tbd       tbd   Y [A]    IPsec: Setup OPNsense for IKEv2 Mutual RSA + MSCHAPv2
IKEv2 EAP-RADIUS                  Y [W]  Y [W]  Y [L]  Y         Y     Y [A]    IPsec: Setup OPNsense for IKEv2 EAP-RADIUS