opnsense / docs

OPNsense documentation

ipsec-swanctl-rw-ikev2-eap-mschapv2 #501

Closed Monviech closed 10 months ago

Monviech commented 11 months ago

Issue: https://github.com/opnsense/docs/issues/495

Draft in OPNsense Forum: https://forum.opnsense.org/index.php?topic=35840.0

This How-To is planned to cover:

Configuring swanctl.conf from the OPNsense GUI for ikev2-eap-mschapv2:

Client configuration:

AdSchellevis commented 10 months ago

@Monviech I assumed this was ready to merge; it looked rather complete. Thanks!

Monviech commented 10 months ago

@AdSchellevis Yeah, I've been using this setup with customers for a while already. Works great. I'm pretty much only using the NCP client (Windows/macOS) and strongSwan clients (Android, Linux) with it though. The built-in Windows RAS client can have some weird issues with this setup that are hard to debug... for example, not setting routes automatically when using split tunneling, and ignoring IKE configuration payloads. Also, self-signed certificates can sometimes be an issue for the Windows RAS client too, and depending on your network connection, there can be small interruptions when phase 2 is renewed. I probably should add a hint that the phase 1 and phase 2 should be longer for Windows RAS, maybe like 4 hours. I know they can't be longer than 8 hours.