
vpn/ipsec: Add additional information to swanctl roadwarrior docs #639

Open
2 tasks done
Eisaichen opened this issue Nov 20, 2024 · 3 comments
Assignees
Labels
cleanup Low impact changes feature Adding new functionality

Comments

@Eisaichen

Is your feature request related to a problem? Please describe.

On Windows, when split-tunnel is enabled, each time the VPN is connected the route has to be added manually using the command provided by the document.

Example route (can be batched): `route add 192.168.1.0 mask 255.255.255.0 172.16.203.254`

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#client-configuration

Describe the solution you'd like

Windows can automate the process with the PowerShell cmdlet Add-VpnConnectionRoute, with no elevated privileges required. Using the example from the document, the commands are:

```powershell
# IPv4
Add-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix '192.168.1.0/24' -PassThru

# IPv6
Add-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix 'fe0d:abcd:1234:cafe::/64' -PassThru
```

Once connected, the configured route is added to the routing table automatically, and removed again when the connection is disconnected.

```powershell
# List the routes associated with the VPN connection
# (Get-VpnConnection takes -Name for the profile name, not -ConnectionName)
(Get-VpnConnection -Name 'vpn1.example.com').Routes

# Remove an associated route
Remove-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix '192.168.1.0/24' -PassThru
```
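The commands above add one route at a time. As an added example (not code from the issue author or from the OPNsense documentation), the script below declares the split-tunnel prefixes for a connection as data, adds only those missing from the profile, optionally removes stale ones, and prints the resulting route list. The connection name and prefixes are the document's example values; the `$RemoveStale` switch and the output formatting are assumptions of this example.

```powershell
# Added example: keep a Windows IKEv2 profile's split-tunnel routes in a declared state.
# Runs as the normal user who owns the profile; no elevation is needed because the
# routes live in the VPN profile and are applied/removed by RAS on connect/disconnect.

$ConnectionName = 'vpn1.example.com'          # profile created as in the docs
$WantedPrefixes = @(
    '192.168.1.0/24',                         # LAN behind the firewall (IPv4)
    'fe0d:abcd:1234:cafe::/64'                # same LAN, IPv6
)
$RemoveStale = $true                          # drop routes not in $WantedPrefixes

# Fail early if the profile does not exist; Get-VpnConnection uses -Name, not -ConnectionName.
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Prefixes already stored on the profile (empty array if none yet)
$existing = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $WantedPrefixes) {
    if ($existing -contains $prefix) {
        Write-Host "route $prefix already present, skipping"
        continue
    }
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix | Out-Null
    Write-Host "added route $prefix"
}

if ($RemoveStale) {
    foreach ($prefix in $existing) {
        if ($WantedPrefixes -notcontains $prefix) {
            Remove-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix | Out-Null
            Write-Host "removed stale route $prefix"
        }
    }
}

# Final state: every prefix listed here is pushed into the routing table while the tunnel is up.
(Get-VpnConnection -Name $ConnectionName).Routes |
    Format-Table DestinationPrefix, RouteMetric -AutoSize
```

Because the prefixes are declared in one place, re-running the script after editing the list brings the profile back to the intended state, which is easier to audit than a series of ad-hoc `route add` commands typed after each connect.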
@Monviech Monviech self-assigned this Nov 21, 2024
@Monviech Monviech added the cleanup Low impact changes label Nov 21, 2024
@Monviech (Member)

Thanks, I didn't know this command existed. Want to offer a PR to add it to the document?

@Eisaichen (Author) commented Nov 22, 2024

Hi @Monviech,
I want to thank you and your team for this very detailed tutorial. I wish I could submit a PR, however I lack confidence in my English for this kind of formal document.
In the meantime, despite following the document step by step, I still could not get my clients to work due to some minor issues. After a day of troubleshooting, I managed to solve those problems. I want to share what I found here as well.

Option for Windows native client

(Tested on Win11 22631.4460)
In the document, we set the rekey time to 600 for the CHILD_SA (sections 1.3 & 2.3).

However, for some reason Windows does not cooperate nicely with a CHILD_SA rekeying attempt issued from the server, which makes the connection likely to disconnect during the second or third rekey attempt.
Therefore, to work around that, we have to set the rekey time for the CHILD_SA to 0 and let only the client issue the rekey.
I also found that Windows doesn't cooperate with IKE_SA rekeying either. It seems Windows plays nice for the first 15 minutes after connecting, then plays dead for the rest of the time. To maintain a stable link, you might need to disable the rekeying or set the period very long.

```
2024-11-21T18:20:18-06:00	Informational	charon	05[IKE] <****|124> rekeying IKE_SA failed, peer not responding
2024-11-21T18:20:18-06:00	Informational	charon	05[IKE] <****|124> giving up after 5 retransmits
```

Option for iOS/iPadOS native client

(Tested on iOS 18)
By default, the server only sends CA certificates when asked for them. But the iOS native client does not send a CERTREQ when connecting. Because no CA certificate is sent, the certificate chain cannot be verified, and the connection attempt fails immediately.
To fix this, we simply need to set "Send certificate" under the phase 1 settings to "Always".

Option for Samsung (Android) native client

(Tested on Samsung OneUI 6.1.1)
In the document, strongSwan is used to connect from Android. But I found that the native client can work as well. I'm not sure whether this is the default behavior on all Android devices or just Samsung.
When connecting, the Android client sends a remote ID anyway, causing authentication to fail.

```
2024-11-21T18:04:50-06:00	Informational	charon	08[IKE] <****|126> EAP-MS-CHAPv2 verification failed, retry (1)
2024-11-21T18:04:50-06:00	Informational	charon	08[IKE] <****|126> no EAP key found for hosts 'vpn1.example.com' - '[email protected]'
```

To fix this, we just need to set the "Remote Identifier" of the EAP entry to the hostname of our server, in this case vpn1.example.com. Then the native Android client can connect successfully as well, and this does not impact the clients on other platforms.

The config will look like this:

[screenshot: Screenshot_20241121_181702_Settings]

On Android, you can choose not to verify the certificate, so you don't need to import the CA certificate.
IPv6 seems not to be supported on the Android native client.

@Monviech (Member) commented Nov 22, 2024

Thanks for these tests and the additional information, I will include it in the tutorial as additional remarks.

Note to myself:
Also keeping an eye on this for EAP-TLS:
https://forum.opnsense.org/index.php?topic=44061.msg219658#msg219658

iOS 18.1:
https://forum.opnsense.org/index.php?topic=43766.0;topicseen

@Monviech Monviech changed the title Suggest to use Add-VpnConnectionRoute with Windows native IPSec VPN vpn/ipsec: Add additional information to swanctl roadwarrior docs Nov 22, 2024
@Monviech Monviech added the feature Adding new functionality label Nov 22, 2024