This week, I wanted to be able to VPN into my home network. My home network had just been updated with an OPNsense/Protectli firewall. It replaced my Netgear Orbi as the default router. I still use my Orbi in AP mode.

As part of the process, I found out that my Synology DS would no longer do UPnP to OPNsense like it did with the Orbi. Not really a bad thing.

If you are looking for the documentation, it is here: IPsec - Roadwarriors IKEv2 — OPNsense documentation.

NOTES:

  • Yes, you need to import the certificate and the created CA. Not the private keys, just the public keys.

  • Let Windows decide where to store the keys. The CA will go into Trusted Root and the certificate into the Personal store.

  • Make sure that the certificate is a server certificate. If you are indecisive like me, make the certificate for both server and client.

  • Open-source maintainers are security conscious. I don’t know what it is about MS in the US. The IKEv2 encryption is so yesterday. Weak encryption is better than none. I am not saying this because of a false sense of security, just that it keeps the script kiddies out. I am very aware that there are people who are smarter than me and have way too much time on their hands. Plus there are tools out there constantly scanning the internet to make it easier to attack.

  • The directions state: aes256-sha256-modp2048 (Disable default!). What I found out is that the default IPsec proposals were the only setting that would work. Sort of sad, but it is what it is.

  • Do not let Windows figure out your VPN. Just go ahead and set the VPN type to IKEv2 and Security – Require Encryption.

  • Even the AI suggestion was too strong. The AI suggested IntegrityCheckMethod SHA512; Windows could only handle SHA384.
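
To check from PowerShell that the certificates were imported the way the notes above describe, here is an added example script (my own, not from the post or the OPNsense documentation). The CA subject, the VPN server name and the path to the exported server certificate are assumptions; change them to match your setup.

```powershell
# Added example, not from the original post. Verifies: the CA sits in the machine
# Trusted Root store, the server certificate carries the Server Authentication EKU,
# its SAN contains the name the client connects to, and it chains to the CA.
# The three values below are assumptions; edit them for your setup.
$VpnServer      = "vpn.example.home"          # hostname entered in the Windows VPN connection
$CaSubject      = "CN=Home VPN CA"            # subject of the CA created in OPNsense
$ServerCertFile = "C:\certs\vpn-server.crt"   # exported server certificate (public key only)

# 1. The CA must be in LocalMachine\Root; the built-in VPN client runs as a
#    service and trusts the machine store, not the user store.
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
if (-not $ca) {
    Write-Warning "CA '$CaSubject' not found in Cert:\LocalMachine\Root"
    if (Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Subject -eq $CaSubject }) {
        Write-Warning "It is only in CurrentUser\Root; re-import it into the Local Machine store"
    }
} else {
    "CA found: $($ca.Thumbprint), valid until $($ca.NotAfter)"
}

# 2. Load the server certificate and inspect its Enhanced Key Usage (OID 2.5.29.37).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertFile
$eku    = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$usages = @()
if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$hasServerAuth = $usages -contains "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$hasClientAuth = $usages -contains "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
"Server Authentication EKU: $hasServerAuth  (Client Authentication: $hasClientAuth)"
if (-not $hasServerAuth) {
    Write-Warning "Certificate lacks Server Authentication; the Windows IKEv2 client requires it on the server certificate"
}

# 3. The Subject Alternative Name (OID 2.5.29.17) must contain the VPN server name.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($san) { $san.Format($false) } else { "" }
"SAN: $sanText"
if ($sanText -notmatch [regex]::Escape($VpnServer)) {
    Write-Warning "SAN does not contain '$VpnServer'; server identity verification will fail"
}

# 4. Confirm the server certificate chains to a trusted root (the imported CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
"Chain builds to a trusted root: $chainOk"
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run it in an elevated PowerShell after importing the certificates; every warning it prints corresponds to one of the causes of a silent "can't connect" that the notes above touch on (CA in the wrong store, certificate without the server EKU, name mismatch).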

This was the PowerShell command that I used to get my Windows 11 Home edition to work:

Set-VpnConnectionIPsecConfiguration -ConnectionName "ReplaceWithYourConnectionName" `
-AuthenticationTransformConstants GCMAES256 `
-CipherTransformConstants GCMAES256 `
-EncryptionMethod AES256 `
-IntegrityCheckMethod SHA384 `
-DHGroup ECP384 `
-PfsGroup ECP384 `
-Force
Note

The content below is AI generated by Grok.

Grok prompt

Windows IKEv2 encryption is too weak. How do I adjust it so that I can connect it to opensense, which uses strongSwan?

To strengthen the IKEv2 encryption settings on Windows for better compatibility with strongSwan on OPNsense (assuming that’s what you meant by “opensense”), you’ll need to use PowerShell to configure the IPsec parameters for your VPN connection. Windows’ built-in IKEv2 client defaults to weaker ciphers (like AES-128 with SHA1), but you can enforce stronger ones like AES-256, SHA-512, and Diffie-Hellman Group 14 or higher, which strongSwan supports out of the box.

Prerequisites

  • Ensure your OPNsense strongSwan configuration is set up with matching strong proposals (e.g., IKE: aes256-sha512-modp2048; ESP: aes256-sha512-modp2048). You can adjust these in OPNsense under VPN > IPsec > Tunnels.
  • The Windows VPN connection must already be created (via Settings > Network & Internet > VPN > Add a VPN connection, selecting IKEv2 as the type).
  • Run PowerShell as Administrator.

Steps to Adjust Encryption on Windows

  1. Open PowerShell as Administrator:

    • Search for “PowerShell” in the Start menu, right-click, and select “Run as administrator”.
  2. Identify Your VPN Connection Name:

    • Run this command to list all VPN connections:
      Get-VpnConnection
      
    • Note the exact Name of your connection (e.g., “MyOPNsenseVPN”).
  3. Set Stronger IPsec Configuration:

    • Use the Set-VpnConnectionIPsecConfiguration cmdlet to enforce stronger ciphers. Replace "MyOPNsenseVPN" with your actual connection name.
      • For IKE (Phase 1): Set to AES-256, SHA-512, DH Group 14 (modp2048).
      • For ESP (Phase 2): Set to AES-256 GCM (or CBC if needed), SHA-512.
      • Example command:
        Set-VpnConnectionIPsecConfiguration -ConnectionName "MyOPNsenseVPN" `
        -AuthenticationTransformConstants None `
        -CipherTransformConstants AES256 `
        -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA512 `
        -DHGroup Group14 `
        -PfsGroup None `
        -Force
        
      • Breakdown of parameters:
        • CipherTransformConstants: Sets the ESP encryption (AES256 for strong encryption).
        • IntegrityCheckMethod: SHA512 for strong HMAC.
        • DHGroup: Group14 (2048-bit) or higher (e.g., Group19 for 256-bit ECP) for key exchange strength.
        • EncryptionMethod: AES256 for IKE encryption.
        • PfsGroup: Set to None if not using PFS, or match your strongSwan setup (e.g., Group14).
        • Add -Force to apply without confirmation.
      • For even stronger options (if supported by your strongSwan config):
        Set-VpnConnectionIPsecConfiguration -ConnectionName "MyOPNsenseVPN" `
        -AuthenticationTransformConstants GCMAES256 `
        -CipherTransformConstants GCMAES256 `
        -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA512 `
        -DHGroup ECP384 `
        -PfsGroup ECP384 `
        -Force
        
        This uses GCM for AEAD (combined encryption/auth) and ECP384 for elliptic curve DH.
  4. Verify the Changes:

    • Run:
      Get-VpnConnectionIPsecConfiguration -ConnectionName "MyOPNsenseVPN"
      
    • This will show the updated ciphers. Ensure they match your OPNsense strongSwan proposals to avoid negotiation failures.
  5. Test the Connection:

    • Connect via the Windows VPN settings.
    • If it fails, check OPNsense logs (under VPN > IPsec > Log File) for IKE negotiation errors and adjust proposals accordingly.
    • Common issues: Mismatched DH groups or integrity methods—strongSwan is strict, so ensure symmetry.

Additional Tips

  • If you’re on Windows 10/11 Pro or Enterprise, this works natively. Home editions may have limitations.
  • For automation or scripting, you can save these commands in a .ps1 file and run it.
  • If you need to revert to defaults, use Reset-VpnConnectionIPsecConfiguration -ConnectionName "MyOPNsenseVPN" -Force.
  • Stronger ciphers (e.g., AES-256-GCM) may slightly impact performance on older hardware, but they’re recommended for security.
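
The author's working command earlier on the page and steps 3 and 4 of the Grok answer both rely on Set-VpnConnectionIPsecConfiguration followed by Get-VpnConnectionIPsecConfiguration. As an added example (my own, not the post's or Grok's), this script applies the parameters the author reports working on Windows 11 Home, checks beforehand that the connection is IKEv2 with encryption required as the author's note recommends, then reads the configuration back and reports any property that did not stick. The connection name is an assumption.

```powershell
# Added example, not from the post or the Grok answer. Run in an elevated PowerShell.
# Applies the IPsec proposal the post's author reports working and verifies it was accepted.
$ConnectionName = "ReplaceWithYourConnectionName"   # assumed; use the Name shown by Get-VpnConnection

# Values from the post. IntegrityCheckMethod is SHA384 because the post reports
# that Windows rejected SHA512 for this parameter.
$Expected = @{
    AuthenticationTransformConstants = "GCMAES256"
    CipherTransformConstants         = "GCMAES256"
    EncryptionMethod                 = "AES256"
    IntegrityCheckMethod             = "SHA384"
    DHGroup                          = "ECP384"
    PfsGroup                         = "ECP384"
}

# 1. The connection must exist, be IKEv2, and require encryption (not left to Windows).
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
if ($vpn.TunnelType -ne "Ikev2") {
    throw "Connection '$ConnectionName' is $($vpn.TunnelType), not Ikev2; set the VPN type first"
}
if ($vpn.EncryptionLevel -ne "Required") {
    "EncryptionLevel is $($vpn.EncryptionLevel); setting it to Required"
    Set-VpnConnection -Name $ConnectionName -EncryptionLevel Required
}

# 2. Apply the proposal. Splatting the hashtable is the same as the long
#    backtick-continued command in the post.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName @Expected -Force

# 3. Read it back and compare property by property, so a value the cmdlet
#    silently ignored or rewrote shows up as a warning instead of a failed IKE negotiation.
$actual   = Get-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName
$mismatch = 0
foreach ($name in $Expected.Keys) {
    $got = [string]$actual.$name
    if ($got -ne $Expected[$name]) {
        Write-Warning "$name is '$got', expected '$($Expected[$name])'"
        $mismatch++
    } else {
        "$name = $got"
    }
}
if ($mismatch -eq 0) {
    "All IPsec parameters applied. The OPNsense IKE/ESP proposals must still match them."
}
```

If the connection fails after this, the OPNsense side is the next place to look (the post reports that only the default IPsec proposals on OPNsense negotiated successfully with these Windows settings).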