
IKEv2 (iked) VPN with Windows 10 clients


IKEv2 (iked) VPN with Windows 10 clients

Roberto Katalinic
I have a few remote workers with Windows 10 and would like to move them to
IKEv2 VPN.

On my gateway (OpenBSD 5.7) the iked.conf file is:
ikev2 "IKEv2 DIAL-IN" passive esp \
        from 192.168.10.0/24 to 192.168.40.0/24 \
        local 1.2.3.4 peer 0.0.0.0/0 \
        srcid 1.2.3.4 \
        config access-server 192.168.10.10 \
        config name-server 192.168.10.21 \
        config address 192.168.40.0/24

My remote client is configured like this:
VPN Type: IKEv2
Data encryption: Optional
Authentication: Use machine Certificates (no EAP)

My PF rules contain the following lines which are definitely not overruled by
any rules further down the line:
set skip on {lo,enc0}
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto {ah,esp}

When the client attempts a connection, the SA is configured and Windows reports
the connection as established. It also acquires an IP address and the DNS
server as specified in the iked.conf file:

PPP adapter EDGE:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : EDGE
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.40.87(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.21
   NetBIOS over Tcpip. . . . . . . . : Enabled

My gateway also reports the connection as established and the SA is shown by
ipsecctl -sa:
FLOWS:
flow esp in from 192.168.40.87 to 192.168.10.0/24 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
flow esp out from 192.168.10.0/24 to 192.168.40.87 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x7a8197f6 auth hmac-sha1 enc aes-256
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x926fb219 auth hmac-sha1 enc aes-256

Output from iked -dvvv:
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xe7ce691f
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.40.34 end 192.168.40.34
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.10.0 end 192.168.10.255
ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:15573 msgid 1, 1452 bytes, NAT-T
pfkey_sa_add: update spi 0xe7ce691f
pfkey_sa: udpencap port 15573
ikev2_childsa_enable: loaded CHILD SA spi 0xe7ce691f
pfkey_sa_add: add spi 0xabf256a4
pfkey_sa: udpencap port 15573
ikev2_childsa_enable: loaded CHILD SA spi 0xabf256a4
ikev2_childsa_enable: loaded flow 0x1166a0b99800
ikev2_childsa_enable: loaded flow 0x1166a0b99400
sa_state: VALID -> ESTABLISHED from 5.6.7.8:15573 to 1.2.3.4:4500 policy 'IKEv2 DIAL-IN'


The problem is, from the remote worker, I cannot connect to any resources on
the remote network. Pinging the remote gateway's internal IP address or the
DNS server produces no replies.

Equally, the gateway cannot ping the remote worker's IP address.

tcpdump on the enc0 and pflog0 interfaces produces no results at all when
creating traffic between the two.

What am I missing?



Kind regards,

Roberto Katalinic
07460663373

kliker IT
www.kliker.it
08455442033

Information contained in this e-mail is intended for the use of the addressee
only, and is confidential and may be the subject of Legal Professional
Privilege. Any dissemination, distribution, copying or use of this
communication without prior permission of the addressee is strictly
prohibited. The contents of an attachment to this e-mail may contain software
viruses which could damage your own computer system. While Kliker IT Services
Ltd. has taken every reasonable precaution to minimise this risk, we cannot
accept liability for any damage which you sustain as a result of software
viruses. You should carry out your own virus checks before opening the
attachment. Registered Office: New House, South Grove, Petworth, GU280ED.
Company Number: 8206089. Company Registered in England and Wales.
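Before looking at pf or at routing, it is worth confirming that the flows iked installed actually cover the traffic being tested: a packet that matches neither selector never enters the tunnel, so it never shows up on enc0 regardless of what pf allows. The script below is an added example, not code from this thread or from OpenBSD. It parses the FLOWS section of the `ipsecctl -sa` output above (embedded as a constructed sample with the e-mail line wrapping removed) and reports whether a packet from the client address to an internal host has both an inbound flow (client to LAN) and an outbound flow (LAN back to the client). The function names `parse_flows`, `matching_flow` and `tunnel_covers` are my own.

```python
"""Check whether the flows iked installed cover a given client/LAN pair.

Added example, not from the thread or from OpenBSD. Parses the FLOWS
section of 'ipsecctl -sa' and answers whether a packet from the VPN client
to an internal host is matched by an inbound flow (client -> LAN, seen on
enc0 after decapsulation) and whether the reply is matched by an outbound
flow (LAN -> client). Traffic outside both selectors never enters the
tunnel, so nothing appears on enc0 no matter what pf allows.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the FLOWS block from the first message, with the
# e-mail line wrapping removed.
SAMPLE_FLOWS = """\
FLOWS:
flow esp in from 192.168.40.87 to 192.168.10.0/24 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
flow esp out from 192.168.10.0/24 to 192.168.40.87 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny
"""

FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?.*?\btype\s+(?P<type>\S+)\s*$"
)


def parse_flows(text: str) -> List[Dict[str, object]]:
    """One dict per 'flow ...' line; bare addresses become /32 or /128 networks."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m is None:
            continue  # 'FLOWS:', blank lines, SAD entries
        flows.append({
            "proto": m["proto"],
            "dir": m["dir"],
            "src": ipaddress.ip_network(m["src"], strict=False),
            "dst": ipaddress.ip_network(m["dst"], strict=False),
            "peer": m["peer"],
            "type": m["type"],
        })
    return flows


def matching_flow(flows: List[Dict[str, object]], direction: str,
                  src: str, dst: str) -> Optional[Dict[str, object]]:
    """Most specific non-deny flow in `direction` whose selectors contain src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for f in flows:
        if f["dir"] != direction or f["type"] == "deny":
            continue
        if s.version != f["src"].version or s not in f["src"] or d not in f["dst"]:
            continue
        if best is None or (f["src"].prefixlen + f["dst"].prefixlen) > (
                best["src"].prefixlen + best["dst"].prefixlen):
            best = f
    return best


def tunnel_covers(flows, client: str, internal: str) -> Dict[str, bool]:
    """A ping from client to internal needs both directions; report each."""
    return {
        "in": matching_flow(flows, "in", client, internal) is not None,
        "out": matching_flow(flows, "out", internal, client) is not None,
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for internal in ("192.168.10.21", "10.0.0.4"):
        print(internal, tunnel_covers(flows, "192.168.40.87", internal))
```

With the flows from the post, 192.168.40.87 to 192.168.10.21 is covered in both directions, while a destination outside 192.168.10.0/24 is covered in neither; the final `::/0` deny entry is ignored as a catch-all. The check only tells you that the selectors are right; it says nothing about whether the client actually sends the packet into the tunnel, which is a routing question on the client side.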


Re: IKEv2 (iked) VPN with Windows 10 clients

Bobby Johnson
Your configuration looks reasonable. You should upgrade to 6.0.  You could
replace the local network range with 0.0.0.0/0 to limit the flow less.
I've found that config address with a range doesn't work as expected with
multiple clients.  Below is an example of a working config using machine
certs for Windows clients, including Windows 10.

ikev2 passive esp \
from 0.0.0.0/0 to 192.168.40.2 local 1.2.3.4 peer any \
srcid "asn1_dn of server cert" \
dstid "asn1_dn of client cert" \
config address 192.168.40.2 \
config name-server 10.0.0.4


On Mar 10, 2017 7:58 AM, "Roberto Katalinic" <[hidden email]> wrote:


Re: IKEv2 (iked) VPN with Windows 10 clients

Roberto Katalinic
Thanks for the suggestions, guys, problem solved.

It appears there was a static route on the test machine that was causing the issue. Once removed, traffic started flowing to the destination.

Kind regards,

Roberto Katalinic
07460663373

kliker IT
www.kliker.it<http://www.kliker.it>
08455442033

From: Bobby Johnson [mailto:[hidden email]]
Sent: 15 March 2017 02:08
To: Roberto Katalinic <[hidden email]>
Cc: misc <[hidden email]>
Subject: Re: IKEv2 (iked) VPN with Windows 10 clients
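The cause in the final message, a static route on the Windows test machine, fits the symptoms exactly: a more specific route for the remote LAN that points at the physical interface wins longest-prefix matching against whatever the VPN adapter installed, so the packets leave through the physical interface, never enter the tunnel, and nothing appears on enc0 at the gateway. The script below is an added example, not code from this thread or from Microsoft. It parses a constructed `route print`-style IPv4 table and lists the routes that would carry remote-LAN traffic away from the VPN interface. The VPN address 192.168.40.87 and the LAN 192.168.10.0/24 are taken from the thread; the physical interface 192.168.1.50, its gateway 192.168.1.1 and all metrics are assumed values, and the function names are my own.

```python
"""Find routes on a Windows client that keep remote-LAN traffic out of the tunnel.

Added example, not from the thread. A Windows 'route print' IPv4 table has
the columns destination, netmask, gateway, interface, metric. Route
selection is longest prefix first, and lowest metric only among prefixes
of equal length, so a static /24 for the remote LAN via the physical
interface beats the default route the VPN adapter installed.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link"
    interface: str    # interface address, as route print shows it
    metric: int


# Constructed sample table. 192.168.40.87 (VPN adapter) and 192.168.10.0/24
# (remote LAN) are from the thread; 192.168.1.50, 192.168.1.1 and the
# metrics are assumed values. The 192.168.10.0/24 entry via 192.168.1.1 is
# the kind of static route that caused the problem.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0         On-link    192.168.40.87      1
     192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
    192.168.10.0    255.255.255.0      192.168.1.1    192.168.1.50      1
   192.168.40.87  255.255.255.255         On-link    192.168.40.87    281
===========================================================================
"""

VPN_INTERFACE = "192.168.40.87"
REMOTE_LAN = "192.168.10.0/24"


def parse_route_print(text: str) -> List[Route]:
    """Keep only the five-column route rows; skip headers and separators."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(network, parts[2], parts[3], metric))
    return routes


def _rank(route: Route):
    """Sort key reproducing Windows selection: longer prefix first, then lower metric."""
    return (-route.network.prefixlen, route.metric)


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """The route Windows would use for a single destination address."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    return min(candidates, key=_rank) if candidates else None


def diverting_routes(routes: List[Route], remote_net: str, vpn_if: str) -> List[Route]:
    """Routes not on the VPN interface that outrank the VPN's own path to remote_net."""
    target = ipaddress.ip_network(remote_net)
    vpn_paths = [r for r in routes if r.interface == vpn_if and r.network.overlaps(target)]
    if not vpn_paths:
        # No VPN route at all: every overlapping route carries the traffic elsewhere.
        return [r for r in routes if r.network.overlaps(target)]
    vpn_best = min(vpn_paths, key=_rank)
    return [r for r in routes
            if r.interface != vpn_if and r.network.overlaps(target)
            and _rank(r) < _rank(vpn_best)]


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for r in diverting_routes(table, REMOTE_LAN, VPN_INTERFACE):
        print(f"diverting: {r.network} via {r.gateway} on {r.interface} metric {r.metric}")
    chosen = best_route(table, "192.168.10.21")
    print(f"192.168.10.21 currently leaves via {chosen.interface}")
```

On the sample table the only diverting entry is the static 192.168.10.0/24 route via 192.168.1.1; once it is dropped, the VPN's default route is the best match for 192.168.10.21 again. On a real client the same check is done by feeding the output of `route print` to `parse_route_print`; the point to take from the thread is that an established SA and correct flows on the gateway say nothing about which interface the client's own routing table picks.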
