OpenBSD VPN with Debian Buster Strongswan roadwarrior client

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenBSD VPN with Debian Buster Strongswan roadwarrior client

Marfaba Stewart
If anyone else is configuring a VPN between an OpenBSD
responder and a Debian Buster initiator with Strongswan
on the Debian box, the following notes may spare you
some pain.

First, configure the OpenBSD responder using the FAQ and the
X.509 Certificate Authentication section. A hearty thanks to
the writers!!

For Debian, we don't need the pfx files. Copy the
client1.domain.tgz (created per the FAQ in the same X.509
section above) to the Debian box.

Inside client1.domain.tgz is local.pub. Copy that to
/etc/iked/pubkeys/fqdn/client1.domain on the OpenBSD
responder. Of course use the real name (which doesn't really
have to resolve on the wider Internet) instead of
"client1.domain."

On the OpenBSD responder, your /etc/iked.conf should be
something like:

responder_ip="INSERT_ RESPONDER_IP_HERE"
vpn_net="INSERT_SUBNET_HERE"
mysrcid="INSERT_SRCID_HERE"
mydns="INSERT_DNS_SERVER_IP_HERE"
set fragmentation
ikev2 'responder_x509' passive esp \
        from 0.0.0.0/0 to $vpn_net \
        local $responder_ip peer any \
        srcid $mysrcid \
        config address $vpn_net \
        config name-server $mydns \
        tag "ROADW"

I believe you do need the set fragmentation line above.
You can make up something for vpn_net, like 172.16.5.0/24.

For DNS, I set up unbound to listen on vether0 and set
"mydns" to be the IP of vether0. Make sure vpn_net is
allowed in an access-control line in unbound.conf.

Then start iked. That's it for the OpenBSD side.

The Debian side took me longer.

I initially saw this error on the OpenBSD responder side:
"pool configured, but IKEV@_CP_REQUEST missing" and
"ikev2_dispatch_cert: failed to send ike auth."

The error on the responder happens if you don't configure vips on
the Debian initiator. A search for "CP_REQUEST" led me to RFC5996
and the source code in /usr/src, which makes it clear
that not assigning a local address through vips on the Debian
box was the source of much of my anguish.

The rest of this is about configuring the Debian initiator.

On the Debian box:
sudo apt install strongswan
sudo apt install strongswan-swanctl

Go to the directory you copied client1.domain.tgz to.
mkdir vpn
cd vpn
tar -xvzf ../client1.domain.tgz
sudo cp certs/client1.domain.crt /etc/swanctl/x509
sudo cp ca/ca.crt /etc/swanctl/x509ca
sudo cp private/client1.domain.key /etc/swanctl/private

Here is the /etc/swanctl/swanctl.conf:

# -----------------------------------
connections {
   joeschmoe {
      local_addrs  = YOUR_LOCAL_IP_HERE
      remote_addrs = OPENBSD_RESPONDER_IP_HERE
        vips = 0.0.0.0
        encap = yes

      local {
         auth = pubkey
         certs = client1.domain.crt # CHANGE
                                    # "client1.domain"
         id = client1.domain    # CHANGE
      }
      remote {
         auth = pubkey
         id = SRCID_HERE # same as $mysrcid on the
                         # OpenBSD responser
      }
      children {
         joeschmoe {
            remote_ts = 0.0.0.0/0
         }
      }
      version = 2
   }
}
authorities {
        joeschmoe {
                cacert = ca.crt
        }
}
# -----------------------------------

A couple of notes about swanctl.conf: I thought I needed
fragmentation = force, but I think that's only for IKEv1 and
everything seems to work without it. Just lower the mtu on
the interface (use nm-connection-manager or nmcli ).

The examples on strongswan.org
I saw had "remote_ts = 0.0.0.0" instead of "remote_ts =
0.0.0.0/0" -- nothing worked for me until I added the "/0"
to the end.

Now do
sudo /usr/sbin/swanctl -q
sudo /usr/sbin/swanctl --initiate --child joeschmoe

And that should bring it up. I see an error "adding DNS
server failed" but resolving does work for me through the
VPN since I changed /etc/resolv.conf too. I've tried a few
things to get rid of the DNS server error message and the
"handling INTERNAL_IP4_DNS attribute failed" message, but
nothing has worked for me so far.

I hope this helps!




Reply | Threaded
Open this post in threaded view
|

Re: OpenBSD VPN with Debian Buster Strongswan roadwarrior client

Ville Valkonen
Hi,


On Fri 19. Feb 2021 at 5.28, marfabastewart <[hidden email]>
wrote:

> If anyone else is configuring a VPN between an OpenBSD
> responder and a Debian Buster initiator with Strongswan
> on the Debian box, the following notes may spare you
> some pain.
>
> First, configure the OpenBSD responder using the FAQ and the
> X.509 Certificate Authentication section. A hearty thanks to
> the writers!!
>
> For Debian, we don't need the pfx files. Copy the
> client1.domain.tgz (created per the FAQ in the same X.509
> section above) to the Debian box.
>
> Inside client1.domain.tgz is local.pub. Copy that to
> /etc/iked/pubkeys/fqdn/client1.domain on the OpenBSD
> responder. Of course use the real name (which doesn't really
> have to resolve on the wider Internet) instead of
> "client1.domain."
>
> On the OpenBSD responder, your /etc/iked.conf should be
> something like:
>
> responder_ip="INSERT_ RESPONDER_IP_HERE"
> vpn_net="INSERT_SUBNET_HERE"
> mysrcid="INSERT_SRCID_HERE"
> mydns="INSERT_DNS_SERVER_IP_HERE"
> set fragmentation
> ikev2 'responder_x509' passive esp \
>         from 0.0.0.0/0 to $vpn_net \
>         local $responder_ip peer any \
>         srcid $mysrcid \
>         config address $vpn_net \
>         config name-server $mydns \
>         tag "ROADW"
>
> I believe you do need the set fragmentation line above.
> You can make up something for vpn_net, like 172.16.5.0/24.
>
> For DNS, I set up unbound to listen on vether0 and set
> "mydns" to be the IP of vether0. Make sure vpn_net is
> allowed in an access-control line in unbound.conf.
>
> Then start iked. That's it for the OpenBSD side.
>
> The Debian side took me longer.
>
> I initially saw this error on the OpenBSD responder side:
> "pool configured, but IKEV@_CP_REQUEST missing" and
> "ikev2_dispatch_cert: failed to send ike auth."
>
> The error on the responder happens if you don't configure vips on
> the Debian initiator. A search for "CP_REQUEST" led me to RFC5996
> and the source code in /usr/src, which makes it clear
> that not assigning a local address through vips on the Debian
> box was the source of much of my anguish.
>
> The rest of this is about configuring the Debian initiator.
>
> On the Debian box:
> sudo apt install strongswan
> sudo apt install strongswan-swanctl
>
> Go to the directory you copied client1.domain.tgz to.
> mkdir vpn
> cd vpn
> tar -xvzf ../client1.domain.tgz
> sudo cp certs/client1.domain.crt /etc/swanctl/x509
> sudo cp ca/ca.crt /etc/swanctl/x509ca
> sudo cp private/client1.domain.key /etc/swanctl/private
>
> Here is the /etc/swanctl/swanctl.conf:
>
> # -----------------------------------
> connections {
>    joeschmoe {
>       local_addrs  = YOUR_LOCAL_IP_HERE
>       remote_addrs = OPENBSD_RESPONDER_IP_HERE
>         vips = 0.0.0.0
>         encap = yes
>
>       local {
>          auth = pubkey
>          certs = client1.domain.crt # CHANGE
>                                     # "client1.domain"
>          id = client1.domain        # CHANGE
>       }
>       remote {
>          auth = pubkey
>          id = SRCID_HERE # same as $mysrcid on the
>                          # OpenBSD responser
>       }
>       children {
>          joeschmoe {
>             remote_ts = 0.0.0.0/0
>          }
>       }
>       version = 2
>    }
> }
> authorities {
>         joeschmoe {
>                 cacert = ca.crt
>         }
> }
> # -----------------------------------
>
> A couple of notes about swanctl.conf: I thought I needed
> fragmentation = force, but I think that's only for IKEv1 and
> everything seems to work without it. Just lower the mtu on
> the interface (use nm-connection-manager or nmcli ).
>
> The examples on strongswan.org
> I saw had "remote_ts = 0.0.0.0" instead of "remote_ts =
> 0.0.0.0/0" -- nothing worked for me until I added the "/0"
> to the end.


That's because it must match what you've configured on the Openbsd side (
0.0.0.0/0).

>
--
Kind regards,
Ville
Reply | Threaded
Open this post in threaded view
|

Re: OpenBSD VPN with Debian Buster Strongswan roadwarrior client

Marfaba Stewart
>> On Fri 19. Feb 2021 at 5.28, marfabastewart
>> <[hidden email]> wrote:

>>  If anyone else is configuring a VPN between an OpenBSD responder and
>>  a Debian Buster initiator with Strongswan

... snip snip ...

>>  On the OpenBSD responder, your /etc/iked.conf should be something like:

... snip snip ...

>>  ikev2 'responder_x509' passive esp \
>>  from 0.0.0.0/0 to $vpn_net \

... snip snip ...

>> The examples on strongswan.org
>> I saw had "remote_ts = 0.0.0.0" instead of "remote_ts =
>> 0.0.0.0/0" -- nothing worked for me until I added the "/0"
>> to the end.

> On Friday, February 19, 2021 2:24 AM, Ville Valkonen
> <[hidden email]> wrote:

... snip snip ...

>  That's because it must match what you've configured on the Openbsd side
>  (0.0.0.0/0).

Thank you very much!

I also found out how to get rid of the DNS errors, just

sudo apt install resolvconf

(I found a post that said one needs resolvconf because of Debian
AppArmor.)