iked road warrior setup with multiple clients connecting


iked road warrior setup with multiple clients connecting

Michael Lam
Hi,

I have a very straightforward use case: I want to use my
OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
connections from the Internet and route all traffic through my
router.

I am using ms-chapv2 authentication and a letsencrypt certificate,
which I can successfully obtain. All my clients are Apple devices
with the latest iOS installed. They normally are connected to the Internet
directly without going through this router.

Configuration as below:

user "a" "123456"
user "b" "246810"
user "c" "135791"

set passive

ikev2 "rw" passive esp \
        from any to 172.20.11.0/24 \
        local any peer any \
        srcid my.fqdn.org \
        eap mschap-v2 \
        config protected-subnet 172.20.10.0/24 \
        config address 172.20.11/0/24 \
        config name-server 172.20.10.1

I use "from any" because I want all traffic to be routed to the
OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
VPN allocation. That's why I also have config address 172.20.11.0/24
in the configuration.

my.fqdn.org is a public IP address for which I've obtained a domain name
pointing to it.

I have this working flawlessly with all the devices individually.
However, when I tried to connect the 2nd device (user b) while the
1st device (user a) is still connected, the 1st device’s connectivity
will not go through anymore until I disconnect the 2nd device
(user b).

Through some searching, some of the posts recommend I change

"to 172.20.11.0/24" to "to any"

But then none of the clients can connect anymore.

I further checked "ipsecctl -sa" to see what kind of traffic selector
is being established. I noticed that when I connect the 2nd device
(user b), the traffic selector of user (b) replaces that of user (a)
because they're in the same subnet (172.20.11.0/24) although they have
different IP addresses assigned.

It looks like in this use case, iked does not narrow down the traffic
selector although it allows multiple addresses to be allocated to
different devices, which kind of defeats the purpose of the
"config address" directive.

Is there any way to get around this, or is it something that someone
needs to write a patch to fix? (I'm no coder, so I am now reverting
to good old IPsec/L2TP for now).

Rgds,

Mike
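An added example, not code from the thread and not iked's own implementation, that models the collision Mike describes: a toy security policy database keyed by flow selector, where a pool-wide policy ("from any to 172.20.11.0/24") produces the identical selector for every peer so the second client displaces the first, while narrowing the client side to the /32 handed out via "config address" keeps both peers active. The client names and addresses are constructed.

```python
"""Constructed model (not iked's code) of why two road-warrior clients can
collide on the same IPsec flow.

The kernel's security policy database (SPD) is modelled as a dict keyed by
the flow selector (direction, src net, dst net). A policy such as
"from any to 172.20.11.0/24" yields the same selector for every peer, so
the second peer's flow replaces the first peer's. Narrowing the client side
of the selector to the /32 address assigned from the pool gives each peer
its own flows, which is the behaviour the "config address" pool implies.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Selector = Tuple[str, IPv4Network, IPv4Network]  # (direction, src, dst)


class Spd:
    """Toy SPD: one owner (peer id) per selector, last writer wins."""

    def __init__(self) -> None:
        self.flows: Dict[Selector, str] = {}

    def install(self, peer: str, sel: Selector) -> Optional[str]:
        """Install a flow for peer; return the peer it displaced, if any."""
        previous = self.flows.get(sel)
        self.flows[sel] = peer
        return previous if previous not in (None, peer) else None

    def peers(self) -> set:
        """Peers that still own at least one flow."""
        return set(self.flows.values())


def policy_selectors(local_net: IPv4Network,
                     remote_net: IPv4Network) -> List[Selector]:
    """Flows a responder installs for 'from <local_net> to <remote_net>'."""
    return [("out", local_net, remote_net), ("in", remote_net, local_net)]


def narrowed_selectors(local_net: IPv4Network, pool: IPv4Network,
                       assigned: IPv4Address) -> List[Selector]:
    """Same policy, but the remote side narrowed to the pool address."""
    if assigned not in pool:
        raise ValueError(f"{assigned} is not inside the pool {pool}")
    return policy_selectors(local_net, ip_network(f"{assigned}/32"))


def connect_clients(narrow: bool, local: str = "0.0.0.0/0",
                    pool: str = "172.20.11.0/24",
                    clients=(("a", "172.20.11.10"), ("b", "172.20.11.11"))):
    """Connect clients in order; return (active peers, displacement events).

    Constructed scenario: users a and b from the thread, each assigned a
    distinct address from the 172.20.11.0/24 pool.
    """
    spd = Spd()
    local_net, pool_net = ip_network(local), ip_network(pool)
    displaced: List[Tuple[str, str]] = []  # (new peer, peer it knocked out)
    for peer, addr in clients:
        sels = (narrowed_selectors(local_net, pool_net, ip_address(addr))
                if narrow else policy_selectors(local_net, pool_net))
        for sel in sels:
            old = spd.install(peer, sel)
            if old is not None and (peer, old) not in displaced:
                displaced.append((peer, old))
    return spd.peers(), displaced


if __name__ == "__main__":
    # Pool-wide selector: b's flows overwrite a's, matching the symptom.
    print("pool-wide selector:", connect_clients(narrow=False))
    # Narrowed selector: both peers keep their own flows.
    print("narrowed per client:", connect_clients(narrow=True))
```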


Re: iked road warrior setup with multiple clients connecting

Hrvoje Popovski
On 25.2.2019. 16:44, Michael Lam wrote:

> Hi,
>
> I have a very straightforward use case: I want to use my
> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
> connections from the Internet and route all traffic through my
> router.
>
> I am using ms-chapv2 authentication and a letsencrypt certificate,
> which I can successfully obtain. All my clients are Apple devices
> with the latest iOS installed. They normally are connected to the Internet
> directly without going through this router.
>
> Configuration as below:
>
> user "a" "123456"
> user "b" "246810"
> user "c" "135791"
>
> set passive
>
> ikev2 "rw" passive esp \
>         from any to 172.20.11.0/24 \
>         local any peer any \
>         srcid my.fqdn.org \
>         eap mschap-v2 \
>         config protected-subnet 172.20.10.0/24 \
>         config address 172.20.11/0/24 \
                                  ^
is this a typo?


Re: iked road warrior setup with multiple clients connecting

William Ahern-2
In reply to this post by Michael Lam
On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:

> Hi,
>
> I have a very straightforward use case: I want to use my
> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
> connections from the Internet and route all traffic through my
> router.
>
> I am using ms-chapv2 authentication and a letsencrypt certificate,
> which I can successfully obtain. All my clients are Apple devices
> with the latest iOS installed. They normally are connected to the Internet
> directly without going through this router.
>
> Configuration as below:
>
> user "a" "123456"
> user "b" "246810"
> user "c" "135791"
>
> set passive
>
> ikev2 "rw" passive esp \
>         from any to 172.20.11.0/24 \
>         local any peer any \
>         srcid my.fqdn.org \
>         eap mschap-v2 \
>         config protected-subnet 172.20.10.0/24 \
>         config address 172.20.11/0/24 \
>         config name-server 172.20.10.1
>
> I use "from any" because I want all traffic to be routed to the
> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
> VPN allocation. That's why I also have config address 172.20.11.0/24
> in the configuration.
>
> my.fqdn.org is a public IP address which I’ve obtained a domain name
> pointing to it.
>
> I have this working flawlessly with all the devices individually.

Are you sure things worked flawlessly with "from any"? IIRC the "any"
keyword doesn't work as expected and one must instead use "0.0.0.0/0"
explicitly. I may be wrong, but I'm fairly confident I lost an entire evening
relearning that lesson not too long ago.


Re: iked road warrior setup with multiple clients connecting

Stuart Henderson
In reply to this post by Michael Lam
On 2019-02-25, Michael Lam <[hidden email]> wrote:

> Hi,
>
> I have a very straightforward use case: I want to use my
> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
> connections from the Internet and route all traffic through my
> router.
>
> I am using ms-chapv2 authentication and a letsencrypt certificate,
> which I can successfully obtain. All my clients are Apple devices
> with the latest iOS installed. They normally are connected to the Internet
> directly without going through this router.

Interested to know what you did to get a letsencrypt working with
clients, I haven't been able to do that yet, iked doesn't seem to have
any way to send the intermediate cert.

> Configuration as below:
>
> user "a" "123456"
> user "b" "246810"
> user "c" "135791"
>
> set passive
>
> ikev2 "rw" passive esp \
>         from any to 172.20.11.0/24 \
>         local any peer any \
>         srcid my.fqdn.org \
>         eap mschap-v2 \
>         config protected-subnet 172.20.10.0/24 \
>         config address 172.20.11/0/24 \
>         config name-server 172.20.10.1
>
> I use "from any" because I want all traffic to be routed to the
> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
> VPN allocation. That's why I also have config address 172.20.11.0/24
> in the configuration.

For "all traffic from clients is sent tunnelled via the iked box",
I've used "from 0.0.0.0/0 to 0.0.0.0/0", and without "config
protected-subnet". It works, but I haven't convinced myself that it's
secure in the face of malicious clients yet (i.e. not sure if the client
is restricted to only using the address they get from the pool via
mode-config, or if they can pick some other address to hijack traffic).

> my.fqdn.org is a public IP address which I’ve obtained a domain name
> pointing to it.
>
> I have this working flawlessly with all the devices individually.
> However, when I tried to connect the 2nd device (user b) while the
> 1st device (user a) is still connected, the 1st device’s connectivity
> will not go through anymore until I disconnect the 2nd device
> (user b).
>
> Through some searching, some of the posts recommend I change
>
> "to 172.20.11.0/24" to "to any"
>
> But then none of the clients can connect anymore.
>
> I further checked "ipsecctl -sa" to see what kind of traffic selector
> is being established. I noticed that when I connect the 2nd device
> (user b), the traffic selector of user (b) replaces that of user (a)
> because they're in the same subnet (172.20.11.0/24) although they have
> different IP addresses assigned.
>
> It looks like in this use case, iked does not narrow down the traffic
> selector although it allows multiple addresses to be allocated to
> different devices, which kind of defeats the purpose of the
> "config address" directive.
>
> Is there any way to get around this, or is it something that someone
> needs to write a patch to fix? (I'm no coder, so I am now reverting
> to good old IPsec/L2TP for now).
>
> Rgds,
>
> Mike
>
>

slightly sanitised version of one of my configs:

ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0/0 \
  local $my_ip \
  peer any \
  ikesa enc aes-256 enc aes-128  prf hmac-sha2-256               auth hmac-sha2-256  group ecp256 \
  ikesa enc aes-256 enc aes-128  prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256  group ecp256 group modp2048 group modp1024 \
  childsa enc aes-256-gcm enc aes-128-gcm \
  childsa enc aes-256 enc aes-128 auth hmac-sha2-256 auth hmac-sha1 \
  srcid "my.name" \
  eap "mschap-v2" \
  config address 192.0.2.0/24 \
  config name-server 9.9.9.9 \
  tag "$name-$id"



Re: iked road warrior setup with multiple clients connecting

Michael Lam
In reply to this post by William Ahern-2


> On 26 Feb 2019, at 5:11 AM, William Ahern <[hidden email]> wrote:
>
> On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:
>> Hi,
>>
>> I have a very straightforward use case: I want to use my
>> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
>> connections from the Internet and route all traffic through my
>> router.
>>
>> I am using ms-chapv2 authentication and a letsencrypt certificate,
>> which I can successfully obtain. All my clients are Apple devices
>> with the latest iOS installed. They normally are connected to the Internet
>> directly without going through this router.
>>
>> Configuration as below:
>>
>> user "a" "123456"
>> user "b" "246810"
>> user "c" "135791"
>>
>> set passive
>>
>> ikev2 "rw" passive esp \
>>        from any to 172.20.11.0/24 \
>>        local any peer any \
>>        srcid my.fqdn.org \
>>        eap mschap-v2 \
>>        config protected-subnet 172.20.10.0/24 \
>>        config address 172.20.11/0/24 \
>>        config name-server 172.20.10.1
>>
>> I use "from any" because I want all traffic to be routed to the
>> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
>> VPN allocation. That's why I also have config address 172.20.11.0/24
>> in the configuration.
>>
>> my.fqdn.org is a public IP address which I’ve obtained a domain name
>> pointing to it.
>>
>> I have this working flawlessly with all the devices individually.
>
> Are you sure things worked flawlessly with "from any". IIRC the "any"
> keyword doesn't work as expected and one must instead use "0.0.0.0/0"
> explicitly. I may be wrong but I'm fairly confident I lost an entire evening
> relearning that lesson not too long ago.

I've made several changes during my testing. As far as I can recall it works.
Also tried 0.0.0.0/0.

Also there is a typo in config address, which I made when I copied &
pasted into the email and modified it (so that I won't expose some of my
internal configuration).

The point is that I cannot make it work with more than 1 client connected
simultaneously. Other than that I've a good working configuration, and I
have actually used it for a few days until I switched back to IPsec/L2TP now.


Re: iked road warrior setup with multiple clients connecting

Michael Lam
In reply to this post by William Ahern-2


> On 26 Feb 2019, at 5:11 AM, William Ahern <[hidden email]> wrote:
>
> On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:
>> Hi,
>>
>> I have a very straightforward use case: I want to use my
>> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
>> connections from the Internet and route all traffic through my
>> router.
>>
>> I am using ms-chapv2 authentication and a letsencrypt certificate,
>> which I can successfully obtain. All my clients are Apple devices
>> with the latest iOS installed. They normally are connected to the Internet
>> directly without going through this router.
>>
>> Configuration as below:
>>
>> user "a" "123456"
>> user "b" "246810"
>> user "c" "135791"
>>
>> set passive
>>
>> ikev2 "rw" passive esp \
>>        from any to 172.20.11.0/24 \
>>        local any peer any \
>>        srcid my.fqdn.org \
>>        eap mschap-v2 \
>>        config protected-subnet 172.20.10.0/24 \
>>        config address 172.20.11/0/24 \
>>        config name-server 172.20.10.1
>>
>> I use "from any" because I want all traffic to be routed to the
>> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
>> VPN allocation. That's why I also have config address 172.20.11.0/24
>> in the configuration.
>>
>> my.fqdn.org is a public IP address which I’ve obtained a domain name
>> pointing to it.
>>
>> I have this working flawlessly with all the devices individually.
>
> Are you sure things worked flawlessly with "from any". IIRC the "any"
> keyword doesn't work as expected and one must instead use "0.0.0.0/0"
> explicitly. I may be wrong but I'm fairly confident I lost an entire evening
> relearning that lesson not too long ago.

Also responding to another user (due to some issue I can only get the
mailing list emails fixed.)

I use a Letsencrypt certificate by doing the following:
1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
OpenBSD) into the "ca" folder.
2. Putting the certificate file obtained from Letsencrypt into the "cert" folder
under the iked folder.
3. Putting the full chain certificate file into the "ca" folder.

And I got it working using "from 0.0.0.0/0 to 172.20.11.0/24".

Never got it working with:

from any to any, or
from 0.0.0.0/0 to 0.0.0.0/0

config protected-subnet doesn't really do anything in my setup.




Re: iked road warrior setup with multiple clients connecting

Michael Lam
Just want to highlight that there is a FAQ document checked in that
provides some samples of iked configurations for road-warrior setup.

I am using almost the same setup provided in the sample, and I can only
have one client connected at a time. Once the 2nd client connects it
will stop the first client from working.

Hope this helps with others until it is fixed.



Re: iked road warrior setup with multiple clients connecting

Stuart Henderson
On 2019-02-28, Michael Lam <[hidden email]> wrote:
> Just want to highlight that there is a FAQ document checked in that
> provides some samples of iked configurations for road-warrior setup.
>
> I am using almost the same setup provided in the sample, and I can only
> have one client connected at a time. Once the 2nd client connects it
> will stop the first client from working.
>
> Hope this helps with others until it is fixed.

Note that the new FAQ page for VPNs is still a work in progress.
(In particular I think that the "OpenBSD as client" section which
tries to work around iked's lack of client side mode-config support
is not entirely correct yet).

>> Also responding to another user (due to some issue I can only get the
>> mailing list emails fixed.)
>>
>> I use a Letsencrypt certificate by doing the following:
>> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
>> OpenBSD) into the "ca" folder.
>> 2. Putting the certificate file obtained from Letsencrypt into the "cert" folder
>> under the iked folder.
>> 3. Putting the full chain certificate file into the "ca" folder.

Interesting. I guess Apple works a bit differently to strongswan
in this respect then, perhaps it auto-fetches intermediates (like
gui web browsers do for https, but curl/etc don't).

The problem I'm having with a Let's Encrypt cert (or indeed any cert
that requires an intermediate - before I tried LE I was using an
internal "VPN CA" chained off my main internal CA) is that iked
doesn't present the chain alongside its own certificate. You can
have it send the chain cert along with CAs by including it in the
ca/ directory but clients aren't looking there to validate the
server cert.

I think that's just missing from the implementation for now,
but I was interested to hear that you had it working anyway.

Including the entirety of /etc/ssl/cert.pem in the ca/ folder isn't
doing anything useful, this is just meant to be the CA you are using,
and is used to provide a hint to the client about which client cert
would be acceptable. With a big list that's a big chunk of UDP
fragments, and for EAP-MSCHAPv2 (which doesn't even use a client
cert) it doesn't help.



Re: iked road warrior setup with multiple clients connecting

Michael Lam


> On 1 Mar 2019, at 6:42 AM, Stuart Henderson <[hidden email]> wrote:
>
> On 2019-02-28, Michael Lam <[hidden email]> wrote:
>> Just want to highlight that there is a FAQ document checked in that
>> provides some samples of iked configurations for road-warrior setup.
>>
>> I am using almost the same setup provided in the sample, and I can only
>> have one client connected at a time. Once the 2nd client connects it
>> will stop the first client from working.
>>
>> Hope this helps with others until it is fixed.
>
> Note that the new FAQ page for VPNs is still a work in progress.
> (In particular I think that the "OpenBSD as client" section which
> tries to work around iked's lack of client side mode-config support
> is not entirely correct yet).

Unfortunately in my setup OpenBSD is the server, so probably mode-config
support doesn't matter to me. Guess I still have to wait. With 6.5 coming,
maybe I will have to wait for 6.6 or pull from CVS when this gets fixed
(if it is a bug and not my misconfiguration).

>
>>> Also responding to another user (due to some issue I can only get the
>>> mailing list emails fixed.)
>>>
>>> I use a Letsencrypt certificate by doing the following:
>>> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
>>> OpenBSD) into the "ca" folder.
>>> 2. Putting the certificate file obtained from Letsencrypt into the "cert" folder
>>> under the iked folder.
>>> 3. Putting the full chain certificate file into the "ca" folder.
>
> Interesting. I guess Apple works a bit differently to strongswan
> in this respect then, perhaps it auto-fetches intermediates (like
> gui web browsers do for https, but curl/etc don't).
>
> The problem I'm having with a Let's Encrypt cert (or indeed any cert
> that requires an intermediate - before I tried LE I was using an
> internal "VPN CA" chained off my main internal CA) is that iked
> doesn't present the chain alongside its own certificate. You can
> have it send the chain cert along with CAs by including it in the
> ca/ directory but clients aren't looking there to validate the
> server cert.
>
> I think that's just missing from the implementation for now,
> but I was interested to hear that you had it working anyway.
>
> Including the entirety of /etc/ssl/cert.pem in the ca/ folder isn't
> doing anything useful, this is just meant to be the CA you are using,
> and is used to provide a hint to the client about which client cert
> would be acceptable. With a big list that's a big chunk of UDP
> fragments, and for EAP-MSCHAPv2 (which doesn't even use a client
> cert) it doesn't help.
>
>
To this particular point (copying /etc/ssl/cert.pem into the ca/ folder),
if I recall correctly, without this I couldn't get it working as iked
will complain that my letsencrypt certificate is not valid.

However I couldn't confirm for sure at the moment as I've already
reverted to an IPsec/L2TP VPN using napped.

And yes, I only tested iOS devices (that's all I got). The problem
that still exists is that I can't have more than 1 client connected at
one time.


Re: iked road warrior setup with multiple clients connecting

Michael Lam
Hi,

Just want to give a bump here to see if anyone got this resolved.

Rgds,

Michael
