ikev2 and road warriors setup

ikev2 and road warriors setup

Radek
Hello,

I have configured OpenIKED Site-to-Site VPN between two gateways:
serv73 - OBSD6.1, IP A.B.C.73,
serv75 - OBSD6.2, IP A.B.C.75.
It seems to work fine.

I'm trying to set up a VPN for a few road warriors on one of these gateways. As far as possible, authorisation should be independent of the user's IP. If I get it right, a certificate is always bound to a certain IP, so I need to use login and password authentication.
After spending some time playing around with that, I cannot find the proper configuration.
I know the reason for that is a lack of a certificate (I don't have any idea what cert it is), but maybe it is something else that I have missed or did wrong.
I have read the manuals but not everything is clear to me.

On Win7 I got an 809 error.
Client is configured as below:
https://hide.me/en/vpnsetup/windows7/ikev2/

Any help appreciated :)

My configs:

[root@@serv75/home/rdk:]iked -dv
ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 policy 'roadwarrior' id 0, 528 bytes
ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 325 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ca_getreq: no valid local certificate found
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes


[root@@serv75/home/rdk:]cat /etc/iked.conf
remote_gw73     =     "A.B.C.73" # serv33
remote_lan73    =     "10.0.73.0/24"
local_gw        =     "10.0.75.254" # serv75
local_lan       =     "10.0.75.0/24"
dns1     =     "8.8.8.8"

ikev2 active esp from $local_gw to $remote_gw73 \
from $local_lan to $remote_lan73 peer $remote_gw73 \
psk "test123"

user "test" "pass1234"
ikev2 "roadwarrior" passive esp \
        from 0.0.0.0/0 to 10.0.75.0/24 \
        local any peer any \
        eap "mschap-v2" \
        config address 10.0.75.123 \
        config name-server 8.8.8.8 \
        tag "$name-$id"

[root@@serv75/home/rdk:]cat /etc/pf.conf
ext_if          = "vr0"
lan_if          = "vr1"            # vr1
lan_local       = $lan_if:network  # 10.0.75.0/24
ext_ip          = "A.B.C.75"
bud             = "A.B.C.0/25"
rdkhome_wy      = "YY.YY.YY.YY"
rdkhome_mon     = "XX.XX.XX.XX"
ssh_port        = "1071"
icmp_types      = "{ echoreq, unreach }"
table <vpn_peers> const { A.B.C.73, A.B.C.74 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic
match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to $ext_if port $ssh_port \
        set prio (1, 6) keep state
pass out quick on egress proto esp from (egress:0) to <vpn_peers>                  keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass  in quick on egress proto esp from <vpn_peers> to (egress:0)                  keep state
pass  in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state
pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state
block return in on ! lo0 proto tcp to port 6000:6010

[root@@serv75/home/rdk:]cat /etc/hostname.vr0
inet A.B.C.75 255.255.254.0 NONE description "WAN75"
group trust

[root@@serv75/home/rdk:]cat /etc/hostname.vr1
inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
group trust

[root@@serv75/home/rdk:]cat /etc/hostname.enc0
up

[root@@serv75/home/rdk:]cat /etc/rc.conf.local
iked_flags=YES
ntpd_flags="-s"
dhcpd_flags="vr1 vr2 vr3"

[root@@serv75/home/rdk:]cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1


--
radek

Re: ikev2 and road warriors setup

Radek
Hi again,

I'm still trying to make it work for road warriors.
The VPN server has IP address A.B.9.73/23. It is OpenBSD 6.1.

I generated certs:

# hostname
serv73

# ikectl ca vpn create (CN = serv73)
# ikectl ca vpn install

# ikectl ca vpn certificate A.B.9.73 create
# ikectl ca vpn certificate A.B.9.73 install

# ikectl ca vpn certificate A.B.9.76 create #(CN = A.B.9.76)
# ikectl ca vpn certificate A.B.9.76 export

After installing A.B.9.76.zip in Win7 I can connect to VPN server from any IP address that is in range A.B.9.0/23.

I can't connect from an IP that is NOT in A.B.9.0/23.
I tried to connect from many IPs (public and behind NAT) but every time I got an "809 error".

Can anyone please help me with solving that problem?

# cat /etc/iked.conf
[snip]
ikev2 "roadWarrior" passive esp \
        from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
        srcid A.B.9.73 \
        config address 10.0.70.128 \
        tag "$name-$id"

# iked -n
configuration OK

# cat /etc/pf.conf
ext_if          = "vr0"
lan_if          = "vr1"            # vr1
lan_local       = $lan_if:network  # 10.0.73.0/24
ext_ip          = "A.B.9.73"
bud             = "A.B.9.0/25"
rdkhome_wy      = "YY.YY.YY.YY"
rdkhome_mon     = "XX.XX.XX.XX"
ssh_port        = "1071"
icmp_types      = "{ echoreq, unreach }"
table <vpn_peers> const { A.B.9.74, A.B.C.75 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic

match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)

pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to $ext_if port $ssh_port \
        set prio (1, 6) keep state

pass out quick on egress proto esp from (egress:0) to <vpn_peers>                  keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass  in quick on egress proto esp from <vpn_peers> to (egress:0)                  keep state
pass  in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state

pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state

block return in on ! lo0 proto tcp to port 6000:6010



# iked -dvv
ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 policy 'roadWarrior' id 0, 528 bytes
ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x35e2e7f614678913 0x0000000000000000 E.F.G.H:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x0000000000000000 A.B.9.73:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f A.B.9.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x35e2e7f614678913 0x177a4400d017d93f E.F.G.H:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x177a4400d017d93f nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 0, 325 bytes
config_free_proposals: free 0x8134e000

Generating and installing a certificate for E.F.G.H doesn't change anything.


On Sat, 27 Jan 2018 19:55:46 +0100
Radek <[hidden email]> wrote:


--
radek
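Added example, not code from the posts or from OpenIKED: a small Python triage script for the iked -dv/-dvv output shown in both posts. It lists the IKE exchanges and the transforms the client offered, and flags three things visible in the two logs: the "no valid local certificate found" error and the repeated IKE_AUTH requests from the first post, an IKE_SA_INIT that is never followed by IKE_AUTH as in the second post, and legacy transforms (3DES, MODP_1024) the client proposed. The log samples are constructed from the posts' output with the same placeholder addresses, and the legacy-transform list is an assumption based on RFC 8247.

```python
import re
# Constructed sample in the shape of the first post's "iked -dv" output
# (placeholder addresses kept as in the post).
SAMPLE_POST1 = """\
ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 policy 'roadwarrior' id 0, 528 bytes
ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 325 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ca_getreq: no valid local certificate found
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
"""
# Constructed sample in the shape of the second post's "iked -dvv" output.
SAMPLE_POST2 = """\
ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 policy 'roadWarrior' id 0, 528 bytes
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 0, 325 bytes
"""
EXCHANGE_RE = re.compile(
    r"^ikev2_(?:recv|msg_send): (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL)"
    r" (request|response) from (?:initiator )?(\S+) to (\S+)")
XFORM_RE = re.compile(r"^ikev2_pld_xform: .* type (\w+) id (\S+)$")
# Transforms RFC 8247 marks SHOULD NOT / MUST NOT for IKEv2 (assumed list).
LEGACY_XFORMS = {"DES", "3DES", "MODP_768", "MODP_1024", "HMAC_MD5_96"}

def triage(log):
    """Summarize one iked debug log: exchanges seen, transforms offered, findings."""
    exchanges, xforms, findings = [], [], []
    for line in log.splitlines():
        m = EXCHANGE_RE.match(line)
        if m:
            exchanges.append(f"{m.group(1)} {m.group(2)}")
            continue
        m = XFORM_RE.match(line)
        if m:
            xforms.append(m.group(2))
        elif "no valid local certificate found" in line:
            findings.append("no-local-cert")  # responder has no cert to authenticate with
    if "IKE_SA_INIT request" in exchanges and "IKE_AUTH request" not in exchanges:
        findings.append("no-ike-auth")  # peer never sent IKE_AUTH after our response
    if exchanges.count("IKE_AUTH request") > 1 and "IKE_AUTH response" not in exchanges:
        findings.append("ike-auth-retransmits")  # peer retries, responder never answers
    legacy = sorted(set(xforms) & LEGACY_XFORMS)
    if legacy:
        findings.append("legacy-transforms:" + ",".join(legacy))
    return {"exchanges": exchanges, "xforms": xforms, "findings": findings}

if __name__ == "__main__":
    for name, log in (("post1", SAMPLE_POST1), ("post2", SAMPLE_POST2)):
        print(name, triage(log)["findings"])
```

Run it against a real `iked -dvv` capture by passing the file contents to `triage()`; the "no-ike-auth" finding means the responder's IKE_SA_INIT reply was sent but the peer never continued, which points at the return path rather than at authentication.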