VPN server for remote clients using IKEv2: Difference between revisions

From Libreswan
Jump to navigation Jump to search
No edit summary
No edit summary
 
(8 intermediate revisions by 2 users not shown)
Line 9: Line 9:
* Windows 7 and up
* Windows 7 and up
* Windows Phone (requires latest firmware)
* Windows Phone (requires latest firmware)
* OSX ?
* OSX and iOS
* iOS (via profile manager only?)
* Android with strongswan client


=== X.509 Certificate requirements ===
=== X.509 Certificate requirements ===
Line 18: Line 18:
* The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate. The client then must connect to the VPN using the DNS name. Alternately, the client can connect using the IP if the SAN contains the IP address of the gateway.  
* The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate. The client then must connect to the VPN using the DNS name. Alternately, the client can connect using the IP if the SAN contains the IP address of the gateway.  
* The VPN gateway's certificate must have the Digital Signature and Key Encipherment KU extensions if the SAN and CN use the same, full DNS name.
* The VPN gateway's certificate must have the Digital Signature and Key Encipherment KU extensions if the SAN and CN use the same, full DNS name.
* The certificates also need to have the serverAuth and clientAuth ExtendedKeyUSage ("EKU") attribytes set. Alternatively, EKU checking can be
* The certificates also need to have the serverAuth and clientAuth ExtendedKeyUSage ("EKU") attribytes set. Alternatively, EKU checking can be disabled, see [[Interoperability#Windows_Certificate_requirements]]
  disabled, see [[Interoperability#Windows_Certificate_requirements]]


{{ ambox | nocat=true | type=speedy | text = Windows uses only insecure defaults for IKEv2. To interop with libreswan, you need to either specify a modp1024 based proposal or change the registry and add a DWORD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 }}
{{ ambox | nocat=true | type=speedy | text = Windows uses only insecure defaults for IKEv2. To interop with libreswan, you need to either specify a modp1024 based proposal or change the registry and add a DWORD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 }}
Line 48: Line 47:
     modecfgdns=8.8.8.8,193.100.157.123
     modecfgdns=8.8.8.8,193.100.157.123
     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
     modecfgdns1=8.8.8.8
     #modecfgdns1=8.8.8.8
     modecfgdns2=193.110.157.123
     #modecfgdns2=193.110.157.123
     narrowing=yes
     narrowing=yes
     # recommended dpd/liveness to cleanup vanished clients
     # recommended dpd/liveness to cleanup vanished clients
Line 63: Line 62:
     # pam-authorize=yes
     # pam-authorize=yes
</pre>
</pre>
== Libreswan client ==
You can use the NetworkManager-libreswan package to configure a VPN client connection using NetworkManager. You still need to import the PKCS#12 certificate bundle using:
<pre>
ipsec import file.p12
</pre>
If you do not want to use NetworkManager, but a static connection file that you can manually bring up using ipsec auto --up connname, you can create a file similar to this one:
Then add a client.conf in /etc/ipsec.d/ containing:
<pre>
# IKEv2 roadwarrior client config using X.509 certificates
conn vpn.example.com
left=%defaultroute
leftcert=YourCertFiendlyName
leftid=%fromcert
leftrsasigkey=%cert
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
right=vpn.example.com
rightsubnet=0.0.0.0/0
rightid=@vpn.example.com
rightrsasigkey=%cert
narrowing=yes
ikev2=insist
rekey=yes
fragmentation=yes
mobike=yes
auto=add
</pre>
You will also need to import the PKCS#12 certificate file as shown above.


== Windows 7 client configuration with "RasClient" native IKEv2 ==
== Windows 7 client configuration with "RasClient" native IKEv2 ==
Line 84: Line 118:


Verify that you have imported the client certificate with private key into the Computer certificate store and not the Local user store. Starting mmc.exe as an administrator will allow you to do this.
Verify that you have imported the client certificate with private key into the Computer certificate store and not the Local user store. Starting mmc.exe as an administrator will allow you to do this.
Newer versions of Windows require that the certificate has both serverAuth and clientAuth EKU's set.
example tutorial: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
example tutorial: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs


Line 94: Line 130:
* As root, create a database to generate certificates for this example. This database will hold the private key of the CA and allow you to generate new host certificates.
* As root, create a database to generate certificates for this example. This database will hold the private key of the CA and allow you to generate new host certificates.
<pre>
<pre>
# certutil -N -d sql:~/tmpdb/
# mkdir ${HOME}/tmpdb
# certutil -N -d sql:${HOME}/tmpdb
Enter a password which will be used to encrypt your keys.
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
The password should be at least 8 characters long,
Line 106: Line 143:
<pre>
<pre>
# certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \
# certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \
  -k rsa -g 4096 -v 12 -d sql:~/tmpdb -t "CT,," -2
  -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2


A random seed must be generated that will be used in the
A random seed must be generated that will be used in the
Line 131: Line 168:
* Generate the server certificate and assign extensions:
* Generate the server certificate and assign extensions:
<pre>
<pre>
# certutil -S -c "Example CA" -n "gateway" -s "O=Example,CN=gateway.example.com" \  
# certutil -S -c "Example CA" -n "vpn.example.com" -s "O=Example,CN=vpn.example.com" \
   -k rsa -g 4096 -v 12 -d sql:~/tmpdb -t ",," -1 -6 -8 "gateway.example.com"
   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "vpn.example.com"


A random seed must be generated that will be used in the
A random seed must be generated that will be used in the
Line 188: Line 225:
                 Other to finish
                 Other to finish
  > 0
  > 0
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
> 1
                 0 - Server Auth
                 0 - Server Auth
                 1 - Client Auth
                 1 - Client Auth
Line 204: Line 251:
* Generate the client certificate, similar to the above
* Generate the client certificate, similar to the above
<pre>
<pre>
# certutil -S -c "Example CA" -n "win7" -s "O=Example,CN=win7client.example.com" \
# certutil -S -c "Example CA" -n "win7client.example.com" -s "O=Example,CN=win7client.example.com" \
   -k rsa -g 4096 -v 12 -d sql:~/tmpdb -t ",," -1 -6 -8 "win7client.example.com"
   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "win7client.example.com"
-- repeat same extensions above --
-- repeat same extensions above --
</pre>
</pre>
Line 211: Line 258:
* The database should now contain
* The database should now contain
<pre>
<pre>
# certutil -L -d sql:~/tmpdb/
# certutil -L -d sql:${HOME}/tmpdb/


Certificate Nickname                                        Trust Attributes
Certificate Nickname                                        Trust Attributes
Line 217: Line 264:


Example CA                                                  CTu,u,u
Example CA                                                  CTu,u,u
gateway                                                      u,u,u
vpn.example.com                                              u,u,u
win7                                                        u,u,u
win7client.example.com                                      u,u,u
</pre>
</pre>


* Export the p12 files that contain the host certificate, private key, and CA certificate.
* Export the p12 files that contain the host certificate, private key, and CA certificate.
<pre>
<pre>
# pk12util -o win7.p12 -n "win7" -d sql:~/tmpdb/
# pk12util -o win7client.example.com.p12 -n "win7client.example.com" -d sql:${HOME}/tmpdb/
Enter password for PKCS12 file:  
Enter password for PKCS12 file:  
Re-enter password:  
Re-enter password:  
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util: PKCS12 EXPORT SUCCESSFUL
</pre>
</pre>
* The win7.p12 should then be transferred to the client and imported to the Computer certificate store. The CA cert once imported must be placed into the "Trusted Root Certification Authorities" folder of the store.  
* The win7client.example.com.p12 should then be transferred to the client and imported to the Computer certificate store. The CA cert once imported must be placed into the "Trusted Root Certification Authorities" folder of the store.  
* Export the gateway certificate and import it into the pluto DB
* Export the gateway certificate and import it into the pluto DB
<pre>
<pre>
# pk12util -o gateway.p12 -n "gateway" -d sql:~/tmpdb/
# pk12util -o vpn.example.com.p12 -n "vpn.example.com" -d sql:${HOME}/tmpdb/
Enter password for PKCS12 file:
Enter password for PKCS12 file:
Re-enter password:   
Re-enter password:   
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util: PKCS12 EXPORT SUCCESSFUL


# ipsec import gateway.p12  
# ipsec import vpn.example.com.p12  
Enter password for PKCS12 file:  
Enter password for PKCS12 file:  
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
</pre>
</pre>

Latest revision as of 21:04, 11 March 2021

There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.

This method using IKEv2 without EAP, also called "Machine Certificate" based authentication.

Supported clients:

  • libreswan
  • Windows 7 and up
  • Windows Phone (requires latest firmware)
  • OSX and iOS
  • Android with strongswan client

X.509 Certificate requirements

When serving Windows clients, special care needs to be taken when generating X.509 certificates for this method.

  • The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate. The client then must connect to the VPN using the DNS name. Alternately, the client can connect using the IP if the SAN contains the IP address of the gateway.
  • The VPN gateway's certificate must have the Digital Signature and Key Encipherment KU extensions if the SAN and CN use the same, full DNS name.
  • The certificates also need to have the serverAuth and clientAuth ExtendedKeyUSage ("EKU") attribytes set. Alternatively, EKU checking can be disabled, see Interoperability#Windows_Certificate_requirements


ipsec.conf for IKEv2 Machine Certificate VPN server

conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=1.2.3.4
    leftcert=vpn.example.com
    leftid=@vpn.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.66.1-192.168.66.254
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,193.100.157.123
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes

Libreswan client

You can use the NetworkManager-libreswan package to configure a VPN client connection using NetworkManager. You still need to import the PKCS#12 certificate bundle using:

ipsec import file.p12

If you do not want to use NetworkManager, but a static connection file that you can manually bring up using ipsec auto --up connname, you can create a file similar to this one:

Then add a client.conf in /etc/ipsec.d/ containing:

# IKEv2 roadwarrior client config using X.509 certificates
conn vpn.example.com
	left=%defaultroute
	leftcert=YourCertFiendlyName
	leftid=%fromcert
	leftrsasigkey=%cert
	leftsubnet=0.0.0.0/0 
	leftmodecfgclient=yes
	right=vpn.example.com
	rightsubnet=0.0.0.0/0 
	rightid=@vpn.example.com
	rightrsasigkey=%cert
	narrowing=yes
	ikev2=insist
	rekey=yes
	fragmentation=yes
	mobike=yes
	auto=add

You will also need to import the PKCS#12 certificate file as shown above.

Windows 7 client configuration with "RasClient" native IKEv2

  • Control Panel -> Network and Internet -> Network and Sharing Center -> Set Up a Connection or Network
  • Choose the "Connect to a Workplace" VPN option -> Use my Internet connection (VPN)
  • Enter the gateway address or DNS name. What you enter here should correlate to a subjectAltName that is on leftcert.
  • Name the connection.
  • Select "Don't connect now; just set it up so I can connect later"
  • Click "Create" and close the dialog.
  • Click the network icon on the panel and right click on the VPN connection you created and select "Properties"
  • On the Options tab, de-select the "Prompt for name and password, certificate, etc." and "Include windows logon domain" boxes.
  • On the Security tab, set "Type of VPN" to IKEv2.
  • In the "Authentication" box of the Security tab, select the "Use machine certificates" radial button.

That's all, now click "Connect" under the created connection.

Common Windows 7 client errors

13806: IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.

Verify that you have imported the client certificate with private key into the Computer certificate store and not the Local user store. Starting mmc.exe as an administrator will allow you to do this. Newer versions of Windows require that the certificate has both serverAuth and clientAuth EKU's set.

example tutorial: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

13801: IKE authentication credentials are unacceptable.

Verify that the gateway certificate has a SAN that matches the address entered into the Windows client configuration. The certificate should also contain the serverAuth EKU.

Example certificate generation with certutil

  • As root, create a database to generate certificates for this example. This database will hold the private key of the CA and allow you to generate new host certificates.
# mkdir ${HOME}/tmpdb
# certutil -N -d sql:${HOME}/tmpdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
  • Generate the CA certificate with a CA basic constraints extension
# certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \
 -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 
Is this a critical extension [y/N]?
N
  • Generate the server certificate and assign extensions:
# certutil -S -c "Example CA" -n "vpn.example.com" -s "O=Example,CN=vpn.example.com" \
   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "vpn.example.com"

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:
   
|************************************************************|
   
Finished.  Press enter to continue:
      
Generating key.  This may take a few moments...
   
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 0
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 2
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 8 
Is this a critical extension [y/N]?
N
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 0
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 1
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 8
Is this a critical extension [y/N]?
N
  • Generate the client certificate, similar to the above
# certutil -S -c "Example CA" -n "win7client.example.com" -s "O=Example,CN=win7client.example.com" \
   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "win7client.example.com"
-- repeat same extensions above --
  • The database should now contain
# certutil -L -d sql:${HOME}/tmpdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CTu,u,u
vpn.example.com                                              u,u,u
win7client.example.com                                       u,u,u
  • Export the p12 files that contain the host certificate, private key, and CA certificate.
# pk12util -o win7client.example.com.p12 -n "win7client.example.com" -d sql:${HOME}/tmpdb/
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
  • The win7client.example.com.p12 should then be transferred to the client and imported to the Computer certificate store. The CA cert once imported must be placed into the "Trusted Root Certification Authorities" folder of the store.
  • Export the gateway certificate and import it into the pluto DB
# pk12util -o vpn.example.com.p12 -n "vpn.example.com" -d sql:${HOME}/tmpdb/
Enter password for PKCS12 file:
Re-enter password:  
pk12util: PKCS12 EXPORT SUCCESSFUL

# ipsec import vpn.example.com.p12 
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL