VPN server for remote clients using IKEv2: Difference between revisions
| Paul Wouters (talk | contribs) No edit summary | Paul Wouters (talk | contribs)  No edit summary | ||
| (15 intermediate revisions by 3 users not shown) | |||
| Line 9: | Line 9: | ||
| * Windows 7 and up | * Windows 7 and up | ||
| * Windows Phone (requires latest firmware) | * Windows Phone (requires latest firmware) | ||
| * OSX  | * OSX and iOS | ||
| *  | * Android with strongswan client | ||
| === X.509 Certificate requirements === | === X.509 Certificate requirements === | ||
| When serving Windows clients, special care needs to be taken when generating X.509 certificates for this method. | |||
| * The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate. The client then must connect to the VPN using the DNS name. Alternately, the client can connect using the IP if the SAN contains the IP address of the gateway.  | |||
| * The VPN gateway's certificate must have the Digital Signature and Key Encipherment KU extensions if the SAN and CN use the same, full DNS name. | |||
| * The certificates also need to have the serverAuth and clientAuth ExtendedKeyUSage ("EKU") attribytes set. Alternatively, EKU checking can be disabled, see [[Interoperability#Windows_Certificate_requirements]] | |||
| {{ ambox | nocat=true | type=speedy | text = Windows uses only insecure defaults for IKEv2. To interop with libreswan, you need to either specify a modp1024 based proposal or change the registry and add a DWORD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 }} | |||
| === ipsec.conf for IKEv2 Machine Certificate VPN server === | === ipsec.conf for IKEv2 Machine Certificate VPN server === | ||
| <pre> | |||
| conn ikev2-cp | conn ikev2-cp | ||
|      # The server's actual IP goes here - not elastic IPs |      # The server's actual IP goes here - not elastic IPs | ||
| Line 40: | Line 45: | ||
|      # connection configuration |      # connection configuration | ||
|      # DNS servers for clients to use |      # DNS servers for clients to use | ||
|      modecfgdns1=8.8.8.8 |      modecfgdns=8.8.8.8,193.100.157.123 | ||
|      modecfgdns2=193.110.157.123 |     # Versions up to 3.22 used modecfgdns1 and modecfgdns2 | ||
|     #modecfgdns1=8.8.8.8 | |||
|      #modecfgdns2=193.110.157.123 | |||
|      narrowing=yes |      narrowing=yes | ||
|      # recommended dpd/liveness to cleanup vanished clients |      # recommended dpd/liveness to cleanup vanished clients | ||
| Line 54: | Line 61: | ||
|      # optional PAM username verification (eg to implement bandwidth quota |      # optional PAM username verification (eg to implement bandwidth quota | ||
|      # pam-authorize=yes |      # pam-authorize=yes | ||
| </pre> | |||
| == Libreswan client == | |||
| You can use the NetworkManager-libreswan package to configure a VPN client connection using NetworkManager. You still need to import the PKCS#12 certificate bundle using: | |||
| <pre> | |||
| ipsec import file.p12 | |||
| </pre> | |||
| If you do not want to use NetworkManager, but a static connection file that you can manually bring up using ipsec auto --up connname, you can create a file similar to this one: | |||
| Then add a client.conf in /etc/ipsec.d/ containing: | |||
| <pre> | |||
| # IKEv2 roadwarrior client config using X.509 certificates | |||
| conn vpn.example.com | |||
| 	left=%defaultroute | |||
| 	leftcert=YourCertFiendlyName | |||
| 	leftid=%fromcert | |||
| 	leftrsasigkey=%cert | |||
| 	leftsubnet=0.0.0.0/0  | |||
| 	leftmodecfgclient=yes | |||
| 	right=vpn.example.com | |||
| 	rightsubnet=0.0.0.0/0  | |||
| 	rightid=@vpn.example.com | |||
| 	rightrsasigkey=%cert | |||
| 	narrowing=yes | |||
| 	ikev2=insist | |||
| 	rekey=yes | |||
| 	fragmentation=yes | |||
| 	mobike=yes | |||
| 	auto=add | |||
| </pre> | |||
| You will also need to import the PKCS#12 certificate file as shown above. | |||
| == Windows 7 client configuration with "RasClient" native IKEv2 == | |||
| * Control Panel -> Network and Internet -> Network and Sharing Center -> Set Up a Connection or Network | |||
| * Choose the "Connect to a Workplace" VPN option -> Use my Internet connection (VPN) | |||
| * Enter the gateway address or DNS name. What you enter here should correlate to a subjectAltName that is on leftcert.  | |||
| * Name the connection. | |||
| * Select "Don't connect now; just set it up so I can connect later" | |||
| * Click "Create" and close the dialog. | |||
| * Click the network icon on the panel and right click on the VPN connection you created and select "Properties" | |||
| * On the Options tab, de-select the "Prompt for name and password, certificate, etc." and "Include windows logon domain" boxes. | |||
| * On the Security tab, set "Type of VPN" to IKEv2. | |||
| * In the "Authentication" box of the Security tab, select the "Use machine certificates" radial button. | |||
| That's all, now click "Connect" under the created connection. | |||
| ==Common Windows 7 client errors== | |||
| 13806: IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store. | |||
| Verify that you have imported the client certificate with private key into the Computer certificate store and not the Local user store. Starting mmc.exe as an administrator will allow you to do this. | |||
| Newer versions of Windows require that the certificate has both serverAuth and clientAuth EKU's set. | |||
| example tutorial: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs | |||
| 13801: IKE authentication credentials are unacceptable. | |||
| Verify that the gateway certificate has a SAN that matches the address entered into the Windows client configuration. The certificate should also contain the serverAuth EKU. | |||
| == Example certificate generation with certutil == | |||
| * As root, create a database to generate certificates for this example. This database will hold the private key of the CA and allow you to generate new host certificates. | |||
| <pre> | |||
| # mkdir ${HOME}/tmpdb | |||
| # certutil -N -d sql:${HOME}/tmpdb | |||
| Enter a password which will be used to encrypt your keys. | |||
| The password should be at least 8 characters long, | |||
| and should contain at least one non-alphabetic character. | |||
| Enter new password:  | |||
| Re-enter password:  | |||
| </pre> | |||
| * Generate the CA certificate with a CA basic constraints extension | |||
| <pre> | |||
| # certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \ | |||
|  -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2 | |||
| A random seed must be generated that will be used in the | |||
| creation of your key.  One of the easiest ways to create a | |||
| random seed is to use the timing of keystrokes on a keyboard. | |||
| To begin, type keys on the keyboard until this progress meter | |||
| is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! | |||
| Continue typing until the progress meter is full: | |||
| |************************************************************| | |||
| Finished.  Press enter to continue:  | |||
| Generating key.  This may take a few moments... | |||
| Is this a CA certificate [y/N]? | |||
| y | |||
| Enter the path length constraint, enter to skip [<0 for unlimited path]: >  | |||
| Is this a critical extension [y/N]? | |||
| N | |||
| </pre> | |||
| * Generate the server certificate and assign extensions: | |||
| <pre> | |||
| # certutil -S -c "Example CA" -n "vpn.example.com" -s "O=Example,CN=vpn.example.com" \ | |||
|    -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "vpn.example.com" | |||
| A random seed must be generated that will be used in the | |||
| creation of your key.  One of the easiest ways to create a | |||
| random seed is to use the timing of keystrokes on a keyboard. | |||
| To begin, type keys on the keyboard until this progress meter | |||
| is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! | |||
| Continue typing until the progress meter is full: | |||
| |************************************************************| | |||
| Finished.  Press enter to continue: | |||
| Generating key.  This may take a few moments... | |||
|                 0 - Digital Signature | |||
|                 1 - Non-repudiation | |||
|                 2 - Key encipherment | |||
|                 3 - Data encipherment | |||
|                 4 - Key agreement | |||
|                 5 - Cert signing key | |||
|                 6 - CRL signing key | |||
|                 Other to finish | |||
|  > 0 | |||
|                 0 - Digital Signature | |||
|                 1 - Non-repudiation | |||
|                 2 - Key encipherment | |||
|                 3 - Data encipherment | |||
|                 4 - Key agreement | |||
|                 5 - Cert signing key | |||
|                 6 - CRL signing key | |||
|                 Other to finish | |||
|  > 2 | |||
|                 0 - Digital Signature | |||
|                 1 - Non-repudiation | |||
|                 2 - Key encipherment | |||
|                 3 - Data encipherment | |||
|                 4 - Key agreement | |||
|                 5 - Cert signing key | |||
|                 6 - CRL signing key | |||
|                 Other to finish | |||
|  > 8  | |||
| Is this a critical extension [y/N]? | |||
| N | |||
|                 0 - Server Auth | |||
|                 1 - Client Auth | |||
|                 2 - Code Signing | |||
|                 3 - Email Protection | |||
|                 4 - Timestamp | |||
|                 5 - OCSP Responder | |||
|                 6 - Step-up | |||
|                 7 - Microsoft Trust List Signing | |||
|                 Other to finish | |||
|  > 0 | |||
|                 0 - Server Auth | |||
|                 1 - Client Auth | |||
|                 2 - Code Signing | |||
|                 3 - Email Protection | |||
|                 4 - Timestamp | |||
|                 5 - OCSP Responder | |||
|                 6 - Step-up | |||
|                 7 - Microsoft Trust List Signing | |||
|                 Other to finish | |||
|  > 1 | |||
|                 0 - Server Auth | |||
|                 1 - Client Auth | |||
|                 2 - Code Signing | |||
|                 3 - Email Protection | |||
|                 4 - Timestamp | |||
|                 5 - OCSP Responder | |||
|                 6 - Step-up | |||
|                 7 - Microsoft Trust List Signing | |||
|                 Other to finish | |||
|  > 8 | |||
| Is this a critical extension [y/N]? | |||
| N | |||
| </pre> | |||
| * Generate the client certificate, similar to the above | |||
| <pre> | |||
| # certutil -S -c "Example CA" -n "win7client.example.com" -s "O=Example,CN=win7client.example.com" \ | |||
|    -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "win7client.example.com" | |||
| -- repeat same extensions above -- | |||
| </pre> | |||
| * The database should now contain | |||
| <pre> | |||
| # certutil -L -d sql:${HOME}/tmpdb/ | |||
| Certificate Nickname                                         Trust Attributes | |||
|                                                              SSL,S/MIME,JAR/XPI | |||
| Example CA                                                   CTu,u,u | |||
| vpn.example.com                                              u,u,u | |||
| win7client.example.com                                       u,u,u | |||
| </pre> | |||
| * Export the p12 files that contain the host certificate, private key, and CA certificate. | |||
| <pre> | |||
| # pk12util -o win7client.example.com.p12 -n "win7client.example.com" -d sql:${HOME}/tmpdb/ | |||
| Enter password for PKCS12 file:  | |||
| Re-enter password:  | |||
| pk12util: PKCS12 EXPORT SUCCESSFUL | |||
| </pre> | |||
| * The win7client.example.com.p12 should then be transferred to the client and imported to the Computer certificate store. The CA cert once imported must be placed into the "Trusted Root Certification Authorities" folder of the store.  | |||
| * Export the gateway certificate and import it into the pluto DB | |||
| <pre> | |||
| # pk12util -o vpn.example.com.p12 -n "vpn.example.com" -d sql:${HOME}/tmpdb/ | |||
| Enter password for PKCS12 file: | |||
| Re-enter password:   | |||
| pk12util: PKCS12 EXPORT SUCCESSFUL | |||
| # ipsec import vpn.example.com.p12  | |||
| Enter password for PKCS12 file:  | |||
| pk12util: PKCS12 IMPORT SUCCESSFUL | |||
| </pre> | |||
Latest revision as of 22:04, 11 March 2021
There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.
This method using IKEv2 without EAP, also called "Machine Certificate" based authentication.
Supported clients:
- libreswan
- Windows 7 and up
- Windows Phone (requires latest firmware)
- OSX and iOS
- Android with strongswan client
X.509 Certificate requirements
When serving Windows clients, special care needs to be taken when generating X.509 certificates for this method.
- The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate. The client then must connect to the VPN using the DNS name. Alternately, the client can connect using the IP if the SAN contains the IP address of the gateway.
- The VPN gateway's certificate must have the Digital Signature and Key Encipherment KU extensions if the SAN and CN use the same, full DNS name.
- The certificates also need to have the serverAuth and clientAuth ExtendedKeyUSage ("EKU") attribytes set. Alternatively, EKU checking can be disabled, see Interoperability#Windows_Certificate_requirements
|  | Windows uses only insecure defaults for IKEv2. To interop with libreswan, you need to either specify a modp1024 based proposal or change the registry and add a DWORD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 | 
ipsec.conf for IKEv2 Machine Certificate VPN server
conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=1.2.3.4
    leftcert=vpn.example.com
    leftid=@vpn.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.66.1-192.168.66.254
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,193.100.157.123
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes
Libreswan client
You can use the NetworkManager-libreswan package to configure a VPN client connection using NetworkManager. You still need to import the PKCS#12 certificate bundle using:
ipsec import file.p12
If you do not want to use NetworkManager, but a static connection file that you can manually bring up using ipsec auto --up connname, you can create a file similar to this one:
Then add a client.conf in /etc/ipsec.d/ containing:
# IKEv2 roadwarrior client config using X.509 certificates conn vpn.example.com left=%defaultroute leftcert=YourCertFiendlyName leftid=%fromcert leftrsasigkey=%cert leftsubnet=0.0.0.0/0 leftmodecfgclient=yes right=vpn.example.com rightsubnet=0.0.0.0/0 rightid=@vpn.example.com rightrsasigkey=%cert narrowing=yes ikev2=insist rekey=yes fragmentation=yes mobike=yes auto=add
You will also need to import the PKCS#12 certificate file as shown above.
Windows 7 client configuration with "RasClient" native IKEv2
- Control Panel -> Network and Internet -> Network and Sharing Center -> Set Up a Connection or Network
- Choose the "Connect to a Workplace" VPN option -> Use my Internet connection (VPN)
- Enter the gateway address or DNS name. What you enter here should correlate to a subjectAltName that is on leftcert.
- Name the connection.
- Select "Don't connect now; just set it up so I can connect later"
- Click "Create" and close the dialog.
- Click the network icon on the panel and right click on the VPN connection you created and select "Properties"
- On the Options tab, de-select the "Prompt for name and password, certificate, etc." and "Include windows logon domain" boxes.
- On the Security tab, set "Type of VPN" to IKEv2.
- In the "Authentication" box of the Security tab, select the "Use machine certificates" radial button.
That's all, now click "Connect" under the created connection.
Common Windows 7 client errors
13806: IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.
Verify that you have imported the client certificate with private key into the Computer certificate store and not the Local user store. Starting mmc.exe as an administrator will allow you to do this. Newer versions of Windows require that the certificate has both serverAuth and clientAuth EKU's set.
example tutorial: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
13801: IKE authentication credentials are unacceptable.
Verify that the gateway certificate has a SAN that matches the address entered into the Windows client configuration. The certificate should also contain the serverAuth EKU.
Example certificate generation with certutil
- As root, create a database to generate certificates for this example. This database will hold the private key of the CA and allow you to generate new host certificates.
# mkdir ${HOME}/tmpdb
# certutil -N -d sql:${HOME}/tmpdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: 
Re-enter password: 
- Generate the CA certificate with a CA basic constraints extension
# certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \
 -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished.  Press enter to continue: 
Generating key.  This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 
Is this a critical extension [y/N]?
N
- Generate the server certificate and assign extensions:
# certutil -S -c "Example CA" -n "vpn.example.com" -s "O=Example,CN=vpn.example.com" \
   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "vpn.example.com"
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
   
|************************************************************|
   
Finished.  Press enter to continue:
      
Generating key.  This may take a few moments...
   
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 0
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 2
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 8 
Is this a critical extension [y/N]?
N
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 0
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 1
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 8
Is this a critical extension [y/N]?
N
- Generate the client certificate, similar to the above
# certutil -S -c "Example CA" -n "win7client.example.com" -s "O=Example,CN=win7client.example.com" \
   -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "win7client.example.com"
-- repeat same extensions above --
- The database should now contain
# certutil -L -d sql:${HOME}/tmpdb/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Example CA                                                   CTu,u,u
vpn.example.com                                              u,u,u
win7client.example.com                                       u,u,u
- Export the p12 files that contain the host certificate, private key, and CA certificate.
# pk12util -o win7client.example.com.p12 -n "win7client.example.com" -d sql:${HOME}/tmpdb/
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
- The win7client.example.com.p12 should then be transferred to the client and imported to the Computer certificate store. The CA cert once imported must be placed into the "Trusted Root Certification Authorities" folder of the store.
- Export the gateway certificate and import it into the pluto DB
# pk12util -o vpn.example.com.p12 -n "vpn.example.com" -d sql:${HOME}/tmpdb/
Enter password for PKCS12 file:
Re-enter password:  
pk12util: PKCS12 EXPORT SUCCESSFUL
# ipsec import vpn.example.com.p12 
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL