VPN server for remote clients using IKEv2
Jump to navigation
Jump to search
There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.
This method using IKEv2 without EAP, also called "Machine Certificate" based authentication.
Supported clients:
- libreswan
- Windows 7 and up
- Windows Phone (requires latest firmware)
- OSX ?
- iOS (via profile manager only?)
X.509 Certificate requirements
Special case needs to be taken when generating X.509 certificates for this method.
- The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate
- The VPN gateway's certificate must have EKU serverAuth. It may have EKU clientAuth
ipsec.conf for IKEv2 Machine Certificate VPN server
conn ikev2-cp
# The server's actual IP goes here - not elastic IPs left=1.2.3.4 leftcert=vpn.example.com leftid=@vpn.example.com leftsendcert=always leftsubnet=0.0.0.0/0 leftrsasigkey=%cert # Clients right=%any # your addresspool to use - you might need NAT rules if providing full internet to clients rightaddresspool=192.168.66.1-192.168.66.254 # optional rightid with restrictions # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*" rightca=%same rightrsasigkey=%cert # # connection configuration # DNS servers for clients to use modecfgdns1=8.8.8.8 modecfgdns2=193.110.157.123 narrowing=yes # recommended dpd/liveness to cleanup vanished clients dpddelay=30 dpdtimeout=120 dpdaction=clear auto=add ikev2=insist rekey=no # ikev2 fragmentation support requires libreswan 3.14 or newer fragmentation=yes # optional PAM username verification (eg to implement bandwidth quota # pam-authorize=yes