VPN server for remote clients using IKEv2

From Libreswan
Revision as of 20:32, 27 May 2015 by Paul Wouters (talk | contribs)
Jump to navigation Jump to search

There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.

This method using IKEv2 without EAP, also called "Machine Certificate" based authentication.

Supported clients:

  • libreswan
  • Windows 7 and up
  • Windows Phone (requires latest firmware)
  • OSX ?
  • iOS (via profile manager only?)

X.509 Certificate requirements

Special case needs to be taken when generating X.509 certificates for this method.

  • The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate
  • The VPN gateway's certificate must have EKU serverAuth. It may have EKU clientAuth

ipsec.conf for IKEv2 Machine Certificate VPN server

conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=1.2.3.4
    leftcert=vpn.example.com
    leftid=@vpn.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.66.1-192.168.66.254
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns1=8.8.8.8
    modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes