VPN server for remote clients using IKEv1 XAUTH with Certificates: Difference between revisions
Paul Wouters (talk | contribs) |
Paul Wouters (talk | contribs) No edit summary |
||
| (18 intermediate revisions by 2 users not shown) | |||
| Line 8: | Line 8: | ||
* All Apple iphones, ipads | * All Apple iphones, ipads | ||
* Mac OSX | * Mac OSX (see below) | ||
* Android 4.x (ICS and newer) | * Android 4.x (ICS and newer) | ||
* Linux with NetworkManager or commandline | * Linux with NetworkManager or commandline | ||
| Line 18: | Line 18: | ||
These days, [https://tools.ietf.org/html/draft-ietf-ipsec-isakmp-xauth-06 IKEv1 / XAUTH] is the most commonly used IPsec connection method. It can be deployed using a group shared key (PSK) or X.509 certificates. In this scenario, libreswan is configured with an IP address pool, and it assigns an IP to connecting clients. Apart from the X.509 authentication, XAUTH also requires a username and password. The password can also contain a one time password (OTP) such as Google Authenticator | These days, [https://tools.ietf.org/html/draft-ietf-ipsec-isakmp-xauth-06 IKEv1 / XAUTH] is the most commonly used IPsec connection method. It can be deployed using a group shared key (PSK) or X.509 certificates. In this scenario, libreswan is configured with an IP address pool, and it assigns an IP to connecting clients. Apart from the X.509 authentication, XAUTH also requires a username and password. The password can also contain a one time password (OTP) such as Google Authenticator | ||
=== ipsec.conf for XAUTH/RSA === | === Server ipsec.conf for XAUTH/RSA === | ||
<pre> | <pre> | ||
| Line 25: | Line 25: | ||
protostack=netkey | protostack=netkey | ||
# exclude networks used on server side by adding %v4:!a.b.c.0/24 | # exclude networks used on server side by adding %v4:!a.b.c.0/24 | ||
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24 | |||
conn xauth-rsa | conn xauth-rsa | ||
| Line 41: | Line 41: | ||
rightid=%fromcert | rightid=%fromcert | ||
rightrsasigkey=%cert | rightrsasigkey=%cert | ||
modecfgdns1=193.110.157.123 | modecfgdns=193.110.157.123,8.8.8.8 | ||
modecfgdns2=8.8.8.8 | # Versions up to 3.22 used modecfgdns1 and modecfgdns2 | ||
#modecfgdns1=193.110.157.123 | |||
#modecfgdns2=8.8.8.8 | |||
leftxauthserver=yes | leftxauthserver=yes | ||
rightxauthclient=yes | rightxauthclient=yes | ||
| Line 49: | Line 51: | ||
modecfgpull=yes | modecfgpull=yes | ||
xauthby=alwaysok | xauthby=alwaysok | ||
fragmentation=yes | |||
# xauthby=pam | # xauthby=pam | ||
# xauthfail=soft | # xauthfail=soft | ||
| Line 65: | Line 67: | ||
iptables -t nat -A POSTROUTING -s 10.231.247.0/24 -d 0.0.0.0/8 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.231.247.0/24 -d 0.0.0.0/8 -j MASQUERADE | ||
</pre> | </pre> | ||
=== Client ipsec.conf XAUTH/RSA === | |||
This is mostly a mirror image of the server side | |||
<pre> | |||
conn xauth-rsa | |||
authby=rsasig | |||
pfs=no | |||
auto=add | |||
rekey=no | |||
left=%defaultroute | |||
leftcert=YourCert.example.com | |||
leftid=%fromcert | |||
leftsendcert=always | |||
leftxauthusername=YourName | |||
rightsubnet=0.0.0.0/0 | |||
right=vpn.example.com | |||
rightid=%fromcert | |||
rightxauthserver=yes | |||
leftxauthclient=yes | |||
rightmodecfgserver=yes | |||
leftmodecfgclient=yes | |||
modecfgpull=yes | |||
xauthby=alwaysok | |||
ike-frag=yes | |||
# xauthby=pam | |||
# xauthfail=soft | |||
# Can be played with below | |||
# dpddelay=30 | |||
# dpdtimeout=120 | |||
# dpdaction=clear | |||
# | |||
# Commonly needed to talk to Cisco server | |||
# Might also need _exact_ ike= and esp= lines | |||
remote-peer-type=cisco | |||
aggrmode=yes | |||
</pre> | |||
You can store your XAUTH password in /etc/ipsec.secrets if you do not use NetworkManager and if you're not using a one time token: | |||
<pre> | |||
# /etc/ipsec.secrets | |||
@YOUR_ID: XAUTH "password" | |||
</pre> | |||
When using PSK instead of RSA/certificates, you usually require a "GroupPSK" which is the XAUTH secret, and also need to use leftid=@GroupID instead of using the ID of your certificate. | |||
=== Aggressive Mode === | |||
On Android, there is a field called "IPSec identifier" and on iOS/OSX there is a field called "Group Name". When these fields are blank, Aggressive Mode is used. When these are not blank, Main Mode is used and the value is the rightid=@String. Unfortunately, iOS/OSX sends these as hex, which can be matched using rightid=@[String] but then it no longer works for Android or NetworkManager. These values are best left unset when using libreswan as a server. When connecting to a Ciso with libreswan as a client, you will need to use rightid=@String and aggrmode=yes. | |||
{{ ambox | nocat=true | type=speedy | text = iOS UserInterface bug: If you ever fill in the "Group Name" and then clear it - the connection remains using Aggressive Mode. If you want to use Main Mode your only choice is to delete the VPN profile and start one from scratch where you never touch the "Group Name" input box. }} | |||
=== User/password authentication for XAUTH === | === User/password authentication for XAUTH === | ||
| Line 70: | Line 128: | ||
Libreswan has three options for the user/password authentication. This is specified using the xauthby= option. If using X.509 certificates, which are issued to individual devices/users and which can be revoked, there is no real need to have an additional username/password layer. In that case, '''xauthby=alwaysok''' can be used. This should '''not''' be used when using a PSK. | Libreswan has three options for the user/password authentication. This is specified using the xauthby= option. If using X.509 certificates, which are issued to individual devices/users and which can be revoked, there is no real need to have an additional username/password layer. In that case, '''xauthby=alwaysok''' can be used. This should '''not''' be used when using a PSK. | ||
If there are only a handful of users that need to be authenticated, '''xauthby=file''' can be used. The format of this file is similar to the Apache htpasswd file, and the '''htpasswd''' command can be used to create the file and the user/passwords. The only difference is an additional third column specifying the connection name. An example of an '''/etc/ipsec.d/ | If there are only a handful of users that need to be authenticated, '''xauthby=file''' can be used. The format of this file is similar to the Apache htpasswd file, and the '''htpasswd''' command can be used to create the file and the user/passwords. The only difference is an additional third column specifying the connection name. An example of an '''/etc/ipsec.d/passwd''' file for the above example connection (using xauthby=file) would be: | ||
<pre> | <pre> | ||
| Line 77: | Line 135: | ||
</pre> | </pre> | ||
The last method that can be used is '''xauthby=pam'''. Using this configuration, libreswan | The last method that can be used is '''xauthby=pam'''. Using this configuration, libreswan uses the '''/etc/pam.d/pluto''' pam configuration file to authenticate users. An /etc/pam.d/pluto example file: | ||
<pre> | <pre> | ||
| Line 97: | Line 155: | ||
session required pam_loginuid.so | session required pam_loginuid.so | ||
</pre> | </pre> | ||
=== xauthfail= option === | |||
Some deployments wish to '''catch''' the user when their password is wrong or disabled and notify them. When the option '''xauthfail=soft''' is set, the authentication failure is ignored and the IPsec tunnel is allowed to establish. The "updown" script is signaled with the environment variable XAUTHFAIL=soft. This can be used to NAT this user to a specific web page where they can renew their VPN subscription. | |||
=== fragmentation= option === | |||
It is recommended to use the '''fragmentation=yes''' option to make the IKE connection more reliable. This is particularly important when using X.509 certificates, which tend to cause fragmentation when used with 2048 bit RSA keys. | |||
== IPsec with L2TP == | == IPsec with L2TP == | ||
See [[VPN_server_for_remote_clients_using_IKEv1_with_L2TP]] | |||
Latest revision as of 03:22, 21 January 2021
There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.
XAUTH / RSA a.k.a "Cisco IPsec mode"
Supported clients:
- All Apple iphones, ipads
- Mac OSX (see below)
- Android 4.x (ICS and newer)
- Linux with NetworkManager or commandline
- Microsoft Windows using a third party client such as the Cisco client, or the free Shrew Soft client
Notably, Microsoft Windows does not support XAUTH natively. Blackberry devices also do not support this method.
These days, IKEv1 / XAUTH is the most commonly used IPsec connection method. It can be deployed using a group shared key (PSK) or X.509 certificates. In this scenario, libreswan is configured with an IP address pool, and it assigns an IP to connecting clients. Apart from the X.509 authentication, XAUTH also requires a username and password. The password can also contain a one time password (OTP) such as Google Authenticator
Server ipsec.conf for XAUTH/RSA
# libreswan /etc/ipsec.conf configuration file
config setup
protostack=netkey
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
conn xauth-rsa
authby=rsasig
pfs=no
auto=add
rekey=no
left=YourPublicIP
leftcert=vpn.example.com
leftid=@vpn.nohats.ca
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=10.231.247.1-10.231.247.254
right=%any
rightid=%fromcert
rightrsasigkey=%cert
modecfgdns=193.110.157.123,8.8.8.8
# Versions up to 3.22 used modecfgdns1 and modecfgdns2
#modecfgdns1=193.110.157.123
#modecfgdns2=8.8.8.8
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=alwaysok
fragmentation=yes
# xauthby=pam
# xauthfail=soft
# Can be played with below
# dpddelay=30
# dpdtimeout=120
# dpdaction=clear
In this example, the IP pool is 10.231.247.0/24 so on the VPN server you would need to provide some NAT rules if you wish to offer full internet connectivity through the VPN. Assuming that your office servers behind this VPN server uses 10.231.246.0/24, you would add the following iptables rules on the VPN server:
iptables -t nat -I POSTROUTING -s 10.231.247.0/24 -d 10.231.246.0/24 -j RETURN iptables -t nat -A POSTROUTING -s 10.231.247.0/24 -d 0.0.0.0/8 -j MASQUERADE
Client ipsec.conf XAUTH/RSA
This is mostly a mirror image of the server side
conn xauth-rsa
authby=rsasig
pfs=no
auto=add
rekey=no
left=%defaultroute
leftcert=YourCert.example.com
leftid=%fromcert
leftsendcert=always
leftxauthusername=YourName
rightsubnet=0.0.0.0/0
right=vpn.example.com
rightid=%fromcert
rightxauthserver=yes
leftxauthclient=yes
rightmodecfgserver=yes
leftmodecfgclient=yes
modecfgpull=yes
xauthby=alwaysok
ike-frag=yes
# xauthby=pam
# xauthfail=soft
# Can be played with below
# dpddelay=30
# dpdtimeout=120
# dpdaction=clear
#
# Commonly needed to talk to Cisco server
# Might also need _exact_ ike= and esp= lines
remote-peer-type=cisco
aggrmode=yes
You can store your XAUTH password in /etc/ipsec.secrets if you do not use NetworkManager and if you're not using a one time token:
# /etc/ipsec.secrets @YOUR_ID: XAUTH "password"
When using PSK instead of RSA/certificates, you usually require a "GroupPSK" which is the XAUTH secret, and also need to use leftid=@GroupID instead of using the ID of your certificate.
Aggressive Mode
On Android, there is a field called "IPSec identifier" and on iOS/OSX there is a field called "Group Name". When these fields are blank, Aggressive Mode is used. When these are not blank, Main Mode is used and the value is the rightid=@String. Unfortunately, iOS/OSX sends these as hex, which can be matched using rightid=@[String] but then it no longer works for Android or NetworkManager. These values are best left unset when using libreswan as a server. When connecting to a Ciso with libreswan as a client, you will need to use rightid=@String and aggrmode=yes.
 | iOS UserInterface bug: If you ever fill in the "Group Name" and then clear it - the connection remains using Aggressive Mode. If you want to use Main Mode your only choice is to delete the VPN profile and start one from scratch where you never touch the "Group Name" input box. |
User/password authentication for XAUTH
Libreswan has three options for the user/password authentication. This is specified using the xauthby= option. If using X.509 certificates, which are issued to individual devices/users and which can be revoked, there is no real need to have an additional username/password layer. In that case, xauthby=alwaysok can be used. This should not be used when using a PSK.
If there are only a handful of users that need to be authenticated, xauthby=file can be used. The format of this file is similar to the Apache htpasswd file, and the htpasswd command can be used to create the file and the user/passwords. The only difference is an additional third column specifying the connection name. An example of an /etc/ipsec.d/passwd file for the above example connection (using xauthby=file) would be:
john:$apr1$5h/bAg4p$Q5/c2XjwSzYy3sh/1j8Bp/:xauth-rsa paul:$apr1$YiVSo114$um2oIM6AqucFuMeXl/1ab0:xauth-rsa
The last method that can be used is xauthby=pam. Using this configuration, libreswan uses the /etc/pam.d/pluto pam configuration file to authenticate users. An /etc/pam.d/pluto example file:
#%PAM-1.0 # Regular System auth auth include system-auth # # Google Authenticator with Regular System auth in combined prompt mode # (OTP is added to the password at the password prompt without separator) # auth required pam_google_authenticator.so forward_pass # auth include system-auth use_first_pass # # Common account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so
xauthfail= option
Some deployments wish to catch the user when their password is wrong or disabled and notify them. When the option xauthfail=soft is set, the authentication failure is ignored and the IPsec tunnel is allowed to establish. The "updown" script is signaled with the environment variable XAUTHFAIL=soft. This can be used to NAT this user to a specific web page where they can renew their VPN subscription.
fragmentation= option
It is recommended to use the fragmentation=yes option to make the IKE connection more reliable. This is particularly important when using X.509 certificates, which tend to cause fragmentation when used with 2048 bit RSA keys.