VPN server for remote clients using IKEv1 XAUTH with Certificates

From Libreswan

There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends a bit on the clients that need to be supported.


XAUTH / RSA a.k.a "Cisco IPsec mode"

Supported clients:

- All Apple iPhones and iPads (iOS)
- Mac OS X
- Android 4.x (Ice Cream Sandwich) and newer
- Linux with NetworkManager or from the command line

Notably, Microsoft Windows does not support XAUTH (see http://msdn.microsoft.com/en-us/library/windows/desktop/cc983672.aspx). Blackberry devices also do not support this method.

IKEv1 with XAUTH is the most commonly used IPsec method for roaming clients. It can be deployed with a group pre-shared key (PSK) or with X.509 certificates; this page covers the certificate variant. In this scenario libreswan is configured with an IP address pool and hands each connecting client an address from it (IKEv1 ModeConfig). On top of the X.509 authentication, XAUTH prompts the user for a username and password. That password can also carry a one-time password (OTP), for example from Google Authenticator, as in the PAM configuration further down.

ipsec.conf for XAUTH/RSA

# libreswan /etc/ipsec.conf configuration file
config setup
    protostack=netkey
    # Networks a remote client may claim as its private address.
    # Exclude networks used on the server side with %v4:!a.b.c.0/24
    # (here: the client address pool and the office network).
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24

conn xauth-rsa
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=YourPublicIP
    # leftcert names the server certificate in the NSS database;
    # leftid must be an identity (DNS subjectAltName) present in that certificate
    leftcert=vpn.example.com
    leftid=@vpn.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # addresses handed out to clients via ModeConfig
    rightaddresspool=10.231.247.1-10.231.247.254
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    modecfgdns1=193.110.157.123
    modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # alwaysok accepts any username/password; acceptable here only because
    # every client must present a revocable X.509 certificate
    xauthby=alwaysok
    ike_frag=yes
    # xauthby=pam
    # xauthfail=soft
    # Dead Peer Detection, tune as needed
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear

In this example the client pool is 10.231.247.0/24, so the VPN server needs NAT rules (and IP forwarding enabled) if it is to offer full internet connectivity through the tunnel. Assuming the office servers behind the VPN server use 10.231.246.0/24, add the following iptables rules on the VPN server. The first rule exempts VPN-to-office traffic from NAT so office hosts see the clients' pool addresses; the second masquerades everything else the clients send:

# do not NAT traffic from the client pool to the office network
iptables -t nat -I POSTROUTING -s 10.231.247.0/24 -d 10.231.246.0/24 -j RETURN
# masquerade everything else from the client pool (all destinations, 0.0.0.0/0)
iptables -t nat -A POSTROUTING -s 10.231.247.0/24 -d 0.0.0.0/0 -j MASQUERADE

User/password authentication for XAUTH

Libreswan offers three methods for the XAUTH user/password check, selected with the xauthby= option. When X.509 certificates are used, issued to individual devices or users and revocable, the additional username/password layer adds little, and xauthby=alwaysok can be used to accept any username and password. It must not be used with a group PSK: the PSK is shared by all clients, so the XAUTH credential is then the only thing that identifies the individual user.
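The PSK caveat is easy to violate when a configuration is copied between connections, so the following added example (not libreswan code) parses an ipsec.conf into its config setup and conn sections and flags a conn that combines xauthby=alwaysok with authby=secret. It also notes, as informational, the alwaysok-with-certificates case and pfs=no. The sample configuration embedded in it is constructed for the example; the conn names and values are illustrative.

```python
"""Lint a libreswan ipsec.conf for the XAUTH pitfall described above.

Added example, not libreswan code: it parses 'config setup' and 'conn' sections
into dicts and flags a conn that combines xauthby=alwaysok with a group PSK
(authby=secret), where no per-user credential is ever checked. The sample
configuration below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str]          # (conn name, severity, message)


def parse_ipsec_conf(text: str) -> Sections:
    """Return {'config setup': {...}, 'conn NAME': {...}} with comments stripped.

    'also=' and 'include' are not expanded; run this on the fully written-out file."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)   # section headers sit at column 0
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def lint(sections: Sections) -> List[Finding]:
    """Apply the checks; one tuple per finding, empty list if nothing to report."""
    findings: List[Finding] = []
    for name, opts in sections.items():
        if not name.startswith("conn "):
            continue
        conn = name.split(" ", 1)[1]
        authby, xauthby = opts.get("authby", ""), opts.get("xauthby", "")
        if xauthby == "alwaysok" and authby == "secret":
            findings.append((conn, "high",
                "xauthby=alwaysok with a group PSK: every client holding the PSK is admitted "
                "and nothing identifies the user; use xauthby=file or xauthby=pam"))
        elif xauthby == "alwaysok" and authby == "rsasig":
            findings.append((conn, "info",
                "xauthby=alwaysok: access control rests entirely on the client certificates, "
                "so certificate revocation must be working"))
        if opts.get("pfs") == "no":
            findings.append((conn, "info",
                "pfs=no: no fresh Diffie-Hellman exchange in Quick Mode, child SA keys "
                "derive from the IKE SA's keying material"))
    return findings


# Constructed sample: the page's certificate conn plus a PSK conn that misuses alwaysok.
SAMPLE_CONF = """\
config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:!10.231.247.0/24

conn xauth-rsa
    authby=rsasig
    pfs=no
    leftcert=vpn.example.com
    rightid=%fromcert
    rightrsasigkey=%cert
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=alwaysok        # fine: clients authenticate with revocable certificates

conn xauth-psk
    authby=secret
    pfs=no
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=alwaysok        # wrong: the group PSK is the only secret ever checked
"""
SECTIONS = parse_ipsec_conf(SAMPLE_CONF)
FINDINGS = lint(SECTIONS)

if __name__ == "__main__":
    for conn, severity, message in FINDINGS:
        print(f"[{severity}] {conn}: {message}")
```

Point it at the real file with parse_ipsec_conf(open("/etc/ipsec.conf").read()) after any also= or include directives have been resolved; the parser deliberately does not follow them.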

If only a handful of users need to be authenticated, xauthby=file can be used. Libreswan then reads a credential file (/etc/ipsec.d/passwd on a default installation; ipsec.conf(5) documents the path for your version) whose format is that of the Apache htpasswd file with one extra, third column naming the connection the user is allowed to use. The htpasswd command can be used to create the user/password entries; append the connection name to each line. For the connection above, the file would look like:

john:$apr1$5h/bAg4p$Q5/c2XjwSzYy3sh/1j8Bp/:xauth-rsa
paul:$apr1$YiVSo114$um2oIM6AqucFuMeXl/1ab0:xauth-rsa
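To check a credential file offline before debugging a failing login, here is an added example (not libreswan code) that produces Apache-style $apr1$ hashes, the hash type shown in the entries above, parses the user:hash:connname file, reports malformed lines, and checks a username, password and connection name against it. The sample file it builds is constructed for the example; confirm that your libreswan build accepts $apr1$ hashes before relying on generated entries.

```python
"""Offline helper for the user:hash:connname credential file used by xauthby=file.

Added example, not libreswan code. It produces Apache-style $apr1$ (MD5-crypt)
hashes, the type shown in the page's example entries, parses the file and
checks a credential the way the page describes (user, password and connection
name must all match). Confirm that your libreswan build accepts $apr1$ hashes.
"""
import hashlib
import hmac
import secrets

_MAGIC = "$apr1$"
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_hash(password: str, salt: str) -> str:
    """Apache $apr1$ hash of password, the algorithm behind 'htpasswd -m'."""
    pw, salt = password.encode(), salt[:8]       # APR1 uses at most 8 salt characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + _MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # MD5-crypt's 1000 stretching rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    def to64(value: int, count: int) -> str:     # crypt(3)-style base64, low bits first
        return "".join(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

    encoded = (to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
               + to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
               + to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
               + to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
               + to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
               + to64(final[11], 2))
    return f"{_MAGIC}{salt}${encoded}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")                    # ['', 'apr1', salt, digest]
    if len(parts) != 4 or not stored.startswith(_MAGIC):
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def make_entry(user: str, password: str, conn: str) -> str:
    """One user:hash:connname line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}:{conn}"


def parse_passwd(text: str):
    """Return ([(user, hash, conn), ...], [(lineno, raw) for malformed lines])."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not all(fields):  # exactly user:hash:conn, none empty
            bad.append((lineno, raw))
        else:
            entries.append(tuple(fields))
    return entries, bad


def authenticate(entries, user: str, password: str, conn: str) -> bool:
    """True only if username, password and connection name all match one entry."""
    return any(u == user and c == conn and check_password(password, h)
               for u, h, c in entries)


# Constructed sample file: two valid entries and one line with the connection name missing.
SAMPLE_PASSWD = "\n".join([
    "# constructed /etc/ipsec.d/passwd for this example",
    f"john:{apr1_hash('correct horse', 'abcdefgh')}:xauth-rsa",
    make_entry("paul", "battery staple", "xauth-rsa"),
    "ringo:$apr1$nosalt$notavalidhash",
])
ENTRIES, BAD_LINES = parse_passwd(SAMPLE_PASSWD)

if __name__ == "__main__":
    print(authenticate(ENTRIES, "john", "correct horse", "xauth-rsa"))
    print(authenticate(ENTRIES, "john", "correct horse", "some-other-conn"))
    print("malformed:", BAD_LINES)
```

On the server itself, htpasswd -nbm john 'password' prints an equivalent $apr1$ line; append :xauth-rsa to it before adding it to the file. A login that fails although the password is right is usually the third column: the connection name must match the conn the client actually landed on.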

The last method is xauthby=pam. Libreswan then authenticates users through the PAM stack configured in /etc/pam.d/pluto, which lets you chain system accounts with an OTP module. An example /etc/pam.d/pluto file:

#%PAM-1.0
# Regular System auth
auth include system-auth
#
# Google Authenticator with Regular System auth in combined prompt mode
# (OTP is added to the password at the password prompt without separator)
# auth required pam_google_authenticator.so forward_pass
# auth include system-auth use_first_pass
#
# Common
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so