VPN server for remote clients using IKEv2
Jump to navigation
Jump to search
There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.
This method using IKEv2 without EAP, also called "Machine Certificate" based authentication.
Supported clients:
- libreswan
- Windows 7 and up
- Windows Phone (requires latest firmware)
- OSX ?
- iOS (via profile manager only?)
X.509 Certificate requirements
Special case needs to be taken when generating X.509 certificates for this method.
- The VPN gateway's certificate must have its DNS name as SubjectAltname (SAN) in the certificate
- The VPN gateway's certificate must have EKU serverAuth. It may have EKU clientAuth
ipsec.conf for IKEv2 Machine Certificate VPN server
conn ikev2-cp
# The server's actual IP goes here - not elastic IPs
left=1.2.3.4
leftcert=vpn.example.com
leftid=@vpn.example.com
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
# Clients
right=%any
# your addresspool to use - you might need NAT rules if providing full internet to clients
rightaddresspool=192.168.66.1-192.168.66.254
# optional rightid with restrictions
# rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
rightca=%same
rightrsasigkey=%cert
#
# connection configuration
# DNS servers for clients to use
modecfgdns1=8.8.8.8
modecfgdns2=193.110.157.123
narrowing=yes
# recommended dpd/liveness to cleanup vanished clients
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
# ikev2 fragmentation support requires libreswan 3.14 or newer
fragmentation=yes
# optional PAM username verification (eg to implement bandwidth quota
# pam-authorize=yes