doc:howto:vpn.ipsec.roadwarrior

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.ipsec.roadwarrior [2013/07/04 21:44]
jaf323
doc:howto:vpn.ipsec.roadwarrior [2014/07/05 13:32] (current)
bobcov
Line 1: Line 1:
-====== IPSec Road Warrior Configuration:​ Android, ​Window7Blackberry ​Clients ====== +====== IPSec Road Warrior Configuration:​ Android, ​Windows 7BB10, PlayBook ​Clients ====== 
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
 :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.roadwarrior.racoon|here]]. :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.roadwarrior.racoon|here]].
  
Line 6: Line 6:
  
 The basic context of the "road warrior"​ configuration:​ The basic context of the "road warrior"​ configuration:​
-  - They (client) ​have a dynamically assigned (private) IP outside your private net which changes. +  - Your OpenWrt router is the HOST or gateway that receives requests to connect from mobile users, or clients. 
-  - They frequently move around. +  - The clients ​have a dynamically assigned (private) IP outside your private net which changes. 
-  - They require access to both internal and external resources (full tunnel support) through a "​gateway"​.+  - The clients ​frequently move around. 
 +  - The clients ​require access to both internal and external resources (full tunnel support) through a "​gateway"​.
  
 Examples would be a phone or laptop that wants to VPN into a home network. Examples would be a phone or laptop that wants to VPN into a home network.
 Note that Strongswan'​s IKEv2 with MOBIKE lets you leave VPN up ALL the time on a phone with near zero battery drain or perceptible performance hit. The benefits of this cannot be understated for the roadwarrior. Note that Strongswan'​s IKEv2 with MOBIKE lets you leave VPN up ALL the time on a phone with near zero battery drain or perceptible performance hit. The benefits of this cannot be understated for the roadwarrior.
 +
 +{{:​media:​ipsecnet.gif|}}
  
 This configuration uses TWO authentication mechanisms: certificates and a username/​password challenge (EAP) for an added layer of security. This is an IKEv2 setup. Everything else in my opinion is obsolete and should not be used. IKEv2 is built-in to Windows 7 and Blackberry. It's added to Android using the Strongswan client. ​ This configuration uses TWO authentication mechanisms: certificates and a username/​password challenge (EAP) for an added layer of security. This is an IKEv2 setup. Everything else in my opinion is obsolete and should not be used. IKEv2 is built-in to Windows 7 and Blackberry. It's added to Android using the Strongswan client. ​
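Review bot: the diagram added as `{{:media:ipsecnet.gif|}}` leaves the caption slot after `|` empty, so text-only and screen-reader renderings show nothing; a one-line caption naming the three roles the reordered list now spells out (gateway, client, private net) would make the picture self-explaining. The list itself reads better with the gateway role stated first.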
Line 17: Line 20:
 ===== Prerequisites ===== ===== Prerequisites =====
   * Supported version of OpenWrt (opkg will complain about kernel version if not).   * Supported version of OpenWrt (opkg will complain about kernel version if not).
-  * Strongswan-Full 5.x.x+  * Strongswan-Full 5.x.x (tested to 5.0.4-1 as explained, and to 5.1.1-1 with some slight config modifications)
   * OpenSSL (to make the .p12 or PKCS#12 package you distribute to clients)   * OpenSSL (to make the .p12 or PKCS#12 package you distribute to clients)
  
-Tested on OpenWrt Barrier Breaker r37092 on WNDR3700v2. ​ (Strongswan did not install on 34054 for me).+Tested on OpenWrt Barrier Breaker r37092-r39879 ​on WNDR3700v2. ​ (Strongswan did not install on 34054 for me).
  
 To make sure Strongswan runs, you can type  To make sure Strongswan runs, you can type 
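Review bot: "with some slight config modifications" for 5.1.1-1 leaves the reader guessing what has to change; the explicit `load = ...` plugin line introduced for 5.1.1 in the strongswan.conf section of this page appears to be that modification, so name it here or link to that paragraph. Likewise "r37092-r39879" reads as if every revision in the range was tested; if only the endpoints were, say so.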
Line 54: Line 57:
 } }
 </​code>​ </​code>​
 +Starting with StrongSwan 5.1.1 (or perhaps earlier), you may find that charon plugins are not loading dynamically. If you find this to be true (or its just not working, which you can spot by changing charondebug in ipsec.conf),​ try explicitly telling charon which plugins you want by adding "load = ..." to charon like this:
 +
 +<​code>​
 +charon {
 +load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
 +.....
 +</​code>​
 +The above issue seems to have been resolved in 5.1.2 according to the 
 +[[https://​wiki.strongswan.org/​projects/​strongswan/​wiki/​PluginLoad|Wiki here.]]
 ''​charon''​ is the IKEv2 daemon. ''​pluto''​ is the IKEv1 daemon which we won't use. Replace the IP addresses with the appropriate values for your INTERNAL network. In this and other examples, I expect your private internal network to be 10.0.0.0/​24. ''​charon''​ is the IKEv2 daemon. ''​pluto''​ is the IKEv1 daemon which we won't use. Replace the IP addresses with the appropriate values for your INTERNAL network. In this and other examples, I expect your private internal network to be 10.0.0.0/​24.
 "​dns1"​ entry tells ''​charon''​ (the IKEv2 service) where to go for dns - typically the openwrt host. "​dns1"​ entry tells ''​charon''​ (the IKEv2 service) where to go for dns - typically the openwrt host.
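Review bot: the explicit `load = aes des sha1 sha2 md5 ...` list omits `eap-mschapv2`, yet the ipsec.conf on this page authenticates clients with `rightauth2=eap-mschapv2`; once `load` is set, charon loads only the listed plugins, so the EAP step would fail on exactly the 5.1.1 builds this paragraph targets. Add `eap-mschapv2` to the list (and `eap-identity` if the connection uses `eap_identity=`). The `updown` plugin in the list is the one `leftfirewall=yes` depends on, so keep it. The `des` and `md5` plugins are not needed when the `ike=`/`esp=` proposals are pinned to AES and SHA as they are later on this page, and can be dropped after a test. Minor: the `.....` placeholder should become the closing brace of the `charon {` block or a comment such as `# other charon settings`, and "its just not working" should read "it's just not working".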
Line 62: Line 74:
 ===== ipsec.conf ===== ===== ipsec.conf =====
    
-note that this is a certificate-based configuration with an additional username/​password challenge. It REQUIRES you to put certificates on the server and clients, as well as have clients supply username and password. ​+Note that this is a certificate-based configuration with an additional username/​password challenge. It REQUIRES you to put certificates on the server and clients, as well as have clients supply username and password. ​
  
 <​code>​ <​code>​
Line 83: Line 95:
  ​rightauth2=eap-mschapv2  ​rightauth2=eap-mschapv2
  ​auto=add  ​auto=add
 + ​esp=aes-aes256-sha-modp1024,​aes256-sha512-modp4096
 + ​ike=aes-aes256-sha-modp1024,​aes256-sha512-modp4096
 +
 </​code>​ </​code>​
 Explanation:​ Explanation:​
-The notion of "​left"​ and "​right"​ is explained in the strongswan documentation,​ but briefly, "​left"​ here is the private net you want access to, and "​right"​ is the client side.+The notion of "​left"​ and "​right"​ is explained in the strongswan documentation,​ but briefly, "​left"​ here is the "​Local"​ (Left = Local) or private net you want access to, and "​right"​ is the "​Remote"​ (Right = Remote) or client side.
   * The ''​config setup''​ block is needed but can be empty   * The ''​config setup''​ block is needed but can be empty
   * The ''​conn %default''​ block provides default settings if you plan on adding more profiles.   * The ''​conn %default''​ block provides default settings if you plan on adding more profiles.
   * ''​conn roadwarrior''​ is our roadwarrior configuration.   * ''​conn roadwarrior''​ is our roadwarrior configuration.
-  * ''​leftauth=pubkey''​ tells the host to use certificates.+  * ''​leftauth = pubkey''​ tells the host to use certificates.
   * ''​leftid =''​ the FQDN you put in the cert as subjectAltName (see "​--san"​ option when you make your certs below). Note that it could be anything as long as it matches. Use of dyndns (in example) is advised if your gateway is also assigned a dynamic address.   * ''​leftid =''​ the FQDN you put in the cert as subjectAltName (see "​--san"​ option when you make your certs below). Note that it could be anything as long as it matches. Use of dyndns (in example) is advised if your gateway is also assigned a dynamic address.
-  * ''​leftsubnet =''​ the scope of VPN. 0.0.0.0/0 is a full tunnel, meaning ALL traffice ​will go through the VPN. You can put 10.0.0.0/24 if you want your client to use the VPN to reach ONLY those addresses and your private net is 10.0.0.0/​24. The full tunnel option is more secure because it prevents a client from acting as a bridge. +  * ''​leftsubnet =''​ the scope of VPN. 0.0.0.0/0 is a full tunnel, meaning ALL traffic ​will go through the VPN. You can put 10.0.0.0/24 if you want your client to use the VPN to reach ONLY those addresses and your private net is 10.0.0.0/​24. The full tunnel option is more secure because it prevents a client from acting as a bridge. 
-  * ''​right=%any''​ - lets any peer IP connect. (remote user) +  * ''​right = %any''​ - lets any peer IP connect. (remote user) 
-  * ''​rightsourceIP''​ = The pool of internal addresses to use for the VPN clients. Note that if you have only ONE client connecting, you could use 10.0.1.100/​32 as an example, which means that only 1 host can connect and it will be given the address 10.0.1.100.  +  * ''​rightsourceIP''​ = The pool of internal addresses to use for the VPN clients. Note that if you have only ONE client connecting, you could use 10.0.1.100/​32 as an example, which means that only 1 host can connect and it will be given the address 10.0.1.100. You may want to assign IPs from a subnet which doesn'​t overlap neither your home nor your guest'​s LAN
-  * ''​rightcert=''​ the cert the client needs +  * ''​rightcert = ''​ the cert the client needs 
-  * ''​rightauth=pubkey''​ Tells the client to use certificates. +  * ''​rightauth = pubkey''​ Tells the client to use certificates. 
-  * ''​rightauth2=eap-mschapv2''​ tells the client to use a second challenge: username and password.+  * ''​rightauth2 = eap-mschapv2''​ tells the client to use a second challenge: username and password. 
 +  * ''​esp''​ and ''​ike''​ specify the cipher suites, and the dh group which is required for PFS. Note that the PFS directive has been deprecated. Google "​Perfect Forward Secrecy"​ for details - you want this.["​Deprecated"​ -That means you shouldn'​t be using it typically because it is dangerous, outdated, or because a better alternative exists. If anyone else can edit this to spellout precisely why we should google and what we're looking for, would be appreciated] 
 + 
 +If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates itself. To achieve this, use the ''​rightca''​ directive instead of ''​rightcert''​. More information on this: [[http://​wiki.strongswan.org/​projects/​strongswan/​wiki/​ConnSection|strongSwan documentation]]
  
 ===== ipsec.secrets ===== ===== ipsec.secrets =====
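Review bot: the new `ike=`/`esp=` lines still offer `sha` (SHA-1) and `modp1024` (DH group 2) in the first proposal, so a client that prefers them negotiates the weak suite no matter how strong the second entry `aes256-sha512-modp4096` is; unless a specific client cannot do better, list only the strong suite, or at least put it first. The bracketed `["Deprecated" ... would be appreciated]` passage is an editor-to-editor request and belongs on the discussion page; the sentence before it already says what the reader needs (a DH group in `esp=` gives PFS for the CHILD_SA and replaces the old `pfs=yes`). Style: `rightsourceIP` is the only keyword written in mixed case (strongSwan documents it as `rightsourceip`), and "doesn't overlap neither your home nor your guest's LAN" should read "overlaps neither your home LAN nor your guest LAN".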
Line 126: Line 144:
 mv clientCert.pem /​etc/​ipsec.d/​certs/​ mv clientCert.pem /​etc/​ipsec.d/​certs/​
 mv clientKey.pem /​etc/​ipsec.d/​private/​ mv clientKey.pem /​etc/​ipsec.d/​private/​
 +mv caKey.pem /​etc/​ipsec.d/​private/​
 </​code>​ </​code>​
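Review bot: `mv caKey.pem /etc/ipsec.d/private/` puts the CA's signing key on the gateway, where nothing on this page needs it: charon validates clients with the CA certificate (or the pinned `rightcert`) and signs with the gateway's own key, never with the CA key. A CA key left on an Internet-facing router lets whoever compromises the router mint trusted client certificates, so keep `caKey.pem` offline and copy only the CA certificate onto the router. If the line was meant to record where the key was generated, say that instead of moving it into the daemon's key directory.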
  
Line 161: Line 180:
 </​code>​ </​code>​
 Explanation:​ Explanation:​
-Basically you're opening up the ports/​protocols on the WAN zone that strongswan needs to accept traffic from a client. You can also create a custom zone called "​VPN"​ if you want to get fancy. Note that some guides have you adding additional forwarding rules using ''​firewall.user''​. This is NOT necessary due to the fact that strongswan does this dynamically,​ as long as you have the ''​leftfirewall=yes''​ line in ipsec.conf.+Basically you're opening up the ports/​protocols on the WAN zone that strongswan needs to accept traffic from a client. You can also create a custom zone called "​VPN"​ if you want to get fancy. ​ 
 + 
 +Note that some guides have you adding additional forwarding rules using ''​firewall.user''​. This is NOT necessary due to the fact that strongswan does this dynamically,​ as long as you have the ''​leftfirewall=yes''​ line in ipsec.conf. ​ 
 + 
 +HOWEVER: some builds of Strongswan (eg. v5.0.0 which is included in the 12.09 Attitude Adjustment package repository) seem to require the custom forwarding rules (perhaps because the ''​leftfirewall=yes''​ does not behave as it should??), so if you connect but don't get a default gateway and/or can't pass traffic, add these to firewall.user:​ 
 + 
 +<​code>​ 
 +iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT 
 +iptables -I FORWARD ​ -m policy --dir in --pol ipsec --proto esp -j ACCEPT 
 +iptables -I FORWARD ​ -m policy --dir out --pol ipsec --proto esp -j ACCEPT 
 +iptables -I OUTPUT ​  -m policy --dir out --pol ipsec --proto esp -j ACCEPT 
 +</​code>​
  
 ===== Testing ===== ===== Testing =====
  
-For testing, I used BOTH an android phone with the StrongSwan Client and a Windows 7 machine using native IKEv2. +For testing, I used a Blackberry Z10 with NATIVE Ikev2 support (LOVE your Blackberry), ​an android phone with the StrongSwan Client and a Windows 7 machine using native IKEv2. 
-you can email clientCert.p12 to the client.  + 
-In androidgo to "​Settings ​Security" to import+You can email clientCert.p12 to the mobile clients.  
-==== For Windows 7 ====+ 
 +==== For BlackBerry Clients ==== 
 + 
 +BlackBerry allows you to specify Perfect Forward Secrecy. You will want/need this. This should be standard. To make this workhowever, you need to add the following lines to the ipsec.conf file in the ''​conn roadwarrior''​ section, assuming this is the connection you want for your berry: 
 + 
 +<code> 
 + ​esp=aes-aes256-sha-modp1024,​aes256-sha512-modp4096 
 + ​ike=aes-aes256-sha-modp1024,​aes256-sha512-modp4096 
 +</​code>​ 
 + 
 +What this does is specify what cipher suites to use, including the Diffie Hellman Groups; you can read about these settings in the [[https://​wiki.strongswan.org/​projects/​strongswan/​wiki/​IKEv2CipherSuites|strongswan IKEv2 cipher suite documentation]]. Previously (before Strongswan 5.xxx), you'd use the ''​pfs=yes''​ statement. This has been deprecated. 
 + 
 +Import your certificates into the Berry first, then add a VPN profile with the following settings: 
 + 
 +  * Your gateway type will be "Generic IKEv2 VPN Server",​ 
 +  * Authentication Type = PKI, 
 +  * Authentication ID Type= Identity Certificate Distinguished Name 
 +  * Client Certificate = The name of your client cert ("​clent"​ in the above example) 
 +  * Gateway Auth Type = PKI 
 +  * Gateway Auth ID Type = Identify Certificate Distinguished Name 
 +  * Gateway CA Certificate = your server Certificate name ("​xxxx"​ in the above example) 
 +  * Perfect Forward Secrecy = On (VERY IMPORTANT) 
 +  * Automatically determine IP = ON 
 +  * Automatically determine DNS = ON 
 +  * Automatically determine algorithm = ON 
 + 
 +The rest can be left to defaults. 
 + 
 +If you receive Authentication Error you can try to use distuingished name (DN) of your server'​s certificate instead of the FQDN for the ''​leftid''​ property. It is ''"​C=US,​ O=xxx, CN=yourdomain.dyndns.org"''​ in the example above, but you can find out yours using the command below and looking for the "​Subject"​ field 
 + 
 +<​code>​ 
 +openssl x509 -in /​etc/​ipsec.d/​certs/​serverCert.pem -text -noout 
 +</​code>​  
 + 
 + 
 +==== For Windows 7 Clients ​====
  
 In windows, run certmgr.msc to import your client certificate. Do NOT simply click on the cert - this won't work. In windows, run certmgr.msc to import your client certificate. Do NOT simply click on the cert - this won't work.
 Follow these instructions to setup the Windows VPN connection: [[https://​supportforums.cisco.com/​docs/​DOC-24022]] Follow these instructions to setup the Windows VPN connection: [[https://​supportforums.cisco.com/​docs/​DOC-24022]]
  
-==== For Android ====+==== For Android ​Clients ​==== 
 + 
 +In Android, go to "​Settings > Security"​ to import.
  
 In the Strongswan client, specify "IKEv2 Certificate + EAP" as the type of VPN, pick "​client"​ for your certificate you just imported, and specify the username/​password combo you added to ''/​etc/​ipsec.secrets''​. Keep an eye on the logfile (see above) during initial login to spot any issues. If all goes well, you can use your router as a VPN gateway for any mobile device, tablet, or laptop. In the Strongswan client, specify "IKEv2 Certificate + EAP" as the type of VPN, pick "​client"​ for your certificate you just imported, and specify the username/​password combo you added to ''/​etc/​ipsec.secrets''​. Keep an eye on the logfile (see above) during initial login to spot any issues. If all goes well, you can use your router as a VPN gateway for any mobile device, tablet, or laptop.
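Review bot: the "HOWEVER" paragraph guesses that `leftfirewall=yes` "does not behave as it should"; a likelier cause, consistent with the plugin-loading problem described earlier on this page, is that `leftfirewall=yes` only takes effect through the `_updown` script run by the `updown` plugin, so a build whose plugins did not load inserts no rules at all. Suggest "check that the updown plugin is loaded before adding these rules", because the four `iptables -I ... -m policy --pol ipsec` lines accept every IPsec-decapsulated packet into INPUT and FORWARD ahead of the zone rules, permanently and for every SA. Duplication: the `esp=`/`ike=` lines under "For BlackBerry Clients" are the same two lines this revision already adds to the `conn roadwarrior` block, so the BlackBerry section should just refer back to them. Typos: `"clent"` should be `"client"`, "distuingished" should be "distinguished", and "Gateway Auth ID Type = Identify Certificate" should be "Identity Certificate" to match the client-side entry. Finally, with "Automatically determine algorithm = ON" the phone's proposal set is chosen by the OS, so the gateway's own `ike=`/`esp=` list is the only place where the modp1024/SHA-1 combination can be excluded.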
Line 179: Line 246:
 Blackberry supports IKEv2 natively. Blackberry supports IKEv2 natively.
  
-==== For Iphones/IOS users ====+==== For iPhones/iOS Clients ​====
  
-IOS, like Android, only supports IKEv1. I do not recommend this. You need to use an app to use IKEv2. I believe Cisco'​s Anyconnect will work but has not been tested. ​+iOS, like Android, only supports IKEv1. I do not recommend this. You need to use an app to use IKEv2. I believe Cisco'​s Anyconnect will work but has not been tested. ​
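Review bot: "iOS, like Android, only supports IKEv1" should say "natively", since this page's own Android section runs IKEv2 through the strongSwan app; and "I believe Cisco's Anyconnect will work but has not been tested" is a guess that should be marked as such or dropped. The claim is also worth dating: it held when this revision was written (2014/07/05), but later iOS releases added native IKEv2. "Blackberry supports IKEv2 natively" at the top of this hunk repeats the introduction.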
doc/howto/vpn.ipsec.roadwarrior.1372967042.txt.bz2 · Last modified: 2013/07/04 21:44 (external edit)