Hi there,

I’ve tried to set up an IKEv2 VPN for all my devices.

I have the following network topology, where
- the vether0 (10.0.0.0/24) network groups some VMs (bridge0 is used as an L2 switch grouping the appropriate tap devices)
- the enc0 (172.24.24.0/24) network is intended for the devices connecting to the VPN

server# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 50:65:f3:f0:9e:78
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::5265:f3ff:fef0:9e78%bge0 prefixlen 64 scopeid 0x1
        inet6 2a02:2b88:2:2::6e2c:1 prefixlen 64
        inet 89.221.223.253 netmask 0xffffff00 broadcast 89.221.223.255
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 50:65:f3:f0:9e:79
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=41<UP,RUNNING>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
        inet6 2001:470:8c78:a0::1 prefixlen 64
        inet 172.24.24.1 netmask 0xffffff00
bridge0: flags=41<UP,RUNNING>
        description: switch19-uplink
        index 5 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        tap1 flags=3<LEARNING,DISCOVER>
                port 60 ifpriority 0 ifcost 0
        tap10 flags=3<LEARNING,DISCOVER>
                port 59 ifpriority 0 ifcost 0
        tap6 flags=3<LEARNING,DISCOVER>
                port 58 ifpriority 0 ifcost 0
        tap4 flags=3<LEARNING,DISCOVER>
                port 57 ifpriority 0 ifcost 0
        tap7 flags=3<LEARNING,DISCOVER>
                port 55 ifpriority 0 ifcost 0
        tap3 flags=3<LEARNING,DISCOVER>
                port 52 ifpriority 0 ifcost 0
        tap2 flags=3<LEARNING,DISCOVER>
                port 51 ifpriority 0 ifcost 0
        tap9 flags=3<LEARNING,DISCOVER>
                port 50 ifpriority 0 ifcost 0
        tap8 flags=3<LEARNING,DISCOVER>
                port 49 ifpriority 0 ifcost 0
        tap5 flags=3<LEARNING,DISCOVER>
                port 13 ifpriority 0 ifcost 0
        tap0 flags=3<LEARNING,DISCOVER>
                port 8 ifpriority 0 ifcost 0
        vether0 flags=3<LEARNING,DISCOVER>
                port 6 ifpriority 0 ifcost 0
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:bd:33
        index 6 priority 0 llprio 3
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 7 priority 0 llprio 3
        groups: pflog
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d1:50:86
        description: vm3-if0-namer
        index 8 priority 0 llprio 3
        groups: tap
        status: active
tap5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d6:76:2d
        description: vm2-if0-klarasukana
        index 13 priority 0 llprio 3
        groups: tap
        status: active
tap8: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:da:34:b7
        description: vm5-if0-mail2
        index 49 priority 0 llprio 3
        groups: tap
        status: active
tap9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:db:53:5b
        description: vm5-if1-mail2
        index 50 priority 0 llprio 3
        groups: tap
        status: active
tap2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:dc:97:99
        description: vm4-if0-mail1
        index 51 priority 0 llprio 3
        groups: tap
        status: active
tap3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:dd:64:70
        description: vm4-if1-mail1
        index 52 priority 0 llprio 3
        groups: tap
        status: active
tap7: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:e6:00
        description: vm8-if0-xmpp
        index 55 priority 0 llprio 3
        groups: tap
        status: active
tap4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d2:3e:83
        description: vm7-if0-mda
        index 57 priority 0 llprio 3
        groups: tap
        status: active
tap6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d3:f0:9d
        description: vm1-if0-sukany
        index 58 priority 0 llprio 3
        groups: tap
        status: active
tap10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d4:ba:41
        description: vm9-if0-ubuntu
        index 59 priority 0 llprio 3
        groups: tap
        status: active
tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d5:2b:25
        description: vm6-if0-monitor
        index 60 priority 0 llprio 3
        groups: tap
        status: active

These are my sysctl.conf settings:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Here are my firewall settings:

external="bge0"
internal="vether0"
vpn="enc0"
bridge="bridge0"
dns="10.0.0.2"
jabber="10.0.0.9"
jitsi="10.0.0.10"
tcp_pass_in="{ 22 80 443 2222 25 465 587 143 993 5232 5000 5222 5269 5280 }"
udp_pass_in="{ 53 }"
icmp_types="{ echoreq, unreach }"

set skip on lo
set loginterface bge0
block in on $external all
set block-policy drop
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

#IPv6 - pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all
# ping pong
pass inet proto icmp all icmp-type $icmp_types keep state

###### IPv6 rules #############
# Allow outgoing services
pass out on $external inet6 proto tcp to any port $tcp_pass_in
pass out on $external inet6 proto udp to any port $udp_pass_in

# pass out traffic on external from internal
match out on $external from ($internal) to any nat-to ($external)
match out on $external from ($vpn) to any nat-to ($external)

# VPN
pass in on $external proto udp from any to any port {isakmp, ipsec-nat-t}
pass in on $external proto esp from any to any
pass log on enc0 tagged ROADW
match out log on $external inet tagged ROADW nat-to $external
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state
pass on $vpn from any to self keep state (if-bound)

# allow traffic on internal network
pass quick on {$internal $bridge $vpn} all

# pass out these ports and keep-state
pass out on $external
match out on $external from vether0:network to any nat-to ($external)
match out on $external from enc0:network to any nat-to ($external)

# allow tcp/udp traffic in through external
pass in proto tcp from any to any port $tcp_pass_in
pass in proto udp from any to any port $udp_pass_in

# DNS
pass in on $external proto {tcp udp} from any to any port 53 rdr-to $dns

# XMPP
pass in on $external proto tcp from any to any port 5000 rdr-to $jabber
pass in on $external proto tcp from any to any port 5222 rdr-to $jabber
pass in on $external proto tcp from any to any port 5269 rdr-to $jabber
pass in on $external proto tcp from any to any port 5280 rdr-to $jabber
pass in on $external proto tcp from any to any port 5000 rdr-to $jabber

# ASTERISK
table <sip_guard> persist
block in quick on $external proto {tcp udp} from <sip_guard> to any port { 5060:5061 }
pass in on $external proto {tcp udp} from any to any port 20000:22000 rdr-to $jabber
pass in on $external proto {tcp udp} from any to any port 3487 rdr-to $jabber
pass in on $external proto {tcp udp} from any to any port 5060:5061 keep state (max-src-conn 10, max-src-conn-rate 10/10, overload <sip_guard> flush) rdr-to $jabber

# JITSI
pass in on $external proto {tcp udp} from any to any port 10000:11000 rdr-to $jitsi

#SSH - bruteforce
table <guard> persist
block in quick on $external proto tcp from <guard> to ($external) port ssh label "ssh bruteforce"
pass in on $external proto tcp from any to ($external) port ssh synproxy state (max-src-conn 15, max-src-conn-rate 5/30, overload <guard> flush)

# HTTP / HTTPS - bruteforce
table <web_guard> persist
block in quick on $external proto tcp from <web_guard> to any port {http https} label "http/https brute force"
pass in on $external proto tcp from any to any port {http https} modulate state (max-src-conn 1000, max-src-conn-rate 250/1, overload <web_guard> flush)

# Email traffic - bruteforce
table <mail_guard> persist
block in quick on $external proto tcp from <mail_guard> to any port {25 143 465 587 993 995} label "mail brute force"
pass in on $external proto tcp from any to any port {25 143 465 587 993 995} modulate state (max-src-conn 250, max-src-conn-rate 250/1, overload <mail_guard> flush)

I’ve set up the PKI for iked in the following way:

ikectl ca securenet create
ikectl ca securenet install
ikectl ca securenet certificate sukany.cz create server
ikectl ca securenet certificate server.sukany.cz create server
ikectl ca securenet certificate sukany.cz install
ikectl ca securenet certificate server.sukany.cz install
ikectl ca securenet certificate martin.securenet create client
ikectl ca securenet certificate martin.securenet install
ikectl ca securenet certificate martin.securenet export

I’ve imported the exported certificates (*.pfx files) on my OS X device.

Here is the iked configuration:

server# cat /etc/iked.conf
ikev2 "securenet" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        from ::0/0 to ::0/0 \
        local any peer any \
        # eap "mschap-v2" \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        srcid securenet \
        config address 172.24.24.0/24 \
        config address 2001:470:203a:a0::/64 \
        config name-server 172.24.24.1 \
        config name-server 2001:470:203a:a0::1 \
        tag "$name-$id"

Finally, I’ve tried to initiate the connection and here I am:

server# iked -dv
ikev2 "securenet" passive tunnel esp from 0.0.0.0/0 to 0.0.0.0/0 from ::/0 to ::/0 local any peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 signature
spi=0xeb80a0271f6aa481: recv IKE_SA_INIT req 0 peer 62.245.102.32:500 local 89.221.223.253:500, 604 bytes, policy 'securenet'
spi=0xeb80a0271f6aa481: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
spi=0xeb80a0271f6aa481: ikev2_resp_recv: failed to negotiate IKE SA
spi=0xeb80a0271f6aa481: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0xeb80a0271f6aa481: send IKE_SA_INIT res 0 peer 62.245.102.32:500 local 89.221.223.253:500, 38 bytes
spi=0xeb80a0271f6aa481: recv IKE_SA_INIT req 0 peer 62.245.102.32:500 local 89.221.223.253:500, 412 bytes, policy 'securenet'
spi=0xeb80a0271f6aa481: send IKE_SA_INIT res 0 peer 62.245.102.32:500 local 89.221.223.253:500, 265 bytes
spi=0xeb80a0271f6aa481: recv IKE_AUTH req 1 peer 62.245.102.32:61705 local 89.221.223.253:4500, 512 bytes, policy 'securenet'
spi=0xeb80a0271f6aa481: recv IKE_AUTH req 1 peer 62.245.102.32:61705 local 89.221.223.253:4500, 512 bytes, policy 'securenet'
spi=0xeb80a0271f6aa481: recv IKE_AUTH req 1 peer 62.245.102.32:61705 local 89.221.223.253:4500, 512 bytes, policy 'securenet'
spi=0xeb80a0271f6aa481: recv IKE_AUTH req 1 peer 62.245.102.32:61705 local 89.221.223.253:4500, 512 bytes, policy 'securenet'
spi=0xeb80a0271f6aa481: recv IKE_AUTH req 1 peer 62.245.102.32:61705 local 89.221.223.253:4500, 512 bytes, policy 'securenet'

On OS X I could only see that the connection timed out.

I have a suspicion about:

spi=0xeb80a0271f6aa481: ikev2_resp_recv: failed to negotiate IKE SA

but I’m not sure. Any ideas?

S pozdravem / Kind regards
Martin Sukaný
UNIX Engineer, Developer, DevOps specialist
xmpp: mar...@sukany.cz
phone: +420 776 275 713
email: mar...@sukany.cz
l: https://www.linkedin.com/in/martins6
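The iked -dv policy dump above lists the built-in multi-algorithm proposals and none of the srcid/config/tag settings, which is what you would expect if the parser never saw the lines after the commented-out eap line. The following is an added example, not part of the original message or of iked itself: a small Python model of the OpenBSD parse.y lexer rule, assumed here from lgetc()/yylex() (a backslash-newline is folded before the comment scanner looks for the end of the comment), run over a shortened copy of the posted iked.conf. Quoting is not modelled.

```python
# Added example (not from the original message): a small model of how
# OpenBSD parse.y-style lexers (iked.conf, pf.conf) fold backslash-newline
# and strip '#' comments.  Assumption: lgetc() swallows "\<newline>" before
# yylex() scans for the end of a comment, so a comment line that ends in a
# backslash also swallows the physical line after it.  Quoting is not modelled.

def logical_lines(text: str) -> list[str]:
    """Return the logical lines the parser would see, comments removed."""
    out, cur, in_comment = [], [], False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n and text[i + 1] == "\n":
            i += 2              # continuation: dropped even inside a comment
            continue
        if c == "\n":
            line = " ".join("".join(cur).split())
            if line:
                out.append(line)
            cur, in_comment = [], False
        elif c == "#":
            in_comment = True   # comment runs to the next *unfolded* newline
        elif not in_comment:
            cur.append(c)
        i += 1
    line = " ".join("".join(cur).split())
    if line:
        out.append(line)
    return out

# Constructed sample: the policy from the message, shortened to the lines
# that matter here (same "# eap ... \" comment in the middle of the chain).
POSTED = '''ikev2 "securenet" passive esp \\
from 0.0.0.0/0 to 0.0.0.0/0 \\
local any peer any \\
# eap "mschap-v2" \\
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \\
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \\
srcid securenet \\
config address 172.24.24.0/24 \\
tag "$name-$id"
'''

# Same policy with the commented-out eap line removed entirely.
FIXED = POSTED.replace('# eap "mschap-v2" \\\n', "")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        for line in logical_lines(conf):
            print(f"{label}: {line}")
```

With the posted layout the policy ends at "local any peer any" and everything from ikesa onward is part of the comment, so iked falls back to its default proposals; moving the comment out of the continuation chain restores the single modp2048 proposal.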