Re: ikev2 and road warriors setup

2018-12-28 Thread Radek
Another question arose in my random walk: how can I assign static IPs to more
than one client?

I played around with DSTID but when I add DSTID to my policy then auth stops 
working.
ikev2 "roadWarrior" passive ipcomp esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
dstid "/C.../CN=win7/emailAddress=r...@123.com" \
config address 10.0.1.123 \
tag "$id" tap enc0

The only working way I have found is to assign a static IP to a specific peer (IP
or network)
local 4.5.6.88 peer 1.2.3.4/32
or 
local 4.5.6.88 peer 1.2.3.0/24
but this is NOT what I need.

I need to do something like this:
policy1, peer any, warrior1/CA1/ASN11, config address IP1
policy2, peer any, warrior2/CA2,ASN12, config address IP2
policy3, peer any, warrior3/CA3,ASN13, config address IP3
...
policyN "catch the rest"  config address 10.0.11/24 \

Any help appreciated!


On Fri, 28 Dec 2018 10:41:22 +0100
Radek  wrote:

> Hello,
> 
> finally I solved my problem as follows:
> 1. Uncheck "use default gateway on remote network" in warrior (Windows)
> 2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0 
> 10.0.1.123
> 3. Run route192.bat as administrator (when vpn connection is established)
> It works as expected, traffic to 192.168.2.0 goes through VPN, the rest 
> through warrior's local gateway.
> # When using PPTP (npppd) I do not need to add an extra route to "LAN behind 
> VPNgateway" (2.) - it works by default. Why?
> 
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive ipcomp esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.123 \
> tag "$id" tap enc0
> 
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
> 
> 
> 
> On Wed, 12 Dec 2018 21:45:25 +0100
> Radek  wrote:
> 
> > Hello again, 
> > 
> > I am using PPTP VPN (npppd) and it works as expected on Windows clients - 
> > traffic to the "LAN behind that VPNgateway" is going through VPNgateway. 
> > The "rest" is going through clients' gateway - DO NOT "use default gateway 
> > on remote network".
> > 
> > I have been playing around with iked.conf, pf.conf and ipsec.conf - still 
> > cannot get it working in this manner. 
> > I do not want to use OpenIKED as an internet gateway, VPN is needed only to 
> > access "LAN behind that VPNgateway".
> > 
> > Could someone please help me with this problem? Christmas is coming...
> > 
> > Many thanks!
> > 
> > On Fri, 7 Dec 2018 20:20:21 +0100
> > Radek  wrote:
> > 
> > > Hello,
> > > 
> > > I am still almost at the same point. 
> > > If I want to reach my GW88_LAN I have to check "use default gateway on 
> > > remote network" box (Windows roadwarrior), but this option makes me 
> > > reach the internet through GW88.
> > > 
> > > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's 
> > > "local" gateway for the rest of the traffic - unchecked box "use default 
> > > gateway on remote network". 
> > > If the box is unchecked I am not able to access 192.168.2.0/24.
> > > 
> > > What should I change in my confs to get it working in this manner?
> > > 
> > > GW88# grep "^[^#;]" /etc/pf.conf
> > > set skip on {lo, enc}
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > > match out on egress from lan:network to any nat-to egress
> > > block log all
> > > pass out quick on egress inet received-on enc0 nat-to (egress)
> > > pass in on egress proto udp from any to (egress:0) port 
> > > {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >  
> > > 
> > > GW88# grep "^[^#;]" /etc/iked.conf
> > > ikev2 "roadWarrior" passive esp \
> > > from 0.0.0.0/0 to 10.0.1.0/24 \
> > > from 192.168.2.0/24 to 10.0.1.0/24 \
> > > local 4.5.6.88 peer any \
> > > srcid 4.5.6.88 \
> > > config address 10.0.1.0/24 \
> > > config netmask 255.255.255.0 \
> > > config name-server 8.8.8.8
> > > 
> > > On Fri, 30 Nov 2018 15:06:28 +0100
> > > Radek  wrote:
> > > 
> > > > Hello, 
> > > > 
> > > > Thanks to all of you for your time and your help in this matter!
> > > > I think that the ISP of A.B.C.0/23 is filtering/blocking some 
> > > > certificates. 
> > > > I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> > > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect 
> > > > to VPN serv.
> > > > Site-to-Site VPN is doing its job.
> > > > 
> > > > The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY 
> > > > if "use default gateway on remote network" is set. 
> > > > I need to make road_warriors:
> > > > - reaching GW88_LAN_machines 192.168.2.254/24 
> > > > - reaching GW119_LAN_machine
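
The two practical questions in this message and the quoted reply, pinning a fixed address to one peer ID with dstid and deriving the route a split-tunnelling Windows client then needs, as an added example that is not code from the thread or from OpenIKED: a small linter for road-warrior policies in an iked.conf fragment. The sample policies, dstid strings and addresses are constructed; the linter assumes a dstid must match the ID the peer actually presents (iked's verbose log shows it) and does not model which of several matching policies iked selects (see the quick keyword in iked.conf(5)).

```python
"""Lint the road-warrior policies in an iked.conf fragment: which ones pin a fixed
address to a peer ID, whether those addresses are sane, and which routes a
split-tunnelling Windows client then needs.  Added example, not code from the thread
or from OpenIKED; it understands only the keywords used on this page."""
import ipaddress
import shlex

# Constructed sample modelled on the thread's "roadWarrior" policy.  The dstid
# strings are placeholders.  warrior2 is deliberately misconfigured: its fixed
# address lies outside the policy's peer-side selector 10.0.1.0/24.
SAMPLE_IKED_CONF = r'''
ikev2 "warrior1" passive ipcomp esp from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any srcid 4.5.6.88 \
        dstid "/C=XX/O=Example/CN=warrior1" config address 10.0.1.123 \
        tag "$id" tap enc0
ikev2 "warrior2" passive ipcomp esp from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any srcid 4.5.6.88 \
        dstid "/C=XX/O=Example/CN=warrior2" config address 10.0.2.124 \
        tag "$id" tap enc0
# catch-all pool for every other certificate holder
ikev2 "roadWarrior" passive ipcomp esp from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any srcid 4.5.6.88 \
        config address 10.0.1.0/24 tag "$id" tap enc0
'''
# tokens that may directly follow "ikev2" instead of an optional policy name
_FLAGS = {"quick", "skip", "passive", "active", "esp", "ah", "ipcomp", "tunnel",
          "transport", "inet", "inet6", "from", "local", "peer"}

def _logical_lines(text):
    """Join backslash-continued lines; drop '#' comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out

def parse_policies(text):
    """One dict per 'ikev2' policy: name, flows [(src, dst)], peer, dstid, address."""
    policies = []
    for line in _logical_lines(text):
        toks = shlex.split(line)
        if toks[:1] != ["ikev2"]:
            continue                        # macros and other lines are ignored
        pol = {"name": None, "flows": [], "peer": None, "dstid": None, "address": None}
        i = 1
        if i < len(toks) and toks[i] not in _FLAGS:   # optional quoted policy name
            pol["name"], i = toks[i], i + 1
        while i < len(toks):
            t = toks[i]
            if t == "from" and i + 3 < len(toks) and toks[i + 2] == "to":
                pol["flows"].append((toks[i + 1], toks[i + 3]))
                i += 4
            elif t in ("peer", "dstid"):
                pol[t], i = toks[i + 1], i + 2
            elif t == "config":             # config <option> <value>
                if toks[i + 1] == "address":
                    pol["address"] = toks[i + 2]
                i += 3
            elif t in ("local", "srcid", "tag", "tap", "psk"):
                i += 2                      # one-argument keywords we do not need
            else:
                i += 1                      # flags such as passive, esp, ipcomp
        policies.append(pol)
    return policies

def check_static_addresses(policies):
    """Findings about 'peer any' policies that hand out addresses."""
    findings = []
    for p in policies:
        if p["peer"] != "any" or p["address"] is None:
            continue                        # site-to-site, or no address assignment
        label = p["name"] or "<unnamed>"
        net = ipaddress.ip_network(p["address"], strict=False)
        if net.num_addresses == 1 and p["dstid"] is None:
            # a fixed host address that is not tied to a peer ID: any peer may get it
            findings.append(f"{label}: fixed address {p['address']} but no dstid")
        selectors = [ipaddress.ip_network(dst, strict=False) for _, dst in p["flows"]]
        if selectors and not any(net.subnet_of(s) for s in selectors):
            findings.append(f"{label}: config address {p['address']} is outside the "
                            f"peer-side selector(s) {[str(s) for s in selectors]}")
    return findings

def client_routes(policy):
    """'route add' lines for a Windows client with 'use default gateway on remote
    network' unchecked: one per gateway-side network, via the client's own
    assigned address, as in the manual step from the thread."""
    addr = policy["address"]
    if addr is None or ipaddress.ip_network(addr, strict=False).num_addresses != 1:
        return []                           # pool: address only known after assignment
    nets = (ipaddress.ip_network(src, strict=False) for src, _ in policy["flows"])
    return [f"route add {n.network_address} mask {n.netmask} {addr}" for n in nets]
```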

Re: ikev2 and road warriors setup

2018-12-28 Thread Radek
Hello,

finally I solved my problem as follows:
1. Uncheck "use default gateway on remote network" in warrior (Windows)
2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0 10.0.1.123
3. Run route192.bat as administrator (when vpn connection is established)
It works as expected, traffic to 192.168.2.0 goes through VPN, the rest through 
warrior's local gateway.
# When using PPTP (npppd) I do not need to add an extra route to "LAN behind 
VPNgateway" (2.) - it works by default. Why?

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive ipcomp esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.123 \
tag "$id" tap enc0

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan



On Wed, 12 Dec 2018 21:45:25 +0100
Radek  wrote:

> Hello again, 
> 
> I am using PPTP VPN (npppd) and it works as expected on Windows clients - 
> traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The 
> "rest" is going through clients' gateway - DO NOT "use default gateway on 
> remote network".
> 
> I have been playing around with iked.conf, pf.conf and ipsec.conf - still 
> cannot get it working in this manner. 
> I do not want to use OpenIKED as an internet gateway, VPN is needed only to 
> access "LAN behind that VPNgateway".
> 
> Could someone please help me with this problem? Christmas is coming...
> 
> Many thanks!
> 
> On Fri, 7 Dec 2018 20:20:21 +0100
> Radek  wrote:
> 
> > Hello,
> > 
> > I am still almost at the same point. 
> > If I want to reach my GW88_LAN I have to check "use default gateway on 
> > remote network" box (Windows roadwarrior), but this option makes me 
> > reach the internet through GW88.
> > 
> > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's 
> > "local" gateway for the rest of the traffic - unchecked box "use default 
> > gateway on remote network". 
> > If the box is unchecked I am not able to access 192.168.2.0/24.
> > 
> > What should I change in my confs to get it working in this manner?
> > 
> > GW88# grep "^[^#;]" /etc/pf.conf
> > set skip on {lo, enc}
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > match out on egress from lan:network to any nat-to egress
> > block log all
> > pass out quick on egress inet received-on enc0 nat-to (egress)
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> >  
> > 
> > GW88# grep "^[^#;]" /etc/iked.conf
> > ikev2 "roadWarrior" passive esp \
> > from 0.0.0.0/0 to 10.0.1.0/24 \
> > from 192.168.2.0/24 to 10.0.1.0/24 \
> > local 4.5.6.88 peer any \
> > srcid 4.5.6.88 \
> > config address 10.0.1.0/24 \
> > config netmask 255.255.255.0 \
> > config name-server 8.8.8.8
> > 
> > On Fri, 30 Nov 2018 15:06:28 +0100
> > Radek  wrote:
> > 
> > > Hello, 
> > > 
> > > Thanks to all of you for your time and your help in this matter!
> > > I think that the ISP of A.B.C.0/23 is filtering/blocking some 
> > > certificates. 
> > > I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect 
> > > to VPN serv.
> > > Site-to-Site VPN is doing its job.
> > > 
> > > The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY 
> > > if "use default gateway on remote network" is set. 
> > > I need to make road_warriors:
> > > - reaching GW88_LAN_machines 192.168.2.254/24 
> > > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > - force road_warriors to use their own gateway for the rest of traffic - 
> > > unticked "use default gateway on remote network".
> > >  
> > > I was playing around with iked.conf and pf.conf but I did not find the 
> > > way to make it work.
> > > I will be grateful if anyone could help me with that.
> > > 
> > > My network diagram and configs of GW88:
> > > 
> > > GW88$ cat /etc/hostname.enc0 
> > > inet 10.0.1.254 255.255.255.0
> > > 
> > > GW88$ cat /etc/iked.conf
> > > #
> > > ikev2 "roadWarrior" passive esp \
> > > from 192.168.2.0/24 to 10.0.1.0/24 \
> > > local 4.5.6.88 peer any \
> > > srcid 4.5.6.88 \
> > > config address 10.0.1.0/24 
> > > #
> > > #
> > > remote_gw_GW119 = "1.2.3.119" # fw_GW119   
> > > remote_lan_GW119_1  = "172.16.1.0/24"
> > > remote_lan_GW119_2  = "172.16.2.0/24"
> > > 
> > > local_gw_GW88_2  = "192.168.2.254"
> > > local_lan_GW88_2 = "192.168.2.0/24"
> > > 
> > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > > from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > > psk "pks

Re: ikev2 and road warriors setup

2018-12-12 Thread Radek
Hello again, 

I am using PPTP VPN (npppd) and it works as expected on Windows clients - 
traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The 
"rest" is going through clients' gateway - DO NOT "use default gateway on 
remote network".

I have been playing around with iked.conf, pf.conf and ipsec.conf - still 
cannot get it working in this manner. 
I do not want to use OpenIKED as an internet gateway, VPN is needed only to 
access "LAN behind that VPNgateway".

Could someone please help me with this problem? Christmas is coming...

Many thanks!

On Fri, 7 Dec 2018 20:20:21 +0100
Radek  wrote:

> Hello,
> 
> I am still almost at the same point. 
> If I want to reach my GW88_LAN I have to check "use default gateway on remote 
> network" box (Windows roadwarrior), but this option makes me reach the 
> internet through GW88.
> 
> I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's 
> "local" gateway for the rest of the traffic - unchecked box "use default 
> gateway on remote network". 
> If the box is unchecked I am not able to access 192.168.2.0/24.
> 
> What should I change in my confs to get it working in this manner?
> 
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass out quick on egress inet received-on enc0 nat-to (egress)
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>  
> 
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive esp \
> from 0.0.0.0/0 to 10.0.1.0/24 \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24 \
> config netmask 255.255.255.0 \
> config name-server 8.8.8.8
> 
> On Fri, 30 Nov 2018 15:06:28 +0100
> Radek  wrote:
> 
> > Hello, 
> > 
> > Thanks to all of you for your time and your help in this matter!
> > I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. 
> > I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to 
> > VPN serv.
> > Site-to-Site VPN is doing its job.
> > 
> > The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if 
> > "use default gateway on remote network" is set. 
> > I need to make road_warriors:
> > - reaching GW88_LAN_machines 192.168.2.254/24 
> > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > - force road_warriors to use their own gateway for the rest of traffic - 
> > unticked "use default gateway on remote network".
> >  
> > I was playing around with iked.conf and pf.conf but I did not find the way 
> > to make it work.
> > I will be grateful if anyone could help me with that.
> > 
> > My network diagram and configs of GW88:
> > 
> > GW88$ cat /etc/hostname.enc0 
> > inet 10.0.1.254 255.255.255.0
> > 
> > GW88$ cat /etc/iked.conf
> > #
> > ikev2 "roadWarrior" passive esp \
> > from 192.168.2.0/24 to 10.0.1.0/24 \
> > local 4.5.6.88 peer any \
> > srcid 4.5.6.88 \
> > config address 10.0.1.0/24 
> > #
> > #
> > remote_gw_GW119 = "1.2.3.119" # fw_GW119   
> > remote_lan_GW119_1  = "172.16.1.0/24"
> > remote_lan_GW119_2  = "172.16.2.0/24"
> > 
> > local_gw_GW88_2  = "192.168.2.254"
> > local_lan_GW88_2 = "192.168.2.0/24"
> > 
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > psk "pkspass"
> > 
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> > psk "pskpass"
> > 
> > 
> > GW88$ cat /etc/pf.conf
> > set skip on {lo, enc}
> > 
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > 
> > match out on egress from lan:network to any nat-to egress
> > 
> > block log all
> > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> > 
> > table  persist counters
> > pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags 
> > S/SA \
> >  set prio (6, 7) keep state \
> >  (max-src-conn 15, max-src-conn-rate 2/10, overload  
> > flush global)
> > 
> > icmp_types  = "{ echoreq, unreach }"
> > pass inet proto icmp all icmp-type $icmp_types
> > 
> > 
> > 
> >                    +------------+
> >                    |road_warrior|
> >   +----------------+10.0.1.0/24 |
> >   |                +------------+
> >   |
> > ikev2
> >   |
> >   |
> >   v
> > 
> >   4.5.6.88                                        1.2.3.119
> > +-----------+                                    +----------+
> > |           |                                    |          |
> > |

Re: ikev2 and road warriors setup

2018-12-07 Thread Radek
Hello,

I am still almost at the same point. 
If I want to reach my GW88_LAN I have to check "use default gateway on remote 
network" box (Windows roadwarrior), but this option makes me reach the 
internet through GW88.

I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" 
gateway for the rest of the traffic - unchecked box "use default gateway on 
remote network". 
If the box is unchecked I am not able to access 192.168.2.0/24.

What should I change in my confs to get it working in this manner?

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass out quick on egress inet received-on enc0 nat-to (egress)
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
 

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive esp \
from 0.0.0.0/0 to 10.0.1.0/24 \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server 8.8.8.8

On Fri, 30 Nov 2018 15:06:28 +0100
Radek  wrote:

> Hello, 
> 
> Thanks to all of you for your time and your help in this matter!
> I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. 
> I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to 
> VPN serv.
> Site-to-Site VPN is doing its job.
> 
> The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if 
> "use default gateway on remote network" is set. 
> I need to make road_warriors:
> - reaching GW88_LAN_machines 192.168.2.254/24 
> - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> - force road_warriors to use their own gateway for the rest of traffic - 
> unticked "use default gateway on remote network".
>  
> I was playing around with iked.conf and pf.conf but I did not find the way to 
> make it work.
> I will be grateful if anyone could help me with that.
> 
> My network diagram and configs of GW88:
> 
> GW88$ cat /etc/hostname.enc0 
> inet 10.0.1.254 255.255.255.0
> 
> GW88$ cat /etc/iked.conf
> #
> ikev2 "roadWarrior" passive esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24 
> #
> #
> remote_gw_GW119 = "1.2.3.119" # fw_GW119   
> remote_lan_GW119_1  = "172.16.1.0/24"
> remote_lan_GW119_2  = "172.16.2.0/24"
> 
> local_gw_GW88_2  = "192.168.2.254"
> local_lan_GW88_2 = "192.168.2.0/24"
> 
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> psk "pkspass"
> 
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> psk "pskpass"
> 
> 
> GW88$ cat /etc/pf.conf
> set skip on {lo, enc}
> 
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> 
> match out on egress from lan:network to any nat-to egress
> 
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
> 
> table  persist counters
> pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags 
> S/SA \
>  set prio (6, 7) keep state \
>  (max-src-conn 15, max-src-conn-rate 2/10, overload  
> flush global)
> 
> icmp_types  = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types
> 
> 
> 
>                    +------------+
>                    |road_warrior|
>   +----------------+10.0.1.0/24 |
>   |                +------------+
>   |
> ikev2
>   |
>   |
>   v
> 
>   4.5.6.88                                        1.2.3.119
> +-----------+                                    +----------+
> |           |                                    |          |
> |   GW88    | <--+ site-to-site VPN +-->         |  GW119   |
> +-----+-----+                                    +----+-----+
>       |                                               |
>       +-----192.168.1.254/24                          |
>       |                                               |
>       |                           172.16.1.254/24-----+
>       |                                               |
>       +-----+-----192.168.2.254/24                    |
>       |     |                                         |
>       |     |     +-----------+                       |
>       |     +-----+192.168.2.1|     172.16.2.254/24---+
>       |           +-----------+
>       |
>       +-----192.168.3.254/24
> 
> Thanks!
> 
> On Thu, 8 Nov 2018 14:04:23 +0100
> Radek  wrote:
> 
> > I've been playing around with netcat. 
> > I noticed that the netcat process on my VPN_server does not show any "X" on 
> > stdout for ports 4500 and 1701.
> > 
> 

Re: ikev2 and road warriors setup

2018-11-30 Thread Radek
Hello, 

Thanks to all of you for your time and your help in this matter!
I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. 
I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty 
fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
Site-to-Site VPN is doing its job.

The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use 
default gateway on remote network" is set. 
I need to make road_warriors:
- reaching GW88_LAN_machines 192.168.2.254/24 
- reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
- force road_warriors to use their own gateway for the rest of traffic - unticked 
"use default gateway on remote network".
 
I was playing around with iked.conf and pf.conf but I did not find the way to 
make it work.
I will be grateful if anyone could help me with that.

My network diagram and configs of GW88:

GW88$ cat /etc/hostname.enc0 
inet 10.0.1.254 255.255.255.0

GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24 
#
#
remote_gw_GW119 = "1.2.3.119" # fw_GW119   
remote_lan_GW119_1  = "172.16.1.0/24"
remote_lan_GW119_2  = "172.16.2.0/24"

local_gw_GW88_2  = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
psk "pkspass"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
psk "pskpass"


GW88$ cat /etc/pf.conf
set skip on {lo, enc}

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)

match out on egress from lan:network to any nat-to egress

block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

table  persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags 
S/SA \
 set prio (6, 7) keep state \
 (max-src-conn 15, max-src-conn-rate 2/10, overload  flush 
global)

icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types



                   +------------+
                   |road_warrior|
  +----------------+10.0.1.0/24 |
  |                +------------+
  |
ikev2
  |
  |
  v

  4.5.6.88                                        1.2.3.119
+-----------+                                    +----------+
|           |                                    |          |
|   GW88    | <--+ site-to-site VPN +-->         |  GW119   |
+-----+-----+                                    +----+-----+
      |                                               |
      +-----192.168.1.254/24                          |
      |                                               |
      |                           172.16.1.254/24-----+
      |                                               |
      +-----+-----192.168.2.254/24                    |
      |     |                                         |
      |     |     +-----------+                       |
      |     +-----+192.168.2.1|     172.16.2.254/24---+
      |           +-----------+
      |
      +-----192.168.3.254/24

Thanks!

On Thu, 8 Nov 2018 14:04:23 +0100
Radek  wrote:

> I've been playing around with netcat. 
> I noticed that the netcat process on my VPN_server does not show any "X" on 
> stdout for ports 4500 and 1701.
> 
> May it be relevant to my VPN issue?
> 
> VPN_serv is A.B.C.77/23 (it is not behind NAT):
> 
> $ pfctl -s rules
> pass all flags S/SA
> 
> $ nc -u -l 500
> 
> 
> X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> A.B.C.69/23$ nc -vuz A.B.C.77 4500
> $ nc -u -l 4500
> NOTHING IS HERE
> 
> $ nc -u -l 4499
> 
> 
> $ nc -u -l 4501
> 
> 
> X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> A.B.C.69/23$ nc -vuz A.B.C.77 1701
> $ nc -u -l 1701
> NOTHING IS HERE
> 
> $ nc -u -l 22
> 
> 
> $ nc -u -l 1234
> 
> 
> On Wed, 7 Nov 2018 12:17:09 +0100
> Radek  wrote:
> 
> > Yesterday I tried this scenario:
> > 
> > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > VPN_IKEv2 - A.B.C.77/23, not NATed
> > 
> > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two 
> > active VPN connections at one time.
> > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working 
> > fine. 
> > 
> > When I disconnected VPN_IKEv2 and tried to connect to VPN_IKEv2 without 
> > VPN_L2TP - I got 809.
> > 
> > Removing home_router which is between Win7_warrior and 1.2.3.119 does not 
> > change anything.
> >  
> > Another thing:
> > I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP 
> > server. Then I moved it to public A.B.C.77/23 by editing /etc/hostname, mygate, 
> > resolv.conf. Maybe I missed something in the network conf that is important for 
> > OpenIKED?
> > 
> > Any idea?
> > 
> > 
> > On Tue, 6 Nov 2018 11:21:52 

Re: ikev2 and road warriors setup

2018-11-08 Thread Radek
I've been playing around with netcat. 
I noticed that the netcat process on my VPN_server does not show any "X" on 
stdout for ports 4500 and 1701.

May it be relevant to my VPN issue?

VPN_serv is A.B.C.77/23 (it is not behind NAT):

$ pfctl -s rules
pass all flags S/SA

$ nc -u -l 500


X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
A.B.C.69/23$ nc -vuz A.B.C.77 4500
$ nc -u -l 4500
NOTHING IS HERE

$ nc -u -l 4499


$ nc -u -l 4501


X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
A.B.C.69/23$ nc -vuz A.B.C.77 1701
$ nc -u -l 1701
NOTHING IS HERE

$ nc -u -l 22


$ nc -u -l 1234


On Wed, 7 Nov 2018 12:17:09 +0100
Radek  wrote:

> Yesterday I tried this scenario:
> 
> Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> VPN_IKEv2 - A.B.C.77/23, not NATed
> 
> I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two 
> active VPN connections at one time.
> Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working 
> fine. 
> 
> When I disconnected VPN_IKEv2 and tried to connect to VPN_IKEv2 without 
> VPN_L2TP - I got 809.
> 
> Removing home_router which is between Win7_warrior and 1.2.3.119 does not 
> change anything.
>  
> Another thing:
> I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP 
> server. Then I moved it to public A.B.C.77/23 by editing /etc/hostname, mygate, 
> resolv.conf. Maybe I missed something in the network conf that is important for 
> OpenIKED?
> 
> Any idea?
> 
> 
> On Tue, 6 Nov 2018 11:21:52 +0100
> Radek  wrote:
> 
> > Hello Kim,
> > 
> > > My question was concerning the VPN_server, is the server NATed?
> > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> > 
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall 
> > > ...
> > I only have switches in my building.
> > All routers/firewalls of my network are in another building, I do not know 
> > the whole network structure, devices, security policies... but I have never 
> > noticed that any ports were blocked.
> > 
> > I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it 
> > works like a charm.
> > https://community.riocities.com/openike_openbsd.html
> > But I can not setup a VPN_server for road warriors.
> > 
> > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect 
> > my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> > L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that 
> > it is not a router/FW problem. 
> > 
> > On Tue, 6 Nov 2018 07:48:37 +0100
> > Kim Zeitler  wrote:
> > 
> > > Good morning Radek,
> > > 
> > > I have a suspicion ...
> > > 
> > > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
> > > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not 
> > > > matter if warrior has public IP or it is behind NAT). The rest of the 
> > > > world fails to connect the VPN_server.
> > > My question was concerning the VPN_server, is the server NATed?
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall 
> > > ...
> > > 
> > > Cheers,
> > > Kim
> > > 
> > > 
> > 
> > 
> > -- 
> > radek
> 
> 
> -- 
> radek


-- 
radek



Re: ikev2 and road warriors setup

2018-11-07 Thread Radek
Yesterday I tried this scenario:

Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed

I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two 
active VPN connections at one time.
Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine. 

When I disconnected VPN_IKEv2 and tried to connect to VPN_IKEv2 without 
VPN_L2TP - I got 809.

Removing home_router which is between Win7_warrior and 1.2.3.119 does not 
change anything.
 
Another thing:
I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP 
server. Then I moved it to public A.B.C.77/23 by editing /etc/hostname, mygate, 
resolv.conf. Maybe I missed something in the network conf that is important for 
OpenIKED?

Any idea?


On Tue, 6 Nov 2018 11:21:52 +0100
Radek  wrote:

> Hello Kim,
> 
> > My question was concerning the VPN_server, is the server NATed?
> A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> 
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> I only have switches in my building.
> All routers/firewalls of my network are in another building, I do not know 
> the whole network structure, devices, security policies... but I have never 
> noticed that any ports were blocked.
> 
> I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works 
> like a charm.
> https://community.riocities.com/openike_openbsd.html
> But I can not setup a VPN_server for road warriors.
> 
> I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect 
> my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that it 
> is not a router/FW problem. 
> 
> On Tue, 6 Nov 2018 07:48:37 +0100
> Kim Zeitler  wrote:
> 
> > Good morning Radek,
> > 
> > I have a suspicion ...
> > 
> > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
> > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter 
> > > if warrior has public IP or it is behind NAT). The rest of the world 
> > > fails to connect the VPN_server.
> > My question was concerning the VPN_server, is the server NATed?
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> > 
> > Cheers,
> > Kim
> > 
> > 
> 
> 
> -- 
> radek


-- 
radek



Re: ikev2 and road warriors setup

2018-11-06 Thread Radek
Hello Kim,

> My question was concerning the VPN_server, is the server NATed?
A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.

> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
I only have switches in my building.
All routers/firewalls of my network are in another building, I do not know the 
whole network structure, devices, security policies... but I have never noticed 
that any ports were blocked.

I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works 
like a charm.
https://community.riocities.com/openike_openbsd.html
But I can not setup a VPN_server for road warriors.

I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my 
Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that it is 
not a router/FW problem. 

On Tue, 6 Nov 2018 07:48:37 +0100
Kim Zeitler  wrote:

> Good morning Radek,
> 
> I have a suspicion ...
> 
> > For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
> > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
> > warrior has public IP or it is behind NAT). The rest of the world fails to 
> > connect the VPN_server.
> My question was concerning the VPN_server, is the server NATed?
> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> 
> Cheers,
> Kim
> 
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler

Good morning Radek,

I have a suspicion ...


> For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
> puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
> warrior has public IP or it is behind NAT). The rest of the world fails to 
> connect the VPN_server.

My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...

Cheers,
Kim






Fw: Re: ikev2 and road warriors setup

2018-11-05 Thread Radek
Hello Kim, 

> Could you post your pf.conf?
My VPN_server's (A.B.C.77/23) pf.conf is:

(1)
$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)

match out on egress from lan:network to any nat-to egress
#match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

I also tested my setup with this:
(2)
$ pfctl -s rules
pass all flags S/SA

and this:
(3)
$ pfctl -d
pfctl: pf not enabled

For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
warrior has public IP or it is behind NAT). The rest of the world fails to 
connect to the VPN_server.

> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?

By !A.B.C.0/23 I mean:
A.B.F.0/24 - tested both: public IP and behind router/NAT, warrior: Win7_warrior
1.2.3.119 - tested both: public IP and behind router/NAT, warrior: Win7_warrior 
and puffy_warrior
GSM network - only NATed connections, warrior: Win7_warrior

Some tcpdumps of attempts to connect to the VPN_server (pass all flags S/SA):

### Win7_warrior, behind NAT:
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65-> msgid:  len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid:  len: 329
^C
811 packets received by filter
0 packets dropped by kernel

### Win7_warrior, public IP
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d-> msgid:  len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid:  len: 329
^C
292 packets received by filter
0 packets dropped by kernel

### puffy_warrior (pfctl -d), behind NAT
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:45:40.562967 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 64755be010cd32d2-> msgid:  len: 510
18:45:41.927874 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 64755be010cd32d2->2a0fe33c6b9afff8 msgid:  len: 471

Thanks!

On Mon, 5 Nov 2018 09:27:25 +0100
Kim Zeitler  wrote:

> Hello Radek,
> 
> 
> On 11/2/18 10:16 PM, Radek wrote:
> > Thank you for your response,
> > 
> > Following your suggestion I removed IP from enc0 and changed iked.conf as 
> > below:
> > 
> > $ cat /etc/iked.conf
> > dns1 = "8.8.8.8"
> > dns2 = "8.8.4.4"
> > ikev2 "roadWarrior" ipcomp esp \
> >   from 0.0.0.0/0 to 0.0.0.0/0 \
> >   local A.B.C.77 peer any \
> >   srcid 
> > "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
> >   config address 10.0.1.0/24 \
> >   config netmask 255.255.255.0 \
> >   config name-server $dns1 \
> >   config name-server $dns2 \
> >   config access-server A.B.C.77 \
> >   config protected-subnet 0.0.0.0/0 \
> >   tag "$id"
> > 
> > It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
> I know this set-up to be working, as it is currently running here in 
> production.
> 
> 
> > 
> > I also tried another scenario: puffy_server <-> puffy_warrior
> > The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN 
> > works fine for clients from A.B.C.0/23.
> > Both machines are 6.3/i386.
> Your set-up is still a bit 'unclear', I would rather say you have a 
> firewall/routing problem than an IPSec problem. Error 809 means no data 
> received.
> 
> Could you post your pf.conf?
> How do you connect to networks !A.B.C.0/23?
> Is your IPSec connection NATed?
> 
> Cheers
> Kim
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler

Hello Radek,


On 11/2/18 10:16 PM, Radek wrote:
> Thank you for your response,
> 
> Following your suggestion I removed IP from enc0 and changed iked.conf as below:
> 
> $ cat /etc/iked.conf
> dns1 = "8.8.8.8"
> dns2 = "8.8.4.4"
> ikev2 "roadWarrior" ipcomp esp \
>   from 0.0.0.0/0 to 0.0.0.0/0 \
>   local A.B.C.77 peer any \
>   srcid 
> "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
>   config address 10.0.1.0/24 \
>   config netmask 255.255.255.0 \
>   config name-server $dns1 \
>   config name-server $dns2 \
>   config access-server A.B.C.77 \
>   config protected-subnet 0.0.0.0/0 \
>   tag "$id"
> 
> It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
I know this set-up to be working, as it is currently running here in 
production.

> I also tried another scenario: puffy_server <-> puffy_warrior
> The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN 
> works fine for clients from A.B.C.0/23.
> Both machines are 6.3/i386.
Your set-up is still a bit 'unclear', I would rather say you have a 
firewall/routing problem than an IPSec problem. Error 809 means no data 
received.

Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23?
Is your IPSec connection NATed?

Cheers
Kim





Re: ikev2 and road warriors setup

2018-11-02 Thread Radek
Thank you for your response, 

Following your suggestion I removed IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
 from 0.0.0.0/0 to 0.0.0.0/0 \
 local A.B.C.77 peer any \
 srcid 
"/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
 config address 10.0.1.0/24 \
 config netmask 255.255.255.0 \
 config name-server $dns1 \
 config name-server $dns2 \
 config access-server A.B.C.77 \
 config protected-subnet 0.0.0.0/0 \
 tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.

I also tried another scenario: puffy_server <-> puffy_warrior 
The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN 
works fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.

Confs:
puffy_server (I just changed /etc/iked.conf and /etc/hostname.enc0 as below; the 
rest of my previous conf is untouched)

$ cat /etc/iked.conf
# puffy_server
ikev2 office passive esp \
from 172.16.0.64 to 0.0.0.0/0 \
from 172.16.0.254 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" 
dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com"

$ cat /etc/hostname.enc0
up

puffy_warrior:

$ cat /etc/iked.conf
# puffy_warrior
ikev2 home active esp \
from egress to 172.16.0.0/24 \
local egress peer A.B.C.77 \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com" 
dstid  "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com"

$ pfctl -s rules
pass all flags S/SA

This is warrior log, public IP 1.2.3.119:

$ iked -dvv
set_policy_auth_method: using rfc7427 for peer
ikev2 "home" active esp inet from 1.2.3.119 to 172.16.0.0/24 local 1.2.3.119 
peer A.B.C.77 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 srcid 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com dstid 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com lifetime 
10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file puffy63.crt
ca_validate_cert: 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ikev2_init_ike_sa: initiating "home"
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to 'puff...@123.com'
ikev2_policy2id: srcid 
ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com 
length 123
ikev2_add_proposals: length 108
ikev2_next_payload: length 112 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x64068214f68d9422 0x 
1.2.3.119:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x64068214f68d9422 0x 
A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112
ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 
xforms 11 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0

Re: ikev2 and road warriors setup

2018-10-31 Thread Kim Zeitler

On 10/28/18 3:04 PM, Radek wrote:
> Hello,
> I really need your help.
> I am still trying to configure an IKEv2 VPN gateway (A.B.C.77/23) for road 
> warrior clients (Windows).
> The problem is that it works ONLY if clients are in the same subnet as the VPN 
> gateway (A.B.C.0/23).
> Clients from outside the gateway's subnet (!A.B.C.0/23) cannot establish the 
> connection (809 Error). It does not matter if they are behind NAT or not; I tried 
> different ISPs, with the same result.
> 
> The client currently being tested is Win7 (1.2.3.119). It works from A.B.C.0/23.
> 
> I do not know what I am doing wrong.
> Can anyone please help me with solving this problem?
> Thank you.
> 
> This is a fresh 6.3/i386 install:
> 
> # cat /etc/hostname.enc0
> inet 10.0.1.1 255.255.255.0 10.0.1.255
> up
You don't need an IP on enc0

> # cat /etc/iked.conf
> ikev2 "test" passive esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local A.B.C.77 peer any \
> srcid A.B.C.77 \
> config address 10.0.1.0/24 \
> config name-server 8.8.8.8 \
> tag "IKED"

Try something like this; it works for both Win7 and Win10:

/etc/iked.conf
-
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
peer any \
srcid  $srcid \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet' 
(see iked.conf(5)).



Re: ikev2 and road warriors setup

2018-10-28 Thread Radek
Hello,
I really need your help. 
I am still trying to configure an IKEv2 VPN gateway (A.B.C.77/23) for road 
warrior clients (Windows). 
The problem is that it works ONLY if clients are in the same subnet as the VPN 
gateway (A.B.C.0/23).
Clients from outside the gateway's subnet (!A.B.C.0/23) cannot establish the 
connection (809 Error). It does not matter if they are behind NAT or not; I tried 
different ISPs, with the same result.

The client currently being tested is Win7 (1.2.3.119). It works from A.B.C.0/23.

I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.

This is a fresh 6.3/i386 install:

# syspatch -l
001_perl
002_libtls
003_arp
004_gif
005_httpd
006_ipseclen
007_libcrypto
008_ipsecout
009_libcrypto
011_perl
012_execsize
013_ipsecexpire
014_amdlfence
015_ioport

WAN:
# cat /etc/hostname.vr0
inet A.B.C.77 255.255.254.0

LAN:
# cat /etc/hostname.vr3
inet 172.16.0.254 255.255.255.0 NONE
group lan

# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"

# cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)
match out on egress from lan:network to any nat-to egress
match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types


# ikectl show ca vpn certificates
subject= /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=37:2F:33:EA:C4:9C:45:0A:80:38:EC:0E:A6:F8:8B:EA:10:84:71:CB
notBefore=Oct 25 12:23:53 2018 GMT
notAfter=Oct 25 12:23:53 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=4C:AE:A5:C6:E3:71:81:09:C0:73:BF:03:5F:E2:02:CE:48:BF:03:78
notBefore=Oct 25 12:27:35 2018 GMT
notAfter=Oct 25 12:27:35 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=win7/emailAddress=t...@123.com
SHA1 Fingerprint=E2:C1:96:F3:26:0F:CA:CD:49:0A:33:65:58:0E:07:B7:A7:90:D4:18
notBefore=Oct 25 12:32:31 2018 GMT
notAfter=Oct 25 12:32:31 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=w520/emailAddress=w...@123.com
SHA1 Fingerprint=00:ED:49:7B:CE:AF:46:25:BE:39:B6:51:AD:3E:06:91:99:58:50:C9
notBefore=Oct 27 08:54:14 2018 GMT
notAfter=Oct 27 08:54:14 2019 GMT

# iked -vvd
ikev2 "test" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local A.B.C.77 peer 
any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth 
hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc 
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid A.B.C.77 lifetime 
10800 bytes 536870912 signature config address 10.0.1.0 config name-server 
8.8.8.8 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1193
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
ca_reload: loaded ca file ca.crt
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file A.B.C.77.crt
ca_validate_cert: 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20




ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 
policy 'test' id 0, 528 bytes
ikev2_recv: ispi 0x683d59d10fbe4a9e rspi 0x
ikev2_policy2id: srcid IPV4/A.B.C.77 length 8
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024

Re: ikev2 and road warriors setup

2018-02-07 Thread Radek
Hi again,

I'm still trying to make it work for roadwarriors. 
VPN server has IP address A.B.9.73/23. It is OpenBSD6.1.

I generated certs:

# hostname
serv73

# ikectl ca vpn create (CN = serv73)
# ikectl ca vpn install

# ikectl ca vpn certificate A.B.9.73 create
# ikectl ca vpn certificate A.B.9.73 install

# ikectl ca vpn certificate A.B.9.76 create #(CN = A.B.9.76)
# ikectl ca vpn certificate A.B.9.76 export 

After installing A.B.9.76.zip in Win7 I can connect to the VPN server from any IP 
address in the range A.B.9.0/23. 

I can't connect from an IP that is NOT in A.B.9.0/23. 
I tried to connect from many IPs (public and behind NAT) but every time I got 
"809 error". 

Can anyone please help me with solving that problem?

# cat /etc/iked.conf
[snip]
ikev2 "roadWarrior" passive esp \
from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
srcid A.B.9.73 \
config address 10.0.70.128 \
tag "$name-$id"

# iked -n
configuration OK

# cat /etc/pf.conf 
ext_if  = "vr0"
lan_if  = "vr1"# vr1
lan_local   = $lan_if:network  # 10.0.73.0/24
ext_ip  = "A.B.9.73"
bud = "A.B.9.0/25"
rdkhome_wy  = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port= "1071"
icmp_types  = "{ echoreq, unreach }"
table  const { A.B.9.74, A.B.C.75 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic

match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)

pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to 
$ext_if port $ssh_port \
set prio (1, 6) keep state

pass out quick on egress proto esp from (egress:0) to
   keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 
4500} keep state
pass  in quick on egress proto esp from  to (egress:0)   
   keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 
4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state

pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep 
state

block return in on ! lo0 proto tcp to port 6000:6010



# iked -dvv
ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 
policy 'roadWarrior' id 0, 528 bytes
ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x
ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x35e2e7f614678913 0x 
E.F.G.H:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x 
A.B.9.73:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
sa_stateok: SA_INIT flags 0x, require 0x 
sa_stateflags: 0x -> 0x0020 sa (required 0x )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f 
A.B.9.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x35e2e7f614678913 0x17
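The iked -dvv log above walks through the IKE SA key derivation after the proposal is picked: SKEYSEED (20 bytes), the 96-byte S input, eight prf+ blocks T1..T8 (160 bytes), and the seven SK_* keys. The Python block below is an added example, not iked's code, that reproduces that derivation from RFC 7296 sections 2.13 and 2.14 for the proposal the log shows (PRF HMAC_SHA1, INTEGR HMAC_SHA1_96, ENCR 3DES, DH MODP_1024) so the byte counts in the log can be checked line by line. The nonces and g^ir are constructed inputs; the SPIs are the two the log prints. Note that 3DES/SHA1/MODP_1024 is what the Windows 7 client offered; it is a legacy proposal, and the derivation below only explains the log, it does not recommend that cipher suite.

```python
import hmac
import hashlib

# PRF_HMAC_SHA1 was negotiated in the log above, so every prf() output is 20 bytes.
PRF_LEN = hashlib.sha1().digest_size  # 20


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) from RFC 7296 with PRF_HMAC_SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, needed: int) -> bytes:
    """prf+ from RFC 7296 section 2.13.

    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n).  Blocks are generated
    until at least `needed` bytes exist; with 148 bytes needed and a 20-byte PRF
    that is 8 blocks, which is the "T1 .. T8" and "Tn with 160 bytes" in the log.
    """
    if needed > 255 * PRF_LEN:
        raise ValueError("prf+ uses a one-byte counter; cannot derive that much")
    out, prev, counter = b"", b"", 1
    while len(out) < needed:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out


def derive_ike_sa_keys(ni, nr, spi_i, spi_r, g_ir, integ_key_len=20, enc_key_len=24):
    """IKE SA keying per RFC 7296 section 2.14.

    SKEYSEED = prf(Ni | Nr, g^ir)
    SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    Default lengths match the log's proposal: SK_d and SK_p* are PRF-sized (20),
    SK_a* are HMAC_SHA1_96 keys (20), SK_e* are 3DES keys (24).
    """
    skeyseed = prf(ni + nr, g_ir)
    s = ni + nr + spi_i + spi_r
    layout = [("SK_d", PRF_LEN), ("SK_ai", integ_key_len), ("SK_ar", integ_key_len),
              ("SK_ei", enc_key_len), ("SK_er", enc_key_len),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    total = sum(n for _, n in layout)
    keymat = prf_plus(skeyseed, s, total)
    keys, offset = {}, 0
    for name, length in layout:
        keys[name] = keymat[offset:offset + length]
        offset += length
    return {"SKEYSEED": skeyseed, "S": s, "Tn": keymat, **keys}


def demo():
    # Constructed inputs, not secrets from the post.  Nonce sizes are chosen so
    # that S is 96 bytes as in the log (48 + 32 + 8 + 8); the SPIs are the ones
    # the log prints; g_ir stands in for the 128-byte MODP_1024 shared secret.
    ni = bytes(range(48))
    nr = bytes(range(100, 132))
    spi_i = bytes.fromhex("35e2e7f614678913")
    spi_r = bytes.fromhex("177a4400d017d93f")
    g_ir = bytes(range(256))[::2]  # 128 bytes
    return derive_ike_sa_keys(ni, nr, spi_i, spi_r, g_ir)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8s} {len(value):3d} bytes")
```

The useful check when reading such a log is that the "Tn" size equals the PRF length times the smallest block count covering the sum of the SK_* lengths; if a proposal with AES-256 and SHA2-256 had been chosen instead, the same code with `enc_key_len=32` and a SHA-256 PRF would give the different counts a log from that negotiation shows.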