Re: ikev2 and road warriors setup
Another question arose in my random walk: How can I assign static IPs to more than one client?
I played around with DSTID but when I add DSTID to my policy then auth stops working.

ikev2 "roadWarrior" passive ipcomp esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        dstid "/C.../CN=win7/emailAddress=r...@123.com" \
        config address 10.0.1.123 \
        tag "$id" tap enc0

The only working way I have found is to assign static IP to specific peer (IP or network)
local 4.5.6.88 peer 1.2.3.4/32
or
local 4.5.6.88 peer 1.2.3.0/24
but this is NOT what I need. I need to do sth like this:
policy1, peer any, warrior1/CA1/ASN11, config address IP1
policy2, peer any, warrior2/CA2,ASN12, config address IP2
policy3, peer any, warrior3/CA3,ASN13, config address IP3
...
policyN "catch the rest" config address 10.0.11/24

Any help appreciated!

On Fri, 28 Dec 2018 10:41:22 +0100
Radek wrote:

> Hello,
>
> finally I solved my problem as follows:
> 1. Uncheck "use default gateway on remote network" in warrior (Windows)
> 2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0 10.0.1.123
> 3. Run route192.bat as administrator (when vpn connection is established)
> It works as expected, traffic to 192.168.2.0 goes through VPN, the rest through warrior's local gateway.
> # When using PPTP (npppd) I do not need to add extra route to "LAN behind VPNgateway" (2.) - it works by default. Why?
>
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive ipcomp esp \
>         from 192.168.2.0/24 to 10.0.1.0/24 \
>         local 4.5.6.88 peer any \
>         srcid 4.5.6.88 \
>         config address 10.0.1.123 \
>         tag "$id" tap enc0
>
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
> On Wed, 12 Dec 2018 21:45:25 +0100
> Radek wrote:
>
> > Hello again,
> >
> > I am using PPTP VPN (npppd) and it works as expected on windows clients - traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The "rest" is going through clients' gateway - DO NOT "use default gateway on remote network".
> >
> > I have been playing around with iked.conf, pf.conf and ipsec.conf - still cannot get it working in this manner.
> > I do not want to use OpenIKED as an internet gateway, VPN is needed only to access "LAN behind that VPNgateway".
> >
> > Could someone please help me with this problem? Christmas is coming...
> >
> > Many thanks!
> >
> > On Fri, 7 Dec 2018 20:20:21 +0100
> > Radek wrote:
> >
> > > Hello,
> > >
> > > I am still almost in the same point.
> > > If I want to reach my GW88_LAN I have to check "use default gateway on remote network" box (Windows roadwarrior), but this option makes me reach the internet through GW88.
> > >
> > > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" gateway for the rest of the traffic - unchecked box "use default gateway on remote network".
> > > If the box is unchecked I am not able to access 192.168.2.0/24.
> > >
> > > What should I change in my confs to get it working in this manner?
> > >
> > > GW88# grep "^[^#;]" /etc/pf.conf
> > > set skip on {lo, enc}
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > > match out on egress from lan:network to any nat-to egress
> > > block log all
> > > pass out quick on egress inet received-on enc0 nat-to (egress)
> > > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >
> > > GW88# grep "^[^#;]" /etc/iked.conf
> > > ikev2 "roadWarrior" passive esp \
> > >         from 0.0.0.0/0 to 10.0.1.0/24 \
> > >         from 192.168.2.0/24 to 10.0.1.0/24 \
> > >         local 4.5.6.88 peer any \
> > >         srcid 4.5.6.88 \
> > >         config address 10.0.1.0/24 \
> > >         config netmask 255.255.255.0 \
> > >         config name-server 8.8.8.8
> > >
> > > On Fri, 30 Nov 2018 15:06:28 +0100
> > > Radek wrote:
> > >
> > > > Hello,
> > > >
> > > > Thank all of you for your time and your help in this matter!
> > > > I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> > > > I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
> > > > Site-to-Site VPN is doing its job.
> > > >
> > > > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
> > > > I need to make road_warriors:
> > > > - reaching GW88_LAN_machines 192.168.2.254/24
> > > > - reaching GW119_LAN_machine
Re: ikev2 and road warriors setup
Hello,

finally I solved my problem as follows:
1. Uncheck "use default gateway on remote network" in warrior (Windows)
2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0 10.0.1.123
3. Run route192.bat as administrator (when vpn connection is established)
It works as expected, traffic to 192.168.2.0 goes through VPN, the rest through warrior's local gateway.
# When using PPTP (npppd) I do not need to add extra route to "LAN behind VPNgateway" (2.) - it works by default. Why?

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive ipcomp esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.123 \
        tag "$id" tap enc0

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

On Wed, 12 Dec 2018 21:45:25 +0100
Radek wrote:

> Hello again,
>
> I am using PPTP VPN (npppd) and it works as expected on windows clients - traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The "rest" is going through clients' gateway - DO NOT "use default gateway on remote network".
>
> I have been playing around with iked.conf, pf.conf and ipsec.conf - still cannot get it working in this manner.
> I do not want to use OpenIKED as an internet gateway, VPN is needed only to access "LAN behind that VPNgateway".
>
> Could someone please help me with this problem? Christmas is coming...
>
> Many thanks!
>
> On Fri, 7 Dec 2018 20:20:21 +0100
> Radek wrote:
>
> > Hello,
> >
> > I am still almost in the same point.
> > If I want to reach my GW88_LAN I have to check "use default gateway on remote network" box (Windows roadwarrior), but this option makes me reach the internet through GW88.
> >
> > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" gateway for the rest of the traffic - unchecked box "use default gateway on remote network".
> > If the box is unchecked I am not able to access 192.168.2.0/24.
> >
> > What should I change in my confs to get it working in this manner?
> >
> > GW88# grep "^[^#;]" /etc/pf.conf
> > set skip on {lo, enc}
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > match out on egress from lan:network to any nat-to egress
> > block log all
> > pass out quick on egress inet received-on enc0 nat-to (egress)
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> >
> > GW88# grep "^[^#;]" /etc/iked.conf
> > ikev2 "roadWarrior" passive esp \
> >         from 0.0.0.0/0 to 10.0.1.0/24 \
> >         from 192.168.2.0/24 to 10.0.1.0/24 \
> >         local 4.5.6.88 peer any \
> >         srcid 4.5.6.88 \
> >         config address 10.0.1.0/24 \
> >         config netmask 255.255.255.0 \
> >         config name-server 8.8.8.8
> >
> > On Fri, 30 Nov 2018 15:06:28 +0100
> > Radek wrote:
> >
> > > Hello,
> > >
> > > Thank all of you for your time and your help in this matter!
> > > I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> > > I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
> > > Site-to-Site VPN is doing its job.
> > >
> > > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
> > > I need to make road_warriors:
> > > - reaching GW88_LAN_machines 192.168.2.254/24
> > > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > - force road_warriors to use its own gateway for the rest of traffic - unticked "use default gateway on remote network".
> > >
> > > I was playing around with iked.conf and pf.conf but I did not find the way to make it work.
> > > I will be grateful if anyone could help me with that.
> > >
> > > My network diagram and configs of GW88:
> > >
> > > GW88$ cat /etc/hostname.enc0
> > > inet 10.0.1.254 255.255.255.0
> > >
> > > GW88$ cat /etc/iked.conf
> > > #
> > > ikev2 "roadWarrior" passive esp \
> > >         from 192.168.2.0/24 to 10.0.1.0/24 \
> > >         local 4.5.6.88 peer any \
> > >         srcid 4.5.6.88 \
> > >         config address 10.0.1.0/24
> > > #
> > > #
> > > remote_gw_GW119 = "1.2.3.119" # fw_GW119
> > > remote_lan_GW119_1 = "172.16.1.0/24"
> > > remote_lan_GW119_2 = "172.16.2.0/24"
> > >
> > > local_gw_GW88_2 = "192.168.2.254"
> > > local_lan_GW88_2 = "192.168.2.0/24"
> > >
> > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > >         from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > >         psk "pks
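A small model of what steps 1-3 above change on the client, added here as an illustration; it is not code from Radek's message, from OpenIKED or from Windows. It assumes a simplified, constructed Windows routing table (a default route via the local gateway on an interface called wlan0, a host route for the VPN address, and the 192.168.2.0/24 route that route192.bat adds; interface names are assumptions) and checks each destination against the GW88 iked.conf flows from the client's point of view. In this model a packet that the host routes to the VPN interface but that no negotiated flow covers is reported as "no-flow", since IPsec has no SA to carry it.

```python
import ipaddress

# Address the gateway hands out with "config address 10.0.1.123" (from the thread).
CLIENT_ADDR = "10.0.1.123"

# Flows from the GW88 iked.conf above, written gateway-side: (from <LAN behind GW>, to <client pool>).
# Seen from the client, a packet matches a flow when its destination lies in "from"
# and its source lies in "to".
GW_FLOWS_DEC28 = [("192.168.2.0/24", "10.0.1.0/24")]
# The earlier (7 Dec) policy also had "from 0.0.0.0/0 to 10.0.1.0/24", which covers internet traffic too.
GW_FLOWS_DEC7 = [("0.0.0.0/0", "10.0.1.0/24")] + GW_FLOWS_DEC28

# Constructed client routing tables as (prefix, interface); interface names are assumptions.
SPLIT_NO_ROUTE = [("0.0.0.0/0", "wlan0"), ("10.0.1.123/32", "vpn")]   # box unchecked, before step 2
SPLIT_WITH_ROUTE = SPLIT_NO_ROUTE + [("192.168.2.0/24", "vpn")]      # after route192.bat (step 2)
FULL_TUNNEL = [("0.0.0.0/0", "vpn"), ("10.0.1.123/32", "vpn")]      # box checked


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def flow_covers(flows, src, dst):
    """True if some IPsec flow matches a client packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(dst in ipaddress.ip_network(f) and src in ipaddress.ip_network(t)
               for f, t in flows)


def classify(dst, routes, flows, client_addr=CLIENT_ADDR):
    """Where a packet from the client to dst ends up.

    'local-gateway': the host sends it out the physical interface in the clear.
    'tunnel':        routed to the VPN interface and covered by a negotiated flow.
    'no-flow':       routed to the VPN interface but no flow matches, so there is
                     no SA to carry it and the packet goes nowhere.
    """
    if lookup(routes, dst) != "vpn":
        return "local-gateway"
    return "tunnel" if flow_covers(flows, client_addr, dst) else "no-flow"


def summary():
    """The cases discussed in the thread, as a dict for easy checking."""
    return {
        "lan-before-route": classify("192.168.2.1", SPLIT_NO_ROUTE, GW_FLOWS_DEC28),
        "lan-after-route": classify("192.168.2.1", SPLIT_WITH_ROUTE, GW_FLOWS_DEC28),
        "internet-split": classify("8.8.8.8", SPLIT_WITH_ROUTE, GW_FLOWS_DEC28),
        "internet-full-tunnel-narrow-policy": classify("8.8.8.8", FULL_TUNNEL, GW_FLOWS_DEC28),
        "internet-full-tunnel-dec7-policy": classify("8.8.8.8", FULL_TUNNEL, GW_FLOWS_DEC7),
    }


if __name__ == "__main__":
    for case, result in summary().items():
        print(f"{case:40s} {result}")
```

The first two cases are the symptom and the fix: with the box unchecked the host has no route for 192.168.2.0/24 toward the VPN interface, so those packets leave via the local gateway and never enter the tunnel; the explicit route sends them to the VPN interface, where the `from 192.168.2.0/24 to 10.0.1.0/24` flow covers them. The last two cases show why the 7 Dec policy with `from 0.0.0.0/0` let the box-checked client reach the internet through GW88, while the narrower 28 Dec policy would not.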
Re: ikev2 and road warriors setup
Hello again,

I am using PPTP VPN (npppd) and it works as expected on windows clients - traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The "rest" is going through clients' gateway - DO NOT "use default gateway on remote network".

I have been playing around with iked.conf, pf.conf and ipsec.conf - still cannot get it working in this manner.
I do not want to use OpenIKED as an internet gateway, VPN is needed only to access "LAN behind that VPNgateway".

Could someone please help me with this problem? Christmas is coming...

Many thanks!

On Fri, 7 Dec 2018 20:20:21 +0100
Radek wrote:

> Hello,
>
> I am still almost in the same point.
> If I want to reach my GW88_LAN I have to check "use default gateway on remote network" box (Windows roadwarrior), but this option makes me reach the internet through GW88.
>
> I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" gateway for the rest of the traffic - unchecked box "use default gateway on remote network".
> If the box is unchecked I am not able to access 192.168.2.0/24.
>
> What should I change in my confs to get it working in this manner?
>
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass out quick on egress inet received-on enc0 nat-to (egress)
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive esp \
>         from 0.0.0.0/0 to 10.0.1.0/24 \
>         from 192.168.2.0/24 to 10.0.1.0/24 \
>         local 4.5.6.88 peer any \
>         srcid 4.5.6.88 \
>         config address 10.0.1.0/24 \
>         config netmask 255.255.255.0 \
>         config name-server 8.8.8.8
>
> On Fri, 30 Nov 2018 15:06:28 +0100
> Radek wrote:
>
> > Hello,
> >
> > Thank all of you for your time and your help in this matter!
> > I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> > I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
> > Site-to-Site VPN is doing its job.
> >
> > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
> > I need to make road_warriors:
> > - reaching GW88_LAN_machines 192.168.2.254/24
> > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > - force road_warriors to use its own gateway for the rest of traffic - unticked "use default gateway on remote network".
> >
> > I was playing around with iked.conf and pf.conf but I did not find the way to make it work.
> > I will be grateful if anyone could help me with that.
> >
> > My network diagram and configs of GW88:
> >
> > GW88$ cat /etc/hostname.enc0
> > inet 10.0.1.254 255.255.255.0
> >
> > GW88$ cat /etc/iked.conf
> > #
> > ikev2 "roadWarrior" passive esp \
> >         from 192.168.2.0/24 to 10.0.1.0/24 \
> >         local 4.5.6.88 peer any \
> >         srcid 4.5.6.88 \
> >         config address 10.0.1.0/24
> > #
> > #
> > remote_gw_GW119 = "1.2.3.119" # fw_GW119
> > remote_lan_GW119_1 = "172.16.1.0/24"
> > remote_lan_GW119_2 = "172.16.2.0/24"
> >
> > local_gw_GW88_2 = "192.168.2.254"
> > local_lan_GW88_2 = "192.168.2.0/24"
> >
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> >         from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> >         psk "pkspass"
> >
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> >         from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> >         psk "pskpass"
> >
> > GW88$ cat /etc/pf.conf
> > set skip on {lo, enc}
> >
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> >
> > match out on egress from lan:network to any nat-to egress
> >
> > block log all
> > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> >
> > table persist counters
> > pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
> >         set prio (6, 7) keep state \
> >         (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)
> >
> > icmp_types = "{ echoreq, unreach }"
> > pass inet proto icmp all icmp-type $icmp_types
> >
> > [network diagram: ASCII art garbled in the archive and cut off here; recoverable part:
> >  road_warrior (10.0.1.0/24) --ikev2--> GW88 (4.5.6.88), GW119 (1.2.3.119)]
Re: ikev2 and road warriors setup
Hello,

I am still almost in the same point.
If I want to reach my GW88_LAN I have to check "use default gateway on remote network" box (Windows roadwarrior), but this option makes me reach the internet through GW88.

I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" gateway for the rest of the traffic - unchecked box "use default gateway on remote network".
If the box is unchecked I am not able to access 192.168.2.0/24.

What should I change in my confs to get it working in this manner?

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass out quick on egress inet received-on enc0 nat-to (egress)
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive esp \
        from 0.0.0.0/0 to 10.0.1.0/24 \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.0/24 \
        config netmask 255.255.255.0 \
        config name-server 8.8.8.8

On Fri, 30 Nov 2018 15:06:28 +0100
Radek wrote:

> Hello,
>
> Thank all of you for your time and your help in this matter!
> I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
> Site-to-Site VPN is doing its job.
>
> The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
> I need to make road_warriors:
> - reaching GW88_LAN_machines 192.168.2.254/24
> - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> - force road_warriors to use its own gateway for the rest of traffic - unticked "use default gateway on remote network".
>
> I was playing around with iked.conf and pf.conf but I did not find the way to make it work.
> I will be grateful if anyone could help me with that.
>
> My network diagram and configs of GW88:
>
> GW88$ cat /etc/hostname.enc0
> inet 10.0.1.254 255.255.255.0
>
> GW88$ cat /etc/iked.conf
> #
> ikev2 "roadWarrior" passive esp \
>         from 192.168.2.0/24 to 10.0.1.0/24 \
>         local 4.5.6.88 peer any \
>         srcid 4.5.6.88 \
>         config address 10.0.1.0/24
> #
> #
> remote_gw_GW119 = "1.2.3.119" # fw_GW119
> remote_lan_GW119_1 = "172.16.1.0/24"
> remote_lan_GW119_2 = "172.16.2.0/24"
>
> local_gw_GW88_2 = "192.168.2.254"
> local_lan_GW88_2 = "192.168.2.0/24"
>
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
>         from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
>         psk "pkspass"
>
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
>         from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
>         psk "pskpass"
>
> GW88$ cat /etc/pf.conf
> set skip on {lo, enc}
>
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
>
> match out on egress from lan:network to any nat-to egress
>
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
> table persist counters
> pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
>         set prio (6, 7) keep state \
>         (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)
>
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types
>
> [network diagram: ASCII art garbled in the archive; recoverable content:
>  road_warrior (10.0.1.0/24) --ikev2--> GW88 (4.5.6.88) <--site-to-site VPN--> GW119 (1.2.3.119)
>  GW88 LANs: 192.168.1.254/24, 192.168.2.254/24 (host 192.168.2.1), 192.168.3.254/24
>  GW119 LANs: 172.16.1.254/24, 172.16.2.254/24]
>
> Thanks!
>
> On Thu, 8 Nov 2018 14:04:23 +0100
> Radek wrote:
>
> > I've been playing around with netcat.
> > I noticed that the netcat process on my VPN_server does not show any "X" on stdout for ports 4500 and 1701.
> >
Re: ikev2 and road warriors setup
Hello,

Thank all of you for your time and your help in this matter!
I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
Site-to-Site VPN is doing its job.

The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
I need to make road_warriors:
- reaching GW88_LAN_machines 192.168.2.254/24
- reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
- force road_warriors to use its own gateway for the rest of traffic - unticked "use default gateway on remote network".

I was playing around with iked.conf and pf.conf but I did not find the way to make it work.
I will be grateful if anyone could help me with that.

My network diagram and configs of GW88:

GW88$ cat /etc/hostname.enc0
inet 10.0.1.254 255.255.255.0

GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.0/24
#
#
remote_gw_GW119 = "1.2.3.119" # fw_GW119
remote_lan_GW119_1 = "172.16.1.0/24"
remote_lan_GW119_2 = "172.16.2.0/24"

local_gw_GW88_2 = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
        psk "pkspass"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
        psk "pskpass"

GW88$ cat /etc/pf.conf
set skip on {lo, enc}

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)

match out on egress from lan:network to any nat-to egress

block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

table persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
        set prio (6, 7) keep state \
        (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

[network diagram: ASCII art garbled in the archive; recoverable content:
 road_warrior (10.0.1.0/24) --ikev2--> GW88 (4.5.6.88) <--site-to-site VPN--> GW119 (1.2.3.119)
 GW88 LANs: 192.168.1.254/24, 192.168.2.254/24 (host 192.168.2.1), 192.168.3.254/24
 GW119 LANs: 172.16.1.254/24, 172.16.2.254/24]

Thanks!

On Thu, 8 Nov 2018 14:04:23 +0100
Radek wrote:

> I've been playing around with netcat.
> I noticed that the netcat process on my VPN_server does not show any "X" on stdout for ports 4500 and 1701.
>
> May it be relevant to my VPN issue?
>
> VPN_serv is A.B.C.77/23 (it is not behind NAT):
>
> $ pfctl -s rules
> pass all flags S/SA
>
> $ nc -u -l 500
>
> X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> A.B.C.69/23$ nc -vuz A.B.C.77 4500
> $ nc -u -l 4500
> NOTHING IS HERE
>
> $ nc -u -l 4499
>
> $ nc -u -l 4501
>
> X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> A.B.C.69/23$ nc -vuz A.B.C.77 1701
> $ nc -u -l 1701
> NOTHING IS HERE
>
> $ nc -u -l 22
>
> $ nc -u -l 1234
>
> On Wed, 7 Nov 2018 12:17:09 +0100
> Radek wrote:
>
> > Yesterday I tried this scenario:
> >
> > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > VPN_IKEv2 - A.B.C.77/23, not NATed
> >
> > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having two active VPN conn in one time.
> > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine.
> >
> > When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting VPN_L2TP - I got 809.
> >
> > Removing home_router which is between Win7_warrior and 1.2.3.119 does not change anything.
> >
> > Another thing:
> > I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp server. Then I move to public A.B.C.77/23 editing /etc/hostname, mygate, resolv.conf. Maybe I missed something in network conf that is important for OpenIKED?
> >
> > Any idea?
> >
> > On Tue, 6 Nov 2018 11:21:52
Re: ikev2 and road warriors setup
I've been playing around with netcat.
I noticed that the netcat process on my VPN_server does not show any "X" on stdout for ports 4500 and 1701.

May it be relevant to my VPN issue?

VPN_serv is A.B.C.77/23 (it is not behind NAT):

$ pfctl -s rules
pass all flags S/SA

$ nc -u -l 500

X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
A.B.C.69/23$ nc -vuz A.B.C.77 4500
$ nc -u -l 4500
NOTHING IS HERE

$ nc -u -l 4499

$ nc -u -l 4501

X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
A.B.C.69/23$ nc -vuz A.B.C.77 1701
$ nc -u -l 1701
NOTHING IS HERE

$ nc -u -l 22

$ nc -u -l 1234

On Wed, 7 Nov 2018 12:17:09 +0100
Radek wrote:

> Yesterday I tried this scenario:
>
> Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> VPN_IKEv2 - A.B.C.77/23, not NATed
>
> I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having two active VPN conn in one time.
> Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine.
>
> When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting VPN_L2TP - I got 809.
>
> Removing home_router which is between Win7_warrior and 1.2.3.119 does not change anything.
>
> Another thing:
> I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp server. Then I move to public A.B.C.77/23 editing /etc/hostname, mygate, resolv.conf. Maybe I missed something in network conf that is important for OpenIKED?
>
> Any idea?
>
> On Tue, 6 Nov 2018 11:21:52 +0100
> Radek wrote:
>
> > Hello Kim,
> >
> > > My question was concerning the VPN_server, is the server NATed?
> > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> >
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> > I only have switches in my building.
> > All routers/firewalls of my network are in another building, I do not know the whole network structure, devices, security policies... but I have never noticed that any ports were blocked.
> >
> > I can setup an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works like a charm.
> > https://community.riocities.com/openike_openbsd.html
> > But I can not setup a VPN_server for road warriors.
> >
> > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> > L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I conclude that it is not any Router/FW problem.
> >
> > On Tue, 6 Nov 2018 07:48:37 +0100
> > Kim Zeitler wrote:
> >
> > > Good morning Radek,
> > >
> > > I have a suspicion ...
> > >
> > > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT). The rest of the world fails to connect the VPN_server.
> > > My question was concerning the VPN_server, is the server NATed?
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> > >
> > > Cheers,
> > > Kim
> >
> > --
> > radek
>
> --
> radek

--
radek
Re: ikev2 and road warriors setup
Yesterday I tried this scenario:

Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed

I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having two active VPN conn in one time.
Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine.

When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting VPN_L2TP - I got 809.

Removing home_router which is between Win7_warrior and 1.2.3.119 does not change anything.

Another thing:
I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp server. Then I move to public A.B.C.77/23 editing /etc/hostname, mygate, resolv.conf. Maybe I missed something in network conf that is important for OpenIKED?

Any idea?

On Tue, 6 Nov 2018 11:21:52 +0100
Radek wrote:

> Hello Kim,
>
> > My question was concerning the VPN_server, is the server NATed?
> A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
>
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> I only have switches in my building.
> All routers/firewalls of my network are in another building, I do not know the whole network structure, devices, security policies... but I have never noticed that any ports were blocked.
>
> I can setup an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works like a charm.
> https://community.riocities.com/openike_openbsd.html
> But I can not setup a VPN_server for road warriors.
>
> I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I conclude that it is not any Router/FW problem.
>
> On Tue, 6 Nov 2018 07:48:37 +0100
> Kim Zeitler wrote:
>
> > Good morning Radek,
> >
> > I have a suspicion ...
> >
> > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT). The rest of the world fails to connect the VPN_server.
> > My question was concerning the VPN_server, is the server NATed?
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> >
> > Cheers,
> > Kim
>
> --
> radek

--
radek
Re: ikev2 and road warriors setup
Hello Kim,

> My question was concerning the VPN_server, is the server NATed?
A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.

> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
I only have switches in my building.
All routers/firewalls of my network are in another building, I do not know the whole network structure, devices, security policies... but I have never noticed that any ports were blocked.

I can setup an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works like a charm.
https://community.riocities.com/openike_openbsd.html
But I can not setup a VPN_server for road warriors.

I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I conclude that it is not any Router/FW problem.

On Tue, 6 Nov 2018 07:48:37 +0100
Kim Zeitler wrote:

> Good morning Radek,
>
> I have a suspicion ...
>
> > For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT). The rest of the world fails to connect the VPN_server.
> My question was concerning the VPN_server, is the server NATed?
> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
>
> Cheers,
> Kim

--
radek
Re: ikev2 and road warriors setup
Good morning Radek,

I have a suspicion ...

> For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT). The rest of the world fails to connect the VPN_server.
My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...

Cheers,
Kim
Fw: Re: ikev2 and road warriors setup
Hello Kim,

> Could you post your pf.conf?

My VPN_server's (A.B.C.77/23) pf.conf is:

(1)
$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)
match out on egress from lan:network to any nat-to egress
#match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

I also tested my setup with this:

(2)
$ pfctl -s rules
pass all flags S/SA

and this:

(3)
$ pfctl -d
pfctl: pf not enabled

For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT).
The rest of the world fails to connect to the VPN_server.

> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?

!A.B.C.0/23 I mean:
A.B.F.0/24 - tested both: public IP and behind router/NAT, warrior: Win7_warrior
1.2.3.119 - tested both: public IP and behind router/NAT, warrior: Win7_warrior and puffy_warrior
GSM network - only NATed connections, warrior: Win7_warrior

Some tcpdumps of attempts to connect to VPN_server (pass all flags S/SA):

### Win7_warrior, behind NAT:
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65-> msgid: len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: len: 329
^C
811 packets received by filter
0 packets dropped by kernel

### Win7_warrior, public IP
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 06d0dd81ba2f129d-> msgid: len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid: len: 329
^C
292 packets received by filter
0 packets dropped by kernel

### puffy_warrior (pfctl -d), behind NAT
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:45:40.562967 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 64755be010cd32d2-> msgid: len: 510
18:45:41.927874 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 64755be010cd32d2->2a0fe33c6b9afff8 msgid: len: 471

Thanks!

On Mon, 5 Nov 2018 09:27:25 +0100
Kim Zeitler wrote:

> Hello Radek,
>
> On 11/2/18 10:16 PM, Radek wrote:
> > Thank you for your response,
> >
> > Following your suggestion I removed IP from enc0 and changed iked.conf as
> > below:
> >
> > $ cat /etc/iked.conf
> > dns1 = "8.8.8.8"
> > dns2 = "8.8.4.4"
> > ikev2 "roadWarrior" ipcomp esp \
> > from 0.0.0.0/0 to 0.0.0.0/0 \
> > local A.B.C.77 peer any \
> > srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
> > config address 10.0.1.0/24 \
> > config netmask 255.255.255.0 \
> > config name-server $dns1 \
> > config name-server $dns2 \
> > config access-server A.B.C.77 \
> > config protected-subnet 0.0.0.0/0 \
> > tag "$id"
> >
> > It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
> I know this set-up to be working, as it is currently running here in
> production.
>
> > I also tried another scenario: puffy_server <-> puffy_warrior
> > The same. My warrior also cannot connect if it is !A.B.C.0/23 and VPN
> > works fine for clients from A.B.C.0/23.
> > Both machines are 6.3/i386.
> Your set-up is still a bit 'unclear', I would rather say you have a
> firewall/routing problem than an IPSec problem. Error 809 means no data
> received.
>
> Could you post your pf.conf?
> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?
>
> Cheers
> Kim

--
radek
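A small checker for captures like the ones above, added here as an example and not part of the thread: it groups the tcpdump isakmp lines by initiator cookie and reports how far each IKE exchange got on the responder, which is the question the three captures raise (the reply leaves the server, nothing comes back). It assumes IKE_AUTH and NAT-T (udp 4500) lines print in the same shape as the port-500 lines shown; the 203.0.113.5 peer and its packets are constructed.

```python
import re

# One tcpdump(8) line per IKEv2 message, in the shape shown in the captures above:
# "18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87af...-> msgid: len: 528"
# Hosts may be anonymised names like A.B.C.77, so the host part is not restricted to digits.
IKE_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"isakmp v2\.0 exchange (?P<exch>\S+) cookie: (?P<ispi>[0-9a-f]*)->(?P<rspi>[0-9a-f]*)"
)

# What each verdict means for the responder's firewall/routing.
HINTS = {
    "no-init-request": "only responder-side packets for this SPI; capture is probably truncated",
    "init-unanswered": "no IKE_SA_INIT reply left this host: check pf passes udp isakmp and iked is listening",
    "init-answered-no-auth": "reply sent but peer never sent IKE_AUTH: reply lost on the return path (NAT/routing) or rejected by the peer",
    "auth-on-nat-t": "peer switched to NAT-T (udp 4500): pf must pass ipsec-nat-t in both directions",
    "auth-on-500": "IKE_AUTH arrived on udp 500: the IKE exchange itself is healthy",
}

def parse_ike(lines):
    """Group the IKEv2 packets in tcpdump output by initiator SPI (the 'cookie')."""
    sas = {}
    for line in lines:
        m = IKE_LINE.match(line.strip())
        if m is None:
            continue  # non-IKE traffic in the capture (e.g. ssh ACKs) is ignored
        sas.setdefault(m["ispi"], []).append(m.groupdict())
    return sas

def diagnose(msgs, server):
    """Classify one IKE SA from packets captured on the responder ('server')."""
    init_req = [m for m in msgs if m["exch"] == "IKE_SA_INIT" and m["dst"] == server]
    init_rsp = [m for m in msgs if m["exch"] == "IKE_SA_INIT" and m["src"] == server]
    auth = [m for m in msgs if m["exch"] == "IKE_AUTH"]
    if not init_req:
        return "no-init-request"
    if not init_rsp:
        return "init-unanswered"
    if not auth:
        return "init-answered-no-auth"
    if any("4500" in (m["sport"], m["dport"]) for m in auth):
        return "auth-on-nat-t"
    return "auth-on-500"

def report(lines, server="A.B.C.77"):
    """Return {ispi: verdict} for every IKE SA seen in the capture."""
    return {ispi: diagnose(msgs, server) for ispi, msgs in parse_ike(lines).items()}

# Constructed sample: the two lines from the "Win7_warrior, behind NAT" capture in the thread,
# one unrelated ssh line, and an invented SA (203.0.113.5) that goes on to IKE_AUTH over NAT-T.
SAMPLE = """\
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65-> msgid: len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: len: 329
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
19:00:01.000000 203.0.113.5.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 0102030405060708-> msgid: len: 528
19:00:01.100000 A.B.C.77.500 > 203.0.113.5.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 0102030405060708->1112131415161718 msgid: len: 329
19:00:01.300000 203.0.113.5.4500 > A.B.C.77.4500: isakmp v2.0 exchange IKE_AUTH cookie: 0102030405060708->1112131415161718 msgid: 1 len: 1200
""".splitlines()

if __name__ == "__main__":
    for ispi, verdict in report(SAMPLE).items():
        print(f"{ispi}: {verdict} - {HINTS[verdict]}")
```

Feed it the output of `tcpdump -i vr0 -n host <peer>` taken on the gateway; the thread's own captures all come out as "init-answered-no-auth", i.e. the problem is after the reply leaves the server.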
Re: ikev2 and road warriors setup
Hello Radek,

On 11/2/18 10:16 PM, Radek wrote:
> Thank you for your response,
>
> Following your suggestion I removed IP from enc0 and changed iked.conf as
> below:
>
> $ cat /etc/iked.conf
> dns1 = "8.8.8.8"
> dns2 = "8.8.4.4"
> ikev2 "roadWarrior" ipcomp esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local A.B.C.77 peer any \
> srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
> config address 10.0.1.0/24 \
> config netmask 255.255.255.0 \
> config name-server $dns1 \
> config name-server $dns2 \
> config access-server A.B.C.77 \
> config protected-subnet 0.0.0.0/0 \
> tag "$id"
>
> It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.

I know this set-up to be working, as it is currently running here in production.

> I also tried another scenario: puffy_server <-> puffy_warrior
> The same. My warrior also cannot connect if it is !A.B.C.0/23 and VPN
> works fine for clients from A.B.C.0/23.
> Both machines are 6.3/i386.

Your set-up is still a bit 'unclear', I would rather say you have a firewall/routing problem than an IPSec problem. Error 809 means no data received.

Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23
Is your IPSec connection NATed?

Cheers
Kim
Re: ikev2 and road warriors setup
Thank you for your response,

Following your suggestion I removed IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.

I also tried another scenario: puffy_server <-> puffy_warrior
The same. My warrior also cannot connect if it is !A.B.C.0/23 and VPN works fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.

Confs:

puffy_server (just changed /etc/iked.conf and /etc/hostname.enc0 as below, the rest of my previous conf is untouched)

$ cat /etc/iked.conf
# puffy_server
ikev2 office passive esp \
from 172.16.0.64 to 0.0.0.0/0 \
from 172.16.0.254 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com"

$ cat /etc/hostname.enc0
up

puffy_warrior:

$ cat /etc/iked.conf
# puffy_warrior
ikev2 home active esp \
from egress to 172.16.0.0/24 \
local egress peer A.B.C.77 \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com" dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com"

$ pfctl -s rules
pass all flags S/SA

This is warrior log, public IP 1.2.3.119:

$ iked -dvv
set_policy_auth_method: using rfc7427 for peer
ikev2 "home" active esp inet from 1.2.3.119 to 172.16.0.0/24 local 1.2.3.119 peer A.B.C.77 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com dstid /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com lifetime 10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file puffy63.crt
ca_validate_cert: /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ikev2_init_ike_sa: initiating "home"
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to 'puff...@123.com'
ikev2_policy2id: srcid ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com length 123
ikev2_add_proposals: length 108
ikev2_next_payload: length 112 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x64068214f68d9422 0x 1.2.3.119:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x64068214f68d9422 0x A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112
ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 xforms 11 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0
Re: ikev2 and road warriors setup
On 10/28/18 3:04 PM, Radek wrote:
> Hello,
>
> I really need your help.
> I am still trying to configure IKEv2 VPN Gateway (A.B.C.77/23) for road warrior clients (Windows).
> The problem is that it works ONLY if clients are in the same subnet as VPN Gateway (A.B.C.0/23).
> Clients from outside the gateway's subnet (!A.B.C.0/23) cannot establish the connection (809 Error). It does not matter if they are behind NAT or not, tried different ISP - the same.
> Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23.
> I do not know what I am doing wrong. Can anyone please help me with solving this problem?
> Thank you.
>
> This is a fresh 6.3/i386 install:
>
> # cat /etc/hostname.enc0
> inet 10.0.1.1 255.255.255.0 10.0.1.255
> up

You don't need an IP on enc0

> # cat /etc/iked.conf
> ikev2 "test" passive esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local A.B.C.77 peer any \
> srcid A.B.C.77 \
> config address 10.0.1.0/24 \
> config name-server 8.8.8.8 \
> tag "IKED"

Try something like this, it works for both Win7 and Win10:

/etc/iked.conf -
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
peer any \
srcid $srcid \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet' (see iked.conf(5)).
Re: ikev2 and road warriors setup
Hello,

I really need your help.
I am still trying to configure IKEv2 VPN Gateway (A.B.C.77/23) for road warrior clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN Gateway (A.B.C.0/23).
Clients from outside the gateway's subnet (!A.B.C.0/23) cannot establish the connection (809 Error). It does not matter if they are behind NAT or not, tried different ISP - the same.
Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23.
I do not know what I am doing wrong. Can anyone please help me with solving this problem?
Thank you.

This is a fresh 6.3/i386 install:

# syspatch -l
001_perl
002_libtls
003_arp
004_gif
005_httpd
006_ipseclen
007_libcrypto
008_ipsecout
009_libcrypto
011_perl
012_execsize
013_ipsecexpire
014_amdlfence
015_ioport

WAN:
# cat /etc/hostname.vr0
inet A.B.C.77 255.255.254.0

LAN:
# cat /etc/hostname.vr3
inet 172.16.0.254 255.255.255.0 NONE group lan

# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"

# cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)
match out on egress from lan:network to any nat-to egress
match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

# ikectl show ca vpn certificates
subject= /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=37:2F:33:EA:C4:9C:45:0A:80:38:EC:0E:A6:F8:8B:EA:10:84:71:CB
notBefore=Oct 25 12:23:53 2018 GMT
notAfter=Oct 25 12:23:53 2019 GMT
subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=4C:AE:A5:C6:E3:71:81:09:C0:73:BF:03:5F:E2:02:CE:48:BF:03:78
notBefore=Oct 25 12:27:35 2018 GMT
notAfter=Oct 25 12:27:35 2019 GMT
subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=win7/emailAddress=t...@123.com
SHA1 Fingerprint=E2:C1:96:F3:26:0F:CA:CD:49:0A:33:65:58:0E:07:B7:A7:90:D4:18
notBefore=Oct 25 12:32:31 2018 GMT
notAfter=Oct 25 12:32:31 2019 GMT
subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=w520/emailAddress=w...@123.com
SHA1 Fingerprint=00:ED:49:7B:CE:AF:46:25:BE:39:B6:51:AD:3E:06:91:99:58:50:C9
notBefore=Oct 27 08:54:14 2018 GMT
notAfter=Oct 27 08:54:14 2019 GMT

# iked -vvd
ikev2 "test" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local A.B.C.77 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid A.B.C.77 lifetime 10800 bytes 536870912 signature config address 10.0.1.0 config name-server 8.8.8.8 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1193
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
ca_reload: loaded ca file ca.crt
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file A.B.C.77.crt
ca_validate_cert: /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 policy 'test' id 0, 528 bytes
ikev2_recv: ispi 0x683d59d10fbe4a9e rspi 0x
ikev2_policy2id: srcid IPV4/A.B.C.77 length 8
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
Re: ikev2 and road warriors setup
Hi again,

I'm still trying to make it work for roadwarriors.
VPN server has IP address A.B.9.73/23. It is OpenBSD 6.1.
I generated certs:

# hostname
serv73
# ikectl ca vpn create   (CN = serv73)
# ikectl ca vpn install
# ikectl ca vpn certificate A.B.9.73 create
# ikectl ca vpn certificate A.B.9.73 install
# ikectl ca vpn certificate A.B.9.76 create   #(CN = A.B.9.76)
# ikectl ca vpn certificate A.B.9.76 export

After installing A.B.9.76.zip in Win7 I can connect to VPN server from any IP address that is in range A.B.9.0/23.
I can't connect from IP that is NOT from A.B.9.0/23. I tried to connect from many IPs (public and behind NAT) but every time I got "809 error".
Can anyone please help me with solving that problem?

# cat /etc/iked.conf
[snip]
ikev2 "roadWarrior" passive esp \
from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
srcid A.B.9.73 \
config address 10.0.70.128 \
tag "$name-$id"

# iked -n
configuration OK

# cat /etc/pf.conf
ext_if = "vr0"
lan_if = "vr1"  # vr1
lan_local = $lan_if:network  # 10.0.73.0/24
ext_ip = "A.B.9.73"
bud = "A.B.9.0/25"
rdkhome_wy = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port = "1071"
icmp_types = "{ echoreq, unreach }"
table const { A.B.9.74, A.B.C.75 }
set skip on { lo, enc0 }
block return on $ext_if  # block stateless traffic
match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon } to $ext_if port $ssh_port \
    set prio (1, 6) keep state
pass out quick on egress proto esp from (egress:0) to keep state
pass out quick on egress proto udp from (egress:0) to port {500, 4500} keep state
pass in quick on egress proto esp from to (egress:0) keep state
pass in quick on egress proto udp from to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state
pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state
block return in on ! lo0 proto tcp to port 6000:6010

# iked -dvv
ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 policy 'roadWarrior' id 0, 528 bytes
ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x
ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x35e2e7f614678913 0x E.F.G.H:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x A.B.9.73:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
sa_stateok: SA_INIT flags 0x, require 0x
sa_stateflags: 0x -> 0x0020 sa (required 0x )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f A.B.9.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x35e2e7f614678913 0x17