Added details about ipsec remote-access

This commit is contained in:
srividya0208 2023-09-27 14:06:15 -04:00
parent 54bdc76b3b
commit 3f7e9a6de9
2 changed files with 177 additions and 0 deletions

View File

@ -23,3 +23,4 @@ pages to sort
dmvpn dmvpn
site2site_ipsec site2site_ipsec
remoteaccess_ipsec

View File

@ -0,0 +1,176 @@
.. _remoteaccess_ipsec:
IPSec IKEv2 Remote Access VPN
=============================
Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec,
that establishes a secure VPN communication between VPN devices, and defines
negotiation and authentication processes for IPsec security associations (SAs).
It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors
as others call it.
Key exchange and payload encryption is done using IKE and ESP proposals as known
from IKEv1 but the connections are faster to establish, more reliable, and also
support roaming from IP to IP (called MOBIKE which makes sure your connection
does not drop when changing networks from e.g. WIFI to LTE and back).
Authentication can be achieved with X.509 certificates.
Setting up certificates:
^^^^^^^^^^^^^^^^^^^^^^^^
First of all, we need to create a CA root certificate and server certificate
on the server side.
.. code-block:: none
vyos@vpn.vyos.net# run generate pki ca install ca_root
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io)
Enter how many days certificate will be valid: (Default: 1825)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
vyos@vpn.vyos.net# comp
[pki ca]
+ ca_root {
+ certificate "MIIDnTCCAoWgAwI…."
+ private {
+ key "MIIEvAIBADANBgkqhkiG9….”
vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert
Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io) vpn.vyos.net
Do you want to configure Subject Alternative Names? [y/N] N
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
vyos@vpn.vyos.net# comp
[pki certificate]
+ server_cert {
+ certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………"
+ private {
+ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….."
+ }
+ }
Once the command is completed, it will add the certificate to the configuration
session, to the pki subtree. You can then review the proposed changes and
commit them.
Setting up IPSec:
^^^^^^^^^^^^^^^^^
After the PKI certs are all set up we can start configuring our IPSec/IKE
proposals used for key-exchange end data encryption. The used encryption ciphers
and integrity algorithms vary from operating system to operating system. The
ones used in this example are validated to work on Windows 10.
.. code-block:: none
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
Every connection/remote-access pool we configure also needs a pool where we
can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
Authorized clients will receive an IPv4 address from the configured IPv4 prefix
and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers
down to our clients used on their connection.
.. code-block:: none
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
Setting up tunnel:
^^^^^^^^^^^^^^^^^^
.. code-block:: none
set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
VyOS also supports two different modes of authentication, local and RADIUS.
To create a new local user named "vyos" with a password of "vyos" use the
following commands.
.. code-block:: none
set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
Client Configuration
^^^^^^^^^^^^^^^^^^^^
Most operating systems include native client support for IPsec IKEv2 VPN
connections, and others typically have an app or add-on package which adds the
capability.
This section covers IPsec IKEv2 client configuration for Windows 10.
VyOS provides a command to generate a connection profile used by Windows clients
that will connect to the "rw" connection on our VyOS server.
.. note:: Windows expects the server name to be also used in the server's
certificate common name, so it's best to use this DNS name for your VPN
connection.
.. code-block:: none
vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
==== <snip> ====
Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants
GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
==== </snip> ====
Add the commands from Snippet in the Windows side via PowerShell.
Also import the root CA cert to the Windows “Trusted Root Certification
Authorities” and establish the connection.
Verification:
^^^^^^^^^^^^^
.. code-block:: none
vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary
Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal
--------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------
5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128