diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/configuration/vpn/index.rst | 1 | ||||
| -rw-r--r-- | docs/configuration/vpn/remoteaccess_ipsec.rst | 176 | 
2 files changed, 177 insertions, 0 deletions
| diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst index 3cd9e50d..cf825a63 100644 --- a/docs/configuration/vpn/index.rst +++ b/docs/configuration/vpn/index.rst @@ -23,3 +23,4 @@ pages to sort     dmvpn     site2site_ipsec +   remoteaccess_ipsec diff --git a/docs/configuration/vpn/remoteaccess_ipsec.rst b/docs/configuration/vpn/remoteaccess_ipsec.rst new file mode 100644 index 00000000..9bc49979 --- /dev/null +++ b/docs/configuration/vpn/remoteaccess_ipsec.rst @@ -0,0 +1,176 @@ +.. _remoteaccess_ipsec: + +IPSec IKEv2 Remote Access VPN +============================= + +Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, +that establishes a secure VPN communication between VPN devices,  and defines  +negotiation and authentication processes for IPsec security associations (SAs). +It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors +as others call it. + +Key exchange and payload encryption is done using IKE and ESP proposals as known +from IKEv1 but the connections are faster to establish, more reliable, and also +support roaming from IP to IP (called MOBIKE which makes sure your connection  +does not drop when changing networks from e.g. WIFI to LTE and back).  +Authentication can be achieved with X.509 certificates. + +Setting up certificates: +^^^^^^^^^^^^^^^^^^^^^^^^ +First of all, we need to create a CA root certificate and server certificate  +on the server side. + +.. code-block:: none + +  vyos@vpn.vyos.net# run generate pki ca install ca_root +  Enter private key type: [rsa, dsa, ec] (Default: rsa) +  Enter private key bits: (Default: 2048) +  Enter country code: (Default: GB) +  Enter state: (Default: Some-State) +  Enter locality: (Default: Some-City) +  Enter organization name: (Default: VyOS) +  Enter common name: (Default: vyos.io) +  Enter how many days certificate will be valid: (Default: 1825) +  Note: If you plan to use the generated key on this router, do not encrypt the private key. +  Do you want to encrypt the private key with a passphrase? [y/N] N +  2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. +  [edit] + + +  vyos@vpn.vyos.net# comp +  [pki ca] +  + ca_root { +  +     certificate "MIIDnTCCAoWgAwI…." +  +     private { +  +         key "MIIEvAIBADANBgkqhkiG9….” + +  vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert +  Do you already have a certificate request? [y/N] N +  Enter private key type: [rsa, dsa, ec] (Default: rsa) +  Enter private key bits: (Default: 2048) +  Enter country code: (Default: GB) +  Enter state: (Default: Some-State) +  Enter locality: (Default: Some-City) +  Enter organization name: (Default: VyOS) +  Enter common name: (Default: vyos.io) vpn.vyos.net +  Do you want to configure Subject Alternative Names? [y/N] N +  Enter how many days certificate will be valid: (Default: 365) +  Enter certificate type: (client, server) (Default: server) +  Note: If you plan to use the generated key on this router, do not encrypt the private key. +  Do you want to encrypt the private key with a passphrase? [y/N] N +  2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + +  vyos@vpn.vyos.net# comp +  [pki certificate] +  + server_cert { +  +     certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………" +  +     private { +  +         key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….." +  +     } +  + } + + +Once the command is completed, it will add the certificate to the configuration  +session, to the pki subtree. You can then review the proposed changes and  +commit them. + +Setting up IPSec: +^^^^^^^^^^^^^^^^^ + +After the PKI certs are all set up we can start configuring our IPSec/IKE  +proposals used for key-exchange end data encryption. The used encryption ciphers +and integrity algorithms vary from operating system to operating system. The  +ones used in this example are validated to work on Windows 10. + +.. code-block:: none + +  set vpn ipsec esp-group ESP-RW lifetime '3600' +  set vpn ipsec esp-group ESP-RW pfs 'disable' +  set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' +  set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' + +  set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' +  set vpn ipsec ike-group IKE-RW lifetime '7200' +  set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' +  set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' +  set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' + +Every connection/remote-access pool we configure also needs a pool where we +can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. +Authorized clients will receive an IPv4 address from the configured IPv4 prefix +and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers +down to our clients used on their connection. + +.. code-block:: none + +  set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' +  set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' + +  set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' +  set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' + +Setting up tunnel: +^^^^^^^^^^^^^^^^^^ + +.. code-block:: none + +  set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1' +  set vpn ipsec remote-access connection rw authentication server-mode 'x509' +  set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root' +  set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert' +  set vpn ipsec remote-access connection rw esp-group 'ESP-RW' +  set vpn ipsec remote-access connection rw ike-group 'IKE-RW' +  set vpn ipsec remote-access connection rw local-address '192.0.2.1' +  set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' +  set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' + +VyOS also supports two different modes of authentication, local and RADIUS. +To create a new local user named "vyos" with a password of "vyos" use the  +following commands. + +.. code-block:: none + +  set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' +  set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' + +Client Configuration +^^^^^^^^^^^^^^^^^^^^ + +Most operating systems include native client support for IPsec IKEv2 VPN +connections, and others typically have an app or add-on package which adds the +capability. +This section covers IPsec IKEv2 client configuration for Windows 10. + +VyOS provides a command to generate a connection profile used by Windows clients +that will connect to the "rw" connection on our VyOS server. + +.. note:: Windows expects the server name to be also used in the server's +   certificate common name, so it's best to use this DNS name for your VPN +   connection. + +.. code-block:: none + +  vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net + + +  ==== <snip> ==== +  Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" + +  Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants  +  GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force +  ==== </snip> ==== + +Add the commands from Snippet in the Windows side via PowerShell. +Also import the root CA cert to the Windows “Trusted Root Certification  +Authorities” and establish the connection. + +Verification: +^^^^^^^^^^^^^ + +.. code-block:: none + +  vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary +    Connection ID  Username    Protocol    State    Uptime    Tunnel IP    Remote Host    Remote ID    IKE Proposal                                IPSec Proposal +  ---------------  ----------  ----------  -------  --------  -----------  -------------  -----------  ------------------------------------------  ------------------ +                5  vyos        IKEv2       UP       37s       192.0.2.129  10.0.0.2       10.0.0.2     AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048  ESP:AES_GCM_16-128 + | 
