path: root/docs/configuration/vpn/remoteaccess_ipsec.rst
blob: 9bc499798837304e9742f81d1835e4e35a79cc4e (plain)
.. _remoteaccess_ipsec:

IPSec IKEv2 Remote Access VPN
=============================

Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec,
that establishes secure VPN communication between VPN devices and defines the
negotiation and authentication processes for IPsec security associations (SAs).
It is often referred to as IKEv2/IPsec or IPsec IKEv2 remote-access, or, as
others call it, a road-warrior setup.

Key exchange and payload encryption are done using IKE and ESP proposals as
known from IKEv1, but the connections are faster to establish, more reliable,
and also support roaming from IP to IP (called MOBIKE, which makes sure your
connection does not drop when changing networks, e.g. from WiFi to LTE and
back). Authentication can be achieved with X.509 certificates.

Setting up certificates:
^^^^^^^^^^^^^^^^^^^^^^^^
First of all, we need to create a CA root certificate and server certificate 
on the server side.

.. code-block:: none

  vyos@vpn.vyos.net# run generate pki ca install ca_root
  Enter private key type: [rsa, dsa, ec] (Default: rsa)
  Enter private key bits: (Default: 2048)
  Enter country code: (Default: GB)
  Enter state: (Default: Some-State)
  Enter locality: (Default: Some-City)
  Enter organization name: (Default: VyOS)
  Enter common name: (Default: vyos.io)
  Enter how many days certificate will be valid: (Default: 1825)
  Note: If you plan to use the generated key on this router, do not encrypt the private key.
  Do you want to encrypt the private key with a passphrase? [y/N] N
  2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
  [edit]


  vyos@vpn.vyos.net# comp
  [pki ca]
  + ca_root {
  +     certificate "MIIDnTCCAoWgAwI…."
  +     private {
  +         key "MIIEvAIBADANBgkqhkiG9…."
  +     }
  + }

  vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert
  Do you already have a certificate request? [y/N] N
  Enter private key type: [rsa, dsa, ec] (Default: rsa)
  Enter private key bits: (Default: 2048)
  Enter country code: (Default: GB)
  Enter state: (Default: Some-State)
  Enter locality: (Default: Some-City)
  Enter organization name: (Default: VyOS)
  Enter common name: (Default: vyos.io) vpn.vyos.net
  Do you want to configure Subject Alternative Names? [y/N] N
  Enter how many days certificate will be valid: (Default: 365)
  Enter certificate type: (client, server) (Default: server)
  Note: If you plan to use the generated key on this router, do not encrypt the private key.
  Do you want to encrypt the private key with a passphrase? [y/N] N
  2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.

  vyos@vpn.vyos.net# comp
  [pki certificate]
  + server_cert {
  +     certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………"
  +     private {
  +         key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….."
  +     }
  + }


Once the command completes, the certificate and its private key are added to
the configuration session under the pki subtree. You can then review the
proposed changes with "compare" and apply them with "commit".

Setting up IPSec:
^^^^^^^^^^^^^^^^^

After the PKI certificates are set up we can start configuring the IPsec/IKE
proposals used for key exchange and data encryption. The encryption ciphers and
integrity algorithms that clients accept vary from operating system to
operating system. The ones used in this example are validated to work on
Windows 10.

.. code-block:: none

  set vpn ipsec esp-group ESP-RW lifetime '3600'
  set vpn ipsec esp-group ESP-RW pfs 'disable'
  set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
  set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'

  set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
  set vpn ipsec ike-group IKE-RW lifetime '7200'
  set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
  set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
  set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'

Every remote-access connection we configure also needs a pool from which client
IP addresses are drawn. We provide one IPv4 and one IPv6 pool. Authorized
clients will receive an IPv4 address from the configured IPv4 prefix and an
IPv6 address from the IPv6 prefix. We can also push DNS name servers to our
clients for use while they are connected.

.. code-block:: none

  set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
  set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'

  set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
  set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'

Setting up tunnel:
^^^^^^^^^^^^^^^^^^

.. code-block:: none

  set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
  set vpn ipsec remote-access connection rw authentication server-mode 'x509'
  set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
  set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
  set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
  set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
  set vpn ipsec remote-access connection rw local-address '192.0.2.1'
  set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
  set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'

VyOS also supports two different modes of client authentication, local and
RADIUS. To create a new local user named "vyos" with a password of "vyos", use
the following commands.

.. code-block:: none

  set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
  set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
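
The following Python script is an added example, not part of the VyOS
documentation or VyOS's own validation code. It parses the set commands shown
in the sections above and checks the cross-references a commit relies on: the
esp-group and ike-group named by the connection exist, the ike-group uses
IKEv2, every referenced pool defines a prefix that does not contain the
server's own local-address, and x509 server mode names both a CA and a server
certificate. The sample configuration string is a constructed copy of the
commands on this page; the rules and the function names are the example's own.

```python
import ipaddress
import shlex

# Constructed sample: the "set" commands from this page, pasted as an operator would.
SAMPLE_CONFIG = """
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
"""


def parse_set_commands(text):
    """Map each 'set' path (tuple of tokens) to the list of values given for it.
    Multi-valued nodes such as 'connection rw pool' collect several values."""
    tree = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        path, value = tuple(tokens[1:-1]), tokens[-1]
        tree.setdefault(path, []).append(value)
    return tree


def _defined(tree, *prefix):
    """True if any configured path starts with the given tokens."""
    return any(path[:len(prefix)] == prefix for path in tree)


def check_remote_access(tree, name):
    """Return a list of problems found for remote-access connection `name`
    (hypothetical checks written for this example, not VyOS's own validation)."""
    base = ("vpn", "ipsec", "remote-access", "connection", name)

    def leaf(*suffix):
        return tree.get(base + suffix, [])

    if not _defined(tree, *base):
        return [f"connection {name!r} is not configured"]
    problems = []
    # The connection must point at esp/ike groups that exist, and IKEv2 is required.
    for key in ("esp-group", "ike-group"):
        for group in leaf(key):
            if not _defined(tree, "vpn", "ipsec", key, group):
                problems.append(f"{key} {group!r} is referenced but not defined")
    for ike in leaf("ike-group"):
        kx = tree.get(("vpn", "ipsec", "ike-group", ike, "key-exchange"), [])
        if kx != ["ikev2"]:
            problems.append(f"ike-group {ike!r} should use key-exchange ikev2, got {kx}")
    # Each pool needs a prefix, and the server's own address must not be handed out.
    for pool in leaf("pool"):
        prefixes = tree.get(("vpn", "ipsec", "remote-access", "pool", pool, "prefix"), [])
        if not prefixes:
            problems.append(f"pool {pool!r} is referenced but defines no prefix")
            continue
        net = ipaddress.ip_network(prefixes[0], strict=False)
        for addr in leaf("local-address"):
            ip = ipaddress.ip_address(addr)
            if ip.version == net.version and ip in net:
                problems.append(f"local-address {addr} lies inside pool {pool!r} ({net})")
    # x509 server mode is only usable with both a CA and a server certificate named.
    if leaf("authentication", "server-mode") == ["x509"]:
        for item in ("ca-certificate", "certificate"):
            if not leaf("authentication", "x509", item):
                problems.append(f"server-mode x509 requires authentication x509 {item}")
    return problems


def check_config_text(text, name="rw"):
    """Convenience wrapper: parse the command text and check one connection."""
    return check_remote_access(parse_set_commands(text), name)


if __name__ == "__main__":
    for problem in check_config_text(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against a pasted block of set commands before committing; the local-address
check catches the common mistake of choosing a client pool that overlaps the
address the server itself listens on.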

Client Configuration
^^^^^^^^^^^^^^^^^^^^

Most operating systems include native client support for IPsec IKEv2 VPN
connections, and the others typically have an app or add-on package which adds
the capability. This section covers IPsec IKEv2 client configuration for
Windows 10.

VyOS provides a command to generate a connection profile used by Windows clients
that will connect to the "rw" connection on our VyOS server.

.. note:: Windows expects the server name of the VPN connection to match the
   common name of the server's certificate, so use this DNS name for both the
   certificate and the VPN connection.

.. code-block:: none

  vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net


  ==== <snip> ====
  Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"

  Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
  ==== </snip> ====

Run the commands from the snippet on the Windows side in PowerShell. Also import
the root CA certificate into the Windows "Trusted Root Certification
Authorities" store, then establish the connection.

Verification:
^^^^^^^^^^^^^

.. code-block:: none

  vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary
    Connection ID  Username    Protocol    State    Uptime    Tunnel IP    Remote Host    Remote ID    IKE Proposal                                IPSec Proposal
  ---------------  ----------  ----------  -------  --------  -----------  -------------  -----------  ------------------------------------------  ------------------
                5  vyos        IKEv2       UP       37s       192.0.2.129  10.0.0.2       10.0.0.2     AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048  ESP:AES_GCM_16-128
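
To check what connected clients actually negotiated, the following Python
script is an added example, not VyOS's own tooling. It parses the table printed
by "show vpn ipsec remote-access summary" and flags sessions whose negotiated
IKE or ESP algorithms fall outside the proposals configured on this page. The
expected names are the strongSwan names visible in the output above
(AES_GCM_16-128, PRF_HMAC_SHA2_256, MODP_2048); session 5 in the sample is the
row from this page, while session 6 is constructed for the example to show a
deviation and did not come from the page.

```python
# Algorithm names as strongSwan prints them for the proposals configured on this
# page: aes128gcm128 -> AES_GCM_16-128, sha256 as the IKE PRF -> PRF_HMAC_SHA2_256,
# dh-group 14 -> MODP_2048 (taken from the summary output shown on the page).
EXPECTED_IKE = {"AES_GCM_16-128", "PRF_HMAC_SHA2_256", "MODP_2048"}
EXPECTED_ESP = {"AES_GCM_16-128"}

# Constructed sample in the layout of "show vpn ipsec remote-access summary".
# Session 5 is the row shown on this page; session 6 is invented for the example
# to show a client that ended up on algorithms outside the configured proposals.
SAMPLE_SUMMARY = """\
  Connection ID  Username    Protocol    State    Uptime    Tunnel IP    Remote Host    Remote ID    IKE Proposal                                IPSec Proposal
---------------  ----------  ----------  -------  --------  -----------  -------------  -----------  ------------------------------------------  ------------------
              5  vyos        IKEv2       UP       37s       192.0.2.129  10.0.0.2       10.0.0.2     AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048  ESP:AES_GCM_16-128
              6  alice       IKEv2       UP       12m       192.0.2.130  10.0.0.3       10.0.0.3     AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024  ESP:AES_CBC-128/HMAC_SHA1_96
"""

COLUMNS = ("id", "username", "protocol", "state", "uptime", "tunnel_ip",
           "remote_host", "remote_id", "ike", "esp")


def parse_summary(text):
    """Turn the summary table into a list of dicts, one per session.
    Data rows start with a numeric connection ID and have exactly ten
    whitespace-separated fields; the header and rule lines do not."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        row = dict(zip(COLUMNS, fields))
        row["id"] = int(row["id"])
        row["ike"] = row["ike"].split("/")
        esp = row["esp"]
        row["esp"] = (esp[4:] if esp.startswith("ESP:") else esp).split("/")
        sessions.append(row)
    return sessions


def unexpected_sessions(sessions, expected_ike=EXPECTED_IKE, expected_esp=EXPECTED_ESP):
    """Return (id, username, offending_algorithms) for every session that
    negotiated an algorithm outside the expected sets."""
    flagged = []
    for s in sessions:
        offending = [a for a in s["ike"] if a not in expected_ike]
        offending += [a for a in s["esp"] if a not in expected_esp]
        if offending:
            flagged.append((s["id"], s["username"], offending))
    return flagged


if __name__ == "__main__":
    for conn_id, user, algs in unexpected_sessions(parse_summary(SAMPLE_SUMMARY)):
        print(f"session {conn_id} ({user}) negotiated unexpected algorithms: {', '.join(algs)}")
```

With the single proposal configured on this page the check is a sanity check;
it becomes useful once several proposals are offered to suit different client
operating systems and you want to know which clients landed on the weaker ones.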