OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: rainerle on March 21, 2019, 04:21:10 pm

Title: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on March 21, 2019, 04:21:10 pm
Hi everybody,

we are live - since 14 Mar 2019 - with our HA OPNsense 19.1.4 setup. Now I wanted to share our specific IPsec IKEv2 mobile client setup. It works for IPv4 and IPv6.

Our requirements:
- VPN login using accounts maintained already in a Radius server.
- No installation of additional software on the clients.
- No installation of certificates on the clients - all the user has to know is his user ID and password.
- Separate IP pools per user group. Access rights to some systems on our network are based on addresses of these IP pools.
- Split tunneling for internal and external IP addresses. External since some partners only allow access using our firewalls uplink IP address.
- Split DNS since we maintain internal DNS domains.
- Allow more than one connection per user ID for users (Laptop and mobile phone concurrent use...)

Since 19.1.7 we are able to maintain a file based IPsec configuration using StrongSwan include files.

So how does it look like in short:
- Create a Let's Encrypt Server certificate for the IPsec responder FQDN (vpn.contoso.com) with A and AAAA DNS entry
- Configure VPN->IPsec->Mobile Client using a Radius server as backend, create phase 1 using EAP-RADIUS and then create one IPv4 and one IPv6 phase 2 default tunnel. This is then used by "also" in separate include.d configurations.
- Create a Phase1 per Radius class (which is the group) using an include file
- Create multiple Phase2 per Phase1 for the split tunneling using an include file
- Configure the StrongSwan Radius plugin to use the class_group using an include file (https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Group-selection)


OPNsense Configuration:

To let the clients know about the Split DNS we configured "DNS Default Domain", "Split DNS" and "DNS Servers" in VPN->IPsec->Mobile Clients.

I include our config files and the generated IPsec config files. The external IP addresses have been replaced with some other IPs. The domain names are replaced as well.


Client Configuration:
Windows 10:

I attached the PowerShell script we use to configure our Windows 10 clients. It is copied using a robocopy computer group policy script and then executed every time the user logs onto the laptop using a user GPO.

Apple Devices (MacOS and iOS):

Since 19.1.5 the clients just have to configure an IKEv2 VPN with vpn.contoso.com as Server and Remote ID and pass their User ID and Password. Split tunnel and DNS are configured automatically from the Responder's IKEv2 payload.
There are two bugs though:
- The split DNS domain names are added automagically to the DNS search suffixes.
- DNS A records are resolved properly with the Split DNS server. DNS SRV records are not (see https://communities.apple.com/de/thread/250249906).

Android Devices:

Install the StrongSwan App, configure and you are good to go!
https://play.google.com/store/apps/details?id=org.strongswan.android

Linux clients:

Until I found a long outstanding bug in the Ubuntu LTS version I could not get them to work. See https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705.

But then it is fairly simple:
- sudo apt install network-manager-strongswan libstrongswan-standard-plugins libcharon-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins dnsmasq
- Configure IKEv2 VPN in Network Manager using EAP. Tick "assign internal IP" and give user name and password.
- Split DNS (use dnsmasq as local DNS server and set specific DNS server per DNS domain name)
  - Disable dnsmasq starting as a system service (systemctl disable dnsmasq)
  - Add "dns=dnsmasq" in the main section in /etc/NetworkManager/NetworkManager.conf
  - Add "server=/internal.contoso.com/10.20.30.1" in /etc/NetworkManager/dnsmasq.d/contoso-vpn.conf. Do so for all further internal DNS domain names.
- pkill -9 charon-nm if there is IPsec plugin trouble (sudo journalctl -f during VPN connect is your friend...)

Chromebooks:
No solution yet. Split tunnel and split DNS seem not to work using the StrongSwan Android App.

Best for now to star https://bugs.chromium.org/p/chromium/issues/detail?id=715622.

Updated on 24.8.2020 to use the web interface for most and only adjust to use Radius-EAP's rightgroups group assignment. As well IPv4 and IPv6 are working now - the VPN responder FQDN needs an A and AAAA DNS entry.
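The attached GPO script is not part of this page, so here is an added example (my own, not the author's script) of what a Windows 10 client profile for the responder described above looks like when done with the built-in VPN cmdlets: EAP user/password authentication, a pinned IKE/ESP proposal, split tunnel routes and split DNS. The connection name, the internal and partner prefixes and the split-DNS resolver address are placeholders I assumed; the FQDN vpn.contoso.com is the one from the HOWTO.

```powershell
# Added example, not the HOWTO author's attached script.
# Assumed placeholders: connection name, 10.20.0.0/16, fd00:20::/48,
# 203.0.113.0/24 (a partner that only allows the firewall uplink IP)
# and the split-DNS resolver 10.20.30.1. Replace with your own values.
$Name     = 'Contoso VPN'
$Server   = 'vpn.contoso.com'            # must match the Let's Encrypt cert / Remote ID
$Routes   = @('10.20.0.0/16', 'fd00:20::/48', '203.0.113.0/24')
$SplitDns = @{ 'internal.contoso.com' = '10.20.30.1' }

# Recreate the per-user profile so a re-run from the user GPO is idempotent.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# EAP (defaults to EAP-MSCHAPv2) with the user's ID and password, so no client
# certificate is needed. -SplitTunneling keeps the default route on the local
# uplink; only the prefixes added below are sent through the tunnel.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -SplitTunneling -RememberCredential

# Pin the proposal to one the responder offers (aes256-sha256-modp2048)
# instead of relying on the weaker Windows defaults.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Split tunnel: internal prefixes plus the partner range that expects our
# firewall's uplink address as source.
foreach ($prefix in $Routes) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix
}

# Split DNS: an NRPT rule bound to the profile sends queries for the internal
# domain to the internal resolver only while the VPN is up.
foreach ($suffix in $SplitDns.Keys) {
    Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $Name `
        -DnsSuffix $suffix -DnsIPAddress $SplitDns[$suffix] -Force
}

# Show what was provisioned so the user GPO log has something to verify.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

The script is meant to run in the user's context (as the HOWTO's user GPO does), which is why it creates a per-user connection rather than an -AllUserConnection one.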
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: hbc on March 22, 2019, 10:42:32 am
Since this patch is new, I guess I have either to patch manually or wait for 19.1.5+

Code:
# opnsense-patch dfd48d2
fails. What is the correct version? I tried a4d157d, 2056e90, b57fe03. Maybe I am doing it wrong and I need another command or options.
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: franco on March 24, 2019, 01:19:34 pm
Patches fail if they can't be applied. It's normal: think of it as puzzle pieces. Wait for the next version and the respective backport if it's not already included.
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on March 25, 2019, 10:32:59 am
Hi,

to enable the includes there were three patches.

If you do not require any other patches maybe this will help.

Reset to current version without patches. This leaves your settings alone and should bring you to 19.1.4.
Code:
pkg install -f opnsense
Apply the three patches in order
Code:
opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2

And then save and apply the IPsec configuration in the web interface.

Then move your files into the include directories and try if that works for you.
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: hbc on March 25, 2019, 11:39:06 am
Quote
opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2

This bunch of patches worked. Now I will see whether includes work. How about HA? Do I have to sync ipsec.opnsense.d folder myself or is it done by config sync?
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on March 25, 2019, 02:13:33 pm
The HA configuration sync only sends specific sections from the XML config file to the backup node.

So rsync for those three specific directories is how I do it currently...

And speaking of HA: IPsec connections are in case of a failover not taken over anyway. There is a StrongSwan HA plugin existing, but not implemented in OPNsense...
https://wiki.strongswan.org/projects/strongswan/wiki/highavailability
This shows the config of an active-passive setup:
https://www.strongswan.org/testing/testresults/ha/active-passive/
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: hbc on March 28, 2019, 11:26:43 am
Ok, finally I managed to get a working configuration. Everything done in new include directories.

Just enabled IPsec and IKE without further configuration. So ipsec.secrets and ipsec.conf just have the include line. strongswan.conf has some more defaults.

I set up three policies like in the example to assign groups via RADIUS attribute 25 (class). This works, but it keeps the rightsourceip of the first matched entry.

Code:
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|2> selected peer config 'mobileIPv4-ike2-Employees'
...
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> sending RADIUS Access-Request to server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received RADIUS Access-Accept from server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received group membership 'Admins' from RADIUS
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> reassigning offline lease to 'acme\admin'

The first matching entry mobileIPv4-ike2-Employees is matched. Then RADIUS is done, group assignment sent, and now I expect it to switch to mobileIPv4-ike2-Admins and get an IP from the admin pool. But I get an IP address from the mobileIPv4-ike2-Employees pool.

The RADIUS request should be done before selecting peer configuration because the peer configuration depends on the returned class attribute. What am I doing wrong?

Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on March 28, 2019, 12:02:08 pm
Hm, somehow the brain2brain link is not working... I failed to receive your config files :-\
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: hbc on March 28, 2019, 12:59:55 pm
Haha. It is the same as in the ones you provided.

ipsec.conf
Code:
config setup
  uniqueids = never

conn mobileIPv4-ike2
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = X.X.X.X
  right = %any
  leftid = vpn.gateway.local
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 172.16.0.0/24
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
  ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  leftauth = pubkey
  rightauth = eap-radius
  rightsendcert = never
  eap_identity = %any
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  reqid = 1000

conn mobileIPv4-ike2-Employees
  also = mobileIPv4-ike2
  rightgroup = "Employees"
  rightsourceip = 172.16.0.0/24
  leftsubnet = 0.0.0.0/0
  auto = add

conn mobileIPv4-ike2-Admins
  also = mobileIPv4-ike2
  rightgroup = "Admins"
  rightsourceip = 172.17.0.0/24
  leftsubnet = 0.0.0.0/0
  auto = add

strongswan.conf
Code:
starter {
    load_warning = no
}

charon {
    cisco_unity = yes
    plugins {
        eap-radius {
            servers {
                addc1 {
                    address = X.X.X.X
                    secret = "2secret"
                    auth_port = 1812
                    acct_port = 1813
                }
            }
            accounting = yes
            # Activate passing the radius class attribute as rightgroup
            class_group = yes
        }
    }
}
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on March 29, 2019, 12:15:46 am
Mmmmh, looking through your config:
- leave the reqid and rightsourceip in conn mobileIPv4-ike2 out
- The parameter rightgroup is missing a trailing s (see https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection )

I think the missing s is the problem here...

Sorry for the late reply...
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: hbc on March 29, 2019, 07:55:34 am
Quote
I think the missing s is the problem here...

Hell yeah, you were right. Just this little typo. Corrected it and now it switches to matching peer config with the wanted group.

Perfect!

So I have my ike1-legacy PSK configuration and a new ike2 configuration that works with the Windows built-in client.

Thx
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on April 05, 2019, 03:59:45 pm
Be careful when upgrading to 19.1.5:
- https://github.com/opnsense/core/issues/3325 is included
- The creation of directories of https://github.com/opnsense/core/pull/3311 is included
- The include statement generation itself from https://github.com/opnsense/core/pull/3311 is missing!

Applying the three patches in order is still required.
Code:
opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: hbc on April 05, 2019, 04:12:57 pm
I did intentionally not upgrade yet. Too many reports about bugs when people upgraded to 19.1.4 made me more careful.
Will wait a month before doing upgrades.
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on May 02, 2019, 03:03:19 pm
Since 19.1.7 all required patches are included. Seems like I have to upgrade at some point next week  :)
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on May 13, 2019, 12:40:52 pm
Executed the upgrade to 19.1.7 during lunchtime. Systems are now patch free  :)
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: kapara on November 17, 2019, 09:04:59 am
Any updated directions on how to configure IPSEC mobile VPN with Radius?  I followed directions exactly but get the "The error code returned on failure is 13801"
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: mimugmail on November 17, 2019, 01:39:26 pm
Did you follow the official guide?
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on August 24, 2020, 03:40:03 pm
Hi,

I updated the HOWTO to make more use of the web interface and therefore of the automatic firewall rules and web interface validation.

Only the rightgroups activation and handling and respective Virtual IPv4/IPv6 address pool assignment is now done within the include files.

IPv6 and IPv4 IPsec responder addresses work as well.

All the best
Rainer
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on August 26, 2020, 12:17:06 pm
I disabled the dead peer detection (DPD) on the VPN service again as the server cannot restart the connection anyway if the client moves between networks. The mobile VPN clients take care of the connection better - either by Mobile IKE (MOBIKE) or by using DPD on their side.
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on September 04, 2020, 12:01:16 pm
I experienced broken connections and disconnects. So I adjusted the configuration
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: zhuoerh on May 09, 2023, 08:23:04 am
How does this guide transfer to the new swanctl.conf, since the ipsec.conf is now considered legacy and not generated by the system anymore?
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on May 09, 2023, 08:28:55 am
I haven’t upgraded yet and haven’t had a look at new options yet.

As soon as I upgraded I will update this how-to.
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on September 05, 2023, 11:35:32 am
Currently trying to get it into standard with this...
https://github.com/opnsense/core/issues/3295
Title: Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
Post by: rainerle on September 08, 2023, 10:10:54 am
There is now a pull request that brings everything required into the WebGUI.
https://github.com/opnsense/core/pull/6826

As soon as the PR is in main I am going to update the HowTo...