HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
rainerle:
Hi everybody,
We are live - since 14 Mar 2019 - with our HA OPNsense 19.1.4 setup. Now I wanted to share our specific IPsec IKEv2 mobile client setup. It works for IPv4 and IPv6.
Our requirements:
- VPN login using accounts maintained already in a Radius server.
- No installation of additional software on the clients.
- No installation of certificates on the clients - all the user has to know is his user ID and password.
- Separate IP pools per user group. Access rights to some systems on our network are based on addresses of these IP pools.
- Split tunneling for internal and external IP addresses. External since some partners only allow access using our firewalls uplink IP address.
- Split DNS since we maintain internal DNS domains.
- Allow more than one connection per user ID for users (Laptop and mobile phone concurrent use...)
Since 19.1.7 we are able to maintain a file based IPsec configuration using StrongSwan include files.
So this is how it looks in short:
- Create a Let's Encrypt Server certificate for the IPsec responder FQDN (vpn.contoso.com) with A and AAAA DNS entry
- Configure VPN->IPsec->Mobile Client using a Radius server as backend, create phase 1 using EAP-RADIUS and then create one IPv4 and one IPv6 phase 2 default tunnel. These are then referenced with "also" in separate include.d configurations.
- Create a Phase1 per Radius class (which is the group) using an include file
- Create multiple Phase2 per Phase1 for the split tunneling using an include file
- Configure the StrongSwan Radius plugin to use the class_group using an include file (https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Group-selection )
OPNsense Configuration:
To let the clients know about the Split DNS we configured "DNS Default Domain", "Split DNS" and "DNS Servers" in VPN->IPsec->Mobile Clients.
I include our config files and the generated IPsec config files. The external IP addresses have been replaced with some other IPs. The domain names are replaced as well.
Client Configuration:
Windows 10:
I attached the PowerShell script we use to configure our Windows 10 clients. It is copied using a robocopy computer group policy script and then executed every time the user logs onto the laptop using a user GPO.
Apple Devices (MacOS and iOS):
Since 19.1.5 the clients just have to configure an IKEv2 VPN with vpn.contoso.com as Server and Remote ID and pass their User ID and Password. Split tunnel and DNS are configured automatically from the responder's IKEv2 payload.
There are two bugs though:
- The split DNS domain names are added automagically to the DNS search suffixes.
- DNS A records are resolved properly with the Split DNS server. DNS SRV records are not (see https://communities.apple.com/de/thread/250249906 ).
Android Devices:
Install the StrongSwan App, configure and you are good to go!
https://play.google.com/store/apps/details?id=org.strongswan.android
Linux clients:
Until I found a long outstanding bug in the Ubuntu LTS version I could not get them to work. See https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705 .
But then it is fairly simple:
- sudo apt install network-manager-strongswan libstrongswan-standard-plugins libcharon-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins dnsmasq
- Configure IKEv2 VPN in Network Manager using EAP. Tick "assign internal IP" and give user name and password.
- Split DNS (use dnsmasq as local DNS server and set specific DNS server per DNS domain name)
- Disable dnsmasq starting as a system service (systemctl disable dnsmasq)
- Add "dns=dnsmasq" in the main section in /etc/NetworkManager/NetworkManager.conf
- Add "server=/internal.contoso.com/10.20.30.1" in /etc/NetworkManager/dnsmasq.d/contoso-vpn.conf. Do so for all further internal DNS domain names.
- pkill -9 charon-nm if there is IPsec plugin trouble (sudo journalctl -f during VPN connect is your friend...)
Chromebooks:
No solution yet. Split tunnel and split DNS do not seem to work using the StrongSwan Android App.
Best for now to star https://bugs.chromium.org/p/chromium/issues/detail?id=715622 .
Updated on 24.8.2020 to use the web interface for most of it and only adjust it to use Radius-EAP's rightgroups group assignment. IPv4 and IPv6 are working now as well - the VPN responder FQDN needs an A and AAAA DNS entry.
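As an added illustration of the include-file layout described in the post above (this is example configuration written for this page, not rainerle's attached files and not OPNsense's generated output): a strongSwan ipsec.conf include with one shared template conn, one conn per Radius class selected through rightgroups, and the strongswan.conf snippet that enables class_group for the eap-radius plugin. The file paths, conn names, group names, pool and subnet addresses and the Radius server address are all assumptions; only the FQDN vpn.contoso.com comes from the post.

```conf
# ipsec.opnsense.d/mobile-groups.conf   (hypothetical path; example only)

config setup
    # Allow the same user ID to be connected from a laptop and a phone concurrently.
    uniqueids = no

# Shared settings for every EAP-RADIUS mobile client. It is never loaded on
# its own (auto=ignore); the per-group conns below pull it in with "also".
conn mobile-template
    keyexchange = ikev2
    left = %any
    leftid = vpn.contoso.com           # must equal the Remote ID the clients configure
    leftcert = vpn.contoso.com.crt     # the Let's Encrypt server certificate (assumed file name)
    leftsendcert = always
    leftauth = pubkey
    right = %any
    rightid = %any
    rightauth = eap-radius
    eap_identity = %identity           # use the EAP identity for rightgroups / pool selection
    rightdns = 10.20.30.1              # internal DNS server handed out to the client (assumed)
    # Split tunnel: only these networks are offered as traffic selectors.
    # 203.0.113.0/24 stands in for a partner network that must be reached via the firewall uplink.
    leftsubnet = 10.20.30.0/24,203.0.113.0/24,2001:db8:30::/64
    rightsubnet = 0.0.0.0/0,::/0
    auto = ignore

# One conn per Radius class. After EAP succeeds strongSwan re-selects the conn
# whose rightgroups contains the group returned in the Class attribute, and the
# client gets an address from that conn's pool (one IPv4 and one IPv6 pool each).
conn mobile-staff
    also = mobile-template
    rightgroups = staff
    rightsourceip = 10.20.40.0/24,2001:db8:40::/64
    auto = add

conn mobile-admins
    also = mobile-template
    rightgroups = admins
    rightsourceip = 10.20.41.0/24,2001:db8:41::/64
    # Admins additionally reach the management network (assumed 10.20.50.0/24) through the tunnel.
    leftsubnet = 10.20.30.0/24,10.20.50.0/24,203.0.113.0/24,2001:db8:30::/64
    auto = add

# strongswan.opnsense.d/eap-radius.conf   (hypothetical path; example only)
charon {
    plugins {
        eap-radius {
            # Take the group name from the Radius Class attribute so that
            # rightgroups in ipsec.conf can match on it.
            class_group = yes
            servers {
                primary {
                    address = 10.20.30.5      # assumed Radius server
                    secret = replace-me
                    auth_port = 1812
                }
            }
        }
    }
}
```

Two things to check after loading this: the Radius server must actually send a Class attribute whose value equals one of the rightgroups names, otherwise no group conn matches and the authentication is rejected; and the split tunnel only takes effect on clients that install routes from the narrowed traffic selectors (Apple and the StrongSwan Android app do, which is why those clients need no extra configuration, while Windows needs the routes added on the client side, for example with Add-VpnConnectionRoute).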
hbc:
Since this patch is new, I guess I either have to patch manually or wait for 19.1.5+
--- Code: ---# opnsense-patch dfd48d2
--- End code ---
fails. What is the correct version? I tried a4d157d, 2056e90, b57fe03. Maybe I am doing it wrong and I need other command or options.
franco:
Patches fail if they can't be applied. It's normal: think of it as puzzle pieces. Wait for the next version and the respective backport if it's not already included.
rainerle:
Hi,
to enable the includes there were three patches.
If you do not require any other patches maybe this will help.
Reset to current version without patches. This leaves your settings alone and should bring you to 19.1.4.
--- Code: ---pkg install -f opnsense
--- End code ---
Apply the three patches in order
--- Code: ---opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2
--- End code ---
And then save and apply the IPsec configuration in the web interface.
Then move your files into the include directories and see if that works for you.
hbc:
--- Quote ---opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2
--- End quote ---
This bunch of patches worked. Now I will see whether includes work. How about HA? Do I have to sync ipsec.opnsense.d folder myself or is it done by config sync?