HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group

[rainerle]

Hi everybody,

we are live - since 14 Mar 2019 - with our HA OPNsense 19.1.4 setup. Now I wanted to share our specific IPsec IKEv2 mobile client setup. It works for IPv4 and IPv6 .

Our requirements:
- VPN login using accounts maintained already in a Radius server.
- No installation of additional software on the clients.
- No installation of certificates on the clients - all the user has to know is his user ID and password.
- Separate IP pools per user group. Access rights to some systems on our network are based on addresses of these IP pools.
- Split tunneling for internal and external IP addresses. External since some partners only allow access using our firewalls uplink IP address.
- Split DNS since we maintain internal DNS domains.
- Allow more than one connection per user ID for users (Laptop and mobile phone concurrent use...)

Since 24.1.8 we are able to maintain this using the WebGUI and are based on this documentation https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

Previous configurations up to 22.7.11:

Since 19.1.7 we are able to maintain a file based IPsec configuration using StrongSwan include files.

So how does it look like in short:
- Create a Let's Encrypt Server certificate for the IPsec responder FQDN (vpn.contoso.com) with A and AAAA DNS entry
- Configure VPN->IPsec->Mobile Client using a Radius server as backend, create phase 1 using EAP-RADIUS and then create one IPv4 and one IPv6 phase 2 default tunnel. This is then used by "also" in separate include.d configurations.
- Create a Phase1 per Radius class (which is the group) using an include file
- Create multiple Phase2 per Phase1 for the split tunneling using an include file
- Configure the StrongSwan Radius plugin to use the class_group using an include file (https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Group-selection )


OPNsense Configuration:

To let the clients know about the Split DNS we configured "DNS Default Domain", "Split DNS" and "DNS Servers" in VPN->IPsec->Mobile Clients.

I include our config files and the generated IPsec config files. The external IP addresses have been replaced with some other IPs. The domain names are replaced as well.


Client Configuration:
Windows 10:

I attached the PowerShell script we use to configure our Windows 10 clients. It is copied using a robocopy computer group policy script and then executed everytime the user logs onto the laptop using a user GPO.

Apple Devices (MacOS and iOS):

Since 19.1.5 the Clients just have to configure a IKEv2 VPN with vpn.contoso.com as Server and Remote ID and pass their User ID and Password. Split tunnel and DNS are configured automatically from the Responders IKEv2 payload.
There are two bugs though:
- The split DNS domain names are added automagically to the DNS search suffixes.
- DNS A records are resolved properly with the Split DNS server. DNS SRV records are not (see https://communities.apple.com/de/thread/250249906 ).

Android Devices:

Install the StrongSwan App, configure and you are good to go!
https://play.google.com/store/apps/details?id=org.strongswan.android

Linux clients:

Until I found a long outstanding bug in the Ubuntu LTS version I could not get them to work. See https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705 .

But then it is fairly simple:
- sudo apt install network-manager-strongswan libstrongswan-standard-plugins libcharon-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins dnsmasq
- Configure IKEv2 VPN in Network Manager using EAP. Tick "assign internal IP" and give user name and password.
- Split DNS (use dnsmasq as local DNS server and set specific DNS server per DNS domain name)
  - Disable dnsmasq starting as a system service (systemctl disable dnsmasq)
  - Add "dns=dnsmasq" in the main section in /etc/NetworkManager/NetworkManager.conf
  - Add "server=/internal.contoso.com/10.20.30.1" in /etc/NetworkManager/dnsmasq.d/contoso-vpn.conf. Do so for all further internal DNS domain names.
- pkill -9 charon-nm if there is IPsec plugin trouble (sudo journalctl -f during VPN connect is your friend...)

Chromebooks:
No solution yet. Split tunnel and split DNS seem not to work using the StrongSwan Android App.

Best for now to star https://bugs.chromium.org/p/chromium/issues/detail?id=715622 .

Updated on 24.8.2020 to use the web interface for most and only adjust to use Radius-EAP's rightgroups group assignment. As well IPv4 and IPv6 are working now - the VPN responder FQDN needs an A and AAAA DNS entry.

[hbc]

Since this patch is new, I guess I have either to patch manually or wait for 19.1.5+

Code: [Select]

# opnsense-patch dfd48d2
fails. What is the correct version? I tried a4d157d, 2056e90,  b57fe03. Maybe I am doing it wrong and I need other command or options.

[franco]

Patches fail if they can't be applied. It's normal: think of it as puzzle pieces. Wait for the next version and the respective backport if it's not already included.

[rainerle]

Hi,

to enable the includes there were three patches.

If you do not require any other patches maybe this will help.

Reset to current version without patches. This leaves your settings alone and should bring you to 19.1.4.

Code: [Select]

pkg install -f opnsense
Apply the three patches in order

Code: [Select]

opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2

And then save and apply the IPsec Konfiguration in the webinterface.

Then move your files into the include directories and try if that works for you.

[hbc]

opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2

This bunch of patches worked. Now I will see whether includes work. How about HA? Do I have to sync ipsec.opnsense.d folder myself or is it done by config sync?

[rainerle]

The HA configuration sync only sends specific sections from the XML config file to the backup node.

So rsync for those three specific directories is how I do it currently...

And speaking of HA: IPsec connections are in case of a failover not taken over anyway. There is a StrongSwan HA plugin existing, but not implemented in OPNsense...
https://wiki.strongswan.org/projects/strongswan/wiki/highavailability
This shows the config of a active-passive setup
https://www.strongswan.org/testing/testresults/ha/active-passive/

[hbc]

Ok, finally I managed to get a working configuration. Everything done in new include directories.

Just enabled IPSEC and IKE without further configuration. So ipsec.secrets and ipsec.conf just have the include line. strongswan.conf has some more defaults.

I setup three policies like in example to assign groups via radius attribute 25 (class). This works, but it keeps the rightsourceip of the first matched entry.

Code: [Select]

Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|2> selected peer config 'mobileIPv4-ike2-Employees'
...
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> sending RADIUS Access-Request to server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received RADIUS Access-Accept from server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received group membership 'Admins' from RADIUS
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> reassigning offline lease to 'acme\admin'
The first matching entry mobileIPv4-ike2-Employees is matched. Then RADIUS is done, group assignment sent and now I expect it to switch to mobileIPv4-ike2-Admins and get an ip from admin pool. But I get ip address from mobileIPv4-ike2-Employees pool.

The RADIUS request should be done before selecting peer configuration because the peer configuration depends on the returned class attribute. What am I doing wrong?

[rainerle]

Hm, somehow the brain2brain link is not working... I failed to receive your config files

[hbc]

Haha. It is the same like in your provided ones.

ipsec.conf

Code: [Select]

config setup
  uniqueids = never

conn mobileIPv4-ike2
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = X.X.X.X
  right = %any
  leftid = vpn.gateway.local
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 172.16.0.0/24
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
  ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  leftauth = pubkey
  rightauth = eap-radius
  rightsendcert = never
  eap_identity = %any
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  reqid = 1000

conn mobileIPv4-ike2-Employees
  also = mobileIPv4-ike2
  rightgroup = "Employees"
  rightsourceip = 172.16.0.0/24
  leftsubnet = 0.0.0.0/0
  auto = add

conn mobileIPv4-ike2-Admins
  also = mobileIPv4-ike2
  rightgroup = "Admins"
  rightsourceip = 172.17.0.0/24
  leftsubnet = 0.0.0.0/0
  auto = add
strongswan.conf

Code: [Select]

starter {
    load_warning = no
}

charon {
    cisco_unity = yes
    plugins {
        eap-radius {
            servers {
                addc1 {
                    address = X.X.X.X
                    secret = "2secret"
                    auth_port = 1812
                    acct_port = 1813
                }
            }
            accounting = yes
            # Activate passing the radius class attribute as rightgroup
            class_group = yes
        }
    }
}


[rainerle]

Mmmmh, looking through your config:
- leave the reqid and rightsourceip in conn mobileIPv4-ike2 away
- The parameter rightgroup is missing a trailing s (see https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection )

I think the missing s is the problem here...

Sorry for the late reply...

[hbc]

I thing the missing s is the problem here...

Hell yeah, you were right. Just this little typo. Corrected it and now it switches to matching peer config with the wanted group.

Perfect!

So I have my ike1-legacy PSK configuration and a new ike2 configuration that works with windows build-in client.

Thx

[rainerle]

Be careful when upgrading to 19.1.5:
- https://github.com/opnsense/core/issues/3325 is included
- The creation of directories of https://github.com/opnsense/core/pull/3311 is included
- The include statement generation itself from https://github.com/opnsense/core/pull/3311 is missing!

Applying the three patches in order is still required.

Code: [Select]

opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2


[hbc]

I did intentionally not upgrade yet. Too many reports about bugs when people upgraded to 19.1.4 let me get more carefully.
Will wait a month before doing upgrades.

[rainerle]

Since 19.1.7 all required patches are included. Seems like I have to upgrade at some point next week 

[rainerle]

Executed the upgrade to 19.1.7 during lunchtime. Systems are now patch free