From 404b1f5effbd90ffc9d6b3fc26d2e37215fc762e Mon Sep 17 00:00:00 2001 From: Monviech <79600909+Monviech@users.noreply.github.com> Date: Sat, 16 Sep 2023 21:28:15 +0200 Subject: [PATCH] Update ipsec-swanctl-rw-ikev2-eap-mschapv2.rst Populated IPsec connection settings for roadwarriors --- .../ipsec-swanctl-rw-ikev2-eap-mschapv2.rst | 262 +++++++++++++++++- 1 file changed, 260 insertions(+), 2 deletions(-) diff --git a/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst b/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst index 0dd0afed..0553acd8 100644 --- a/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst +++ b/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst @@ -26,6 +26,8 @@ The example users are ``John`` and ``Laura``. The example FQDN is ``vpn1.example .. Hint:: Any IPv6 functionality is optional. If you don't want to use IPv4+IPv6 dual stack, just skip all IPv6 addresses/networks and focus on IPv4. Its also possible to skip IPv4 and create native IPv6 tunnels. +.. Warning:: + Don't copy security relevant configuration parameters like passwords into your configuration. Create your own! ----------------------------- Methods for Roadwarrior Setup @@ -49,6 +51,9 @@ Methods for Roadwarrior Setup Prerequisites ------------- +.. Attention:: + In all following examples, parameters that should be empty or at default are **omitted**. *Don't change them without a good reason.* + System: Trust: Authorities -------------------------- 
@@ -73,7 +78,7 @@ Create a certificate authority which will be used to create server certificates System: Trust: Certificates --------------------------- -Create a server certificate for your IPsec VPN. The lifetime of the certificate is around 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore. +Create a server certificate for your IPsec VPN. The lifetime of the certificate is 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore. ============================================== ==================================================================================================== **Method:** Create an internal Certificate @@ -83,7 +88,7 @@ Create a server certificate for your IPsec VPN. The lifetime of the certificate **Key Type:** RSA **Key lenght (bits):** 2048 **Digest Algorithm:** SHA256 - **Lifetime (days):** 397 + **Lifetime (days):** 365 **Country Code:** Enter your Country Code **State or Province:** Enter Your State **City:** Enter your City 
@@ -170,15 +175,104 @@ Method 1 - Shared IP pool for all roadwarriors 1.1 - VPN: IPsec: Connections: Pools ------------------------------------ +Create an IPv4 pool that all roadwarriors will share. This configuration will result in 256 usable IPv4 addresses. Please note that this is not a network, it's a pool of IP addresses that will be leased. + + ============================================== ==================================================================================================== + **Name:** pool-roadwarrior-ipv4 + **Network:** 172.16.203.0/24 + ============================================== ==================================================================================================== + +Create an IPv6 pool that all roadwarriors will share. This configuration will result in 256 usable IPv6 addresses. + + ============================================== ==================================================================================================== + **Name:** pool-roadwarrior-ipv6 + **Network:** 2001:db8:1234:ec::/120 + ============================================== ==================================================================================================== + +.. Note:: + The IPv6 pool is not a /64 Prefix, because it's used to define a pool of IPv6 addresses that can be used as leases. Prefix /120 means there are 256 IPv6 addresses available. The hard limit of strongswan pools is Prefix /97. + 1.2 - VPN: IPsec: Pre-Shared Keys --------------------------------- +Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection. 
+ + ============================================== ==================================================================================================== + **Local Identifier:** ``john@vpn1.example.com`` + **Pre-Shared Key:** 48o72g3h4ro8123g8r + **Type:** EAP + ============================================== ==================================================================================================== + + ============================================== ==================================================================================================== + **Local Identifier:** ``laura@vpn1.example.com`` + **Pre-Shared Key:** LIUAHSDq2nak!12 + **Type:** EAP + ============================================== ==================================================================================================== +.. Note:: + Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to. + 1.3 - VPN: IPsec: Connections ----------------------------- +- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work. + +- Press **+** to add a new Connection, enable **advanced mode** with the toggle. + +**General Settings:** + + ============================================== ==================================================================================================== + **Proposals:** aes256-sha256-modp2048 (Disable default!) 
+ **Version:** IKEv2 + **Local addresses:** ``vpn1.example.com`` + **UDP encapsulation:** X + **Rekey time:** 2400 + **DPD delay:** 30 + **Pools:** ``pool-roadwarrior-ipv4`` ``pool-roadwarrior-ipv6`` + **Keyingtries:** 0 + **Description:** roadwarrior-eap-mschapv2-p1 + ============================================== ==================================================================================================== + +**Save** to reveal the next options: + +**Local Authentication:** + + ============================================== ==================================================================================================== + **Round:** 0 + **Authentication:** Public Key + **Id:** vpn1.example.com + **Certificates:** vpn1.example.com + **Description:** local-vpn1.example.com + ============================================== ==================================================================================================== +**Remote Authentication:** + + ============================================== ==================================================================================================== + **Round:** 0 + **Authentication:** EAP-MSCHAPv2 + **EAP Id:** ``%any`` + **Description:** remote-eap-mschapv2 + ============================================== ==================================================================================================== + +**Children:** + +.. Note:: + This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak. 
+ +Press **+** to add a new Child, enable **advanced mode** with the toggle. + + ============================================== ==================================================================================================== + **Start action:** Trap + **ESP proposals:** aes256-sha256-modp2048 (Disable default!) + **Local:** ``0.0.0.0/0`` ``::/0`` + **Rekey time (s):** 600 + **Description:** roadwarrior-eap-mschapv2-p2 + ============================================== ==================================================================================================== + +**Save** and **Apply** the configuration. + +Now you can skip to :ref:`Firewall rules, Outbound NAT and DNS ` .. _rw-swanctl-method2: 
@@ -190,14 +284,178 @@ Method 2 - Static IP address per roadwarrior 2.1 - VPN: IPsec: Connections: Pools ------------------------------------ +Create an individual IPv4 pool for each roadwarrior. This configuration will result in 1 usable IPv4 address. + + ============================================== ==================================================================================================== + **Name:** pool-roadwarrior-john-ipv4 + **Network:** 172.16.203.1/32 + ============================================== ==================================================================================================== + + ============================================== ==================================================================================================== + **Name:** pool-roadwarrior-laura-ipv4 + **Network:** 172.16.203.2/32 + ============================================== ==================================================================================================== + +Create an individual IPv6 pool for each roadwarrior. This configuration will result in 1 usable IPv6 address. + + ============================================== ==================================================================================================== + **Name:** pool-roadwarrior-john-ipv6 + **Network:** 2001:db8:1234:ec::1/128 + ============================================== ==================================================================================================== + + ============================================== ==================================================================================================== + **Name:** pool-roadwarrior-laura-ipv6 + **Network:** 2001:db8:1234:ec::2/128 + ============================================== ==================================================================================================== + +.. Note:: + If a roadwarrior has more than one device, you can provide them a larger pool. 
For example /31 would result in 2 IPv4 addresses, and /127 in 2 IPv6 addresses. You will have to keep track of this yourself though, don't configure pools that overlap. + 2.2 - VPN: IPsec: Pre-Shared Keys --------------------------------- +Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection. + + ============================================== ==================================================================================================== + **Local Identifier:** ``john@vpn1.example.com`` + **Pre-Shared Key:** 48o72g3h4ro8123g8r + **Type:** EAP + ============================================== ==================================================================================================== + + ============================================== ==================================================================================================== + **Local Identifier:** ``laura@vpn1.example.com`` + **Pre-Shared Key:** LIUAHSDq2nak!12 + **Type:** EAP + ============================================== ==================================================================================================== + +.. Note:: + Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to. + 2.3 - VPN: IPsec: Connections ----------------------------- +- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work. + +**2.3.1 Create connection for john@vpn1.example.com:** + +- Press **+** to add a new Connection, enable **advanced mode** with the toggle. + +**General Settings:** + + ============================================== ==================================================================================================== + **Proposals:** aes256-sha256-modp2048 (Disable default!) 
+ **Version:** IKEv2 + **Local addresses:** ``vpn1.example.com`` + **UDP encapsulation:** X + **Rekey time:** 2400 + **DPD delay:** 30 + **Pools:** ``pool-roadwarrior-john-ipv4`` ``pool-roadwarrior-john-ipv6`` + **Keyingtries:** 0 + **Description:** roadwarrior-john-eap-mschapv2-p1 + ============================================== ==================================================================================================== + +**Save** to reveal the next options: + +**Local Authentication:** + + ============================================== ==================================================================================================== + **Round:** 0 + **Authentication:** Public Key + **Id:** vpn1.example.com + **Certificates:** vpn1.example.com + **Description:** local-vpn1.example.com + ============================================== ==================================================================================================== + +**Remote Authentication:** + + ============================================== ==================================================================================================== + **Round:** 0 + **Authentication:** EAP-MSCHAPv2 + **EAP Id:** ``john@vpn1.example.com`` + **Description:** remote-john-eap-mschapv2 + ============================================== ==================================================================================================== + +**Children:** + +.. Note:: + This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak. 
+ +Press **+** to add a new Child, enable **advanced mode** with the toggle. + + ============================================== ==================================================================================================== + **Start action:** Trap + **ESP proposals:** aes256-sha256-modp2048 (Disable default!) + **Local:** ``0.0.0.0/0`` ``::/0`` + **Rekey time (s):** 600 + **Description:** roadwarrior-john-eap-mschapv2-p2 + ============================================== ==================================================================================================== + +**Save** and **Apply** the configuration. + + +**2.3.2 Create connection for laura@vpn1.example.com:** + +- Press **+** to add a new Connection, enable **advanced mode** with the toggle. + +**General Settings:** + + ============================================== ==================================================================================================== + **Proposals:** aes256-sha256-modp2048 (Disable default!) 
+ **Version:** IKEv2 + **Local addresses:** ``vpn1.example.com`` + **UDP encapsulation:** X + **Rekey time:** 2400 + **DPD delay:** 30 + **Pools:** ``pool-roadwarrior-laura-ipv4`` ``pool-roadwarrior-laura-ipv6`` + **Keyingtries:** 0 + **Description:** roadwarrior-laura-eap-mschapv2-p1 + ============================================== ==================================================================================================== + +**Save** to reveal the next options: + +**Local Authentication:** + + ============================================== ==================================================================================================== + **Round:** 0 + **Authentication:** Public Key + **Id:** vpn1.example.com + **Certificates:** vpn1.example.com + **Description:** local-vpn1.example.com + ============================================== ==================================================================================================== + +**Remote Authentication:** + + ============================================== ==================================================================================================== + **Round:** 0 + **Authentication:** EAP-MSCHAPv2 + **EAP Id:** ``laura@vpn1.example.com`` + **Description:** remote-laura-eap-mschapv2 + ============================================== ==================================================================================================== + +**Children:** + +.. Note:: + This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak. 
+ +Press **+** to add a new Child, enable **advanced mode** with the toggle. + + ============================================== ==================================================================================================== + **Start action:** Trap + **ESP proposals:** aes256-sha256-modp2048 (Disable default!) + **Local:** ``0.0.0.0/0`` ``::/0`` + **Rekey time (s):** 600 + **Description:** roadwarrior-laura-eap-mschapv2-p2 + ============================================== ==================================================================================================== + +**Save** and **Apply** the configuration. + + +.. Note:: + You have to repeat this workflow for each additional roadwarrior you create. They all need new pools and new connections. + +.. _rw-swanctl-fw-nat-dns: ------------------------------------ Firewall rules, Outbound NAT and DNS
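Review bot: the new Warning in hunk @@ -26,6 +26,8 @@ tells readers not to copy passwords from the guide, but the Pre-Shared Key tables added later in this same patch carry concrete-looking values (`**Pre-Shared Key:** 48o72g3h4ro8123g8r` and `**Pre-Shared Key:** LIUAHSDq2nak!12`); obvious placeholders such as `<password-for-john>` would make the warning self-enforcing. While in this hunk, the unchanged Hint line reads "Its also possible to skip IPv4", where "It's" is meant.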
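Review bot: the Attention block in hunk @@ -49,6 +51,9 @@ says omitted parameters stay at default and should not be changed, yet the connection and child tables later in the patch say `(Disable default!)` for the Proposals and ESP proposals fields. Add a sentence here, or next to those rows, stating that the preselected default proposal is the one deliberate exception that must be unticked, so the two instructions do not read as contradicting each other.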
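Review bot: the reworded sentence in hunk @@ -73,7 +78,7 @@ is a comma splice; suggest `The lifetime of the certificate is 1 year; if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.` The change from "around 1 year" to "1 year" is consistent with the 365-day lifetime set in the following hunk.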
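Review bot: the 397 to 365 change in hunk @@ -83,7 +88,7 @@ matches the prose above; while touching this table, the unchanged row label `**Key lenght (bits):** 2048` is misspelled and should read `**Key length (bits):** 2048`.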
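Review bot: in the Method 1 hunk (@@ -170,15 +175,104 @@) the second Pre-Shared Key table is followed directly by `.. Note::` with no blank line between the closing `=====` border and the directive; docutils reports "Blank line required after table" for this and may misparse the note, and the equivalent block in the Method 2 hunk does include the blank line, so add one here for consistency. Also, the closing cross reference in this hunk appears as `:ref:\`Firewall rules, Outbound NAT and DNS \`` without an explicit `<rw-swanctl-fw-nat-dns>` target, although that label is defined further down in the Method 2 hunk; with custom link text the target must be given explicitly or the reference will not resolve.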
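Review bot: the Method 2 hunk (@@ -190,14 +284,178 @@) never explains why Remote Authentication now uses `**EAP Id:** \`\`john@vpn1.example.com\`\`` and `**EAP Id:** \`\`laura@vpn1.example.com\`\`` instead of the `%any` used in Method 1, even though this is the only setting that distinguishes the two otherwise identical connections and therefore ties each user to their own /32 and /128 pool; a reader who copies `%any` from Method 1 would end up with a connection that matches any user. Suggest one sentence after the first Remote Authentication table in 2.3.1, for example: "The EAP Id must match the user's Pre-Shared Key identifier exactly, since it is what selects this connection and its dedicated pools for that user." Minor: there are two consecutive blank lines before `**2.3.2 Create connection for laura@vpn1.example.com:**` and before the final `.. Note::`; one suffices.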