On Fri, May 11, 2012 at 20:39 +0400, Pavel Shvagirev wrote:
> Hi everyone.
> 
> Trying to build ikev2 vpn between openbsd 5.1 and windows 7 via
> certificates. Windows stops at #13843 error message - "Invalid payload
> received". Iked -vd output has a 'sa_state: VALID -> ESTABLISHED'
> meaning that 2nd phase is ok but just before that line I have:
> 
> ca_getreq: no valid local certificate found
> 
> What local cert does it mean? 'ikectl show ca certificates' output is ok
> - it returns all the certs that I have installed/exported/imported on
> windows side
> 
> Did install both obsd's and win7's certificates like
> 
> ikectl ca caname certificate openbsdmachine create | install | export
> ikectl ca caname certificate win7machine create | install | export
> 
> - just like it's said in the man page.
> 
> Google has just one link for that queue - openbsd sources =)
> 
> -- 
> Best regards,
> Pavel Shvagirev
> skype: pavel.shvagirev
> 

OK, this is how you do it.  First of all, fun facts about Windows 7
[simple VPN client]:

0) It CANNOT do PSK;
1) It REQUIRES certificates regardless of whether you want to do EAP
   or not;
2) It has TWO ipsec clients and both(?) can do IKEv2, but these
   instructions are for the simple one found in the Network
   Connections Center (or whatever it's called).
3) You need to supply windows with two certificates: one for CA,
   one for the server.

Also please make sure that the time on the CA is somewhat sensible
from the client's point of view, so that certificates won't be invalid
because your time is not synchronized.

To setup a CA on the same host as iked do the following:

1) Copy the template /usr/src/usr.sbin/ikectl/ikeca.cnf to /etc/ssl
   and edit as appropriate;

2) Create and install CA certificate:

   ikectl ca vpn create
   ikectl ca vpn install

3) Create certificates for the server and clients.  Make sure that
   host specification matches the SourceID specification in iked.conf.
   You can use IP addresses, but iked defaults to FQDN/hostname.

   ikectl ca vpn certificate 10.1.0.1 create  # server
   ikectl ca vpn certificate 10.5.0.1 create  # host

4) Install the server certificate on the server:

   ikectl ca vpn certificate 10.1.0.1 install

5) To export the client certificate in a ZIP'ed PFX format, you need
   to install zip utility (pkg_add -i zip).

   ikectl ca vpn certificate 10.5.0.1 export

6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
   by double-clicking on them.  Make sure that certificates are valid
   in the MMC Certificates Snap-In.

7) Configure iked to do RSA auth w/o EAP (for the start):

    ikev2 "win7" passive esp \
        from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
        srcid 10.1.0.1 \
        config address 192.168.1.100 \
        config name-server 192.168.0.1

   Here, 192.168.0.0/24 is the network the client is getting access to,
   192.168.1.0/24 is a "DHCP"-like network from which the client is
   getting an IP address (192.168.1.100 specifically).  Please
   note that the code to turn this awkwardness into a real (DHCP-like)
   address pool specification is not written yet.  Note that srcid
   has to match the host that the certificate is issued to, otherwise
   Windows will refuse to connect.

   Once you do that you can load iked and see that it hooks up the
   server certificate (in the iked -dvv output that is).

8) Now on the windows box, go to the Network Connections Center
   and create an IKEv2 VPN connection with the client.  Make sure
   to check the Certificate radio button on the Security tab in
   the connection properties, so that you won't do EAP.

9) Start the connection.

10) Profit!!!

PS.

If someone thinks that this might be turned into some sort of a
howto or FAQ entry or whatever, please feel free to reuse any
piece of text.  Attribution is welcomed but not required.
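The two failure modes the thread turns on (srcid not matching the host the certificate was issued to, and a certificate that is outside its validity window because clocks are not synchronized) can be checked before iked is even started. The following is an added example, not iked's or ikectl's own code: it is a small model of the local-certificate selection that produces the "ca_getreq: no valid local certificate found" message. The `LocalCert` class, the `parse_srcid`/`select_local_cert`/`diagnose` helpers and the constructed certificate list are assumptions made for illustration; the iked.conf policy text is the one from the message above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import re

# Hypothetical model of an installed local certificate (assumption: only the
# subject CN and the validity window matter for the check demonstrated here).
@dataclass
class LocalCert:
    subject_cn: str          # the host given to "ikectl ca vpn certificate <host> create"
    not_before: datetime
    not_after: datetime

# The ikev2 policy from the message above, used as the sample configuration.
IKED_CONF = """
ikev2 "win7" passive esp \\
    from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \\
    srcid 10.1.0.1 \\
    config address 192.168.1.100 \\
    config name-server 192.168.0.1
"""

# Constructed sample: the server certificate for 10.1.0.1, valid for a year
# starting the day before "now".
NOW = datetime(2012, 5, 12, 12, 0)
INSTALLED: List[LocalCert] = [
    LocalCert("10.1.0.1", NOW - timedelta(days=1), NOW + timedelta(days=365)),
]

def parse_srcid(conf: str) -> Optional[str]:
    """Pull the srcid out of an ikev2 policy block in iked.conf (hypothetical parser)."""
    m = re.search(r"\bsrcid\s+(\S+)", conf)
    return m.group(1) if m else None

def select_local_cert(certs: List[LocalCert], srcid: str, now: datetime) -> Optional[LocalCert]:
    """Return the first installed certificate issued to srcid whose validity
    window contains `now`, or None: the situation iked reports as
    'ca_getreq: no valid local certificate found'."""
    for c in certs:
        if c.subject_cn != srcid:
            continue                      # issued to a different host than srcid
        if not (c.not_before <= now <= c.not_after):
            continue                      # clock skew or expired/not-yet-valid cert
        return c
    return None

def diagnose(certs: List[LocalCert], conf: str, now: datetime) -> str:
    """Explain why a given policy and certificate set would or would not
    give iked a usable local certificate."""
    srcid = parse_srcid(conf)
    if srcid is None:
        return "no srcid in policy; iked would fall back to the FQDN/hostname"
    cert = select_local_cert(certs, srcid, now)
    if cert is not None:
        return f"ok: using certificate for {cert.subject_cn}"
    names = [c.subject_cn for c in certs]
    if srcid not in names:
        return f"no valid local certificate found: srcid {srcid} matches none of {names}"
    return (f"no valid local certificate found: certificate for {srcid} "
            f"is outside its validity window at {now:%Y-%m-%d %H:%M}")

if __name__ == "__main__":
    print(diagnose(INSTALLED, IKED_CONF, NOW))
    # srcid pointing at the client's host instead of the server's
    print(diagnose(INSTALLED, IKED_CONF.replace("10.1.0.1", "10.5.0.1"), NOW))
    # server clock a month behind the CA that issued the certificate
    print(diagnose(INSTALLED, IKED_CONF, NOW - timedelta(days=30)))
```

Running the block prints one "ok" line followed by the two failure diagnoses: the first because srcid names a host no installed certificate was issued to, the second because the certificate's not-before date is still in the future from the server's point of view, which is exactly the time-synchronization caveat above.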
