Hi again,
I'm still trying to make it work for roadwarriors.
VPN server has IP address A.B.9.73/23. It is OpenBSD6.1.
I generated certs:
# hostname
serv73
# ikectl ca vpn create (CN = serv73)
# ikectl ca vpn install
# ikectl ca vpn certificate A.B.9.73 create
# ikectl ca vpn certificate A.B.9.73 install
# ikectl ca vpn certificate A.B.9.76 create #(CN = A.B.9.76)
# ikectl ca vpn certificate A.B.9.76 export
After installing A.B.9.76.zip in Win7 I can connect to VPN server from any IP
address that is in range A.B.9.0/23.
I can't connect from IP that is NOT from A.B.9.0/23.
I tried to connect from many IPs (public and behind NAT) but every time I got
"809 error".
Can anyone please help me with solving that problem?
# cat /etc/iked.conf
[snip]
ikev2 "roadWarrior" passive esp \
from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
srcid A.B.9.73 \
config address 10.0.70.128 \
tag "$name-$id"
# iked -n
configuration OK
# cat /etc.pf.conf
ext_if = "vr0"
lan_if = "vr1" # vr1
lan_local = $lan_if:network # 10.0.73.0/24
ext_ip = "A.B.9.73"
bud = "A.B.9.0/25"
rdkhome_wy = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port = "1071"
icmp_types = "{ echoreq, unreach }"
table <vpn_peers> const { A.B.9.74, A.B.C.75 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic
match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to
$ext_if port $ssh_port \
set prio (1, 6) keep state
pass out quick on egress proto esp from (egress:0) to <vpn_peers>
keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500,
4500} keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0)
keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500,
4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state
pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep
state
block return in on ! lo0 proto tcp to port 6000:6010
# iked -dvv
ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500
policy 'roadWarrior' id 0, 528 bytes
ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x35e2e7f614678913 0x0000000000000000
E.F.G.H:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x0000000000000000
A.B.9.73:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f
A.B.9.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x35e2e7f614678913 0x177a4400d017d93f
E.F.G.H:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x177a4400d017d93f
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 0,
325 bytes
config_free_proposals: free 0x8134e000
Generating and installing certificate for E.F.G.H doesn't make any change.
On Sat, 27 Jan 2018 19:55:46 +0100
Radek <alee...@gmail.com> wrote:
> Hello,
>
> I have configured OpenIKED Site-to-Site VPN between two gateways:
> serv73 - OBSD6.1, IP A.B.C.73,
> serv75 - OBSD6.2, IP A.B.C.75.
> I seems to work fine.
>
> I'm trying to set up VPN for a few road warriors in one of these gateways. As
> much as it is possible authorisation should be users's IP independent. If I
> get it right certificate is always binded to cetrain IP so I need to use
> login and password authentication.
> After spending some time with playing around that I can not find the proper
> configutarion.
> I know the reason for that is a lack of certificate (I don't have any idea
> what cert it is) but maybe something else that I have missed or did it wrong.
> I have read manuals but not everything is clear for me.
>
> On win7 I got 809 error.
> Client is configured as below:
> https://hide.me/en/vpnsetup/windows7/ikev2/
>
> Any help appreciated :)
>
> My configs:
>
> [root@@serv75/home/rdk:]iked -dv
> ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500
> policy 'roadwarrior' id 0, 528 bytes
> ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid
> 0, 325 bytes
> ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500
> policy 'roadwarrior' id 1, 764 bytes
> ca_getreq: no valid local certificate found
> ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500
> policy 'roadwarrior' id 1, 764 bytes
> ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500
> policy 'roadwarrior' id 1, 764 bytes
>
>
> root@@serv75/home/rdk:]cat /etc/iked.conf
> remote_gw73 = "A.B.C.73" # serv33
> remote_lan73 = "10.0.73.0/24"
> local_gw = "10.0.75.254" # serv75
> local_lan = "10.0.75.0/24"
> dns1 = "8.8.8.8"
>
> ikev2 active esp from $local_gw to $remote_gw73 \
> from $local_lan to $remote_lan73 peer $remote_gw73 \
> psk "test123"
>
> user "test" "pass1234"
> ikev2 "roadwarrior" passive esp \
> from 0.0.0.0/0 to 10.0.75.0/24 \
> local any peer any \
> eap "mschap-v2" \
> config address 10.0.75.123 \
> config name-server 8.8.8.8 \
> tag "$name-$id"
>
> [root@@serv75/home/rdk:]cat /etc/pf.conf
> ext_if = "vr0"
> lan_if = "vr1" # vr1
> lan_local = $lan_if:network # 10.0.75.0/24
> ext_ip = "A.B.C.75"
> bud = "A.B.C.0/25"
> rdkhome_wy = "YY.YY.YY.YY"
> rdkhome_mon = "XX.XX.XX.XX"
> ssh_port = "1071"
> icmp_types = "{ echoreq, unreach }"
> table <vpn_peers> const { A.B.C.73, A.B.C.74 }
> set skip on { lo, enc0 }
> block return on $ext_if # block stateless traffic
> match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
> pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to
> $ext_if port $ssh_port \
> set prio (1, 6) keep state
> pass out quick on egress proto esp from (egress:0) to <vpn_peers>
> keep state
> pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500,
> 4500} keep state
> pass in quick on egress proto esp from <vpn_peers> to (egress:0)
> keep state
> pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500,
> 4500} keep state
> pass out quick on trust received-on enc0 keep state
> pass out log proto tcp set prio (1, 6) keep state
> pass log proto udp set prio (1, 6) keep state
> pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
> pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep
> state
> block return in on ! lo0 proto tcp to port 6000:6010
>
> [root@@serv75/home/rdk:]cat /etc/hostname.vr0
> inet A.B.C.75 255.255.254.0 NONE description "WAN75"
> group trust
>
> [root@@serv75/home/rdk:]cat /etc/hostname.vr1
> inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
> group trust
>
> [root@@serv75/home/rdk:]cat /etc/hostname.enc0
> up
>
> [root@@serv75/home/rdk:]cat /etc/rc.conf.local
> iked_flags=YES
> ntpd_flags="-s"
> dhcpd_flags="vr1 vr2 vr3"
>
> [root@@serv75/home/rdk:]cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
>
>
> --
> radek
--
radek
