2
0
mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00

Update ipsec-swanctl-rw-ikev2-eap-mschapv2.rst

Populated IPsec connection settings for roadwarriors
This commit is contained in:
Monviech 2023-09-16 21:28:15 +02:00 committed by GitHub
parent 28b3f66474
commit 404b1f5eff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -26,6 +26,8 @@ The example users are ``John`` and ``Laura``. The example FQDN is ``vpn1.example
.. Hint::
Any IPv6 functionality is optional. If you don't want to use IPv4+IPv6 dual stack, just skip all IPv6 addresses/networks and focus on IPv4. Its also possible to skip IPv4 and create native IPv6 tunnels.
.. Warning::
Don't copy security relevant configuration parameters like passwords into your configuration. Create your own!
-----------------------------
Methods for Roadwarrior Setup
@ -49,6 +51,9 @@ Methods for Roadwarrior Setup
Prerequisites
-------------
.. Attention::
In all following examples, parameters that should be empty or at default are **omitted**. *Don't change them without a good reason.*
System: Trust: Authorities
--------------------------
@ -73,7 +78,7 @@ Create a certificate authority which will be used to create server certificates
System: Trust: Certificates
---------------------------
Create a server certificate for your IPsec VPN. The lifetime of the certificate is around 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
Create a server certificate for your IPsec VPN. The lifetime of the certificate is 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
============================================== ====================================================================================================
**Method:** Create an internal Certificate
@ -83,7 +88,7 @@ Create a server certificate for your IPsec VPN. The lifetime of the certificate
**Key Type:** RSA
**Key lenght (bits):** 2048
**Digest Algorithm:** SHA256
**Lifetime (days):** 397
**Lifetime (days):** 365
**Country Code:** Enter your Country Code
**State or Province:** Enter Your State
**City:** Enter your City
@ -170,15 +175,104 @@ Method 1 - Shared IP pool for all roadwarriors
1.1 - VPN: IPsec: Connections: Pools
------------------------------------
Create an IPv4 pool that all roadwarriors will share. This configuration will result in 256 usable IPv4 addresses. Please note that this is not a network, it's a pool of IP addresses that will be leased.
============================================== ====================================================================================================
**Name:** pool-roadwarrior-ipv4
**Network:** 172.16.203.0/24
============================================== ====================================================================================================
Create an IPv6 pool that all roadwarriors will share. This configuration will result in 256 usable IPv6 addresses.
============================================== ====================================================================================================
**Name:** pool-roadwarrior-ipv6
**Network:** 2001:db8:1234:ec::/120
============================================== ====================================================================================================
.. Note::
The IPv6 pool is not a /64 Prefix, because it's used to define a pool of IPv6 addresses that can be used as leases. Prefix /120 means there are 256 IPv6 addresses available. The hard limit of strongswan pools is Prefix /97.
1.2 - VPN: IPsec: Pre-Shared Keys
---------------------------------
Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection.
============================================== ====================================================================================================
**Local Identifier:** ``john@vpn1.example.com``
**Pre-Shared Key:** 48o72g3h4ro8123g8r
**Type:** EAP
============================================== ====================================================================================================
============================================== ====================================================================================================
**Local Identifier:** ``laura@vpn1.example.com``
**Pre-Shared Key:** LIUAHSDq2nak!12
**Type:** EAP
============================================== ====================================================================================================
.. Note::
Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to.
1.3 - VPN: IPsec: Connections
-----------------------------
- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work.
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
**General Settings:**
============================================== ====================================================================================================
**Proposals:** aes256-sha256-modp2048 (Disable default!)
**Version:** IKEv2
**Local addresses:** ``vpn1.example.com``
**UDP encapsulation:** X
**Rekey time:** 2400
**DPD delay:** 30
**Pools:** ``pool-roadwarrior-ipv4`` ``pool-roadwarrior-ipv6``
**Keyingtries:** 0
**Description:** roadwarrior-eap-mschapv2-p1
============================================== ====================================================================================================
**Save** to reveal the next options:
**Local Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** Public Key
**Id:** vpn1.example.com
**Certificates:** vpn1.example.com
**Description:** local-vpn1.example.com
============================================== ====================================================================================================
**Remote Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** EAP-MSCHAPv2
**EAP Id:** ``%any``
**Description:** remote-eap-mschapv2
============================================== ====================================================================================================
**Children:**
.. Note::
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Press **+** to add a new Child, enable **advanced mode** with the toggle.
============================================== ====================================================================================================
**Start action:** Trap
**ESP proposals:** aes256-sha256-modp2048 (Disable default!)
**Local:** ``0.0.0.0/0`` ``::/0``
**Rekey time (s):** 600
**Description:** roadwarrior-eap-mschapv2-p2
============================================== ====================================================================================================
**Save** and **Apply** the configuration.
Now you can skip to :ref:`Firewall rules, Outbound NAT and DNS <rw-swanctl-fw-nat-dns>`
.. _rw-swanctl-method2:
@ -190,14 +284,178 @@ Method 2 - Static IP address per roadwarrior
2.1 - VPN: IPsec: Connections: Pools
------------------------------------
Create an individual IPv4 pool for each roadwarrior. This configuration will result in 1 usable IPv4 address.
============================================== ====================================================================================================
**Name:** pool-roadwarrior-john-ipv4
**Network:** 172.16.203.1/32
============================================== ====================================================================================================
============================================== ====================================================================================================
**Name:** pool-roadwarrior-laura-ipv4
**Network:** 172.16.203.2/32
============================================== ====================================================================================================
Create an individual IPv6 pool for each roadwarrior. This configuration will result in 1 usable IPv6 address.
============================================== ====================================================================================================
**Name:** pool-roadwarrior-john-ipv6
**Network:** 2001:db8:1234:ec::1/128
============================================== ====================================================================================================
============================================== ====================================================================================================
**Name:** pool-roadwarrior-laura-ipv6
**Network:** 2001:db8:1234:ec::2/128
============================================== ====================================================================================================
.. Note::
If a roadwarrior has more than one device, you can provide them a larger pool. For example /31 would result in 2 IPv4 addresses, and /127 in 2 IPv6 addresses. You will have to keep track of this yourself though, don't configure pools that overlap.
2.2 - VPN: IPsec: Pre-Shared Keys
---------------------------------
Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection.
============================================== ====================================================================================================
**Local Identifier:** ``john@vpn1.example.com``
**Pre-Shared Key:** 48o72g3h4ro8123g8r
**Type:** EAP
============================================== ====================================================================================================
============================================== ====================================================================================================
**Local Identifier:** ``laura@vpn1.example.com``
**Pre-Shared Key:** LIUAHSDq2nak!12
**Type:** EAP
============================================== ====================================================================================================
.. Note::
Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to.
2.3 - VPN: IPsec: Connections
-----------------------------
- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work.
**2.3.1 Create connection for john@vpn1.example.com:**
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
**General Settings:**
============================================== ====================================================================================================
**Proposals:** aes256-sha256-modp2048 (Disable default!)
**Version:** IKEv2
**Local addresses:** ``vpn1.example.com``
**UDP encapsulation:** X
**Rekey time:** 2400
**DPD delay:** 30
**Pools:** ``pool-roadwarrior-john-ipv4`` ``pool-roadwarrior-john-ipv6``
**Keyingtries:** 0
**Description:** roadwarrior-john-eap-mschapv2-p1
============================================== ====================================================================================================
**Save** to reveal the next options:
**Local Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** Public Key
**Id:** vpn1.example.com
**Certificates:** vpn1.example.com
**Description:** local-vpn1.example.com
============================================== ====================================================================================================
**Remote Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** EAP-MSCHAPv2
**EAP Id:** ``john@vpn1.example.com``
**Description:** remote-john-eap-mschapv2
============================================== ====================================================================================================
**Children:**
.. Note::
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Press **+** to add a new Child, enable **advanced mode** with the toggle.
============================================== ====================================================================================================
**Start action:** Trap
**ESP proposals:** aes256-sha256-modp2048 (Disable default!)
**Local:** ``0.0.0.0/0`` ``::/0``
**Rekey time (s):** 600
**Description:** roadwarrior-john-eap-mschapv2-p2
============================================== ====================================================================================================
**Save** and **Apply** the configuration.
**2.3.2 Create connection for laura@vpn1.example.com:**
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
**General Settings:**
============================================== ====================================================================================================
**Proposals:** aes256-sha256-modp2048 (Disable default!)
**Version:** IKEv2
**Local addresses:** ``vpn1.example.com``
**UDP encapsulation:** X
**Rekey time:** 2400
**DPD delay:** 30
**Pools:** ``pool-roadwarrior-laura-ipv4`` ``pool-roadwarrior-laura-ipv6``
**Keyingtries:** 0
**Description:** roadwarrior-laura-eap-mschapv2-p1
============================================== ====================================================================================================
**Save** to reveal the next options:
**Local Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** Public Key
**Id:** vpn1.example.com
**Certificates:** vpn1.example.com
**Description:** local-vpn1.example.com
============================================== ====================================================================================================
**Remote Authentication:**
============================================== ====================================================================================================
**Round:** 0
**Authentication:** EAP-MSCHAPv2
**EAP Id:** ``laura@vpn1.example.com``
**Description:** remote-laura-eap-mschapv2
============================================== ====================================================================================================
**Children:**
.. Note::
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Press **+** to add a new Child, enable **advanced mode** with the toggle.
============================================== ====================================================================================================
**Start action:** Trap
**ESP proposals:** aes256-sha256-modp2048 (Disable default!)
**Local:** ``0.0.0.0/0`` ``::/0``
**Rekey time (s):** 600
**Description:** roadwarrior-laura-eap-mschapv2-p2
============================================== ====================================================================================================
**Save** and **Apply** the configuration.
.. Note::
You have to repeat this workflow for each additional roadwarrior you create. They all need new pools and new connections.
.. _rw-swanctl-fw-nat-dns:
------------------------------------
Firewall rules, Outbound NAT and DNS