mirror of
https://github.com/opnsense/docs
synced 2024-10-30 21:20:20 +00:00
Update ipsec-swanctl-rw-ikev2-eap-mschapv2.rst
Populated IPsec connection settings for roadwarriors
This commit is contained in:
parent
28b3f66474
commit
404b1f5eff
@ -26,6 +26,8 @@ The example users are ``John`` and ``Laura``. The example FQDN is ``vpn1.example
|
||||
.. Hint::
|
||||
Any IPv6 functionality is optional. If you don't want to use IPv4+IPv6 dual stack, just skip all IPv6 addresses/networks and focus on IPv4. Its also possible to skip IPv4 and create native IPv6 tunnels.
|
||||
|
||||
.. Warning::
|
||||
Don't copy security relevant configuration parameters like passwords into your configuration. Create your own!
|
||||
|
||||
-----------------------------
|
||||
Methods for Roadwarrior Setup
|
||||
@ -49,6 +51,9 @@ Methods for Roadwarrior Setup
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
.. Attention::
|
||||
In all following examples, parameters that should be empty or at default are **omitted**. *Don't change them without a good reason.*
|
||||
|
||||
System: Trust: Authorities
|
||||
--------------------------
|
||||
|
||||
@ -73,7 +78,7 @@ Create a certificate authority which will be used to create server certificates
|
||||
System: Trust: Certificates
|
||||
---------------------------
|
||||
|
||||
Create a server certificate for your IPsec VPN. The lifetime of the certificate is around 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
|
||||
Create a server certificate for your IPsec VPN. The lifetime of the certificate is 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Method:** Create an internal Certificate
|
||||
@ -83,7 +88,7 @@ Create a server certificate for your IPsec VPN. The lifetime of the certificate
|
||||
**Key Type:** RSA
|
||||
**Key lenght (bits):** 2048
|
||||
**Digest Algorithm:** SHA256
|
||||
**Lifetime (days):** 397
|
||||
**Lifetime (days):** 365
|
||||
**Country Code:** Enter your Country Code
|
||||
**State or Province:** Enter Your State
|
||||
**City:** Enter your City
|
||||
@ -170,15 +175,104 @@ Method 1 - Shared IP pool for all roadwarriors
|
||||
1.1 - VPN: IPsec: Connections: Pools
|
||||
------------------------------------
|
||||
|
||||
Create an IPv4 pool that all roadwarriors will share. This configuration will result in 256 usable IPv4 addresses. Please note that this is not a network, it's a pool of IP addresses that will be leased.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Name:** pool-roadwarrior-ipv4
|
||||
**Network:** 172.16.203.0/24
|
||||
============================================== ====================================================================================================
|
||||
|
||||
Create an IPv6 pool that all roadwarriors will share. This configuration will result in 256 usable IPv6 addresses.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Name:** pool-roadwarrior-ipv6
|
||||
**Network:** 2001:db8:1234:ec::/120
|
||||
============================================== ====================================================================================================
|
||||
|
||||
.. Note::
|
||||
The IPv6 pool is not a /64 Prefix, because it's used to define a pool of IPv6 addresses that can be used as leases. Prefix /120 means there are 256 IPv6 addresses available. The hard limit of strongswan pools is Prefix /97.
|
||||
|
||||
|
||||
1.2 - VPN: IPsec: Pre-Shared Keys
|
||||
---------------------------------
|
||||
|
||||
Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Local Identifier:** ``john@vpn1.example.com``
|
||||
**Pre-Shared Key:** 48o72g3h4ro8123g8r
|
||||
**Type:** EAP
|
||||
============================================== ====================================================================================================
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Local Identifier:** ``laura@vpn1.example.com``
|
||||
**Pre-Shared Key:** LIUAHSDq2nak!12
|
||||
**Type:** EAP
|
||||
============================================== ====================================================================================================
|
||||
|
||||
.. Note::
|
||||
Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to.
|
||||
|
||||
1.3 - VPN: IPsec: Connections
|
||||
-----------------------------
|
||||
|
||||
- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work.
|
||||
|
||||
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
|
||||
|
||||
**General Settings:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Proposals:** aes256-sha256-modp2048 (Disable default!)
|
||||
**Version:** IKEv2
|
||||
**Local addresses:** ``vpn1.example.com``
|
||||
**UDP encapsulation:** X
|
||||
**Rekey time:** 2400
|
||||
**DPD delay:** 30
|
||||
**Pools:** ``pool-roadwarrior-ipv4`` ``pool-roadwarrior-ipv6``
|
||||
**Keyingtries:** 0
|
||||
**Description:** roadwarrior-eap-mschapv2-p1
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Save** to reveal the next options:
|
||||
|
||||
**Local Authentication:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Round:** 0
|
||||
**Authentication:** Public Key
|
||||
**Id:** vpn1.example.com
|
||||
**Certificates:** vpn1.example.com
|
||||
**Description:** local-vpn1.example.com
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Remote Authentication:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Round:** 0
|
||||
**Authentication:** EAP-MSCHAPv2
|
||||
**EAP Id:** ``%any``
|
||||
**Description:** remote-eap-mschapv2
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Children:**
|
||||
|
||||
.. Note::
|
||||
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
|
||||
|
||||
Press **+** to add a new Child, enable **advanced mode** with the toggle.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Start action:** Trap
|
||||
**ESP proposals:** aes256-sha256-modp2048 (Disable default!)
|
||||
**Local:** ``0.0.0.0/0`` ``::/0``
|
||||
**Rekey time (s):** 600
|
||||
**Description:** roadwarrior-eap-mschapv2-p2
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Save** and **Apply** the configuration.
|
||||
|
||||
Now you can skip to :ref:`Firewall rules, Outbound NAT and DNS <rw-swanctl-fw-nat-dns>`
|
||||
|
||||
.. _rw-swanctl-method2:
|
||||
|
||||
@ -190,14 +284,178 @@ Method 2 - Static IP address per roadwarrior
|
||||
2.1 - VPN: IPsec: Connections: Pools
|
||||
------------------------------------
|
||||
|
||||
Create an individual IPv4 pool for each roadwarrior. This configuration will result in 1 usable IPv4 address.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Name:** pool-roadwarrior-john-ipv4
|
||||
**Network:** 172.16.203.1/32
|
||||
============================================== ====================================================================================================
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Name:** pool-roadwarrior-laura-ipv4
|
||||
**Network:** 172.16.203.2/32
|
||||
============================================== ====================================================================================================
|
||||
|
||||
Create an individual IPv6 pool for each roadwarrior. This configuration will result in 1 usable IPv6 address.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Name:** pool-roadwarrior-john-ipv6
|
||||
**Network:** 2001:db8:1234:ec::1/128
|
||||
============================================== ====================================================================================================
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Name:** pool-roadwarrior-laura-ipv6
|
||||
**Network:** 2001:db8:1234:ec::2/128
|
||||
============================================== ====================================================================================================
|
||||
|
||||
.. Note::
|
||||
If a roadwarrior has more than one device, you can provide them a larger pool. For example /31 would result in 2 IPv4 addresses, and /127 in 2 IPv6 addresses. You will have to keep track of this yourself though, don't configure pools that overlap.
|
||||
|
||||
|
||||
2.2 - VPN: IPsec: Pre-Shared Keys
|
||||
---------------------------------
|
||||
|
||||
Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Local Identifier:** ``john@vpn1.example.com``
|
||||
**Pre-Shared Key:** 48o72g3h4ro8123g8r
|
||||
**Type:** EAP
|
||||
============================================== ====================================================================================================
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Local Identifier:** ``laura@vpn1.example.com``
|
||||
**Pre-Shared Key:** LIUAHSDq2nak!12
|
||||
**Type:** EAP
|
||||
============================================== ====================================================================================================
|
||||
|
||||
.. Note::
|
||||
Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to.
|
||||
|
||||
|
||||
2.3 - VPN: IPsec: Connections
|
||||
-----------------------------
|
||||
|
||||
- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work.
|
||||
|
||||
**2.3.1 Create connection for john@vpn1.example.com:**
|
||||
|
||||
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
|
||||
|
||||
**General Settings:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Proposals:** aes256-sha256-modp2048 (Disable default!)
|
||||
**Version:** IKEv2
|
||||
**Local addresses:** ``vpn1.example.com``
|
||||
**UDP encapsulation:** X
|
||||
**Rekey time:** 2400
|
||||
**DPD delay:** 30
|
||||
**Pools:** ``pool-roadwarrior-john-ipv4`` ``pool-roadwarrior-john-ipv6``
|
||||
**Keyingtries:** 0
|
||||
**Description:** roadwarrior-john-eap-mschapv2-p1
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Save** to reveal the next options:
|
||||
|
||||
**Local Authentication:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Round:** 0
|
||||
**Authentication:** Public Key
|
||||
**Id:** vpn1.example.com
|
||||
**Certificates:** vpn1.example.com
|
||||
**Description:** local-vpn1.example.com
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Remote Authentication:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Round:** 0
|
||||
**Authentication:** EAP-MSCHAPv2
|
||||
**EAP Id:** ``john@vpn1.example.com``
|
||||
**Description:** remote-john-eap-mschapv2
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Children:**
|
||||
|
||||
.. Note::
|
||||
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
|
||||
|
||||
Press **+** to add a new Child, enable **advanced mode** with the toggle.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Start action:** Trap
|
||||
**ESP proposals:** aes256-sha256-modp2048 (Disable default!)
|
||||
**Local:** ``0.0.0.0/0`` ``::/0``
|
||||
**Rekey time (s):** 600
|
||||
**Description:** roadwarrior-john-eap-mschapv2-p2
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Save** and **Apply** the configuration.
|
||||
|
||||
|
||||
**2.3.2 Create connection for laura@vpn1.example.com:**
|
||||
|
||||
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
|
||||
|
||||
**General Settings:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Proposals:** aes256-sha256-modp2048 (Disable default!)
|
||||
**Version:** IKEv2
|
||||
**Local addresses:** ``vpn1.example.com``
|
||||
**UDP encapsulation:** X
|
||||
**Rekey time:** 2400
|
||||
**DPD delay:** 30
|
||||
**Pools:** ``pool-roadwarrior-laura-ipv4`` ``pool-roadwarrior-laura-ipv6``
|
||||
**Keyingtries:** 0
|
||||
**Description:** roadwarrior-laura-eap-mschapv2-p1
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Save** to reveal the next options:
|
||||
|
||||
**Local Authentication:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Round:** 0
|
||||
**Authentication:** Public Key
|
||||
**Id:** vpn1.example.com
|
||||
**Certificates:** vpn1.example.com
|
||||
**Description:** local-vpn1.example.com
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Remote Authentication:**
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Round:** 0
|
||||
**Authentication:** EAP-MSCHAPv2
|
||||
**EAP Id:** ``laura@vpn1.example.com``
|
||||
**Description:** remote-laura-eap-mschapv2
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Children:**
|
||||
|
||||
.. Note::
|
||||
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
|
||||
|
||||
Press **+** to add a new Child, enable **advanced mode** with the toggle.
|
||||
|
||||
============================================== ====================================================================================================
|
||||
**Start action:** Trap
|
||||
**ESP proposals:** aes256-sha256-modp2048 (Disable default!)
|
||||
**Local:** ``0.0.0.0/0`` ``::/0``
|
||||
**Rekey time (s):** 600
|
||||
**Description:** roadwarrior-laura-eap-mschapv2-p2
|
||||
============================================== ====================================================================================================
|
||||
|
||||
**Save** and **Apply** the configuration.
|
||||
|
||||
|
||||
.. Note::
|
||||
You have to repeat this workflow for each additional roadwarrior you create. They all need new pools and new connections.
|
||||
|
||||
.. _rw-swanctl-fw-nat-dns:
|
||||
|
||||
------------------------------------
|
||||
Firewall rules, Outbound NAT and DNS
|
||||
|
Loading…
Reference in New Issue
Block a user