mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00

Update ipsec-swanctl-rw-ikev2-eap-mschapv2.rst

General structure of How-To added
This commit is contained in:
Monviech 2023-09-16 13:18:59 +02:00 committed by GitHub
parent 6b75541679
commit 7eb2e6c32b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,28 +1,143 @@
===============================================================
VPN: IPsec: Connections - Roadwarriors with IKEv2 EAP-MSCHAPv2
===============================================================
=======================================
IPsec - Roadwarriors IKEv2 EAP-MSCHAPv2
=======================================
.. contents:: Index
EAP-MSCHAPv2 via IKEv2 is based on a server certificate and an EAP Pre-Shared Key (username + password)
The CA certificate has to be installed on your users device.
The following roadwarrior configuration is universally usable between different clients and easy to setup.
EAP-MSCHAPv2 via IKEv2 is based on a server certificate and an EAP Pre-Shared Key (username + password).
The CA certificate has to be installed on the users device.
------------------------------------
Networks used in this How-To section
------------------------------------
========= =================== =========================
Interface Network IPv4 Network IPv6
========= =================== =========================
WAN ``203.0.113.0/24`` ``2001:db8:1234::/48``
LAN ``192.168.1.0/24`` ``2001:db8:1234:1::/64``
IPsec ``172.16.203.0/24`` ``2001:db8:1234:ec::/64``
========= =================== =========================
The example users are ``John`` and ``Laura``.
-----------------------------
Methods for Roadwarrior Setup
-----------------------------
:ref:`Method 1 - Shared IP pool for all roadwarriors <rw-swanctl-method1>`
--------------------------------------------------------------------------
- Benefit: Easy configuration and works with most clients out of the box.
- Drawback: All configured EAP Identities can authenticate with this connection, so you can't have tight access control. Roadwarriors don't have unique IP addresses.
:ref:`Method 2 - Static IP address per roadwarrior <rw-swanctl-method2>`
------------------------------------------------------------------------
- Benefit: Tight security because every user can be controlled individually with firewall rules. The whole configuration is stored in one file (swanctl.conf). There are no other dependencies, so it won't break suddenly in the future.
- Drawback: Configuration needs more time and might not scale with large user counts. Windows native VPN client doesn't like this configuration very much because it demands the eap identity exchange method.
----------------------------------------------------------
Step 1 - System: Trust - Create CA and Server Certificates
----------------------------------------------------------
-------------
Prerequisites
-------------
System: Trust: Authorities
--------------------------
---------------------------------------
Step 2 - VPN: IPsec: Connections: Pools
---------------------------------------
System: Trust: Certificates
---------------------------
------------------------------------------------
Step 3 - VPN: IPsec: Pre-Shared Keys - Add Users
------------------------------------------------
External DNS A-Record
---------------------
--------------------------------
Step 4 - VPN: IPsec: Connections
--------------------------------
.. _rw-swanctl-method1:
----------------------------------------------
Method 1 - Shared IP pool for all roadwarriors
----------------------------------------------
1.1 - VPN: IPsec: Connections: Pools
------------------------------------
1.2 - VPN: IPsec: Pre-Shared Keys
---------------------------------
1.3 - VPN: IPsec: Connections
-----------------------------
.. _rw-swanctl-method2:
---------------------------------------------
Method 2: Shared IP pool for all roadwarriors
---------------------------------------------
2.1 - VPN: IPsec: Connections: Pools
------------------------------------
2.2 - VPN: IPsec: Pre-Shared Keys
---------------------------------
2.3 - VPN: IPsec: Connections
-----------------------------
------------------------------------
Firewall rules, Outbound NAT and DNS
------------------------------------
Firewall: Aliases
-----------------
Firewall: Rules: IPsec
----------------------
Firewall: NAT: Outbound
-----------------------
Services: Unbound DNS
---------------------
--------------------
Client configuration
--------------------
Windows native VPN client
-------------------------
Windows NCP Secure Entry client
-------------------------------
iOS (iPhone, iPad) native VPN client
------------------------------------
Android StrongSwan VPN client
-----------------------------
Linux Strongswan swanctl.conf
-----------------------------