2
0
mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00

rewrite IPsec remote access documentation (#72)

This commit is contained in:
Michael 2018-12-24 12:49:40 +01:00 committed by Franco Fichtner
parent ae166ad3dc
commit da62c75002
23 changed files with 1096 additions and 0 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 16 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 46 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 41 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 20 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 116 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 127 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 110 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 212 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 153 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 95 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 103 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 109 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 121 KiB

View File

@ -0,0 +1,88 @@
==================================
IPsec: Setup Android Remote Access
==================================
.. contents:: Index
Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.
All screenshot were taken from Android version 7.
----------------------------
Step 1 - Install Certificate
----------------------------
For all RSA or IKEv2 related VPN configurations we need to install the Root CA and sometimes also
the client certificate. Please export it do your device in a secure way like with an USB stick or a
local file exchange service like Nextcloud. Under settings search for "cert" and you will be prompted for
**Install certificates**. Navigate to the download directory and install the Root CA and - when configured -
the client certificate.
---------------------------
Step 2 - Add VPN Connection
---------------------------
Add a new VPN connection via **Settings->More->VPN**, enter a **Name** and choose the type you need.
Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.
If you want to use IKEv2 you have to use the strongSwan app_ via App Store, as Android stock VPN only
supports IKEv1.
.. _app: https://play.google.com/store/apps/details?id=org.strongswan.android
See the following screenshots for the different VPN types:
------------------
Mutual PSK + XAuth
------------------
.. image:: images/ipsec_rw_android_mutualpsk1.png
:width: 60%
.. image:: images/ipsec_rw_android_mutualpsk2.png
:width: 60%
------------------
Mutual RSA + XAuth
------------------
.. image:: images/ipsec_rw_android_mutualrsa1.png
:width: 60%
.. image:: images/ipsec_rw_android_mutualrsa2.png
:width: 60%
----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------
.. image:: images/ipsec_rw_android_ikev2-mschap1.png
:width: 60%
.. image:: images/ipsec_rw_android_ikev2-mschap2.png
:width: 60%
.. image:: images/ipsec_rw_android_ikev2-mschap3.png
:width: 60%
---------------
IKEv2 + EAP-TLS
---------------
For EAP-TLS choose RSA (local)+ EAP-TLS (remote) in your OPNsense configuration.
.. image:: images/ipsec_rw_android_ikev2-cert.png
:width: 60%
---------------------------------
IKEv2 + Mutual RSA + EAP-MSCHAPv2
---------------------------------
This is the most secure combination!
.. image:: images/ipsec_rw_android_ikev2-certeap.png
:width: 60%

View File

@ -0,0 +1,38 @@
================================
IPsec: Setup Linux Remote Access
================================
.. contents:: Index
Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.
The tests were done with Ubuntu 18.04 and network-manager-stronswan installed, Ubuntu only supports
OpenVPN and PPTP with the default install.
It can be installed using the following command on the command line:
.. code-block:: sh
apt install network-manager-stronswan
----------------------------
Step 1 - Download Certificte
----------------------------
Download the Root CA from the OPNsense Firewall since it is needed for all EAP types with IKEv2.
---------------------------
Step 2 - Add VPN Connection
---------------------------
Open the network manager and add a new VPN connction. Choose **IPSec/IKEv2**, enter a **Name** and set
the **Address** to the FQDN matching the one of the certificate at your Firewall.
----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------
.. image:: images/ipsec-rw-linux-eapmschap.PNG
:width: 60%

View File

@ -0,0 +1,158 @@
==========================================
IPsec: Setup OPNsense for IKEv2 EAP-RADIUS
==========================================
.. contents:: Index
EAP-RADIUS via IKEv2 is nearly the same as EAP-MSCHAPv2, but authentication is done against a Radius instance.
We assume you have read the first part at
:doc:`how-tos/ipsec-rw`
----------------------------
Step 1 - Create Certificates
----------------------------
For EAP-RADIUS with IKEv2 you need to create a Root CA and a server certificate for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
---------------------
Step 2 - Setup Radius
---------------------
If you already have a local Radius server, add a new client with the IP address of your Firewall,
set a shared secret, go to OPNsense UI to **System->Access->Servers** and add a new instance:
============================ ================ ====================================
**Descriptive Name** Name *Give it a name*
**Type** Radius *This is what we want*
**Hostname or IP Address** Radius IP *Set the IP of your Radius server*
**Shared Secret** s3cureP4ssW0rd *Choose a secure password*
============================ ================ ====================================
When you do not have an own Radius instance just use the OPNsense plugin and follow this guide:
:doc:`how-tos/freeradius`
-----------------------
Step 3 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
For our example will use the following settings:
IKE Extensions
--------------
========================== ============== ================================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Nothing *As we use Radius, no need to select anything*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ============== ================================================
You can select other options, but we will leave them all unchecked for this example.
**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.
-------------------------------
Step 4 - Phase 1 Mobile Clients
-------------------------------
Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *only V2 is supported for EAP-RADIUS*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================
Phase 1 proposal (Authentication)
---------------------------------
=========================== ==================== =============================================
**Authentication method** EAP-RADIUS *This is the method we want here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
**My Certificate** Certificate *Choose the certificate from dropdown list*
=========================== ==================== =============================================
Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================
Advanced Options are fine by default.
**Save** your settings.
-------------------------------
Step 5 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================
Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================
**Save** your settings and **Enable IPsec**, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
.. Note::
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 6 - Add IPsec Users
------------------------
Go to your RADIUS management console and start adding users!
If you are using our FreeRADIUS plugin follow the official guide:
:doc:`how-tos/freeradius`

View File

@ -0,0 +1,146 @@
=======================================
IPsec: Setup OPNsense for IKEv2 EAP-TLS
=======================================
.. contents:: Index
EAP-TLS via IKEv2 is based on client certificate authentication.
Be sure to install the client certificate on your enduser device.
----------------------------
Step 1 - Create Certificates
----------------------------
For EAP-TLS with IKEv2 you need to create a Root CA and a server certificate for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
For our example we will use the following settings:
IKE Extensions
--------------
========================== ================ =============================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Local Database *For the example we use the Local Database*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ================ =============================================
You can select other options, but we will leave them all unchecked for this example.
**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.
-------------------------------
Step 3 - Phase 1 Mobile Clients
-------------------------------
Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *only V2 is supported for EAP-TLS*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================
Phase 1 proposal (Authentication)
---------------------------------
=========================== ==================== =============================================
**Authentication method** EAP-TLS *This is the method we want here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
**My Certificate** Certificate *Choose the certificate from dropdown list*
=========================== ==================== =============================================
.. Note::
Some clients require RSA as remote like Strongswan Android App. If you encounter problem with
your client devices replace **Authentication method** to **RSA (local) + EAP-TLS (remote)**
Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================
Advanced Options are fine by default.
**Save** your settings.
-------------------------------
Step 3 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================
Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================
**Save** your settings and **Enable IPsec**, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
.. Note::
If you already had IPsec enabled and added Road Warrior setup, it's important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **System->Trust->Certificates** and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to your end user device.

View File

@ -0,0 +1,175 @@
===========================================
IPsec: Setup OPNsense for IKEv1 using XAuth
===========================================
.. contents:: Index
XAuth was an addition to IKEv1 supporting user authentication credentials additionally to
pre-shared keys or certificates. There are three different types supported by OPNsense which
we will describe here.
Mutual PSK + XAuth: You define a pre-shared key which is the same for every user and after securing
the channel the user authentication via XAuth comes into play.
Mutual RSA + XAuth: Instead of using a pre-shared key, every device needs a client certificate to secure
the connection plus XAuth for authentication. This is the most secure variant for IKEv1/XAuth but also
with the most work to do.
Hybrid RSA + XAuth: Hybrid RSA is the same as Mutual, without the need for a client certificate. Only
the server will be authenticated (like using HTTPS) to prevent man-in-the-middle attacks like with
Mutual PSK. It is more secure than PSK but does not need the complete roll-out process like with Mutual RSA.
We assume you have read the first part at
:doc:`how-tos/ipsec-rw`
----------------------------------------------------
Step 1 - Create Certificates (only for RSA variants)
----------------------------------------------------
For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate
for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
For our example will use the following settings:
IKE Extensions
--------------
========================== ================ =============================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Local Database *For the example we use the Local Database*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ================ =============================================
You can select other options, but we will leave them all unchecked for this example.
**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.
-------------------------------
Step 3 - Phase 1 Mobile Clients
-------------------------------
Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V1 *XAuth only works on V1*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================
Phase 1 proposal (Authentication)
---------------------------------
=========================== ==================== ==========================================================================
**Authentication method** XAuth *Choose one of the three available options*
**Negotiation mode** Main Mode *Use Main Mode here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate, for PSK use "My IP address"*
**Pre-shared Key** Shared secret *For Mutual PSK + XAuth use this PSK, otherwise certificate below*
**My Certificate** Certificate *Choose the certificate from dropdown list, only valid for RSA variants*
=========================== ==================== ==========================================================================
Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================
Advanced Options are fine by default.
**Save** your settings.
-------------------------------
Step 3 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================
Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================
**Save** your settings and **Enable IPsec**, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
.. Note::
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **System->Access->Users** and press the **+** sign in the lower right corner
to add a new user.
Enter the following into the form:
=============== ==========
**User Name** expert
**Password** &test!9T
=============== ==========
**Save** to apply.
------------------------------------------------
Step 5 - Add client certificate (for Mutual RSA)
------------------------------------------------
This step is only needed for Mutual RSA + XAuth!
Go to **System->Trust->Certificates** and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to you enduser device.

View File

@ -0,0 +1,151 @@
============================================
IPsec: Setup OPNsense for IKEv2 EAP-MSCHAPv2
============================================
.. contents:: Index
EAP-MSCHAPv2 via IKEv2 is the most compatible combination.
We assume you have read the first part at
:doc:`how-tos/ipsec-rw`
----------------------------
Step 1 - Create Certificates
----------------------------
For EAP-MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
For our example will use the following settings:
IKE Extensions
--------------
========================== ================ =============================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Local Database *For the example we use the Local Database*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ================ =============================================
You can select other options, but we will leave them all unchecked for this example.
**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.
-------------------------------
Step 3 - Phase 1 Mobile Clients
-------------------------------
Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *only V2 is supported for EAP-MSCHAPv2*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================
Phase 1 proposal (Authentication)
---------------------------------
=========================== ==================== =============================================
**Authentication method** EAP-MSCHAPv2 *This is the method we want here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
**My Certificate** Certificate *Choose the certificate from dropdown list*
=========================== ==================== =============================================
Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================
Advanced Options are fine by default.
**Save** your settings.
-------------------------------
Step 3 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================
Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================
**Save** your settings and **Enable IPsec**, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
.. Note::
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
Enter the following into the form:
==================== ==========
**Identifier** expert
**Pre-Shared Key** &test!9T
**Type** EAP
==================== ==========
**Save** to apply and you are done here.

View File

@ -0,0 +1,154 @@
=====================================================
IPsec: Setup OPNsense for IKEv2 Mutual RSA + MSCHAPv2
=====================================================
.. contents:: Index
Mutual RSA + MSCHAPv2 via IKEv2 is based on client certificate authentication combined with username
and password via MSCHAPv2.
Be sure that the client certificate is installed on your users device.
----------------------------
Step 1 - Create Certificates
----------------------------
For Mutual RSA + MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
For our example will use the following settings:
IKE Extensions
--------------
========================== ================ =============================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Local Database *For the example we use the Local Database*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ================ =============================================
You can select other options, but we will leave them all unchecked for this example.
**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.
-------------------------------
Step 3 - Phase 1 Mobile Clients
-------------------------------
Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *only V2 is supported for this type*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================
Phase 1 proposal (Authentication)
---------------------------------
=========================== ======================= ============================================
**Authentication method** Mutual RSA + MSCHAPv2 *This is the method we want here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
**My Certificate** Certificate *Choose the certificate from dropdown list*
=========================== ======================= ============================================
Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================
Advanced Options are fine by default.
**Save** your settings.
-------------------------------
Step 3 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================
Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================
**Save** your settings and **Enable IPsec**, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
.. Note::
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **System->Trust->Certificates** and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to you enduser device.
Switch to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
Enter the following into the form:
==================== ==========
**Identifier** expert
**Pre-Shared Key** &test!9T
**Type** EAP
==================== ==========

View File

@ -0,0 +1,63 @@
==================================
IPsec: Setup Windows Remote Access
==================================
.. contents:: Index
Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.
The tests were done with Windows 7 and 10.
All screenshot were taken from **Network and Sharing Center->Change adapter settings**.
---------------------------
Step 1 - Install Certificte
---------------------------
Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority.
Hit the Windows Start button and type *mmc* in search box. Go to **File->Add/Remove Snap-In**.
Choose **Certificates->Add->Computer account**.
Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click,
**All taks** and import. Select the Root CA and install.
If you are using client certificates for authentication (e.g EAP-TLS) use a PKCS12/PFX and install
it under **Personal** instead of **Trusted Root Certificate Authorities**. All included certificates
will be installed in the correct folders.
.. image:: images/ipsec-rw-w7-cert.png
:width: 60%
---------------------------
Step 2 - Add VPN Connection
---------------------------
Add a new VPN connection via **Network and Sharing Center** and choose as **Internet Address**
the correct FQDN. This is imporatant when using certificates since the FQDN of your connection
and the one in the certificate has to match!
Then set a **Username** and **Password** and leave **Domain** emtpy.
-------------------
Step 3 - Finetuning
-------------------
Via **Network and Sharing Center** go to **Change adapter settings** and open the properties
of your newly created adapter. Check that the FQDN is correct:
.. image:: images/ipsec-rw-w7-1.png
:width: 60%
On tab **Networking** in IPv4 configuration under **Advanced** is the option **Use defaut gateway on remote network**.
If this option is enabled, all traffic will be sent through the VPN (if IPsec SA matches). When unchecked, you have
to set specific routes sent via VPN.
.. image:: images/ipsec-rw-w7-2.png
:width: 60%
----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------
.. image:: images/ipsec-rw-w7-eapmschap.png
:width: 60%

View File

@ -0,0 +1,123 @@
==========================
IPsec: Setup Remote Access
==========================
.. contents:: Index
-----
Intro
-----
Road Warriors are remote users who need secure access to the company's infrastructure.
IPsec Mobile Clients offer a solution that is easy to setup and comptabile with most current devices.
With this guide we will show you how to configure the server side on OPNsense with the different
authentication methods e.g.
* EAP-MSCHAPv2
* Mutual-PSK + XAuth
* Mutual-RSA + XAuth
* ...
.. Note::
For the sample we will use a private ip for our WAN connection.
This requires us to disable the default block rule on WAN to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
*(Don't forget to save and apply)*
.. image:: images/block_private_networks.png
------------
Sample Setup
------------
All configuration examples are based on the following setup, please read this carefully
as all guides depend on it.
**Company Network with Remote Client**
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
Internet [shape = "cisco.cloud"];
fileserver [label="File Server",shape="cisco.fileserver",address="192.168.1.10"];
fileserver -- switchlan;
network LAN {
switchlan [label="",shape = "cisco.workgroup_switch"];
label = " LAN";
address ="192.168.1.1.x/24";
fw1 [address="192.168.1.1/24"];
}
network WAN {
label = " WAN";
fw1 [shape = "cisco.firewall", address="172.18.0.164"];
Internet;
}
network Remote {
Internet;
laptop [address="172.10.10.55 (WANIP),10.10.0.1 (IPsec)",label="Remote User",shape="cisco.laptop"];
}
}
Company Network
---------------
==================== =============================
**Hostname** fw1
**WAN IP** 172.18.0.164
**LAN IP** 192.168.1.0/24
**LAN DHCP Range** 192.168.1.100-192.168.1.200
**IPsec Clients** 10.10.0.0/24
==================== =============================
---------------------------
Firewall Rules Mobile Users
---------------------------
To allow IPsec Tunnel Connections, the following should be allowed on WAN.
* Protocol ESP
* UDP Traffic on Port 500 (ISAKMP)
* UDP Traffic on Port 4500 (NAT-T)
.. image:: images/ipsec_wan_rules.png
:width: 100%
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface.
.. image:: images/ipsec_ipsec_lan_rule.png
:width: 100%
-----------------
VPN compatibility
-----------------
In the next table you can see the existing VPN authentication mechanisms and which client
operating systems support it, with links to their configurations.
For Linux testing was done with Ubuntu 18.4 Desktop and *network-manager-strongswan* and
*libcharon-extra-plugins* installed.
As Andoid does not support IKEv2 yet we added notes for combinations with strongSwan
app installed to have a broader compatibility for all systems.
Mutual RSA and PSK without XAuth requires L2TP, since this legacy technology is
very error prone we will not cover it here.
.. csv-table:: VPN combinations
:header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config"
:widths: 40, 20, 20, 20, 20, 20, 20, 20
"IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 EAP-MSCHAPv2","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-mschapv2`"
"IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-rsamschapv2`"
"IKEv2 EAP-RADIUS","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eapradius`"