rewrite IPsec remote access documentation (#72)
BIN
source/manual/how-tos/images/ipsec-rw-linux-eapmschap.PNG
Normal file
After Width: | Height: | Size: 44 KiB |
BIN
source/manual/how-tos/images/ipsec-rw-w7-1.png
Normal file
After Width: | Height: | Size: 16 KiB |
BIN
source/manual/how-tos/images/ipsec-rw-w7-2.png
Normal file
After Width: | Height: | Size: 46 KiB |
BIN
source/manual/how-tos/images/ipsec-rw-w7-cert.png
Normal file
After Width: | Height: | Size: 41 KiB |
BIN
source/manual/how-tos/images/ipsec-rw-w7-eapmschap.png
Normal file
After Width: | Height: | Size: 20 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_ikev2-cert.png
Normal file
After Width: | Height: | Size: 116 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_ikev2-certeap.png
Normal file
After Width: | Height: | Size: 127 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_ikev2-mschap1.png
Normal file
After Width: | Height: | Size: 110 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_ikev2-mschap2.png
Normal file
After Width: | Height: | Size: 212 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_ikev2-mschap3.png
Normal file
After Width: | Height: | Size: 153 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_mutualpsk1.png
Normal file
After Width: | Height: | Size: 95 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_mutualpsk2.png
Normal file
After Width: | Height: | Size: 103 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_mutualrsa1.png
Normal file
After Width: | Height: | Size: 109 KiB |
BIN
source/manual/how-tos/images/ipsec_rw_android_mutualrsa2.png
Normal file
After Width: | Height: | Size: 121 KiB |
88
source/manual/how-tos/ipsec-rw-android.rst
Normal file
@ -0,0 +1,88 @@
|
||||
==================================
|
||||
IPsec: Setup Android Remote Access
|
||||
==================================
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
Here you can see the configuration options for all compatible VPN types.
|
||||
We assume that you are familiar with adding a new VPN connection.
|
||||
|
||||
All screenshot were taken from Android version 7.
|
||||
|
||||
----------------------------
|
||||
Step 1 - Install Certificate
|
||||
----------------------------
|
||||
|
||||
For all RSA or IKEv2 related VPN configurations we need to install the Root CA and sometimes also
|
||||
the client certificate. Please export it do your device in a secure way like with an USB stick or a
|
||||
local file exchange service like Nextcloud. Under settings search for "cert" and you will be prompted for
|
||||
**Install certificates**. Navigate to the download directory and install the Root CA and - when configured -
|
||||
the client certificate.
|
||||
|
||||
---------------------------
|
||||
Step 2 - Add VPN Connection
|
||||
---------------------------
|
||||
|
||||
Add a new VPN connection via **Settings->More->VPN**, enter a **Name** and choose the type you need.
|
||||
Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
|
||||
CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
|
||||
or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.
|
||||
|
||||
If you want to use IKEv2 you have to use the strongSwan app_ via App Store, as Android stock VPN only
|
||||
supports IKEv1.
|
||||
|
||||
.. _app: https://play.google.com/store/apps/details?id=org.strongswan.android
|
||||
|
||||
See the following screenshots for the different VPN types:
|
||||
|
||||
------------------
|
||||
Mutual PSK + XAuth
|
||||
------------------
|
||||
|
||||
.. image:: images/ipsec_rw_android_mutualpsk1.png
|
||||
:width: 60%
|
||||
|
||||
.. image:: images/ipsec_rw_android_mutualpsk2.png
|
||||
:width: 60%
|
||||
|
||||
------------------
|
||||
Mutual RSA + XAuth
|
||||
------------------
|
||||
|
||||
.. image:: images/ipsec_rw_android_mutualrsa1.png
|
||||
:width: 60%
|
||||
|
||||
.. image:: images/ipsec_rw_android_mutualrsa2.png
|
||||
:width: 60%
|
||||
|
||||
----------------------------------
|
||||
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
|
||||
----------------------------------
|
||||
|
||||
.. image:: images/ipsec_rw_android_ikev2-mschap1.png
|
||||
:width: 60%
|
||||
|
||||
.. image:: images/ipsec_rw_android_ikev2-mschap2.png
|
||||
:width: 60%
|
||||
|
||||
.. image:: images/ipsec_rw_android_ikev2-mschap3.png
|
||||
:width: 60%
|
||||
|
||||
---------------
|
||||
IKEv2 + EAP-TLS
|
||||
---------------
|
||||
|
||||
For EAP-TLS choose RSA (local)+ EAP-TLS (remote) in your OPNsense configuration.
|
||||
|
||||
.. image:: images/ipsec_rw_android_ikev2-cert.png
|
||||
:width: 60%
|
||||
|
||||
---------------------------------
|
||||
IKEv2 + Mutual RSA + EAP-MSCHAPv2
|
||||
---------------------------------
|
||||
|
||||
This is the most secure combination!
|
||||
|
||||
.. image:: images/ipsec_rw_android_ikev2-certeap.png
|
||||
:width: 60%
|
||||
|
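Review bot: in Step 2, "you have to use the strongSwan app_ via App Store" contradicts its own link target, which is play.google.com; on Android this should read "from Google Play". Same file, small fixes: "All screenshot were taken" should be "All screenshots were taken", "export it do your device" should be "export it to your device", and "an USB stick" should be "a USB stick". The closing line of the last section, "This is the most secure combination!", would carry more weight as a one-sentence reason (the section title already gives it: the client must present a per-device certificate and the user must additionally pass EAP-MSCHAPv2 credentials) than as a bare exclamation.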
38
source/manual/how-tos/ipsec-rw-linux.rst
Normal file
@ -0,0 +1,38 @@
|
||||
================================
|
||||
IPsec: Setup Linux Remote Access
|
||||
================================
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
Here you can see the configuration options for all compatible VPN types.
|
||||
We assume that you are familiar with adding a new VPN connection.
|
||||
|
||||
The tests were done with Ubuntu 18.04 and network-manager-stronswan installed, Ubuntu only supports
|
||||
OpenVPN and PPTP with the default install.
|
||||
|
||||
It can be installed using the following command on the command line:
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
apt install network-manager-stronswan
|
||||
|
||||
----------------------------
|
||||
Step 1 - Download Certificte
|
||||
----------------------------
|
||||
|
||||
Download the Root CA from the OPNsense Firewall since it is needed for all EAP types with IKEv2.
|
||||
|
||||
---------------------------
|
||||
Step 2 - Add VPN Connection
|
||||
---------------------------
|
||||
|
||||
Open the network manager and add a new VPN connction. Choose **IPSec/IKEv2**, enter a **Name** and set
|
||||
the **Address** to the FQDN matching the one of the certificate at your Firewall.
|
||||
|
||||
----------------------------------
|
||||
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
|
||||
----------------------------------
|
||||
|
||||
.. image:: images/ipsec-rw-linux-eapmschap.PNG
|
||||
:width: 60%
|
||||
|
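Review bot: the package name is misspelled both in the prose and in the code block, so `apt install network-manager-stronswan` fails with "Unable to locate package"; the Debian/Ubuntu package is `network-manager-strongswan`. Heading "Step 1 - Download Certificte" should read "Certificate", and the overline and underline then need one more dash so they stay at least as long as the title, otherwise Sphinx warns about a too-short title underline. "add a new VPN connction" should be "connection". Step 1 tells the reader to download the Root CA but not from where; pointing at System->Trust->Authorities, where the server guides create it, would close that gap.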
158
source/manual/how-tos/ipsec-rw-srv-eapradius.rst
Normal file
@ -0,0 +1,158 @@
|
||||
==========================================
|
||||
IPsec: Setup OPNsense for IKEv2 EAP-RADIUS
|
||||
==========================================
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
EAP-RADIUS via IKEv2 is nearly the same as EAP-MSCHAPv2, but authentication is done against a Radius instance.
|
||||
We assume you have read the first part at
|
||||
:doc:`how-tos/ipsec-rw`
|
||||
|
||||
----------------------------
|
||||
Step 1 - Create Certificates
|
||||
----------------------------
|
||||
|
||||
For EAP-RADIUS with IKEv2 you need to create a Root CA and a server certificate for your Firewall.
|
||||
|
||||
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
|
||||
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
|
||||
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
|
||||
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
|
||||
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
|
||||
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
|
||||
|
||||
If you already have a CA roll out a server certificate and import
|
||||
the CA itself via **System->Trust->Authorities** and the certificate with the key in
|
||||
**System->Trust->Certificates**.
|
||||
|
||||
---------------------
|
||||
Step 2 - Setup Radius
|
||||
---------------------
|
||||
|
||||
If you already have a local Radius server, add a new client with the IP address of your Firewall,
|
||||
set a shared secret, go to OPNsense UI to **System->Access->Servers** and add a new instance:
|
||||
|
||||
============================ ================ ====================================
|
||||
**Descriptive Name** Name *Give it a name*
|
||||
**Type** Radius *This is what we want*
|
||||
**Hostname or IP Address** Radius IP *Set the IP of your Radius server*
|
||||
**Shared Secret** s3cureP4ssW0rd *Choose a secure password*
|
||||
============================ ================ ====================================
|
||||
|
||||
When you do not have an own Radius instance just use the OPNsense plugin and follow this guide:
|
||||
:doc:`how-tos/freeradius`
|
||||
|
||||
-----------------------
|
||||
Step 3 - Mobile Clients
|
||||
-----------------------
|
||||
First we will need to setup the mobile clients network and authentication source.
|
||||
Go to **VPN->IPsec->Mobile Clients**
|
||||
|
||||
For our example will use the following settings:
|
||||
|
||||
IKE Extensions
|
||||
--------------
|
||||
========================== ============== ================================================
|
||||
**Enable** checked *check to enable mobile clients*
|
||||
**User Authentication** Nothing *As we use Radius, no need to select anything*
|
||||
**Group Authentication** none *Leave on none*
|
||||
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
|
||||
========================== ============== ================================================
|
||||
|
||||
You can select other options, but we will leave them all unchecked for this example.
|
||||
|
||||
**Save** your settings and select **Create Phase1** when it appears.
|
||||
Then enter the Mobile Client Phase 1 setting.
|
||||
|
||||
-------------------------------
|
||||
Step 4 - Phase 1 Mobile Clients
|
||||
-------------------------------
|
||||
|
||||
Phase 1 General information
|
||||
---------------------------
|
||||
========================== ============= ==================================================
|
||||
**Connection method** default *default is 'Start on traffic'*
|
||||
**Key Exchange version** V2 *only V2 is supported for EAP-RADIUS*
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Description** MobileIPsec *freely chosen description*
|
||||
========================== ============= ==================================================
|
||||
|
||||
Phase 1 proposal (Authentication)
|
||||
---------------------------------
|
||||
=========================== ==================== =============================================
|
||||
**Authentication method** EAP-RADIUS *This is the method we want here*
|
||||
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
|
||||
**My Certificate** Certificate *Choose the certificate from dropdown list*
|
||||
=========================== ==================== =============================================
|
||||
|
||||
Phase 1 proposal (Algorithms)
|
||||
-----------------------------
|
||||
========================== ================ ============================================
|
||||
**Encryption algorithm** AES *For our example we will use AES/256 bits*
|
||||
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
|
||||
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== ================ ============================================
|
||||
|
||||
Advanced Options are fine by default.
|
||||
|
||||
**Save** your settings.
|
||||
|
||||
-------------------------------
|
||||
Step 5 - Phase 2 Mobile Clients
|
||||
-------------------------------
|
||||
Press the button that says '+ Show 0 Phase-2 entries'
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
|
||||
:width: 100%
|
||||
|
||||
You will see an empty list:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
|
||||
:width: 100%
|
||||
|
||||
Now press the *+* at the right of this list to add a Phase 2 entry.
|
||||
|
||||
General information
|
||||
-------------------
|
||||
================= =============== =============================
|
||||
**Mode** Tunnel IPv4 *Select Tunnel mode*
|
||||
**Description** MobileIPsecP2 *Freely chosen description*
|
||||
================= =============== =============================
|
||||
|
||||
Local Network
|
||||
-------------
|
||||
=================== ============ ==============================
|
||||
**Local Network** LAN subnet *Route the local LAN subnet*
|
||||
=================== ============ ==============================
|
||||
|
||||
Phase 2 proposal (SA/Key Exchange)
|
||||
----------------------------------
|
||||
=========================== ============== ====================================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For this example we use AES 256*
|
||||
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
|
||||
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
|
||||
**Lifetime** 3600 sec
|
||||
=========================== ============== ====================================================
|
||||
|
||||
**Save** your settings and **Enable IPsec**, Select:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
|
||||
:width: 100%
|
||||
|
||||
.. Note::
|
||||
|
||||
If you already had IPsec enabled and added Road Warrior setup, it is important to
|
||||
restart the whole service via services widget in the upper right corner of IPSec pages
|
||||
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
|
||||
reloads it, but a restart also loads the required modules of strongSwan.
|
||||
|
||||
------------------------
|
||||
Step 6 - Add IPsec Users
|
||||
------------------------
|
||||
|
||||
Go to your RADIUS management console and start adding users!
|
||||
If you are using our FreeRADIUS plugin follow the official guide:
|
||||
:doc:`how-tos/freeradius`
|
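Review bot: the cross references `:doc:`how-tos/ipsec-rw`` and `:doc:`how-tos/freeradius`` are relative targets, and Sphinx resolves a relative `:doc:` from the directory of the current file; since this file itself lives in source/manual/how-tos/, they resolve to how-tos/how-tos/ipsec-rw and how-tos/how-tos/freeradius and will be reported as unknown documents unless such a directory exists. Use `:doc:`ipsec-rw`` and `:doc:`freeradius`` (or absolute `/manual/how-tos/...` paths). In the Phase 1 and Phase 2 algorithm tables, "**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*" and "**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*" put a 1024-bit group and SHA1 into the gateway's proposal; the guide should state that these rows exist only for old clients, that any client can then negotiate down to them, and that 2048 bit and SHA256 alone are the setting to keep once every client supports them. Typos: "Hash algoritm" should be "Hash algorithm" and "**System->Diagnostics->Services->Strogswan**" should be "Strongswan".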
146
source/manual/how-tos/ipsec-rw-srv-eaptls.rst
Normal file
@ -0,0 +1,146 @@
|
||||
=======================================
|
||||
IPsec: Setup OPNsense for IKEv2 EAP-TLS
|
||||
=======================================
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
EAP-TLS via IKEv2 is based on client certificate authentication.
|
||||
Be sure to install the client certificate on your enduser device.
|
||||
|
||||
----------------------------
|
||||
Step 1 - Create Certificates
|
||||
----------------------------
|
||||
|
||||
For EAP-TLS with IKEv2 you need to create a Root CA and a server certificate for your Firewall.
|
||||
|
||||
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
|
||||
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
|
||||
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
|
||||
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
|
||||
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
|
||||
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
|
||||
|
||||
If you already have a CA roll out a server certificate and import
|
||||
the CA itself via **System->Trust->Authorities** and the certificate with the key in
|
||||
**System->Trust->Certificates**.
|
||||
|
||||
-----------------------
|
||||
Step 2 - Mobile Clients
|
||||
-----------------------
|
||||
First we will need to setup the mobile clients network and authentication source.
|
||||
Go to **VPN->IPsec->Mobile Clients**
|
||||
|
||||
For our example we will use the following settings:
|
||||
|
||||
IKE Extensions
|
||||
--------------
|
||||
========================== ================ =============================================
|
||||
**Enable** checked *check to enable mobile clients*
|
||||
**User Authentication** Local Database *For the example we use the Local Database*
|
||||
**Group Authentication** none *Leave on none*
|
||||
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
|
||||
========================== ================ =============================================
|
||||
|
||||
You can select other options, but we will leave them all unchecked for this example.
|
||||
|
||||
**Save** your settings and select **Create Phase1** when it appears.
|
||||
Then enter the Mobile Client Phase 1 setting.
|
||||
|
||||
-------------------------------
|
||||
Step 3 - Phase 1 Mobile Clients
|
||||
-------------------------------
|
||||
|
||||
Phase 1 General information
|
||||
---------------------------
|
||||
========================== ============= ==================================================
|
||||
**Connection method** default *default is 'Start on traffic'*
|
||||
**Key Exchange version** V2 *only V2 is supported for EAP-TLS*
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Description** MobileIPsec *freely chosen description*
|
||||
========================== ============= ==================================================
|
||||
|
||||
Phase 1 proposal (Authentication)
|
||||
---------------------------------
|
||||
=========================== ==================== =============================================
|
||||
**Authentication method** EAP-TLS *This is the method we want here*
|
||||
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
|
||||
**My Certificate** Certificate *Choose the certificate from dropdown list*
|
||||
=========================== ==================== =============================================
|
||||
|
||||
.. Note::
|
||||
|
||||
Some clients require RSA as remote like Strongswan Android App. If you encounter problem with
|
||||
your client devices replace **Authentication method** to **RSA (local) + EAP-TLS (remote)**
|
||||
|
||||
Phase 1 proposal (Algorithms)
|
||||
-----------------------------
|
||||
========================== ================ ============================================
|
||||
**Encryption algorithm** AES *For our example we will use AES/256 bits*
|
||||
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
|
||||
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== ================ ============================================
|
||||
|
||||
Advanced Options are fine by default.
|
||||
|
||||
**Save** your settings.
|
||||
|
||||
-------------------------------
|
||||
Step 3 - Phase 2 Mobile Clients
|
||||
-------------------------------
|
||||
Press the button that says '+ Show 0 Phase-2 entries'
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
|
||||
:width: 100%
|
||||
|
||||
You will see an empty list:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
|
||||
:width: 100%
|
||||
|
||||
Now press the *+* at the right of this list to add a Phase 2 entry.
|
||||
|
||||
General information
|
||||
-------------------
|
||||
================= =============== =============================
|
||||
**Mode** Tunnel IPv4 *Select Tunnel mode*
|
||||
**Description** MobileIPsecP2 *Freely chosen description*
|
||||
================= =============== =============================
|
||||
|
||||
Local Network
|
||||
-------------
|
||||
=================== ============ ==============================
|
||||
**Local Network** LAN subnet *Route the local LAN subnet*
|
||||
=================== ============ ==============================
|
||||
|
||||
Phase 2 proposal (SA/Key Exchange)
|
||||
----------------------------------
|
||||
=========================== ============== ====================================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For this example we use AES 256*
|
||||
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
|
||||
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
|
||||
**Lifetime** 3600 sec
|
||||
=========================== ============== ====================================================
|
||||
|
||||
**Save** your settings and **Enable IPsec**, Select:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
|
||||
:width: 100%
|
||||
|
||||
.. Note::
|
||||
|
||||
If you already had IPsec enabled and added Road Warrior setup, it's important to
|
||||
restart the whole service via services widget in the upper right corner of IPSec pages
|
||||
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
|
||||
reloads it, but a restart also loads the required modules of strongSwan.
|
||||
|
||||
------------------------
|
||||
Step 4 - Add IPsec Users
|
||||
------------------------
|
||||
|
||||
Go to **System->Trust->Certificates** and create a new client certificate.
|
||||
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
|
||||
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
|
||||
certificate as PKCS12 and export it to your end user device.
|
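Review bot: the step numbering runs "Step 3 - Phase 1 Mobile Clients", "Step 3 - Phase 2 Mobile Clients", "Step 4 - Add IPsec Users"; Phase 2 should be Step 4 and the user step Step 5. The IKE Extensions table selects "**User Authentication** Local Database *For the example we use the Local Database*", yet Step 4 creates only a client certificate and no local user; if EAP-TLS authenticates purely by certificate this row should say the database is unused, otherwise the user creation step is missing. The note "Some clients require RSA as remote like Strongswan Android App ... replace **Authentication method** to **RSA (local) + EAP-TLS (remote)**" and the Android guide in the same commit ("For EAP-TLS choose RSA (local)+ EAP-TLS (remote)") pull in different directions; pick one value as the table default and present the other as the alternative. In Step 4, "Download the newly created certificate as PKCS12 and export it to your end user device" should repeat the transport advice the Android guide gives ("in a secure way"), because the PKCS12 bundle contains the client's private key. Also "enduser device" should be "end user device" and "Services->Strogswan" should be "Strongswan".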
175
source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst
Normal file
@ -0,0 +1,175 @@
|
||||
===========================================
|
||||
IPsec: Setup OPNsense for IKEv1 using XAuth
|
||||
===========================================
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
XAuth was an addition to IKEv1 supporting user authentication credentials additionally to
|
||||
pre-shared keys or certificates. There are three different types supported by OPNsense which
|
||||
we will describe here.
|
||||
|
||||
Mutual PSK + XAuth: You define a pre-shared key which is the same for every user and after securing
|
||||
the channel the user authentication via XAuth comes into play.
|
||||
Mutual RSA + XAuth: Instead of using a pre-shared key, every device needs a client certificate to secure
|
||||
the connection plus XAuth for authentication. This is the most secure variant for IKEv1/XAuth but also
|
||||
with the most work to do.
|
||||
Hybrid RSA + XAuth: Hybrid RSA is the same as Mutual, without the need for a client certificate. Only
|
||||
the server will be authenticated (like using HTTPS) to prevent man-in-the-middle attacks like with
|
||||
Mutual PSK. It is more secure than PSK but does not need the complete roll-out process like with Mutual RSA.
|
||||
|
||||
We assume you have read the first part at
|
||||
:doc:`how-tos/ipsec-rw`
|
||||
|
||||
----------------------------------------------------
|
||||
Step 1 - Create Certificates (only for RSA variants)
|
||||
----------------------------------------------------
|
||||
|
||||
For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate
|
||||
for your Firewall.
|
||||
|
||||
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
|
||||
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
|
||||
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
|
||||
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
|
||||
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
|
||||
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
|
||||
|
||||
If you already have a CA roll out a server certificate and import
|
||||
the CA itself via **System->Trust->Authorities** and the certificate with the key in
|
||||
**System->Trust->Certificates**.
|
||||
|
||||
-----------------------
|
||||
Step 2 - Mobile Clients
|
||||
-----------------------
|
||||
First we will need to setup the mobile clients network and authentication source.
|
||||
Go to **VPN->IPsec->Mobile Clients**
|
||||
|
||||
For our example will use the following settings:
|
||||
|
||||
IKE Extensions
|
||||
--------------
|
||||
========================== ================ =============================================
|
||||
**Enable** checked *check to enable mobile clients*
|
||||
**User Authentication** Local Database *For the example we use the Local Database*
|
||||
**Group Authentication** none *Leave on none*
|
||||
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
|
||||
========================== ================ =============================================
|
||||
|
||||
You can select other options, but we will leave them all unchecked for this example.
|
||||
|
||||
**Save** your settings and select **Create Phase1** when it appears.
|
||||
Then enter the Mobile Client Phase 1 setting.
|
||||
|
||||
-------------------------------
|
||||
Step 3 - Phase 1 Mobile Clients
|
||||
-------------------------------
|
||||
|
||||
Phase 1 General information
|
||||
---------------------------
|
||||
========================== ============= ==================================================
|
||||
**Connection method** default *default is 'Start on traffic'*
|
||||
**Key Exchange version** V1 *XAuth only works on V1*
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Description** MobileIPsec *freely chosen description*
|
||||
========================== ============= ==================================================
|
||||
|
||||
Phase 1 proposal (Authentication)
|
||||
---------------------------------
|
||||
=========================== ==================== ==========================================================================
|
||||
**Authentication method** XAuth *Choose one of the three available options*
|
||||
**Negotiation mode** Main Mode *Use Main Mode here*
|
||||
**My identifier** Distinguished Name *Set the FQDN you used within certificate, for PSK use "My IP address"*
|
||||
**Pre-shared Key** Shared secret *For Mutual PSK + XAuth use this PSK, otherwise certificate below*
|
||||
**My Certificate** Certificate *Choose the certificate from dropdown list, only valid for RSA variants*
|
||||
=========================== ==================== ==========================================================================
|
||||
|
||||
Phase 1 proposal (Algorithms)
|
||||
-----------------------------
|
||||
========================== ================ ============================================
|
||||
**Encryption algorithm** AES *For our example we will use AES/256 bits*
|
||||
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
|
||||
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== ================ ============================================
|
||||
|
||||
Advanced Options are fine by default.
|
||||
|
||||
**Save** your settings.
|
||||
|
||||
-------------------------------
|
||||
Step 3 - Phase 2 Mobile Clients
|
||||
-------------------------------
|
||||
Press the button that says '+ Show 0 Phase-2 entries'
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
|
||||
:width: 100%
|
||||
|
||||
You will see an empty list:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
|
||||
:width: 100%
|
||||
|
||||
Now press the *+* at the right of this list to add a Phase 2 entry.
|
||||
|
||||
General information
|
||||
-------------------
|
||||
================= =============== =============================
|
||||
**Mode** Tunnel IPv4 *Select Tunnel mode*
|
||||
**Description** MobileIPsecP2 *Freely chosen description*
|
||||
================= =============== =============================
|
||||
|
||||
Local Network
|
||||
-------------
|
||||
=================== ============ ==============================
|
||||
**Local Network** LAN subnet *Route the local LAN subnet*
|
||||
=================== ============ ==============================
|
||||
|
||||
Phase 2 proposal (SA/Key Exchange)
|
||||
----------------------------------
|
||||
=========================== ============== ====================================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For this example we use AES 256*
|
||||
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
|
||||
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
|
||||
**Lifetime** 3600 sec
|
||||
=========================== ============== ====================================================
|
||||
|
||||
**Save** your settings and **Enable IPsec**, Select:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
|
||||
:width: 100%
|
||||
|
||||
.. Note::
|
||||
|
||||
If you already had IPsec enabled and added Road Warrior setup, it is important to
|
||||
restart the whole service via services widget in the upper right corner of IPSec pages
|
||||
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
|
||||
reloads it, but a restart also loads the required modules of strongSwan.
|
||||
|
||||
------------------------
|
||||
Step 4 - Add IPsec Users
|
||||
------------------------
|
||||
|
||||
Go to **System->Access->Users** and press the **+** sign in the lower right corner
|
||||
to add a new user.
|
||||
|
||||
Enter the following into the form:
|
||||
|
||||
=============== ==========
|
||||
**User Name** expert
|
||||
**Password** &test!9T
|
||||
=============== ==========
|
||||
|
||||
**Save** to apply.
|
||||
|
||||
------------------------------------------------
|
||||
Step 5 - Add client certificate (for Mutual RSA)
|
||||
------------------------------------------------
|
||||
|
||||
This step is only needed for Mutual RSA + XAuth!
|
||||
|
||||
Go to **System->Trust->Certificates** and create a new client certificate.
|
||||
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
|
||||
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
|
||||
certificate as PKCS12 and export it to you enduser device.
|
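Review bot: the introduction's "Only the server will be authenticated (like using HTTPS) to prevent man-in-the-middle attacks like with Mutual PSK" reads as if Mutual PSK also prevents them, while the intended meaning is the reverse: with a key shared by every user, any holder of that key can pose as the gateway, which the server certificate in Hybrid RSA rules out. Rephrase to "... to prevent the man-in-the-middle attacks that are possible with Mutual PSK, where every user shares the same key." Step numbering repeats "Step 3" for both Phase 1 and Phase 2 before continuing with Step 4 and Step 5; renumber. In the Phase 1 authentication table, "**Authentication method** XAuth *Choose one of the three available options*" should list the three variants the introduction names (Mutual PSK + XAuth, Mutual RSA + XAuth, Hybrid RSA + XAuth) so the reader can map the dropdown to the variant being configured. Typos: "export it to you enduser device" should be "to your end user device", "Hash algoritm" should be "Hash algorithm", "Services->Strogswan" should be "Strongswan".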
151
source/manual/how-tos/ipsec-rw-srv-mschapv2.rst
Normal file
@ -0,0 +1,151 @@
============================================
IPsec: Setup OPNsense for IKEv2 EAP-MSCHAPv2
============================================

.. contents:: Index

EAP-MSCHAPv2 via IKEv2 is the most compatible combination.
We assume you have read the first part at
:doc:`how-tos/ipsec-rw`

----------------------------
Step 1 - Create Certificates
----------------------------

For EAP-MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
for your Firewall.

Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.

If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.

-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**

For our example will use the following settings:

IKE Extensions
--------------
========================== ================ =============================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Local Database *For the example we use the Local Database*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ================ =============================================

You can select other options, but we will leave them all unchecked for this example.

**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.

-------------------------------
Step 3 - Phase 1 Mobile Clients
-------------------------------

Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *only V2 is supported for EAP-MSCHAPv2*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================

Phase 1 proposal (Authentication)
---------------------------------
=========================== ==================== =============================================
**Authentication method** EAP-MSCHAPv2 *This is the method we want here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
**My Certificate** Certificate *Choose the certificate from dropdown list*
=========================== ==================== =============================================

Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================

Advanced Options are fine by default.

**Save** your settings.

-------------------------------
Step 3 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'

.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%

You will see an empty list:

.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%

Now press the *+* at the right of this list to add a Phase 2 entry.

General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================

Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================

Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================

**Save** your settings and **Enable IPsec**, Select:

.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%

.. Note::

If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.

------------------------
Step 4 - Add IPsec Users
------------------------

Go to **VPN->IPsec->Pre-Shared Keys** and press **Add**.

Enter the following into the form:

==================== ==========
**Identifier** expert
**Pre-Shared Key** &test!9T
**Type** EAP
==================== ==========


**Save** to apply and you are done here.
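Review bot: the Phase 1 and Phase 2 algorithm tables list SHA1 and a 1024-bit DH group "for compatibility" and set PFS to off without saying these are legacy fallbacks; state that SHA256 with a 2048-bit (or stronger) group and PFS enabled is the intended configuration, and that SHA1, the 1024-bit group and PFS off should only be added when a specific client is known to require them, otherwise readers will copy the weakest settings as the default. Also in this hunk: both the Phase 1 and the Phase 2 sections are titled "Step 3", so the users section should become Step 5; "Hash algoritm" and "Strogswan" are misspelled; "For our example will use" is missing "we"; and the final table should say that a "Pre-Shared Key" entry of type EAP holds the user's login password, since the field name suggests a shared secret.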
154
source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst
Normal file
@ -0,0 +1,154 @@
=====================================================
IPsec: Setup OPNsense for IKEv2 Mutual RSA + MSCHAPv2
=====================================================

.. contents:: Index

Mutual RSA + MSCHAPv2 via IKEv2 is based on client certificate authentication combined with username
and password via MSCHAPv2.
Be sure that the client certificate is installed on your users device.

----------------------------
Step 1 - Create Certificates
----------------------------

For Mutual RSA + MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
for your Firewall.

Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.

If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.

-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**

For our example will use the following settings:

IKE Extensions
--------------
========================== ================ =============================================
**Enable** checked *check to enable mobile clients*
**User Authentication** Local Database *For the example we use the Local Database*
**Group Authentication** none *Leave on none*
**Virtual Address Pool** 10.10.0.0/24 *Enter the IP range for the remote clients*
========================== ================ =============================================

You can select other options, but we will leave them all unchecked for this example.

**Save** your settings and select **Create Phase1** when it appears.
Then enter the Mobile Client Phase 1 setting.

-------------------------------
Step 3 - Phase 1 Mobile Clients
-------------------------------

Phase 1 General information
---------------------------
========================== ============= ==================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *only V2 is supported for this type*
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Description** MobileIPsec *freely chosen description*
========================== ============= ==================================================

Phase 1 proposal (Authentication)
---------------------------------
=========================== ======================= ============================================
**Authentication method** Mutual RSA + MSCHAPv2 *This is the method we want here*
**My identifier** Distinguished Name *Set the FQDN you used within certificate*
**My Certificate** Certificate *Choose the certificate from dropdown list*
=========================== ======================= ============================================


Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================

Advanced Options are fine by default.

**Save** your settings.

-------------------------------
Step 3 - Phase 2 Mobile Clients
-------------------------------
Press the button that says '+ Show 0 Phase-2 entries'

.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%

You will see an empty list:

.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:width: 100%

Now press the *+* at the right of this list to add a Phase 2 entry.

General information
-------------------
================= =============== =============================
**Mode** Tunnel IPv4 *Select Tunnel mode*
**Description** MobileIPsecP2 *Freely chosen description*
================= =============== =============================

Local Network
-------------
=================== ============ ==============================
**Local Network** LAN subnet *Route the local LAN subnet*
=================== ============ ==============================

Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============== ====================================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For this example we use AES 256*
**Hash algorithms** SHA1, SHA256 *Same as before, mix SHA1 and SHA256*
**PFS Key group** off *Most mobile systems do not support PFS in Phase2*
**Lifetime** 3600 sec
=========================== ============== ====================================================

**Save** your settings and **Enable IPsec**, Select:

.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%

.. Note::

If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strogswan** since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.

------------------------
Step 4 - Add IPsec Users
------------------------

Go to **System->Trust->Certificates** and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to you enduser device.


Switch to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
Enter the following into the form:

==================== ==========
**Identifier** expert
**Pre-Shared Key** &test!9T
**Type** EAP
==================== ==========
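Review bot: apart from the title, the intro, the authentication method row and Step 4, this file repeats ipsec-rw-srv-mschapv2.rst line for line and already inherits its defects (two sections numbered "Step 3", "Hash algoritm", "Strogswan", the missing "we" in "For our example will use"); consider keeping the shared Step 1 to Step 3 text in one place, for example pulled in with an ".. include::" directive or as one page with a per-method section, so a fix lands once. The hunk also ends on the Pre-Shared Keys table with no closing "Save" instruction, unlike the EAP-MSCHAPv2 page, and "export it to you enduser device" repeats the typo from ipsec-rw-android.rst; as there, the sentence should mention that the PKCS12 file carries the private key and needs a passphrase and a trusted transfer path.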
63
source/manual/how-tos/ipsec-rw-w7.rst
Normal file
@ -0,0 +1,63 @@
==================================
IPsec: Setup Windows Remote Access
==================================

.. contents:: Index

Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.

The tests were done with Windows 7 and 10.

All screenshot were taken from **Network and Sharing Center->Change adapter settings**.

---------------------------
Step 1 - Install Certificte
---------------------------

Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority.
Hit the Windows Start button and type *mmc* in search box. Go to **File->Add/Remove Snap-In**.
Choose **Certificates->Add->Computer account**.
Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click,
**All taks** and import. Select the Root CA and install.

If you are using client certificates for authentication (e.g EAP-TLS) use a PKCS12/PFX and install
it under **Personal** instead of **Trusted Root Certificate Authorities**. All included certificates
will be installed in the correct folders.

.. image:: images/ipsec-rw-w7-cert.png
:width: 60%

---------------------------
Step 2 - Add VPN Connection
---------------------------

Add a new VPN connection via **Network and Sharing Center** and choose as **Internet Address**
the correct FQDN. This is imporatant when using certificates since the FQDN of your connection
and the one in the certificate has to match!
Then set a **Username** and **Password** and leave **Domain** emtpy.

-------------------
Step 3 - Finetuning
-------------------

Via **Network and Sharing Center** go to **Change adapter settings** and open the properties
of your newly created adapter. Check that the FQDN is correct:

.. image:: images/ipsec-rw-w7-1.png
:width: 60%

On tab **Networking** in IPv4 configuration under **Advanced** is the option **Use defaut gateway on remote network**.
If this option is enabled, all traffic will be sent through the VPN (if IPsec SA matches). When unchecked, you have
to set specific routes sent via VPN.

.. image:: images/ipsec-rw-w7-2.png
:width: 60%

----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------

.. image:: images/ipsec-rw-w7-eapmschap.png
:width: 60%
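Review bot: the "IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS" section at the end is a screenshot with no text; add at least a sentence naming the settings the reader has to pick (VPN type and authentication method in the adapter's Security tab) so the page stays usable without the image. In Step 1 the opening sentence does not follow ("Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority"): the Root CA is needed so that Windows can validate the server certificate the firewall presents during IKEv2, and the text should say so, otherwise readers may skip the step. Typos: "Certificte" in the Step 1 heading (adjust the underline length with it), "All taks" (All Tasks), "Open **Certificate**" (Certificates), "All screenshot were", "imporatant", "emtpy", "defaut".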
123
source/manual/how-tos/ipsec-rw.rst
Normal file
@ -0,0 +1,123 @@
==========================
IPsec: Setup Remote Access
==========================

.. contents:: Index

-----
Intro
-----

Road Warriors are remote users who need secure access to the company's infrastructure.
IPsec Mobile Clients offer a solution that is easy to setup and comptabile with most current devices.

With this guide we will show you how to configure the server side on OPNsense with the different
authentication methods e.g.

* EAP-MSCHAPv2
* Mutual-PSK + XAuth
* Mutual-RSA + XAuth
* ...


.. Note::

For the sample we will use a private ip for our WAN connection.
This requires us to disable the default block rule on WAN to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
*(Don't forget to save and apply)*

.. image:: images/block_private_networks.png

------------
Sample Setup
------------
All configuration examples are based on the following setup, please read this carefully
as all guides depend on it.

**Company Network with Remote Client**

.. nwdiag::
:scale: 100%

nwdiag {

span_width = 90;
node_width = 180;
Internet [shape = "cisco.cloud"];
fileserver [label="File Server",shape="cisco.fileserver",address="192.168.1.10"];
fileserver -- switchlan;

network LAN {
switchlan [label="",shape = "cisco.workgroup_switch"];
label = " LAN";
address ="192.168.1.1.x/24";
fw1 [address="192.168.1.1/24"];
}

network WAN {
label = " WAN";
fw1 [shape = "cisco.firewall", address="172.18.0.164"];
Internet;
}

network Remote {
Internet;
laptop [address="172.10.10.55 (WANIP),10.10.0.1 (IPsec)",label="Remote User",shape="cisco.laptop"];
}
}

Company Network
---------------
==================== =============================
**Hostname** fw1
**WAN IP** 172.18.0.164
**LAN IP** 192.168.1.0/24
**LAN DHCP Range** 192.168.1.100-192.168.1.200
**IPsec Clients** 10.10.0.0/24
==================== =============================


---------------------------
Firewall Rules Mobile Users
---------------------------
To allow IPsec Tunnel Connections, the following should be allowed on WAN.

* Protocol ESP
* UDP Traffic on Port 500 (ISAKMP)
* UDP Traffic on Port 4500 (NAT-T)

.. image:: images/ipsec_wan_rules.png
:width: 100%

To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface.

.. image:: images/ipsec_ipsec_lan_rule.png
:width: 100%

-----------------
VPN compatibility
-----------------

In the next table you can see the existing VPN authentication mechanisms and which client
operating systems support it, with links to their configurations.
For Linux testing was done with Ubuntu 18.4 Desktop and *network-manager-strongswan* and
*libcharon-extra-plugins* installed.
As Andoid does not support IKEv2 yet we added notes for combinations with strongSwan
app installed to have a broader compatibility for all systems.
Mutual RSA and PSK without XAuth requires L2TP, since this legacy technology is
very error prone we will not cover it here.

.. csv-table:: VPN combinations
:header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config"
:widths: 40, 20, 20, 20, 20, 20, 20, 20

"IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 EAP-MSCHAPv2","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-mschapv2`"
"IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-rsamschapv2`"
"IKEv2 EAP-RADIUS","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eapradius`"
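Review bot: the nwdiag LAN block has address ="192.168.1.1.x/24", which is not a valid address (192.168.1.x/24 is evidently meant), and the Company Network table gives "LAN IP 192.168.1.0/24" while the diagram gives fw1 192.168.1.1/24; either rename that row to "LAN subnet" or put the firewall's address in it, because every following guide is declared to depend on these values. The note on unchecking "Block private networks" should say explicitly that this is only for the lab setup with a private WAN address and that the rule stays enabled on a real WAN, since a reader following the steps will otherwise carry it into production. The compatibility table marks IKEv2 EAP-TLS as "N" for Win7/Win10 while ipsec-rw-w7.rst Step 1 describes installing client certificates for EAP-TLS; one of the two should be corrected. Typos: "comptabile", "Andoid", "Ubuntu 18.4" (18.04), "IOS" (iOS) in the table header, "easy to setup" (set up).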