Your configuration looks reasonable. You should upgrade to 6.0. You could replace the local network range with 0.0.0.0/0 to limit the flow less. I've found that config address with a range doesn't work as expected with multiple clients. Below is an example of a working config using machine certs for Windows clients, including Windows 10.
ikev2 passive esp \
        from 0.0.0.0/0 to 192.168.40.2 local 1.2.3.4 peer any \
        srcid "asn1_dn of server cert" dstid "asn1_dn of client cert" \
        config address 192.168.40.2 \
        config name-server 10.0.0.4

On Mar 10, 2017 7:58 AM, "Roberto Katalinic" <[email protected]> wrote:
> I have a few remote workers with Windows 10 and would like to move them to
> IKEv2 VPN.
>
> On my gateway (OpenBSD 5.7) the iked.conf file is:
> ikev2 "IKEv2 DIAL-IN" passive esp \
>         from 192.168.10.0/24 to 192.168.40.0/24 \
>         local 1.2.3.4 peer 0.0.0.0/0 \
>         srcid 1.2.3.4 \
>         config access-server 192.168.10.10 \
>         config name-server 192.168.10.21 \
>         config address 192.168.40.0/24
>
> My remote client is configured like this:
> VPN Type: IKEv2
> Data encryption: Optional
> Authentication: Use machine Certificates (no EAP)
>
> My PF rules contain the following lines which are definitely not overruled by
> any rules further down the line:
> set skip on {lo,enc0}
> pass in on egress proto udp from any to any port {500,4500}
> pass in on egress proto {ah,esp}
>
> When the client attempts connection, the SA is configured and Windows reports
> the connection as established. It also acquires an IP address and the DNS
> server as specified in the iked.conf file:
>
> PPP adapter EDGE:
>    Connection-specific DNS Suffix . :
>    Description . . . . . . . . . . . : EDGE
>    Physical Address. . . . . . . . . :
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    IPv4 Address. . . . . . . . . . . : 192.168.40.87(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.255
>    Default Gateway . . . . . . . . . :
>    DNS Servers . . . . . . . . . . . : 192.168.10.21
>    NetBIOS over Tcpip. . . . . . . . : Enabled
>
> My gateway also reports the connection as established and the SA is shown by
> ipsecctl -sa:
> FLOWS:
> flow esp in from 192.168.40.87 to 192.168.10.0/24 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
> flow esp out from 192.168.10.0/24 to 192.168.40.87 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
> flow esp out from ::/0 to ::/0 type deny
>
> SAD:
> esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x7a8197f6 auth hmac-sha1 enc aes-256
> esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x926fb219 auth hmac-sha1 enc aes-256
>
> Output from iked -dvvv:
> ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 4
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xe7ce691f
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 192.168.40.34 end 192.168.40.34
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 192.168.10.0 end 192.168.10.255
> ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:15573 msgid 1, 1452 bytes, NAT-T
> pfkey_sa_add: update spi 0xe7ce691f
> pfkey_sa: udpencap port 15573
> ikev2_childsa_enable: loaded CHILD SA spi 0xe7ce691f
> pfkey_sa_add: add spi 0xabf256a4
> pfkey_sa: udpencap port 15573
> ikev2_childsa_enable: loaded CHILD SA spi 0xabf256a4
> ikev2_childsa_enable: loaded flow 0x1166a0b99800
> ikev2_childsa_enable: loaded flow 0x1166a0b99400
> sa_state: VALID -> ESTABLISHED from 5.6.7.8:15573 to 1.2.3.4:4500 policy 'IKEv2 DIAL-IN'
>
>
> The problem is, from the remote worker, I cannot connect to any resources on
> the remote network. Pinging the remote gateway's internal IP address or the
> DNS server produces no replies.
>
> Equally, the gateway cannot ping the remote worker's IP address.
>
> tcpdump on the enc0 and pflog0 interfaces produces no results at all when
> creating traffic between the two.
>
> What am I missing?
>
>
>
> Kind regards,
>
> Roberto Katalinic
> 07460663373
>
> kliker IT
> www.kliker.it
> 08455442033
>
> Information contained in this e-mail is intended for the use of the addressee
> only, and is confidential and may be the subject of Legal Professional
> Privilege. Any dissemination, distribution, copying or use of this
> communication without prior permission of the addressee is strictly
> prohibited. The contents of an attachment to this e-mail may contain software
> viruses which could damage your own computer system. While Kliker IT Services
> Ltd. has taken every reasonable precaution to minimise this risk, we cannot
> accept liability for any damage which you sustain as a result of software
> viruses. You should carry out your own virus checks before opening the
> attachment. Registered Office: New House, South Grove, Petworth, GU280ED.
> Company Number: 8206089. Company Registered in England and Wales.
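As an added illustration that is not part of the thread and not either poster's words or code: a small Python script that parses the FLOWS block of `ipsecctl -sa` and reports whether a client/host pair is covered by an installed flow in both directions. When the SA is ESTABLISHED but nothing shows on enc0, the usual cause is that the packets being sent are simply not matched by any flow, so they are neither encrypted nor logged there; this check makes that visible without guessing. The first sample is constructed to match the FLOWS lines quoted above; the second is my assumption of what the reply's `from 0.0.0.0/0 to 192.168.40.2` policy installs for one client, not output taken from the thread. The first-match lookup is a simplification; it does not model the kernel SPD lookup, which is fine for disjoint selectors like these.

```python
"""Added example (not from the thread): parse the FLOWS block of
`ipsecctl -sa` and ask which installed flows would carry a given packet.

Answers the practical question behind the thread: do the gateway's flows
actually cover the hosts the client is trying to reach?  A packet that no
flow covers is not handled by IPsec at all and never appears on enc0."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample, shaped like the FLOWS block quoted in the thread
# (policy "from 192.168.10.0/24 to 192.168.40.0/24", client got .40.87).
FLOWS_NARROW = """\
FLOWS:
flow esp in from 192.168.40.87 to 192.168.10.0/24 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
flow esp out from 192.168.10.0/24 to 192.168.40.87 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny
"""

# Constructed sample (an assumption, not thread output) of what the reply's
# policy "from 0.0.0.0/0 to 192.168.40.2" would install for that one client.
FLOWS_WIDE = """\
FLOWS:
flow esp in from 192.168.40.2 to 0.0.0.0/0 peer 5.6.7.8 srcid IPV4/1.2.3.4 type use
flow esp out from 0.0.0.0/0 to 192.168.40.2 peer 5.6.7.8 srcid IPV4/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny
"""

# One "flow ..." line of ipsecctl -sa output; peer and srcid are optional
# (the catch-all deny flow has neither).
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?(?:\s+srcid\s+(?P<srcid>\S+))?\s+type\s+(?P<type>\S+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    direction: str
    src: Network
    dst: Network
    peer: Optional[str]
    type: str


def parse_flows(text: str) -> List[Flow]:
    """Parse every 'flow ...' line; FLOWS:, SAD: and SA lines are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m is None:
            continue
        flows.append(Flow(
            proto=m["proto"],
            direction=m["dir"],
            # A bare address is a host (/32) flow; strict=False also accepts
            # network selectors such as 192.168.10.0/24.
            src=ipaddress.ip_network(m["src"], strict=False),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            peer=m["peer"],
            type=m["type"],
        ))
    return flows


def find_flow(flows: List[Flow], direction: str, src: str, dst: str) -> Optional[Flow]:
    """First listed flow whose selectors cover src->dst in this direction,
    skipping address-family mismatches (the ::/0 deny flow never matches IPv4)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f.direction != direction or f.src.version != s.version:
            continue
        if s in f.src and d in f.dst:
            return f
    return None


def covered(flows: List[Flow], client: str, host: str) -> Dict[str, bool]:
    """Is client->host covered inbound (decrypt) and host->client covered
    outbound (encrypt)?  A 'deny' flow only drops, so it counts as not covered."""
    inbound = find_flow(flows, "in", client, host)
    outbound = find_flow(flows, "out", host, client)
    return {
        "in": inbound is not None and inbound.type != "deny",
        "out": outbound is not None and outbound.type != "deny",
    }


if __name__ == "__main__":
    for label, text, client in (("narrow", FLOWS_NARROW, "192.168.40.87"),
                                ("wide", FLOWS_WIDE, "192.168.40.2")):
        flows = parse_flows(text)
        for host in ("192.168.10.21", "10.0.0.4"):
            print(label, client, "<->", host, covered(flows, client, host))
```

On a live gateway, feed it the real output (for example `ipsecctl -sa | python3 checkflows.py`, after replacing the constructed samples with `sys.stdin.read()`) and test the exact client address Windows shows in ipconfig against the internal hosts being pinged; an address that is covered by no flow at all points at the policy's address selection rather than at pf or routing.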

