Another question arose in my random walk: How can I assign static IPs to more than one client?
I played around with DSTID but when I add DSTID to my policy then auth stops working.

ikev2 "roadWarrior" passive ipcomp esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        dstid "/C.../CN=win7/emailAddress=r...@123.com" \
        config address 10.0.1.123 \
        tag "$id" tap enc0

The only working way I have found is to assign a static IP to a specific peer (IP or network):

        local 4.5.6.88 peer 1.2.3.4/32
or
        local 4.5.6.88 peer 1.2.3.0/24

but this is NOT what I need. I need to do something like this:

        policy1, peer any, warrior1/CA1/ASN11, config address IP1
        policy2, peer any, warrior2/CA2,ASN12, config address IP2
        policy3, peer any, warrior3/CA3,ASN13, config address IP3
        ...
        policyN "catch the rest" .... config address 10.0.11/24 \

Any help appreciated!

On Fri, 28 Dec 2018 10:41:22 +0100
Radek <alee...@gmail.com> wrote:

> Hello,
>
> finally I solved my problem as follows:
> 1. Uncheck "use default gateway on remote network" in warrior (Windows)
> 2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0
> 10.0.1.123
> 3. Run route192.bat as administrator (when vpn connection is established)
> It works as expected, traffic to 192.168.2.0 goes through VPN, the rest
> through warrior's local gateway.
> # When using PPTP (npppd) I do not need to add extra route to "LAN behind
> VPNgateway" (2.) - it works by default. Why?
>
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive ipcomp esp \
>         from 192.168.2.0/24 to 10.0.1.0/24 \
>         local 4.5.6.88 peer any \
>         srcid 4.5.6.88 \
>         config address 10.0.1.123 \
>         tag "$id" tap enc0
>
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
> On Wed, 12 Dec 2018 21:45:25 +0100
> Radek <alee...@gmail.com> wrote:
>
> > Hello again,
> >
> > I am using PPTP VPN (npppd) and it works as expected on windows clients -
> > traffic to the "LAN behind that VPNgateway" is going through VPNgateway.
> > The "rest" is going through clients' gateway - DO NOT "use default gateway
> > on remote network".
> >
> > I have been playing around with iked.conf, pf.conf and ipsec.conf - still
> > cannot get it working in this manner.
> > I do not want to use OpenIKED as an internet gateway, VPN is needed only to
> > access "LAN behind that VPNgateway".
> >
> > Could someone please help me with this problem? Christmas is coming...
> >
> > Many thanks!
> >
> > On Fri, 7 Dec 2018 20:20:21 +0100
> > Radek <alee...@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > I am still almost at the same point.
> > > If I want to reach my GW88_LAN I have to check the "use default gateway on
> > > remote network" box (Windows roadwarrior), but this option makes me
> > > reach the internet through GW88.
> > >
> > > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and the roadwarrior's
> > > "local" gateway for the rest of the traffic - unchecked box "use default
> > > gateway on remote network".
> > > If the box is unchecked I am not able to access 192.168.2.0/24.
> > >
> > > What should I change in my confs to get it working in this manner?
> > >
> > > GW88# grep "^[^#;]" /etc/pf.conf
> > > set skip on {lo, enc}
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > > match out on egress from lan:network to any nat-to egress
> > > block log all
> > > pass out quick on egress inet received-on enc0 nat-to (egress)
> > > pass in on egress proto udp from any to (egress:0) port
> > > {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >
> > > GW88# grep "^[^#;]" /etc/iked.conf
> > > ikev2 "roadWarrior" passive esp \
> > >         from 0.0.0.0/0 to 10.0.1.0/24 \
> > >         from 192.168.2.0/24 to 10.0.1.0/24 \
> > >         local 4.5.6.88 peer any \
> > >         srcid 4.5.6.88 \
> > >         config address 10.0.1.0/24 \
> > >         config netmask 255.255.255.0 \
> > >         config name-server 8.8.8.8
> > >
> > > On Fri, 30 Nov 2018 15:06:28 +0100
> > > Radek <alee...@gmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > Thanks to all of you for your time and your help in this matter!
> > > > I think that the ISP of A.B.C.0/23 is filtering/blocking some
> > > > certificates.
> > > > I have moved VPN server and clients out of A.B.C.0/23. They can connect
> > > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect
> > > > to VPN serv.
> > > > Site-to-Site VPN is doing its job.
> > > >
> > > > The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY
> > > > if "use default gateway on remote network" is set.
> > > > I need to make road_warriors:
> > > > - reach GW88_LAN_machines 192.168.2.254/24
> > > > - reach GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > > - use their own gateway for the rest of traffic -
> > > >   unticked "use default gateway on remote network".
> > > >
> > > > I was playing around with iked.conf and pf.conf but I did not find the
> > > > way to make it work.
> > > > I will be grateful if anyone could help me with that.
> > > >
> > > > My network diagram and configs of GW88:
> > > >
> > > > GW88$ cat /etc/hostname.enc0
> > > > inet 10.0.1.254 255.255.255.0
> > > >
> > > > GW88$ cat /etc/iked.conf
> > > > #
> > > > ikev2 "roadWarrior" passive esp \
> > > >         from 192.168.2.0/24 to 10.0.1.0/24 \
> > > >         local 4.5.6.88 peer any \
> > > >         srcid 4.5.6.88 \
> > > >         config address 10.0.1.0/24
> > > > #
> > > > #
> > > > remote_gw_GW119 = "1.2.3.119" # fw_GW119
> > > > remote_lan_GW119_1 = "172.16.1.0/24"
> > > > remote_lan_GW119_2 = "172.16.2.0/24"
> > > >
> > > > local_gw_GW88_2 = "192.168.2.254"
> > > > local_lan_GW88_2 = "192.168.2.0/24"
> > > >
> > > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > > >         from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > > >         psk "pkspass"
> > > >
> > > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > > >         from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> > > >         psk "pskpass"
> > > >
> > > > GW88$ cat /etc/pf.conf
> > > > set skip on {lo, enc}
> > > >
> > > > match in all scrub (no-df random-id)
> > > > match out all scrub (no-df random-id)
> > > >
> > > > match out on egress from lan:network to any nat-to egress
> > > >
> > > > block log all
> > > > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> > > > pass in on egress proto {ah,esp}
> > > > pass out on egress
> > > > pass on lan
> > > >
> > > > table <bruteforce> persist counters
> > > > pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh \
> > > >         flags S/SA \
> > > >         set prio (6, 7) keep state \
> > > >         (max-src-conn 15, max-src-conn-rate 2/10, overload \
> > > >         <bruteforce> flush global)
> > > >
> > > > icmp_types = "{ echoreq, unreach }"
> > > > pass inet proto icmp all icmp-type $icmp_types
> > > >
> > > >
> > > >                  +------------+
> > > >                  |road_warrior|
> > > >        +---------+10.0.1.0/24 |
> > > >        |         +------------+
> > > >        |
> > > >      ikev2
> > > >        |
> > > >        |
> > > >        v
> > > >    4.5.6.88                                     1.2.3.119
> > > >  +---------+                                   +----------+
> > > >  |         |                                   |          |
> > > >  |  GW88   | <--+site-to-site VPN+------>      |  GW119   |
> > > >  +--+------+                                   +-------+--+
> > > >     |                                                  |
> > > >     +-----+192.168.1.254/24                            |
> > > >     |                                                  |
> > > >     |                                  172.16.1.254/24---+
> > > >     |                                                  |
> > > >     +---+-+192.168.2.254/24                            |
> > > >     |   |                                              |
> > > >     |   |   +-----------+                              |
> > > >     |   +---+192.168.2.1|            172.16.2.254/24---|
> > > >     |       +------------+
> > > >     |
> > > >     |----+192.168.3.254/24
> > > >
> > > > Thanks!
> > > >
> > > > On Thu, 8 Nov 2018 14:04:23 +0100
> > > > Radek <alee...@gmail.com> wrote:
> > > >
> > > > > I've been playing around with netcat.
> > > > > I noticed that the netcat process on my VPN_server does not show any
> > > > > "X" on stdout for ports 4500 and 1701.
> > > > >
> > > > > May it be relevant to my VPN issue?
> > > > >
> > > > > VPN_serv is A.B.C.77/23 (it is not behind NAT):
> > > > >
> > > > > $ pfctl -s rules
> > > > > pass all flags S/SA
> > > > >
> > > > > $ nc -u -l 500
> > > > > XXXX
> > > > >
> > > > > X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> > > > > A.B.C.69/23$ nc -vuz A.B.C.77 4500
> > > > > $ nc -u -l 4500
> > > > > NOTHING IS HERE
> > > > >
> > > > > $ nc -u -l 4499
> > > > > XXXX
> > > > >
> > > > > $ nc -u -l 4501
> > > > > XXXX
> > > > >
> > > > > X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> > > > > A.B.C.69/23$ nc -vuz A.B.C.77 1701
> > > > > $ nc -u -l 1701
> > > > > NOTHING IS HERE
> > > > >
> > > > > $ nc -u -l 22
> > > > > XXXX
> > > > >
> > > > > $ nc -u -l 1234
> > > > > XXXX
> > > > >
> > > > > On Wed, 7 Nov 2018 12:17:09 +0100
> > > > > Radek <alee...@gmail.com> wrote:
> > > > >
> > > > > > Yesterday I tried this scenario:
> > > > > >
> > > > > > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > > > > > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > > > > > VPN_IKEv2 - A.B.C.77/23, not NATed
> > > > > >
> > > > > > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had
> > > > > > two active VPN connections at one time.
> > > > > > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was
> > > > > > working fine.
> > > > > >
> > > > > > When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2
> > > > > > omitting VPN_L2TP - I got 809.
> > > > > >
> > > > > > Removing home_router which is between Win7_warrior and 1.2.3.119
> > > > > > does not change anything.
> > > > > >
> > > > > > Another thing:
> > > > > > I installed the VPN_IKEv2 OS via PXEboot and got a private IP from the
> > > > > > dhcp server. Then I moved to public A.B.C.77/23 by editing /etc/hostname,
> > > > > > mygate, resolv.conf. Maybe I missed something in the network conf that
> > > > > > is important for OpenIKED?
> > > > > >
> > > > > > Any idea?
> > > > > >
> > > > > > On Tue, 6 Nov 2018 11:21:52 +0100
> > > > > > Radek <alee...@gmail.com> wrote:
> > > > > >
> > > > > > > Hello Kim,
> > > > > > >
> > > > > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > > > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not
> > > > > > > NATed.
> > > > > > >
> > > > > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > > > > Router/Firewall ...
> > > > > > > I only have switches in my building.
> > > > > > > All routers/firewalls of my network are in another building, I do
> > > > > > > not know the whole network structure, devices, security
> > > > > > > policies... but I have never noticed that any ports were blocked.
> > > > > > >
> > > > > > > I can set up an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23
> > > > > > > and it works like a charm.
> > > > > > > https://community.riocities.com/openike_openbsd.html
> > > > > > > But I can not set up a VPN_server for road warriors.
> > > > > > >
> > > > > > > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I
> > > > > > > can connect my Win7_warrior from !A.B.C.0/23 (currently testing
> > > > > > > on GSM network).
> > > > > > > L2TP and IKEV2 use ports 500, 4500. Since L2TP works fine, I
> > > > > > > conclude that it is not any Router/FW problem.
> > > > > > >
> > > > > > > On Tue, 6 Nov 2018 07:48:37 +0100
> > > > > > > Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> > > > > > >
> > > > > > > > Good morning Radek,
> > > > > > > >
> > > > > > > > I have a suspicion ...
> > > > > > > >
> > > > > > > > > For (1), (2) and (3) VPN is working just fine with
> > > > > > > > > Win7_warrior and puffy_warrior if they are connecting from
> > > > > > > > > A.B.C.0/23 (it does not matter if warrior has public IP or it
> > > > > > > > > is behind NAT). The rest of the world fails to connect to the
> > > > > > > > > VPN_server.
> > > > > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > > > > Router/Firewall ...
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Kim

-- 
radek
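As an added example (not code from this thread or from OpenIKED), the Python checker below takes the kind of `grep "^[^#;]" /etc/iked.conf` output quoted above, glues the backslash-continued lines back together, pulls each policy's peer, dstid and config address, and reports single host addresses that cannot be unique per client: one handed to `peer any` without a dstid, or one reused by two policies. The sample config, the DN and the policy name warrior1 are constructed placeholders, and the script does not model iked's own policy selection (iked.conf(5) covers that).

```python
import re

# Constructed sample shaped like the iked.conf in this thread (placeholder DN); both
# policies deliberately hand out the same host 10.0.1.123 so the checker has findings.
SAMPLE_IKED_CONF = r"""
ikev2 "warrior1" passive ipcomp esp from 192.168.2.0/24 to 10.0.1.0/24 \
    local 4.5.6.88 peer any srcid 4.5.6.88 dstid "/C=XX/O=Example/CN=warrior1" \
    config address 10.0.1.123 tag "$id" tap enc0
ikev2 "roadWarrior" passive ipcomp esp from 192.168.2.0/24 to 10.0.1.0/24 \
    local 4.5.6.88 peer any srcid 4.5.6.88 config address 10.0.1.123 tag "$id" tap enc0
"""

POLICY_RE = re.compile(r'^ikev2\s+"([^"]+)"')
FIELD_RES = {"peer": re.compile(r"\bpeer\s+(\S+)"),
             "dstid": re.compile(r'\bdstid\s+"?([^"\s]+)"?'),
             "address": re.compile(r"\bconfig\s+address\s+(\S+)")}

def join_continuations(text):
    """Drop comments (what grep '^[^#;]' did in the thread) and glue '\\'-continued lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and lines and lines[-1].endswith("\\"):
            line = lines.pop()[:-1].rstrip() + " " + line   # previous line continues here
        if line:
            lines.append(line)
    return lines

def parse_policies(text):
    """One dict per ikev2 policy: name, peer, dstid and config address (None when absent)."""
    policies = []
    for line in join_continuations(text):
        m = POLICY_RE.match(line)
        if m:
            hits = {f: rx.search(line) for f, rx in FIELD_RES.items()}
            policies.append({"name": m.group(1), **{f: h and h.group(1) for f, h in hits.items()}})
    return policies

def check_policies(policies):
    """Flag single-host config addresses that cannot give each client its own IP."""
    findings, owner = [], {}
    for p in policies:
        addr = p["address"]
        if not addr or "/" in addr:          # no address, or an address pool: nothing to flag
            continue
        if p["peer"] == "any" and p["dstid"] is None:
            findings.append(f"{p['name']}: {addr} goes to every peer (no dstid)")
        if addr in owner:
            findings.append(f"{p['name']}: {addr} already used by {owner[addr]}")
        owner.setdefault(addr, p["name"])
    return findings
```

Feed it the real file with `check_policies(parse_policies(open("/etc/iked.conf").read()))`; an empty list means every host address is tied to exactly one dstid or peer.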