Another question araised in my random walk: How can I assign static IPs to more
than one client?
I played around with DSTID but when I add DSTID to my policy then auth stops
working.
ikev2 "roadWarrior" passive ipcomp esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
dstid "/C.../CN=win7/emailAddress=r...@123.com" \
config address 10.0.1.123 \
tag "$id" tap enc0
The only working way I have found is to assign static IP to specific peer (IP
or network)
local 4.5.6.88 peer 1.2.3.4/32
or
local 4.5.6.88 peer 1.2.3.0/24
but this in NOT what I need.
I need to do sth like this:
policy1, peer any, warrior1/CA1/ASN11, config address IP1
policy2, peer any, warrior2/CA2,ASN12, config address IP2
policy3, peer any, warrior3/CA3,ASN13, config address IP3
...
policyN "catch the rest" .... config address 10.0.11/24 \
Any help appreciated!
On Fri, 28 Dec 2018 10:41:22 +0100
Radek <alee...@gmail.com> wrote:
> Hello,
>
> finally I solved my problem as follows:
> 1. Uncheck "use default gateway on remote network" in warrior (Windows)
> 2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0
> 10.0.1.123
> 3. Run route192.bat as administrator (when vpn connection is established)
> It works as expected, traffic to 192.168.2.0 goes through VPN, the rest
> through warrior's local gateway.
> # When using PPTP (npppd) I do not need to add extra route to "LAN behind
> VPNgateway" (2.) - it works by default. Why?
>
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive ipcomp esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.123 \
> tag "$id" tap enc0
>
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
>
>
> On Wed, 12 Dec 2018 21:45:25 +0100
> Radek <alee...@gmail.com> wrote:
>
> > Hello again,
> >
> > I am using PPTP VPN (npppd) and it works as expected on windows clients -
> > traffic to the "LAN behind that VPNgateway" is going through VPNgateway.
> > The "rest" is going through clients' gateway - DO NOT "use default gateway
> > on remote network".
> >
> > I have been playing around with iked.conf, pf.conf and ipsec.conf - still
> > cannot get it working in this manner.
> > I do not want to use OpenIKED as a internet gateway, VPN is needed only to
> > access "LAN behind that VPNgateway".
> >
> > Could someone please help me with this problem? Christmas is coming...
> >
> > Many thanks!
> >
> > On Fri, 7 Dec 2018 20:20:21 +0100
> > Radek <alee...@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > I am still almost in the same point.
> > > If I want to reach my GW88_LAN I have to check "use default gateway on
> > > remote network" box (Windows roadwarrior), but this option makes me
> > > reaching the internet through GW88.
> > >
> > > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's
> > > "local" gateway for the rest of the traffic - unchecked box "use default
> > > gateway on remote network".
> > > If the box is unchecked I am not able to access 192.168.2.0/24.
> > >
> > > What should I change in my confs to get it working in this manner?
> > >
> > > GW88# grep "^[^#;]" /etc/pf.conf
> > > set skip on {lo, enc}
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > > match out on egress from lan:network to any nat-to egress
> > > block log all
> > > pass out quick on egress inet received-on enc0 nat-to (egress)
> > > pass in on egress proto udp from any to (egress:0) port
> > > {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >
> > >
> > > GW88# grep "^[^#;]" /etc/iked.conf
> > > ikev2 "roadWarrior" passive esp \
> > > from 0.0.0.0/0 to 10.0.1.0/24 \
> > > from 192.168.2.0/24 to 10.0.1.0/24 \
> > > local 4.5.6.88 peer any \
> > > srcid 4.5.6.88 \
> > > config address 10.0.1.0/24 \
> > > config netmask 255.255.255.0 \
> > > config name-server 8.8.8.8
> > >
> > > On Fri, 30 Nov 2018 15:06:28 +0100
> > > Radek <alee...@gmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > Thank all of you for your time and your help in this matter!
> > > > I think that the ISP of A.B.C.0/23 is filtering/blocking some
> > > > certificates.
> > > > I have moved VPN server and clients out of A.B.C.0/23. They can connect
> > > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect
> > > > to VPN serv.
> > > > Site-to-Site VPN is doing its job.
> > > >
> > > > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY
> > > > if "use default gateway on remote network" is set.
> > > > I need to make road_warriors:
> > > > - reaching GW88_LAN_machines 192.168.2.254/24
> > > > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > > - force road_warriors to use its own gateway for the rest of traffic -
> > > > unticked "use default gateway on remote network".
> > > >
> > > > I was playing around with iked.conf and pf.conf but I did not find the
> > > > way to make it work.
> > > > I will be grateful if anyone could help me with that.
> > > >
> > > > My network diagram and configs of GW88:
> > > >
> > > > GW88$ cat /etc/hostname.enc0
> > > > inet 10.0.1.254 255.255.255.0
> > > >
> > > > GW88$ cat /etc/iked.conf
> > > > #
> > > > ikev2 "roadWarrior" passive esp \
> > > > from 192.168.2.0/24 to 10.0.1.0/24 \
> > > > local 4.5.6.88 peer any \
> > > > srcid 4.5.6.88 \
> > > > config address 10.0.1.0/24
> > > > #
> > > > #
> > > > remote_gw_GW119 = "1.2.3.119" # fw_GW119
> > > > remote_lan_GW119_1 = "172.16.1.0/24"
> > > > remote_lan_GW119_2 = "172.16.2.0/24"
> > > >
> > > > local_gw_GW88_2 = "192.168.2.254"
> > > > local_lan_GW88_2 = "192.168.2.0/24"
> > > >
> > > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > > > from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > > > psk "pkspass"
> > > >
> > > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > > > from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> > > > psk "pskpass"
> > > >
> > > >
> > > > GW88$ cat /etc/pf.conf
> > > > set skip on {lo, enc}
> > > >
> > > > match in all scrub (no-df random-id)
> > > > match out all scrub (no-df random-id)
> > > >
> > > > match out on egress from lan:network to any nat-to egress
> > > >
> > > > block log all
> > > > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> > > > pass in on egress proto {ah,esp}
> > > > pass out on egress
> > > > pass on lan
> > > >
> > > > table <bruteforce> persist counters
> > > > pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
> > > > flags S/SA \
> > > > set prio (6, 7) keep state \
> > > > (max-src-conn 15, max-src-conn-rate 2/10, overload
> > > > <bruteforce> flush global)
> > > >
> > > > icmp_types = "{ echoreq, unreach }"
> > > > pass inet proto icmp all icmp-type $icmp_types
> > > >
> > > >
> > > >
> > > > +------------+
> > > > |road_warrior|
> > > > +---------+10.0.1.0/24 |
> > > > | +------------+
> > > > |
> > > > ikev2
> > > > |
> > > > |
> > > > v
> > > >
> > > > 4.5.6.88 1.2.3.119
> > > > +---------+ +----------+
> > > > | |
> > > > | GW88 | <--+site-to-site VPN+------> | GW119 |
> > > > +--+------+ +-------+--+
> > > > | |
> > > > +-----+192.168.1.254/24 |
> > > > | |
> > > > | 172.16.1.254/24---+
> > > > | |
> > > > +---+-+192.168.2.254/24 |
> > > > | | |
> > > > | | +-----------+ |
> > > > | +---+192.168.2.1| 172.16.2.254/24---|
> > > > | +------------+
> > > > |
> > > > |----+192.168.3.254/24
> > > >
> > > > Thanks!
> > > >
> > > > On Thu, 8 Nov 2018 14:04:23 +0100
> > > > Radek <alee...@gmail.com> wrote:
> > > >
> > > > > I've been playing around with netcat.
> > > > > I noticed that the netcat process on my VPN_server does not show any
> > > > > "X" on stdout for ports 4500 and 1701.
> > > > >
> > > > > May it be relevant to my VPN issue?
> > > > >
> > > > > VPN_serv is A.B.C.77/23 (it is not behind NAT):
> > > > >
> > > > > $ pfctl -s rules
> > > > > pass all flags S/SA
> > > > >
> > > > > $ nc -u -l 500
> > > > > XXXX
> > > > >
> > > > > X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> > > > > A.B.C.69/23$ nc -vuz A.B.C.77 4500
> > > > > $ nc -u -l 4500
> > > > > NOTHING IS HERE
> > > > >
> > > > > $ nc -u -l 4499
> > > > > XXXX
> > > > >
> > > > > $ nc -u -l 4501
> > > > > XXXX
> > > > >
> > > > > X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> > > > > A.B.C.69/23$ nc -vuz A.B.C.77 1701
> > > > > $ nc -u -l 1701
> > > > > NOTHING IS HERE
> > > > >
> > > > > $ nc -u -l 22
> > > > > XXXX
> > > > >
> > > > > $ nc -u -l 1234
> > > > > XXXX
> > > > >
> > > > > On Wed, 7 Nov 2018 12:17:09 +0100
> > > > > Radek <alee...@gmail.com> wrote:
> > > > >
> > > > > > Yesterday I tried this scenario:
> > > > > >
> > > > > > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > > > > > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > > > > > VPN_IKEv2 - A.B.C.77/23, not NATed
> > > > > >
> > > > > > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was
> > > > > > having two active VPN conn in one time.
> > > > > > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was
> > > > > > working fine.
> > > > > >
> > > > > > When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2
> > > > > > omitting VPN_L2TP - I got 809.
> > > > > >
> > > > > > Removing home_router which is between Win7_warrior and 1.2.3.119
> > > > > > does not change anything.
> > > > > >
> > > > > > Another thing:
> > > > > > I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp
> > > > > > server. Then I move to public A.B.C.77/23 editing /etc/hostname,
> > > > > > mygate, resolv.conf. Maybe I missed something in network conf that
> > > > > > is important for OpenIKED?
> > > > > >
> > > > > > Any idea?
> > > > > >
> > > > > >
> > > > > > On Tue, 6 Nov 2018 11:21:52 +0100
> > > > > > Radek <alee...@gmail.com> wrote:
> > > > > >
> > > > > > > Hello Kim,
> > > > > > >
> > > > > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > > > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not
> > > > > > > NATed.
> > > > > > >
> > > > > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > > > > Router/Firewall ...
> > > > > > > I only have switches in my building.
> > > > > > > All routers/firewalls of my network are in another building, I do
> > > > > > > not know the whole network structure, devices, security
> > > > > > > policies... but I have never noticed that any ports were blocked.
> > > > > > >
> > > > > > > I can setup a IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23
> > > > > > > and it works like a charm.
> > > > > > > https://community.riocities.com/openike_openbsd.html
> > > > > > > But I can not setup a VPN_server for road warriors.
> > > > > > >
> > > > > > > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I
> > > > > > > can connect my Win7_warrior from !A.B.C.0/23 (currently testing
> > > > > > > on GSM network).
> > > > > > > L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I
> > > > > > > conclude that it is not any Router/FW problem.
> > > > > > >
> > > > > > > On Tue, 6 Nov 2018 07:48:37 +0100
> > > > > > > Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> > > > > > >
> > > > > > > > Good morning Radek,
> > > > > > > >
> > > > > > > > I have a suspicion ...
> > > > > > > >
> > > > > > > > > For (1), (2) and (3) VPN is working just fine with
> > > > > > > > > Win7_warrior and puffy_warrior if they are connecting from
> > > > > > > > > A.B.C.0/23 (it does not matter if warrior has public IP or it
> > > > > > > > > is behind NAT). The rest of the world fails to connect the
> > > > > > > > > VPN_server.
> > > > > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > > > > Router/Firewall ...
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Kim
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > radek
> > > > > >
> > > > > >
> > > > > > --
> > > > > > radek
> > > > >
> > > > >
> > > > > --
> > > > > radek
> > > >
> > > >
> > > > --
> > > > radek
> > >
> > >
> > > --
> > > radek
> >
> >
> > --
> > radek
>
>
> --
> radek
--
radek
