> On 26 Feb 2019, at 5:11 AM, William Ahern <will...@25thandclement.com> wrote:
> 
> On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:
>> Hi,
>> 
>> I have a very straight forward setup use case that I want to use my
>> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
>> connections from the Internet and route all traffics through my
>> router.
>> 
>> I am using a ms-chapv2 authentication and a letsencrypt certificate,
>> which I can successfully obtain. All my clients are Apple devices
>> with latest iOS installed. They normally are connected to the Internet
>> directly without going through this router.
>> 
>> Configuration as below:
>> 
>> user "a" "123456"
>> user "b" "246810"
>> user "c" "135791"
>> 
>> set passive 
>> 
>> ikev2 "rw" passive esp \
>>        from any to 172.20.11.0/24 \
>>        local any peer any \
>>        srcid my.fqdn.org \
>>        eap mschap-v2 \
>>        config protected-subnet 172.20.10.0/24 \
>>        config address 172.20.11.0/24 \
>>        config name-server 172.20.10.1
>> 
>> I use “from any” because I want all traffics to be routed to the
>> OpenBSD box. And “to 172.20.11.0/24” is the subnet that I use for
>> VPN allocation. That’s why I also have config address 172.20.11.0/24
>> in the configuration.
>> 
>> my.fqdn.org is a public IP address which I’ve obtained a domain name
>> pointing to it.
>> 
>> I have this working flawlessly with all the devices individually.
> 
> Are you sure things worked flawlessly with "from any". IIRC the "any"
> keyword doesn't work as expected and one must instead use "0.0.0.0/0"
> explicitly. I may be wrong but I'm fairly confident I lost an entire evening
> relearning that lesson not too long ago.

Also responding to another user (due to some issue I can only get the
mailing list emails fixed.) 

I use a Letsencrypt certificate by doing the following:
1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
OpenBSD) into the "ca" folder.
2. Putting the certificate file obtained from Letsencrypt into "cert" folder
under iked folder.
3. Putting the full chain certificate file into the "ca" folder.

And I got it working using from 0.0.0.0/0 to 172.20.11.0/24

Never got it working with:

from any to any, or
from 0.0.0.0/0 to 0.0.0.0/0

config protected-subnet doesn't really do anything in my setup.
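Assembled from the working result reported in this thread, the road-warrior iked.conf below uses the explicit 0.0.0.0/0 source that the posters found necessary instead of `from any`. This is an added example, not the poster's own configuration file: the hostname, subnets, user names and name server are the values given in the thread, the secrets are placeholders to be replaced, and the comments are editorial.

```conf
# /etc/iked/iked.conf (added example assembled from this thread)
# EAP-MSCHAPv2 users; the secrets are placeholders, not the thread's values.
user "a" "<secret-a>"
user "b" "<secret-b>"
user "c" "<secret-c>"

set passive

# Explicit 0.0.0.0/0 rather than "any": the thread reports that the
# gateway only routed all client traffic with the explicit form.
ikev2 "rw" passive esp \
        from 0.0.0.0/0 to 172.20.11.0/24 \
        local any peer any \
        srcid my.fqdn.org \
        eap mschap-v2 \
        config address 172.20.11.0/24 \
        config name-server 172.20.10.1
```

`config protected-subnet` is left out because the poster reports it had no effect in this setup. In iked's standard layout the server certificate for my.fqdn.org lives under /etc/iked/certs/ and the CA chain under /etc/iked/ca/; running `iked -n -f /etc/iked/iked.conf` parses the file without starting the daemon, which catches a malformed address such as `172.20.11/0/24` before the configuration is reloaded.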
