ikev2 and a win7 road warrior host

2012-05-22 Thread Wesley

Hi,

I'm trying to have this
192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw
working.

Gw : (OpenBSD 5.1) hostname vpn.X.net
lan has 192.168.0.51/24
egress has a static ip address : aa.bb.cc.dd
lan, egress are groups to easily manage PF.

win7rw : Host Windows7 Road Warrior with
dynamic ip address
hostname : win7test
ikev2 ip address : 192.168.0.77/24

What I have done :
pkg_add zip
net.inet.ip.forwarding=1
2 groups for network cards : lan,egress

PF.conf:
set block-policy drop
set skip on {lo,enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto esp
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto tcp from any to any port 22
pass out on egress
pass on lan

Create certificates :
ikectl ca vpn create
ikectl ca vpn install

Parts that I don't understand, if someone can help me with :
-For the server, do I need a server certificate for vpn.X.net ? or aa.bb.cc.dd ?

ikectl ca vpn certificate ? create #(for server)
ikectl ca vpn certificate ? install #(for server)

-For win7, do I need a host certificate for win7test ? or 192.168.0.77 ?
ikectl ca vpn certificate ?? create #(for win7)
ikectl ca vpn certificate ?? export #(for win7)

-On the GW
/etc/iked.conf:
ikev2 esp \
from any to any peer any \
srcid vpn.X.net \
config address 192.168.0.77

Run /sbin/iked -dvv

Finally :
On the win7, open certmgr.msc to add the certificates:
add the 2 pfx certificates in the Trusted Root Certification Authorities store.

And create an IKEv2 connection without EAP.

Thank you very much for your help.

Cheers,

Wesley M.A.



Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Pavel Shvagirev
Have a look at the discussion between me and Mike Belopuhov that took
place not so long ago here... We have covered most of the troubles that
you might have met following the man pages.

22.05.2012 10:14, Wesley wrote:


-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Wesley
I already read your posts ;-) and also the man pages (ikectl, iked.conf and iked).


But now it is for a road warrior configuration.
I don't understand these parts :

Parts that I don't understand, if someone can help me with :
-For the server, do I need a server certificate for vpn.X.net ? or aa.bb.cc.dd ?

ikectl ca vpn certificate ? create #(for server)
ikectl ca vpn certificate ? install #(for server)

-For win7, do I need a host certificate for win7test ? or 192.168.0.77 ?
ikectl ca vpn certificate ?? create #(for win7)
ikectl ca vpn certificate ?? export #(for win7)

-On the GW
/etc/iked.conf:
ikev2 esp \
from any to any peer any \
srcid vpn.X.net \
config address 192.168.0.77

Run /sbin/iked -dvv

Finally :
On the win7, open certmgr.msc to add the certificates:
add the 2 pfx certificates in the Trusted Root Certification Authorities store.
And create an IKEv2 connection without EAP.

Thank you very much.

On 2012-05-22 10:28, Pavel Shvagirev wrote:





Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Wesley

Certificates are now accepted.

iked -dvv gives me :

...
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 - 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)

sa_state: AUTH_SUCCESS - VALID
sa_stateok: VALID flags 0x0e, require 0x0f cert,valid,auth,sa
...

I have the following error on the win7 connection :
Error 1931: the context has expired and can no longer be used

Any idea ?

So here is what I have done :

ikectl ca vpn certificate 192.168.0.51 create #(for server)
ikectl ca vpn certificate 192.168.0.51 install #(for server)

ikectl ca vpn certificate win7test create #(for win7)
ikectl ca vpn certificate win7test export #(for win7)

and /etc/iked.conf :
ikev2 esp \
from 192.168.0.0/24 to any peer any

--
Wesley

On 2012-05-22 10:14, Wesley wrote:



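The sa_stateflags / sa_stateok lines in the iked -dvv output above can be decoded mechanically. This is an added example, not code from the thread or from iked: the bit values are the ones the pasted output itself labels (0x08 sa, 0x0c auth,sa, 0x0e valid,auth,sa, 0x0f cert,valid,auth,sa), and the sample log is constructed from that output. It reports, for each transition and final check, which required flag is still unset (here: cert), which is the first thing to look at before touching the Windows side.

```python
import re

# Flag bits as labelled by the pasted "iked -dvv" output (assumption:
# derived from the labels, not from iked's source).
STATEFLAGS = {0x01: "cert", 0x02: "valid", 0x04: "auth", 0x08: "sa"}

# Constructed sample, in the shape of the debug output quoted in the thread.
SAMPLE_LOG = """\
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 - 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)
sa_state: AUTH_SUCCESS - VALID
sa_stateok: VALID flags 0x0e, require 0x0f cert,valid,auth,sa
"""

FLAGS_RE = re.compile(
    r"sa_stateflags: 0x([0-9a-f]+) - 0x([0-9a-f]+) .*?\(required 0x([0-9a-f]+)")
STATEOK_RE = re.compile(
    r"sa_stateok: (\w+) flags 0x([0-9a-f]+), require 0x([0-9a-f]+)")


def names(mask):
    """Flag names set in a bitmask, lowest bit first."""
    return [n for bit, n in sorted(STATEFLAGS.items()) if mask & bit]


def missing_flags(have, required):
    """Names of required state flags that are not yet set."""
    return names(required & ~have)


def analyze(log):
    """Return (transitions, checks): transitions as (old, new, missing)
    for each sa_stateflags line, checks as (state, have, missing) for
    each sa_stateok line."""
    transitions, checks = [], []
    for line in log.splitlines():
        m = FLAGS_RE.search(line)
        if m:
            old, new, req = (int(x, 16) for x in m.groups())
            transitions.append((names(old), names(new), missing_flags(new, req)))
            continue
        m = STATEOK_RE.search(line)
        if m:
            have, req = int(m.group(2), 16), int(m.group(3), 16)
            checks.append((m.group(1), names(have), missing_flags(have, req)))
    return transitions, checks


if __name__ == "__main__":
    for old, new, missing in analyze(SAMPLE_LOG)[0]:
        print(f"{old} -> {new}, still missing: {missing}")
    for state, have, missing in analyze(SAMPLE_LOG)[1]:
        print(f"{state}: have {have}, missing {missing}")
```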


Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Pavel Shvagirev
Working iked.conf that runs without a problem:

ikev2 win7 quick passive esp inet proto udp \
from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
srcid local.endpoint.IP.address \
dstid remote endpoint's certificate distinguished name \
rsa \
config address 192.168.126.2 \
config name-server 192.168.0.126 \
tag ipsec_$name

The certificate must be issued for the win7 endpoint as described above and
imported properly on the Windows machine, as well as the CA's certificate.
192.168.126.2 is the IP address that the Win7 machine will get on the IPSec
interface. 192.168.0.126 is the nameserver that will be assigned for
that interface. The RSA parameter is generally not needed, nor is TAG.

local.endpoint.net - can be an FQDN that will be resolved into the IP
address of the local endpoint - the side that acts as the responder
(the openbsd machine running iked). OpenBSD's certificate must be issued to
the `host local.endpoint.net' IP address.

peer.endpoint.net - is the initiator side (the win7 machine). Win7's cert
must be issued to that IP.

That scheme works for me right now.

22.05.2012 14:52, Wesley wrote:
 Error 1931: the context has expired and can no longer be used 




Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Pavel Shvagirev
22.05.2012 17:23, Pavel Shvagirev wrote:
 peer.endpoint.net - is an initiator side (win7 machine). Win7's cert
 must be issued to that IP.
I mean remote.endpoint.net here

Two more notes:

1. The Win7 connection should be set up to the openbsd's IP address, not the
FQDN (the first tab in the connection Properties window).
2. from $local_net to $client_net:
$local_net is the macro for the network that is behind the responder
side (openbsd's server local subnet - the subnet that the initiator wants to
get tunneled access to).
$remote_net is the macro for the address pool where you are taking
clients' addresses from (in my case - 192.168.126.0/25).




Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Wesley MOUEDINE ASSABY
First thank you very much for your time and reply. I appreciate.

Since win7 is a road warrior host, it has a dynamic address,
so the iked.conf becomes :

ikev2 win7 passive esp \
from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
srcid aa.bb.cc.dd \
config address 10.10.10.7

ILLUSTRATION :

192.168.0.0/24--lan--GW51--egress--INTERNET--(win7)

GW51 : hostname vpn.X.net
IP address : 192.168.0.51 (lan)
egress : aa.bb.cc.dd static IP ADDRESS provided by the ISP (SDSL)

win7 : hostname win7
IP ADDRESS DHCP (192.168.1.77)
IKEV2 Connection config : 10.10.10.7/24

Does this config sound good to you ?

Cheers,

Wesley.



Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Wesley MOUEDINE ASSABY
It works !!! ;-)

Just by doing the below.

--
Wesley



On 22 May 2012 at 19:29, Wesley MOUEDINE ASSABY wrote:

 First thank you very much for your time and reply. I appreciate.

 Since win7 is a road warrior host, it has a dynamic address,
 so the iked.conf becomes :

 ikev2 win7 passive esp \
 from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
 srcid aa.bb.cc.dd \
 config address 10.10.10.7

 ILLUSTRATION :

 192.168.0.0/24--lan--GW51--egress--INTERNET--(win7)

 GW51 : hostname vpn.X.net
   IP address : 192.168.0.51 (lan)
   egress : aa.bb.cc.dd static IP ADDRESS provided by the ISP (SDSL)

 win7 : hostname win7
   IP ADDRESS DHCP (192.168.1.77)
   IKEV2 Connection config : 10.10.10.7/24

 Does this config sound good to you ?

 Cheers,

 Wesley.