ikev2 and a win7 road warrior host
Hi,

I'm trying to have this working:

    192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw

Gw: (OpenBSD 5.1)
  hostname vpn.X.net
  lan has 192.168.0.51/24
  egress has a static IP address: aa.bb.cc.dd
  lan, egress are groups to easily manage PF.

win7rw: Windows 7 road warrior host with dynamic IP address
  hostname: win7test
  ikev2 IP address: 192.168.0.77/24

What I have done:

  pkg_add zip
  net.inet.ip.forwarding=1
  2 groups for network cards: lan, egress

PF.conf:

    set block-policy drop
    set skip on {lo,enc0}
    match out on egress from lan:network to any nat-to egress
    block log all
    pass in on egress proto esp
    pass in on egress proto udp from any to any port {500,4500}
    pass in on egress proto tcp from any to any port 22
    pass out on egress
    pass on lan

Create certificates:

    ikectl ca vpn create
    ikectl ca vpn install

Parts that I don't understand, if someone can help me on:

- For the server, do I need a server certificate for vpn.X.net? or aa.bb.cc.dd?

    ikectl ca vpn certificate ? create    # (for server)
    ikectl ca vpn certificate ? install   # (for server)

- For win7, do I need a host certificate for win7test? or 192.168.0.77?

    ikectl ca vpn certificate ?? create   # (for win7)
    ikectl ca vpn certificate ?? export   # (for win7)

- On the GW, /etc/iked.conf:

    ikev2 esp \
        from any to any peer any \
        srcid vpn.X.net \
        config address 192.168.0.77

Run /sbin/iked -dvv

Finally: on the win7, open certmgr.msc to add the certificates, add the 2 pfx certificates in the Trusted Root Certification Authorities store, and create an IKEv2 connection without EAP.

Thank you very much for your help.

Cheers,
Wesley M.A.
Re: ikev2 and a win7 road warrior host
Have a look at the discussion between me and Mike Belopuhov that took place not so long ago here... We have covered most of the troubles that you might have met following the man pages.

22.05.2012 10:14, Wesley wrote:
> [...]

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ikev2 and a win7 road warrior host
I already read your posts ;-) and also the man pages (ikectl, iked.conf and iked). But now it is for a road warrior configuration. I don't understand these parts:

Parts that I don't understand, if someone can help me on:

- For the server, do I need a server certificate for vpn.X.net? or aa.bb.cc.dd?

    ikectl ca vpn certificate ? create    # (for server)
    ikectl ca vpn certificate ? install   # (for server)

- For win7, do I need a host certificate for win7test? or 192.168.0.77?

    ikectl ca vpn certificate ?? create   # (for win7)
    ikectl ca vpn certificate ?? export   # (for win7)

- On the GW, /etc/iked.conf:

    ikev2 esp \
        from any to any peer any \
        srcid vpn.X.net \
        config address 192.168.0.77

Run /sbin/iked -dvv

Finally: on the win7, open certmgr.msc to add the certificates, add the 2 pfx certificates in the Trusted Root Certification Authorities store, and create an IKEv2 connection without EAP.

Thank you very much.

On 2012-05-22 10:28, Pavel Shvagirev wrote:
> Have a look at the discussion between me and Mike Belopuhov that took place not so long ago here... We have covered most of the troubles that you might have met following the man pages.
Re: ikev2 and a win7 road warrior host
Certificates are now accepted. iked -dvv gives me:

    ...
    ikev2_dispatch_cert: AUTH type 1 len 256
    sa_stateflags: 0x08 - 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
    ikev2_dispatch_cert: peer certificate is valid
    sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)
    sa_state: AUTH_SUCCESS - VALID
    sa_stateok: VALID flags 0x0e, require 0x0f cert,valid,auth,sa
    ...

I have the following error on the win7 connection:

    Error 1931: the context has expired and can no longer be used

Any idea?

So here is what I have done:

    ikectl ca vpn certificate 192.168.0.51 create    # (for server)
    ikectl ca vpn certificate 192.168.0.51 install   # (for server)
    ikectl ca vpn certificate win7test create        # (for win7)
    ikectl ca vpn certificate win7test export        # (for win7)

and /etc/iked.conf:

    ikev2 esp \
        from 192.168.0.0/24 to any peer any

--
Wesley

On 2012-05-22 10:14, Wesley wrote:
> [...]
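The sa_stateflags lines in that -dvv output are a bitmask of what iked has completed versus what it still requires before the SA is usable. The following Python helper is an added example, not code from this thread or from OpenBSD: it decodes those lines using the bit order of the legend iked prints (cert, valid, auth, sa, which are iked's IKED_REQ_* values) and reports, per transition, what was gained and what is still missing. The sample log is constructed from the lines quoted above.

```python
import re

# iked's sa_stateflags bits, in the order of the legend it prints
# ("cert,valid,auth,sa" for 0x0f); these are iked's IKED_REQ_* values.
SA_FLAGS = {
    0x01: "cert",   # local certificate obtained
    0x02: "valid",  # peer certificate validated
    0x04: "auth",   # AUTH payload verified
    0x08: "sa",     # IKE SA available
}

# e.g. "sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)"
STATEFLAGS_RE = re.compile(
    r"sa_stateflags:\s+0x([0-9a-fA-F]+)\s+-\s+0x([0-9a-fA-F]+)\s+\S+\s+"
    r"\(required\s+0x([0-9a-fA-F]+)"
)

# Constructed sample: the lines quoted in the message above, as a -dvv capture.
SAMPLE_LOG = """\
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 - 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)
sa_state: AUTH_SUCCESS - VALID
"""

def flag_names(bits):
    """Translate a flag bitmask into the names iked prints for it."""
    return [name for bit, name in sorted(SA_FLAGS.items()) if bits & bit]

def parse_stateflags(line):
    """Decode one sa_stateflags transition; return None for other lines."""
    m = STATEFLAGS_RE.search(line)
    if not m:
        return None
    old, new, required = (int(x, 16) for x in m.groups())
    return {
        "gained": flag_names(new & ~old),        # what this step achieved
        "missing": flag_names(required & ~new),  # what still blocks the SA
        "complete": (new & required) == required,
    }

def summarize(log_text):
    """Return the decoded last sa_stateflags transition in a -dvv capture."""
    last = None
    for line in log_text.splitlines():
        decoded = parse_stateflags(line)
        if decoded is not None:
            last = decoded
    return last
```

For the capture above, summarize() reports that the last transition gained "valid" and that only "cert" (the local certificate) was still outstanding against the required mask 0x0f.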
Re: ikev2 and a win7 road warrior host
Working iked.conf that runs without a problem:

    ikev2 win7 quick passive esp inet proto udp \
        from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
        srcid local.endpoint.IP.address \
        dstid remote endpoint's certificate distinguished name \
        rsa \
        config address 192.168.126.2 \
        config name-server 192.168.0.126 \
        tag ipsec_$name

The certificate must be issued for the win7 endpoint as described above and imported properly on the Win machine, as well as the CA's certificate.

192.168.126.2 is the IP address that the Win7 machine will get on the IPSec interface.
192.168.0.126 is the nameserver that will be assigned for that interface.
The RSA parameter is generally not needed, as well as TAG.

local.endpoint.net - can be a FQDN that will be resolved into the IP address of the local endpoint - the point that acts like a responder (openbsd machine running iked). OpenBSD's certificate must be issued to the `host local.endpoint.net' IP address.

peer.endpoint.net - is the initiator side (win7 machine). Win7's cert must be issued to that IP.

That scheme works for me right now.

22.05.2012 14:52, Wesley wrote:
> Error 1931: the context has expired and can no longer be used

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ikev2 and a win7 road warrior host
22.05.2012 17:23, Pavel Shvagirev wrote:
> peer.endpoint.net - is the initiator side (win7 machine). Win7's cert must be issued to that IP.

I mean remote.endpoint.net here.

Two more notes:

1. The Win7 connection should be set up to the openbsd's IP address, not the FQDN (the first tab in the connection Properties window).

2. from $local_net to $client_net:
   $local_net is the macro for the network that is behind the responder side (openbsd's server local subnet - the subnet that the initiator wants to get tunneled access to).
   $remote_net is the macro for the address pool where you are taking clients' addresses from (in my case - 192.168.126.0/25).

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ikev2 and a win7 road warrior host
First thank you very much for your time and reply. I appreciate it.

Therefore win7 is a road warrior host, so dynamic address. So the iked.conf becomes:

    ikev2 win7 passive esp \
        from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
        srcid aa.bb.cc.dd \
        config address 10.10.10.7

ILLUSTRATION:

    192.168.0.0/24--lan--GW51--egress--INTERNET--(win7)

GW51:
  hostname vpn.X.net
  IP address: 192.168.0.51 (lan)
  egress: aa.bb.cc.dd static IP address provided by ISP (SDSL)

win7:
  hostname win7
  IP address: DHCP (192.168.1.77)
  IKEv2 connection config: 10.10.10.7/24

Does this config sound good to you?

Cheers,
Wesley.
Re: ikev2 and a win7 road warrior host
It works !!! ;-)
Just doing below.

--
Wesley

On 22 May 2012 at 19:29, Wesley MOUEDINE ASSABY wrote:
> First thank you very much for your time and reply. I appreciate it.
>
> Therefore win7 is a road warrior host, so dynamic address. So the iked.conf becomes:
>
>     ikev2 win7 passive esp \
>         from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
>         srcid aa.bb.cc.dd \
>         config address 10.10.10.7
>
> ILLUSTRATION:
>
>     192.168.0.0/24--lan--GW51--egress--INTERNET--(win7)
>
> GW51:
>   hostname vpn.X.net
>   IP address: 192.168.0.51 (lan)
>   egress: aa.bb.cc.dd static IP address provided by ISP (SDSL)
>
> win7:
>   hostname win7
>   IP address: DHCP (192.168.1.77)
>   IKEv2 connection config: 10.10.10.7/24
>
> Does this config sound good to you?
>
> Cheers,
> Wesley.