Re: Setting up IKEv2 IPSec connection to Algo VPN

2018-02-20 Thread Patrick Wildt
On Mon, Feb 19, 2018 at 04:04:38PM -0700, Alec Newman wrote:
> Hello,
> 
> I was experimenting with setting up a VPN server on AWS using Algo (
> https://github.com/trailofbits/algo) that I'd like to connect to using an
> OpenBSD laptop.
> 
> They don't explicitly provide an OpenBSD client configuration but from what
> I can tell it should be doable with OpenBSD's built in tools.  It appears
> to be IKEv2 so from what I can tell I just need the correct /etc/iked.conf
> and copy the right keys/certificates into the right places in /etc/iked.
> 
> This is the StrongSwan config file provided for the client (VPN server's IP
> address replaced with $REMOTEGW and username replaced with $USER).
> 
> conn ikev2-$REMOTEGW
> fragmentation=yes
> rekey=no

Does this mean it does reauthentication instead of rekeying?  Could
become an issue at some point, especially if strongswan does
make-before-break and you have long running connections.

> dpdaction=clear
> keyexchange=ikev2
> compress=no
> dpddelay=35s
> 
> ike=aes128gcm16-prfsha512-ecp256!
> esp=aes128gcm16-ecp256!
> 
> right=$REMOTEGW
> rightid=$REMOTEGW
> rightsubnet=0.0.0.0/0
> rightauth=pubkey
> 
> leftsourceip=%config
> leftauth=pubkey
> leftcert=$USER.crt
> leftfirewall=yes
> left=%defaultroute
> 
> auto=add
> 
> I tried copying the certificate produced by algo named $REMOTEGW.crt to
> /etc/iked/pubkeys/ipv4/$REMOTEGW but when I restart iked with rcctl restart
> iked I get "iked[37566]: set_policy: could not find pubkey for
> /etc/iked/pubkeys/ipv4/$REMOTEGW" in /var/log/messages.  The certificate is
> in the PEM format, which appears to be what is required, so I'm unsure what
> problem iked is having.

In a current iked(8) setup you have to store your own certificate (with
the private key in a different directory) and its full chain.  Also you
have to store the remote gateway's full chain (but not necessarily the
remote gateway's certificate).  In addition, you have to make sure the
certs use the X509v3 something something DNS extension.

openssl x509 -in fubar.crt -text should show this if you look for
X509v3.

> Any insight or help would be appreciated.  I'd be happy to provide more
> information if necessary.
> 
> Thanks,
> Alec



Setting up IKEv2 IPSec connection to Algo VPN

2018-02-19 Thread Alec Newman
Hello,

I was experimenting with setting up a VPN server on AWS using Algo (
https://github.com/trailofbits/algo) that I'd like to connect to using an
OpenBSD laptop.

They don't explicitly provide an OpenBSD client configuration but from what
I can tell it should be doable with OpenBSD's built in tools.  It appears
to be IKEv2 so from what I can tell I just need the correct /etc/iked.conf
and copy the right keys/certificates into the right places in /etc/iked.

This is the StrongSwan config file provided for the client (VPN server's IP
address replaced with $REMOTEGW and username replaced with $USER).

conn ikev2-$REMOTEGW
fragmentation=yes
rekey=no
dpdaction=clear
keyexchange=ikev2
compress=no
dpddelay=35s

ike=aes128gcm16-prfsha512-ecp256!
esp=aes128gcm16-ecp256!

right=$REMOTEGW
rightid=$REMOTEGW
rightsubnet=0.0.0.0/0
rightauth=pubkey

leftsourceip=%config
leftauth=pubkey
leftcert=$USER.crt
leftfirewall=yes
left=%defaultroute

auto=add

I tried copying the certificate produced by algo named $REMOTEGW.crt to
/etc/iked/pubkeys/ipv4/$REMOTEGW but when I restart iked with rcctl restart
iked I get "iked[37566]: set_policy: could not find pubkey for
/etc/iked/pubkeys/ipv4/$REMOTEGW" in /var/log/messages.  The certificate is
in the PEM format, which appears to be what is required, so I'm unsure what
problem iked is having.

Any insight or help would be appreciated.  I'd be happy to provide more
information if necessary.

Thanks,
Alec