IPsec/IKEv2 Remote-Access VPN server guide

Brief documentation on how to set up an IPsec/IKEv2 Remote-Access VPN server with DANOS.

General IKE/control-plane settings

For a production IPsec RA VPN server deployment it is essential to tune the IKE control-plane. For details, see https://danosproject.atlassian.net/wiki/spaces/DAN/pages/1567588383

Usage of multiple server profiles

The RA VPN server supports multiple server profiles. This is useful for providing multi-tenant VPN access, or for offering VPN access with different authentication methods. There are two options for assigning a connecting client to the appropriate server profile:

  1. based on the server (local) interface address

  2. matching the client's identity/credential

EAP-TLS authentication method for Windows, macOS, ...

To support a large variety of native desktop/mobile OS IPsec RA VPN clients, the suggestion is to use EAP-TLS as the authentication method rather than the IKE X.509 authentication method:

# EAP-TLS authentication configuration
set security vpn ipsec remote-access-server profile TENANT1 authentication mode eap-tls
# End-entity/Host certificate of the server, used for EAP-TLS
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 cert-file /config/auth/server1.pem
# Private key of the server certificate, used for EAP-TLS
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 key file /config/auth/server1.key

The IPsec RA VPN server then offers the following TLS cipher suites as part of the EAP-TLS negotiation:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

These cipher suites are known to work with Windows 10, macOS 10.3+ and Linux NetworkManager/strongSwan.

Server configuration sample

This example topology provides access to the "Corporate Network" 10.56.48.0/20 through two IPsec RA VPN server instances.

Each IPsec RA VPN server instance has a dedicated Virtual-IP address pool. The pools must not overlap, because there is no synchronization between them. A Virtual IP address is assigned to each client during the initial VPN tunnel negotiation and released when the client disconnects. As part of the tunnel negotiation the IPsec RA VPN server can also push DNS server addresses that the client should use inside the VPN. The request and assignment of Virtual IP addresses is the major difference between IPsec site-to-site and IPsec RA VPN setups from the IKE perspective; everything else, including ESP, is identical.

Every time a client connects, the server first performs a basic validity check of the presented client certificate: has the certificate expired? was it issued by a trusted CA? It then performs a certificate revocation check via OCSP or CRL against the CA's central record of revoked certificates. When X.509 authentication is used, certificate revocation is the only way to revoke VPN access for an individual client. The server can be configured with a reauthentication time, which forces the client to perform an IKE re-authentication within a certain time window, so that certificate expiry or revocation actually terminates the client's VPN access.

On the IPsec RA VPN server only the following certificate files are needed: the host/end-entity certificate of the server itself, the corresponding private key, and the root certificate. It is highly recommended not to store any private keys on a server instance other than the server's own private key!


set security vpn ike make-before-break
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null
set security vpn ipsec ike-group IKE1 dead-peer-detection action clear
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256
set security vpn ipsec remote-access-server pool POOL1 subnet 10.56.192.0/27
set security vpn ipsec remote-access-server pool POOL1 attributes dns 10.56.48.1
set security vpn ipsec remote-access-server pool POOL2 subnet 10.56.193.0/27
set security vpn ipsec remote-access-server pool POOL2 attributes dns 10.56.64.1
set security vpn ipsec remote-access-server profile TENANT1 authentication mode x509
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 cert-file /config/auth/server1.pem
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 key file /config/auth/server1.key
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 remote-id 'O=Tenant1, CN=*'
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 revocation-policy strict
set security vpn ipsec remote-access-server profile TENANT1 esp-group ESP1
set security vpn ipsec remote-access-server profile TENANT1 ike-group IKE1
set security vpn ipsec remote-access-server profile TENANT1 local-address 10.10.2.3
set security vpn ipsec remote-access-server profile TENANT1 pools POOL1
set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.56.48.0/20
set security vpn ipsec remote-access-server profile TENANT2 authentication mode x509
set security vpn ipsec remote-access-server profile TENANT2 authentication x509 cert-file /config/auth/server1.pem
set security vpn ipsec remote-access-server profile TENANT2 authentication x509 key file /config/auth/server1.key
set security vpn ipsec remote-access-server profile TENANT2 authentication x509 remote-id 'O=Tenant2, CN=*'
set security vpn ipsec remote-access-server profile TENANT2 authentication x509 revocation-policy strict
set security vpn ipsec remote-access-server profile TENANT2 esp-group ESP1
set security vpn ipsec remote-access-server profile TENANT2 ike-group IKE1
set security vpn ipsec remote-access-server profile TENANT2 local-address 10.10.2.3
set security vpn ipsec remote-access-server profile TENANT2 pools POOL2
set security vpn ipsec remote-access-server profile TENANT2 tunnel 1 local network 10.56.64.0/20
set security vpn x509 ca-certs /config/auth/RootCA.pem
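As an added example (written for this guide, not part of the page or of DANOS), a small Python lint that parses the sample "set" commands and checks the constraints stated above: the Virtual-IP pools of the two server instances must not overlap, and each profile should keep revocation-policy strict. Beyond what the text states, it also flags a pool that overlaps the profile's own tunnel local network. SAMPLE_CONFIG is a constructed subset of the configuration above.

```python
import ipaddress
from itertools import combinations

# Constructed subset of the two-tenant sample configuration on this page.
SAMPLE_CONFIG = """
set security vpn ipsec remote-access-server pool POOL1 subnet 10.56.192.0/27
set security vpn ipsec remote-access-server pool POOL1 attributes dns 10.56.48.1
set security vpn ipsec remote-access-server pool POOL2 subnet 10.56.193.0/27
set security vpn ipsec remote-access-server profile TENANT1 authentication x509 revocation-policy strict
set security vpn ipsec remote-access-server profile TENANT1 pools POOL1
set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.56.48.0/20
set security vpn ipsec remote-access-server profile TENANT2 authentication x509 revocation-policy strict
set security vpn ipsec remote-access-server profile TENANT2 pools POOL2
set security vpn ipsec remote-access-server profile TENANT2 tunnel 1 local network 10.56.64.0/20
"""

PREFIX = ["set", "security", "vpn", "ipsec", "remote-access-server"]

def parse_config(text):
    """Collect pool subnets and per-profile settings from 'set ...' lines."""
    pools, profiles = {}, {}
    for line in text.strip().splitlines():
        words = line.split()
        if words[:5] != PREFIX:
            continue  # unrelated command (ike-group, esp-group, ...)
        rest = words[5:]
        if rest[0] == "pool" and rest[2] == "subnet":
            pools[rest[1]] = ipaddress.ip_network(rest[3])
        elif rest[0] == "profile":
            prof = profiles.setdefault(rest[1], {"pools": [], "networks": [], "revocation": None})
            if rest[2] == "pools":
                prof["pools"].append(rest[3])
            elif rest[2] == "tunnel" and rest[4:6] == ["local", "network"]:
                prof["networks"].append(ipaddress.ip_network(rest[6]))
            elif rest[2:5] == ["authentication", "x509", "revocation-policy"]:
                prof["revocation"] = rest[5]
    return pools, profiles

def lint(text):
    """Return a list of findings; an empty list means the configuration passes."""
    pools, profiles = parse_config(text)
    findings = []
    # Pools are not synchronized between server instances, so they must be disjoint.
    for (a, na), (b, nb) in combinations(pools.items(), 2):
        if na.overlaps(nb):
            findings.append(f"pool {a} {na} overlaps pool {b} {nb}")
    for name, prof in profiles.items():
        if prof["revocation"] != "strict":
            findings.append(f"profile {name}: revocation-policy is not strict")
        for pool in prof["pools"]:
            if pool not in pools:
                findings.append(f"profile {name}: pool {pool} is not defined")
                continue
            for net in prof["networks"]:
                if pools[pool].overlaps(net):
                    findings.append(f"profile {name}: pool {pool} overlaps local network {net}")
    return findings
```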

Annotated configuration sample:


IPsec RA VPN server workflows

Revoking client access

  1. The client certificate must be revoked by the Public Key Infrastructure / CA.

  2. The certificate state caches should be flushed on all IPsec RA VPN server instances by running: "clear vpn x509 status"

  3. Active connections of that client should be terminated immediately, based on the client certificate subject: "reset vpn ipsec-remote-access-server profile <profile-name> peer <IP address, remote ID or certificate subject>"

Applying firewall rules on client traffic

To apply firewall rules to IPsec policy-based VPN traffic, a virtual-feature-point interface needs to be bound to the IPsec RA VPN server profile tunnel:

The vfp1 interface created this way can then be used to assign firewall rules.


Logging level

By default the IPsec daemon is chatty, which is useful for troubleshooting during initial installation or problem triage but is not optimal for performance. For day-to-day production use a new log-mode has been introduced that minimizes the number of log messages emitted while still providing the relevant information.

The 'minimal' log-mode is recommended for day-to-day production use.

Persistent CRL cache

If a public CA is used, the CRL file can be 1 Megabyte or larger, and it has to be downloaded in full whenever the CRL expires or the IKE control-plane is restarted.

CRL files can be cached persistently, so they remain available across IKE control-plane restarts and reboots:

CRL results are always cached in memory by the IKE control-plane until "clear vpn x509 status" is run.

Disable OCSP/CRL revocation checks

make-before-break

In this mode the existing IKE and CHILD SAs are duplicated before renegotiation, and the old SAs are deleted once renegotiation has completed. The advantage of this mode is that it avoids tunnel interruption during renegotiation. The disadvantage is that both sides of the connection must be configured to support it.

By default the system tears down all IKE and CHILD SAs before renegotiation. For RA VPN it is recommended to use the make-before-break setting.

VPN Terminology

Acronyms

RA VPN = Remote Access Virtual Private Network
IKEv2 = Internet Key Exchange version 2 (rfc4306)
ESP = Encapsulating Security Payload (rfc4303)
DPD = Dead Peer Detection (rfc3706)
CA = Certificate Authority
PKI = Public Key Infrastructure
VFP = Virtual Feature Point - a Vyatta-specific interface type
IPsec (SA) = IPsec Security Association
IPsec (SPD) = IPsec Security Policy Database
IPsec (SAD) = IPsec Security Association Database
OCSP = Online Certificate Status Protocol
CRL = Certificate Revocation List