IPsec/IKEv2 Remote-Access VPN server guide

Brief documentation on how to set up an IPsec/IKEv2 Remote-Access VPN server with DANOS.

General IKE/control-plane settings

For a production IPsec RA VPN server deployment it is essential to tune the IKE control-plane. For details, see https://danosproject.atlassian.net/wiki/spaces/DAN/pages/1567588383

Usage of multiple server profiles

The RA VPN server supports the configuration of multiple server profiles. This can be useful for providing multi-tenant VPN access, or for providing VPN access with different authentication methods. To assign connecting clients to the appropriate server profile, two options are available:

  1. based on server (local) interface address

  2. matching the client's identity/credential

EAP-TLS authentication method for Windows, macOS, ...

To support a large variety of native desktop/mobile OS IPsec RA VPN clients, the suggestion is to use EAP-TLS as the authentication method rather than the IKE X.509 authentication method:

    # EAP-TLS authentication configuration
    set security vpn ipsec remote-access-server profile TENANT1 authentication mode eap-tls

    # End-entity/Host certificate of the server, used for EAP-TLS
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 cert-file /config/auth/server1.pem

    # Private key of the server certificate, used for EAP-TLS
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 key file /config/auth/server1.key

The IPsec RA VPN server will then offer the following TLS cipher-suites as part of the EAP-TLS negotiation:

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

These are known to work with Windows 10, macOS 10.3+ and Linux NetworkManager/strongSwan.

Server configuration sample

This example topology provides access to the corporate network 10.56.48.0/20 through two IPsec RA VPN server instances.

Each IPsec RA VPN server instance has a dedicated Virtual IP address pool. The pools must not overlap, because there is no synchronization between them. A Virtual IP address is assigned to each individual client during the initial VPN tunnel negotiation and released once the client disconnects. As part of the VPN tunnel negotiation the IPsec RA VPN server can also push down the DNS server addresses the client should use inside the VPN. The request and assignment of a Virtual IP address is the major difference between IPsec site-to-site and IPsec RA VPN setups from the IKE perspective. Everything else, including ESP, is identical.
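The pool behaviour described above, modelled as an added example (this is not DANOS code): each profile draws from a dedicated pool, pools are rejected at configuration time if they overlap, an address plus the pool's DNS attributes is handed out when a client connects and returned when it disconnects, and a new client is rejected once the pool is exhausted. Pool subnets and DNS servers are taken from the configuration sample below; the client identities are constructed.

```python
"""Model of Virtual IP pool allocation for an IPsec RA VPN server (added example, not DANOS code)."""
import ipaddress
from typing import Dict, List


class PoolExhausted(Exception):
    """Raised when a pool has no free Virtual IP left; the server rejects the new client."""


class VirtualIpPool:
    def __init__(self, name: str, subnet: str, dns: List[str]):
        self.name = name
        self.network = ipaddress.ip_network(subnet, strict=True)
        self.dns = list(dns)
        # Only usable host addresses are leased; network and broadcast address are never handed out.
        self._free = list(self.network.hosts())
        self._leases: Dict[str, ipaddress.IPv4Address] = {}

    def overlaps(self, other: "VirtualIpPool") -> bool:
        return self.network.overlaps(other.network)

    def assign(self, client_id: str) -> Dict[str, object]:
        """Lease a Virtual IP for client_id and return the attributes pushed to the client."""
        if client_id in self._leases:
            raise ValueError(f"{client_id} already holds {self._leases[client_id]}")
        if not self._free:
            raise PoolExhausted(f"pool {self.name} has no free address for {client_id}")
        addr = self._free.pop(0)
        self._leases[client_id] = addr
        return {"address": str(addr), "dns": list(self.dns)}

    def release(self, client_id: str) -> None:
        """Return the client's address to the pool when the tunnel is torn down."""
        self._free.append(self._leases.pop(client_id))

    @property
    def free_count(self) -> int:
        return len(self._free)


def build_pools(specs: Dict[str, Dict[str, object]]) -> Dict[str, VirtualIpPool]:
    """Create the pools and refuse a configuration whose pool subnets overlap,
    since there is no synchronization between pools."""
    pools: Dict[str, VirtualIpPool] = {}
    for name, spec in specs.items():
        pool = VirtualIpPool(name, spec["subnet"], spec["dns"])
        for other in pools.values():
            if pool.overlaps(other):
                raise ValueError(f"pool {name} overlaps {other.name}")
        pools[name] = pool
    return pools


def demo() -> Dict[str, object]:
    # Pool definitions from the configuration sample; client names are constructed.
    pools = build_pools({
        "POOL1": {"subnet": "10.56.192.0/27", "dns": ["10.56.48.1"]},
        "POOL2": {"subnet": "10.56.193.0/27", "dns": ["10.56.64.1"]},
    })
    pool1 = pools["POOL1"]
    first = pool1.assign("CN=alice, O=Tenant1")
    # A /27 has 30 usable hosts; fill the rest to show the exhaustion behaviour.
    for i in range(pool1.free_count):
        pool1.assign(f"CN=user{i}, O=Tenant1")
    try:
        pool1.assign("CN=latecomer, O=Tenant1")
        rejected = False
    except PoolExhausted:
        rejected = True
    pool1.release("CN=alice, O=Tenant1")
    reassigned = pool1.assign("CN=bob, O=Tenant1")
    return {"first": first, "rejected": rejected,
            "reassigned": reassigned, "free_after": pool1.free_count}


if __name__ == "__main__":
    print(demo())
```

Sizing the pool is the operational point: the `/27` in the sample serves at most 30 concurrent clients per profile, and the 31st is refused rather than queued.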

Every time a client connects, the server first performs basic validity checks on the provided client certificate: has it expired (or is it not yet valid)? Was it issued by a trusted CA? Finally it performs a certificate revocation check via OCSP or CRL against the CA's database of revoked certificates. When X.509 authentication is used, certificate revocation is the only way to revoke VPN access for an individual client. The server can be configured with a reauthentication time, which forces the client to perform an IKE re-authentication within a certain time window, so that expiration or revocation of a client certificate also takes effect for already established tunnels.

On the IPsec RA VPN server, only the following certificate files are needed: the host/end-entity certificate of the server itself, the corresponding private key and the root CA certificate. It is highly recommended not to store any other private keys on a server instance than the server's own private key.


    set security vpn ike make-before-break
    set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
    set security vpn ipsec esp-group ESP1 proposal 1 hash null
    set security vpn ipsec ike-group IKE1 dead-peer-detection action clear
    set security vpn ipsec ike-group IKE1 ike-version 2
    set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
    set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
    set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256
    set security vpn ipsec remote-access-server pool POOL1 subnet 10.56.192.0/27
    set security vpn ipsec remote-access-server pool POOL1 attributes dns 10.56.48.1
    set security vpn ipsec remote-access-server pool POOL2 subnet 10.56.193.0/27
    set security vpn ipsec remote-access-server pool POOL2 attributes dns 10.56.64.1
    set security vpn ipsec remote-access-server profile TENANT1 authentication mode x509
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 cert-file /config/auth/server1.pem
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 key file /config/auth/server1.key
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 remote-id 'O=Tenant1, CN=*'
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 revocation-policy strict
    set security vpn ipsec remote-access-server profile TENANT1 esp-group ESP1
    set security vpn ipsec remote-access-server profile TENANT1 ike-group IKE1
    set security vpn ipsec remote-access-server profile TENANT1 local-address 10.10.2.3
    set security vpn ipsec remote-access-server profile TENANT1 pools POOL1
    set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.56.48.0/20
    set security vpn ipsec remote-access-server profile TENANT2 authentication mode x509
    set security vpn ipsec remote-access-server profile TENANT2 authentication x509 cert-file /config/auth/server1.pem
    set security vpn ipsec remote-access-server profile TENANT2 authentication x509 key file /config/auth/server1.key
    set security vpn ipsec remote-access-server profile TENANT2 authentication x509 remote-id 'O=Tenant2, CN=*'
    set security vpn ipsec remote-access-server profile TENANT2 authentication x509 revocation-policy strict
    set security vpn ipsec remote-access-server profile TENANT2 esp-group ESP1
    set security vpn ipsec remote-access-server profile TENANT2 ike-group IKE1
    set security vpn ipsec remote-access-server profile TENANT2 local-address 10.10.2.3
    set security vpn ipsec remote-access-server profile TENANT2 pools POOL2
    set security vpn ipsec remote-access-server profile TENANT2 tunnel 1 local network 10.56.64.0/20
    set security vpn x509 ca-certs /config/auth/RootCA.pem

Annotated configuration sample:


    # On re-authentication IKEv2 creates an overlapping set of IKE SAs and IPsec SAs, to prevent tunnel interruptions.
    # This is a global setting that applies to all IKEv2/IPsec tunnels.
    set security vpn ike make-before-break

    # IPsec ESP group proposal. For guidance on the selection of ESP algorithms please refer to RFC 8221 (or successor IETF documents)
    set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
    set security vpn ipsec esp-group ESP1 proposal 1 hash null

    # Enable IKE dead-peer-detection. In case a dead peer is detected, clear all stale IKE and IPsec SAs.
    set security vpn ipsec ike-group IKE1 dead-peer-detection action clear

    # The IPsec RA VPN server only supports IKEv2
    set security vpn ipsec ike-group IKE1 ike-version 2

    # IKE group proposal. For guidance on the selection of IKE algorithms please refer to RFC 8247 (or successor IETF documents)
    set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
    set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
    set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256

    # Configure a Virtual IP address pool, used to assign inner-tunnel addresses to the RA VPN clients.
    # The network range of the pool needs to be appropriately sized. If the pool runs out of free IP addresses,
    # the server will reject new client connections for remote-access-server profiles using this pool.
    #
    # Pools can be shared between different remote-access-server profiles
    set security vpn ipsec remote-access-server pool POOL1 subnet 10.56.192.0/27

    # User-ordered list of (VPN) internal DNS server addresses, which get pushed down to the RA VPN client
    set security vpn ipsec remote-access-server pool POOL1 attributes dns 10.56.48.1

    # X.509 authentication configuration
    set security vpn ipsec remote-access-server profile TENANT1 authentication mode x509

    # Limit access to this remote-access-server profile to clients with a particular certificate subject.
    # Wildcards are represented by the asterisk character.
    #
    # !!! WARNING: without any remote-id defined, all client certificates issued by a trusted CA are accepted !!!
    # (unless they have been revoked by the CA (OCSP/CRL), have expired or are not yet valid)
    set security vpn ipsec remote-access-server profile TENANT1 authentication remote-id 'O=Tenant1, CN=*'

    # End-entity/Host certificate of the server
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 cert-file /config/auth/server1.pem

    # Private key of the server certificate
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 key file /config/auth/server1.key

    # Controls the revocation behavior of the server if none of the CRL servers or OCSP responders is
    # reachable or able to provide a status for the client certificate chain to be checked.
    #
    # If configured "strict", client authentication/verification fails unless at least one of the CRL/OCSP
    # revocation checks could be executed without failure.
    #
    # If configured "relaxed", client authentication/verification does not fail due to the unavailability of a
    # CRL/OCSP status.
    set security vpn ipsec remote-access-server profile TENANT1 authentication x509 revocation-policy strict

    # Assign ESP/IKE group definitions to the remote-access-server profile
    set security vpn ipsec remote-access-server profile TENANT1 esp-group ESP1
    set security vpn ipsec remote-access-server profile TENANT1 ike-group IKE1

    # This remote-access-server profile listens only on the following local-address
    set security vpn ipsec remote-access-server profile TENANT1 local-address 10.10.2.3

    # Assign the Virtual IP pool to the remote-access-server profile
    set security vpn ipsec remote-access-server profile TENANT1 pools POOL1

    # Only a local traffic-selector gets defined, which represents the protected network to provide access to.
    # By default the remote traffic-selector gets negotiated down to the assigned Virtual IP address of the client.
    set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.56.48.0/20

    # Global IPsec CA trust-store. Will be used to verify and trust all peer certificate chains
    set security vpn x509 ca-certs /config/auth/RootCA.pem
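The client acceptance decision that the prose above and the annotated comments describe (validity window, trusted issuer, remote-id match with "*" as wildcard, then the OCSP/CRL check under the strict or relaxed revocation-policy), as an added example that is not DANOS code. Certificates are plain records with constructed sample values rather than parsed X.509, and the revocation answer is passed in rather than fetched, so the example runs offline; the trust-store set stands in for /config/auth/RootCA.pem.

```python
"""Model of the client-certificate acceptance decision of an RA VPN server profile
(added example, not DANOS code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Stands in for the global trust-store (set security vpn x509 ca-certs ...).
TRUSTED_ISSUERS = {"CN=RootCA, O=Example"}


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def parse_dn(dn: str) -> Dict[str, str]:
    """'O=Tenant1, CN=*' -> {'O': 'Tenant1', 'CN': '*'}.
    Simplified: attribute values containing commas are not supported."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def remote_id_matches(remote_id: Optional[str], subject: str) -> bool:
    """Every attribute of the remote-id must be present in the subject and equal
    to it, or be '*'. No remote-id at all matches every subject, which is the
    behaviour the WARNING in the annotated configuration refers to."""
    if remote_id is None:
        return True
    wanted, have = parse_dn(remote_id), parse_dn(subject)
    return all(k in have and (v == "*" or have[k] == v) for k, v in wanted.items())


def decide(cert: ClientCert, remote_id: Optional[str], revocation_policy: str,
           revocation_status: Optional[str], now: datetime) -> str:
    """revocation_status is 'good', 'revoked', or None when neither a CRL nor an
    OCSP responder delivered a status (all unreachable or failing)."""
    if not (cert.not_before <= now <= cert.not_after):
        return "reject: outside validity period"
    if cert.issuer not in TRUSTED_ISSUERS:
        return "reject: issuer not in trust-store"
    if not remote_id_matches(remote_id, cert.subject):
        return "reject: subject does not match profile remote-id"
    if revocation_status == "revoked":
        return "reject: certificate revoked"
    if revocation_status is None and revocation_policy == "strict":
        return "reject: no revocation status available (strict)"
    # 'relaxed': a certificate whose status could not be obtained is still accepted.
    return "accept"


def demo() -> Dict[str, str]:
    """Constructed sample certificates run against the TENANT1 profile settings."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)

    def issued(subject: str, start: int, end: int) -> ClientCert:
        return ClientCert(subject, "CN=RootCA, O=Example",
                          datetime(start, 1, 1, tzinfo=timezone.utc),
                          datetime(end, 1, 1, tzinfo=timezone.utc))

    alice = issued("CN=alice, O=Tenant1", 2024, 2025)
    mallory = issued("CN=mallory, O=Tenant2", 2024, 2025)
    expired = issued("CN=old, O=Tenant1", 2022, 2023)
    tenant1 = "O=Tenant1, CN=*"
    return {
        "alice_strict_good": decide(alice, tenant1, "strict", "good", now),
        "mallory_on_tenant1": decide(mallory, tenant1, "strict", "good", now),
        "mallory_no_remote_id": decide(mallory, None, "strict", "good", now),
        "alice_strict_no_status": decide(alice, tenant1, "strict", None, now),
        "alice_relaxed_no_status": decide(alice, tenant1, "relaxed", None, now),
        "alice_revoked": decide(alice, tenant1, "relaxed", "revoked", now),
        "expired": decide(expired, tenant1, "strict", "good", now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} {verdict}")
```

The two cases worth noting are "mallory_no_remote_id", where a Tenant2 certificate is accepted on a profile without a remote-id simply because the same root CA issued it, and "alice_relaxed_no_status", where the relaxed policy lets a client in while the revocation infrastructure is down; both are exactly the trade-offs the comments in the configuration warn about.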


IPsec RA VPN server workflows

Revoking client access

  1. The client certificate needs to be revoked by the Public Key Infrastructure / CA.

  2. The certificate status caches should be flushed on all IPsec RA VPN server instances by running: "clear vpn x509 status"

  3. Active connections of that client should be terminated immediately, for example based on the client certificate subject: "reset vpn ipsec-remote-access-server profile <profile-name> peer <IP address, remote ID or certificate subject>"

Applying firewall rules on client traffic

To apply firewall rules to IPsec policy-based VPN traffic, a virtual-feature-point interface needs to be bound to the IPsec RA VPN server profile tunnel:

    set interfaces virtual-feature-point vfp1
    set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.56.48.0/20
    set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 uses vfp1

Firewall rules can then be assigned to the created vfp1 interface.


Logging level

By default the IPsec daemon is chatty, which is useful for troubleshooting during the initial installation or problem triage but is not optimal for performance. For day-to-day production use a new log-mode has been introduced that minimizes the amount of log messages while still providing the relevant information.

    set security vpn ipsec log-modes minimal

The 'minimal' log-mode is recommended for day-to-day production use.

Persistent CRL cache

If a public CA is used, the CRL file might be 1 Megabyte or larger, and it needs to be downloaded in its entirety whenever a CRL expires or the IKE control-plane is restarted.

CRL files can be cached persistently, so they remain available across IKE control-plane restarts and reboots:

    set security vpn x509 status crl cache

CRL results are always cached in memory by the IKE control-plane until "clear vpn x509 status" is run.

Disable OCSP/CRL revocation checks

    # Disable
    set security vpn x509 status crl disable
    set security vpn x509 status ocsp disable

With both checks disabled, a revoked client certificate remains valid for VPN access until it expires, since revocation is the only way to withdraw access for an individual X.509-authenticated client (see "Revoking client access" above).

make-before-break

In this mode a duplicate of the existing IKE and CHILD SAs is created before renegotiation; once the renegotiation has completed, the old SAs are deleted. The advantage of this mode is that it avoids tunnel interruption during renegotiation. The disadvantage is that both sides of the connection must support it.

    set security vpn ike make-before-break

By default the system tears down all IKE and CHILD SAs before renegotiation. For RA VPN it is recommended to enable make-before-break.

VPN Terminology

Acronyms

RA VPN = Remote Access Virtual Private Network
IKEv2 = Internet Key Exchange version 2 (rfc4306, obsoleted by rfc7296)
ESP = Encapsulating Security Payload (rfc4303)
DPD = Dead Peer Detection (rfc3706)
CA = Certificate Authority
PKI = Public Key Infrastructure
VFP = Virtual Feature Point - a Vyatta-specific interface type
IPsec (SA) = IPsec Security Association
IPsec (SPD) = IPsec Security Policy Database
IPsec (SAD) = IPsec Security Association Database
OCSP = Online Certificate Status Protocol
CRL = Certificate Revocation List