IPSec IKEv2 Remote Access VPN
Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, that establishes a secure VPN communication between VPN devices, and defines negotiation and authentication processes for IPsec security associations (SAs). It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors as others call it.
Key exchange and payload encryption is done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back). Authentication can be achieved with X.509 certificates.
Setting up certificates:
First of all, we need to create a CA root certificate and server certificate on the server side.
[email protected]# run generate pki ca install ca_root
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io)
Enter how many days certificate will be valid: (Default: 1825)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
[email protected]# comp
[pki ca]
+ ca_root {
+ certificate "MIIDnTCCAoWgAwI…."
+ private {
+ key "MIIEvAIBADANBgkqhkiG9….”
[email protected]# run generate pki certificate sign ca_root install server_cert
Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io) vpn.vyos.net
Do you want to configure Subject Alternative Names? [y/N] N
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[email protected]# comp
[pki certificate]
+ server_cert {
+ certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………"
+ private {
+ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….."
+ }
+ }
Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them.
Setting up IPSec:
After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this example are validated to work on Windows 10.
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection.
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
Setting up tunnel:
set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
VyOS also supports two different modes of authentication, local and RADIUS. To create a new local user named “vyos” with a password of “vyos” use the following commands.
set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
Client Configuration
Most operating systems include native client support for IPsec IKEv2 VPN connections, and others typically have an app or add-on package which adds the capability. This section covers IPsec IKEv2 client configuration for Windows 10.
VyOS provides a command to generate a connection profile used by Windows clients that will connect to the “rw” connection on our VyOS server.
Note
Windows expects the server name to be also used in the server’s certificate common name, so it’s best to use this DNS name for your VPN connection.
[email protected]:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
==== <snip> ====
Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants
GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
==== </snip> ====
Add the commands from Snippet in the Windows side via PowerShell. Also import the root CA cert to the Windows “Trusted Root Certification Authorities” and establish the connection.
Verification:
[email protected]:~$ show vpn ipsec remote-access summary
Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal
--------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------
5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128