Thursday, February 28, 2019

Re: iked road warrior setup with multiple clients connecting

Just want to highlight that there is a FAQ document checked in that
provides some samples of iked configurations for road-warrior setup.

I am using almost the same setup provided in the sample, and I can only
have one client connected at a time. Once the 2nd client connects it
will stop the first client from working.

Hope this helps others until it is fixed.

> On 26 Feb 2019, at 10:51 PM, Michael Lam <michael@jasworks.org> wrote:
>
>
>
>> On 26 Feb 2019, at 5:11 AM, William Ahern <william@25thandclement.com> wrote:
>>
>> On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:
>>> Hi,
>>>
>>> I have a very straightforward use case: I want to use my OpenBSD
>>> router as a VPN gateway, which will accept IKEv2 road warrior
>>> connections from the Internet and route all traffic through my
>>> router.
>>>
>>> I am using ms-chapv2 authentication and a Let's Encrypt certificate,
>>> which I can successfully obtain. All my clients are Apple devices
>>> with the latest iOS installed. They are normally connected to the
>>> Internet directly without going through this router.
>>>
>>> Configuration as below:
>>>
>>> user "a" "123456"
>>> user "b" "246810"
>>> user "c" "135791"
>>>
>>> set passive
>>>
>>> ikev2 "rw" passive esp \
>>> from any to 172.20.11.0/24 \
>>> local any peer any \
>>> srcid my.fqdn.org \
>>> eap mschap-v2 \
>>> config protected-subnet 172.20.10.0/24 \
>>> config address 172.20.11.0/24 \
>>> config name-server 172.20.10.1
>>>
>>> I use "from any" because I want all traffic to be routed to the
>>> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
>>> VPN allocation. That's why I also have config address 172.20.11.0/24
>>> in the configuration.
>>>
>>> my.fqdn.org is a domain name I've obtained that points to my public
>>> IP address.
>>>
>>> I have this working flawlessly with all the devices individually.
>>
>> Are you sure things worked flawlessly with "from any"? IIRC the "any"
>> keyword doesn't work as expected and one must instead use "0.0.0.0/0"
>> explicitly. I may be wrong, but I'm fairly confident I lost an entire
>> evening relearning that lesson not too long ago.
>
> Also responding to another user (due to some issue I can only get the
> mailing list emails fixed.)
>
> I use a Let's Encrypt certificate by doing the following:
> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
> OpenBSD) into the "ca" folder.
> 2. Putting the certificate file obtained from Let's Encrypt into the "certs"
> folder under the iked folder.
> 3. Putting the full chain certificate file into the "ca" folder.
>
> And I got it working using: from 0.0.0.0/0 to 172.20.11.0/24
>
> Never got it working with:
>
> from any to any, or
> from 0.0.0.0/0 to 0.0.0.0/0
>
> config protected-subnet doesn't really do anything in my setup.
>
>
>
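The two practical points of this thread, the "any" selector that William says must be written as 0.0.0.0/0 and the mistyped address literal in the posted policy, as an added shell lint that is not part of the original post or of OpenBSD's iked; it assumes a POSIX sh with a grep that supports -E and -o, and runs iked's own configtest (iked -n -f) only when iked(8) happens to be installed.

```shell
#!/bin/sh
# Added lint for the two pitfalls in this thread (constructed example, not
# OpenBSD code): an "any" traffic selector and literals such as 172.20.11/0/24.
check_iked_conf() {
    conf=$1
    rc=0
    # Finding 1: "from any" / "to any" in a flow definition.
    if grep -nE '(^|[[:space:]])(from|to)[[:space:]]+any([[:space:]]|$)' "$conf"; then
        echo "warn: 'any' selector; thread reports 0.0.0.0/0 works where any did not" >&2
        rc=1
    fi
    # Finding 2: numeric tokens with '.' or '/' must be a dotted quad with an
    # optional /prefix (hostnames with a digit before a dot are not handled).
    for tok in $(grep -oE '(^|[[:space:]])[0-9]+[./][0-9./]*' "$conf" | sort -u); do
        if ! printf '%s\n' "$tok" | grep -qE '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
            echo "error: malformed address literal '$tok'" >&2
            rc=1
        fi
    done
    # Finding 3: iked's own parser has the final word when it is installed.
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$conf" || rc=1
    fi
    return $rc
}

# Constructed sample: the policy as posted in the thread, typo included.
sample_bad_conf() {
    cat <<'EOF'
ikev2 "rw" passive esp \
        from any to 172.20.11.0/24 \
        local any peer any \
        srcid my.fqdn.org \
        eap mschap-v2 \
        config protected-subnet 172.20.10.0/24 \
        config address 172.20.11/0/24 \
        config name-server 172.20.10.1
EOF
}
# Constructed sample: the form the thread reports as working.
sample_good_conf() {
    sample_bad_conf | sed -e 's/from any to/from 0.0.0.0\/0 to/' \
                          -e 's#172\.20\.11/0/24#172.20.11.0/24#'
}

tmp=$(mktemp)
sample_bad_conf > "$tmp"
check_iked_conf "$tmp" && echo "clean" || echo "findings in $tmp"
rm -f "$tmp"
```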
