Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vpn/ipsec: Add additional information to swanctl roadwarrior docs #639

Open
2 tasks done
Eisaichen opened this issue Nov 20, 2024 · 3 comments
Open
2 tasks done

vpn/ipsec: Add additional information to swanctl roadwarrior docs #639

Eisaichen opened this issue Nov 20, 2024 · 3 comments
Assignees
Labels
cleanup Low impact changes feature Adding new functionality

Comments

@Eisaichen
Copy link

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

On Windows, when split-tunnel is enabled, each time connected to VPN, the route has to be manually added by using the command provided by the document.

Example Route (can be batched): ``route add 192.168.1.0 mask 255.255.255.0 172.16.203.254``

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#client-configuration

Describe the solution you like

Windows can automate the process with the PowerShell command Add-VpnConnectionRoute, with no elevated privilege required. In this example with the document, the command will be:

Add-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix '192.168.1.0/24' -PassThru

# IPv6
Add-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix 'fe0d:abcd:1234:cafe::/64' -PassThru

Once connected, the configured route will add to the routing table automatically, and also delete if disconnected.

# Get corresponding route with VPN connection
(Get-VpnConnection -ConnectionName 'vpn1.example.com').routes

# Remove associate route
Remove-VpnConnectionRoute -ConnectionName 'vpn1.example.com' -DestinationPrefix '192.168.1.0/24' -PassThru
@Monviech Monviech self-assigned this Nov 21, 2024
@Monviech Monviech added the cleanup Low impact changes label Nov 21, 2024
@Monviech
Copy link
Member

Thanks I didn't know this command existed. Want to offer a PR to add it to the document?

@Eisaichen
Copy link
Author

Eisaichen commented Nov 22, 2024

Hi, @Monviech
I want to thank you and your team for this very detailed tutorial. I wish I could submit a PR however I lack confidence in my English for this kind of formal document.
In the meanwhile, despite following the document step by step, I still can not get my clients to work due to some minor issues. After a day of troubleshooting, I managed to solve those problems. I want to share what I found here as well.

Option for Windows native client

(Tested on Win11 22631.4460)
In the document, we set rekey time to 600 for CHILD_SA(section 1.3 & 2.3).

However, for some reason Windows does not cooperate with a CHILD_SA rekeying attempt issued from server nicely(#), causing the connection likely to disconnect during the second or third rekey attempt.
Therefore, to work around that, we have to set rekey time for CHILD_SA to 0, and let the client issue the rekey only.
I also found Windows doesn't cooperate with IKE_SA rekey either. It seems Windows will play nice for the first 15 minutes once connected, then play dead for the rest of the time. To maintain a stable link, you might need to disable the rekeying or set the period very long.

2024-11-21T18:20:18-06:00	Informational	charon	05[IKE] <****|124> rekeying IKE_SA failed, peer not responding	
2024-11-21T18:20:18-06:00	Informational	charon	05[IKE] <****|124> giving up after 5 retransmits

Option for iOS/iPadOS native client

(Tested on iOS 18)
By default, the server will only send CA certificates when requested for it. But, the iOS native client will not send CERTREQ when connecting(#). This will cause the certificate chain can not be verified since no CA certificate will be sent. The connection attempt will fail immediately.
To fix this, we simply need to set "Send certificate" under p1 settings to "Always".

Option for Samsung (Android) native client

(Tested on Samsung OneUI 6.1.1)
In the document, StrongSwan is used to connect from Android. But I found the native client can work as well. I'm not sure this is the default behavior on all Android or just Samsung.
When connecting, the Android client will send a remote ID anyway causing authentication to fail.

2024-11-21T18:04:50-06:00	Informational	charon	08[IKE] <****|126> EAP-MS-CHAPv2 verification failed, retry (1)	
2024-11-21T18:04:50-06:00	Informational	charon	08[IKE] <****|126> no EAP key found for hosts 'vpn1.example.com' - 'john@vpn1.example.com'

To fix this, we just need to set the "Remote Identifier" of EAP to the hostname of our server(#), in this case, is vpn1.example.com, then the native android client can connect successfully as well, and this will not impact the client on other platforms.

The config will look like this

Screenshot_20241121_181702_Settings
On Android, You can choose not to verify the certificate, so you don't need to import the CA certificate.
IPv6 seems not supported on Android native client.

@Monviech
Copy link
Member

Monviech commented Nov 22, 2024

Thanks for these tests and additional information, I will include it in the tutorial as additional remarks.

Note to myself:
Also keeping an eye on this for EAP-TLS
https://forum.opnsense.org/index.php?topic=44061.msg219658#msg219658

ios18.1:

https://forum.opnsense.org/index.php?topic=43766.0;topicseen

@Monviech Monviech changed the title Suggest to use Add-VpnConnectionRoute with Windows native IPSec VPN vpn/ipsec: Add additional information to swanctl roadwarrior docs Nov 22, 2024
@Monviech Monviech added the feature Adding new functionality label Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cleanup Low impact changes feature Adding new functionality
Development

No branches or pull requests

2 participants