wiki.ipfire.org

The community-maintained documentation platform of IPFire

Example Configuration - Roadwarrior with macOS

  • This configuration should work with macOS 10.12 (Sierra) or newer, and perhaps with 10.11 (El Capitan) as well. Older versions do not support strong cryptography and should be avoided as insecure; on such a machine a third-party VPN client may be the only workable option.

The server's host certificate must carry a Subject Alt Name that is identical to the server's hostname; this is the value the macOS client verifies against the “Remote ID” you give it. If you created the server certificates earlier without a Subject Alt Name, delete them (and every connection that uses them) and re-create them.

Step 1 - Global IPSec Settings

  • Go to “Services > IPSec”
  • Edit the “Global Settings”
    • “Public IP or FQDN”:
      • If you have a static IP: Enter your public domain name or IP.
      • If you have a dynamic IP: Enter “%defaultroute”.
    • “Host-to-Net Virtual Private Network (RoadWarrior)”
      • Enter the IP range from which connecting clients will be assigned an address.
      • Make sure that this range does not conflict with your LAN DHCP scope.
      • I generally use a small block at the top of the Green network, such as 192.168.0.240/28, which covers 192.168.0.240 through 192.168.0.255. (Note the network address: 192.168.0.0/28 would be 192.168.0.0-15, not these addresses.)
    • Check “Enabled”
    • Click “Save”
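The overlap check from the step above, as an added shell example that is not part of the IPFire page or project: it takes the roadwarrior pool in CIDR form and a DHCP scope as first and last address (the 192.168.0.100-199 scope below is constructed for the example) and reports whether the two share an address. It also prints the pool's real bounds, which is worth doing because a /28 written as 192.168.0.240/28 is the sixteen addresses 192.168.0.240-255, whereas 192.168.0.0/28 is 192.168.0.0-15. Pure POSIX sh arithmetic, so it runs on the IPFire console itself.

```shell
#!/bin/sh
# Added example (not from the IPFire page): does a roadwarrior pool (CIDR)
# overlap a DHCP scope (first and last address)?

ip2int() {                       # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_bounds() {                  # "a.b.c.d/n" -> "first last" in dotted form
    net=${1%/*}
    bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    first=$(( $(ip2int "$net") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int2ip "$first") $(int2ip "$last")"
}

# pool_overlaps_dhcp POOL_CIDR DHCP_START DHCP_END
# Succeeds (exit 0) when the pool and the scope share at least one address.
pool_overlaps_dhcp() {
    bounds=$(cidr_bounds "$1")
    pf=$(ip2int "${bounds% *}")
    pl=$(ip2int "${bounds#* }")
    ds=$(ip2int "$2")
    de=$(ip2int "$3")
    [ "$pf" -le "$de" ] && [ "$pl" -ge "$ds" ]
}

# Usage: the pool suggested on the page against a constructed Green DHCP scope.
if pool_overlaps_dhcp 192.168.0.240/28 192.168.0.100 192.168.0.199; then
    echo "pool overlaps the DHCP scope, pick another range"
else
    echo "pool 192.168.0.240/28 ($(cidr_bounds 192.168.0.240/28)) is clear of DHCP"
fi
```

Run it with your own Green DHCP scope (the values from “Network > DHCP Server”) in place of the constructed one; a non-zero exit from pool_overlaps_dhcp means the two ranges are disjoint.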

Step 2 - Generate Server Certificates

This step assumes that you have not already created the server's certificates. If you have, check that the host certificate carries the hostname as its Subject Alt Name; if it does not, you will have to recreate the server's certificates.

  • Click “Generate root/host certificates”
    • Fill in the form to generate the certificates
      • “Organization Name”: Choose a name
      • “IPFire's Hostname”: DNS-Name of the IPFire device
      • Complete “Your e-Mail Address”, “Your Department”, “City”, “State”, and “Country” with your information.
      • “Subject Alt Name”: Enter “DNS:” followed by the IPFire hostname, e.g. “DNS:myhost.mydomain.dom”
      • Click “Generate root/host certificate”

Step 3 - Create the Connection on IPFire

  • “Connection Status and -Control”
    • Click “Add” and choose “Host-to-Net Virtual Private Network (RoadWarrior)”

  • “Name”: Enter a descriptive name for this connection (no spaces allowed).
  • “Local Subnet”: enter “0.0.0.0/0”. This sends all of the client's traffic through the tunnel, so the Mac reaches the Internet through IPFire (via IPFire's NAT) while connected.
  • “Local ID”: Enter the hostname of the IPFire host. This must match the Subject Alt Name you entered when generating the root/host certificates above; if you used an IP address there instead, use that same IP address here.
  • “Remote ID”: Enter an e-mail address for the user. You will use this below when creating the certificate, and it does not need to be a valid e-mail address.
  • Check the “Edit advanced settings when done.” checkbox.
  • Choose “Generate a certificate”
  • “User's full name or system hostname”: Enter the name you chose above for the connection name.
  • “User's E-mail address”: Enter the e-mail address you used for “Remote ID”, above.
  • Provide your information for Department, Organization, City, State, and Country.
  • “Subject Alt Name”: enter “email:” followed by the e-mail address you used above as the “Remote ID”, e.g. “email:user@mydomain.dom”.
  • Enter an export password. You will need this when importing the certificate on the client.
  • Click “Save”

  • Edit the connection's advanced settings:
    • “Keyexchange”: Select “IKEv2”
    • “Encryption”: Select “256 bit AES-CBC”
    • “Integrity”: Select “SHA2 384 bit” and “SHA2 256 bit”
    • “Grouptype”: Select “ECP-384 (NIST)” and “ECP-256 (NIST)”
  • In the “Connection Status and -Control” list, click the “Download PKCS12 file” (diskette) icon and download the certificate bundle to your local PC. You will need to copy that file to the client Mac.
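A check for the Subject Alt Name requirement of Step 2 (host certificate, DNS:hostname) and Step 3 (client certificate, email:address), added here as a shell example that is not part of the IPFire page or project. san_has reads the output of openssl x509 -text and succeeds only when the SAN extension lists the exact entry; cert_san_check wraps it for a PEM file on disk. The paths /var/ipfire/certs/hostcert.pem and /var/ipfire/certs/<name>cert.pem in the usage comment are assumptions about where IPFire keeps its IPsec certificates, and the hostname and address are placeholders.

```shell
#!/bin/sh
# Added example (not from the IPFire page): verify that a certificate's
# Subject Alternative Name contains exactly the entry the tunnel expects.

# san_has WANT - reads `openssl x509 -text` output on stdin and succeeds when
# the SAN extension lists the entry WANT (e.g. DNS:fw.example.dom or
# email:alice@example.dom). The comparison is exact: a bare CN match, a parent
# domain or a trailing dot does not count, which mirrors what the client checks.
san_has() {
    awk -v want="$1" '
        grab && /^[ \t]/ {
            n = split($0, ent, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", ent[i])
                if (ent[i] == want) ok = 1
            }
            grab = 0
        }
        /Subject Alternative Name/ { grab = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# cert_san_check FILE WANT - the same check against a PEM certificate file.
cert_san_check() {
    openssl x509 -in "$1" -noout -text | san_has "$2"
}

# Usage on IPFire (assumed paths; hostname and address are placeholders):
#   cert_san_check /var/ipfire/certs/hostcert.pem DNS:myhost.mydomain.dom \
#       || echo "host certificate lacks the SAN macOS needs: recreate it"
#   cert_san_check /var/ipfire/certs/rwmacoscert.pem email:user@mydomain.dom \
#       || echo "client certificate SAN does not match the Remote ID"
```

Run the host-certificate check before touching the Mac at all: a missing or mismatched SAN produces an authentication failure on the client with no useful error text, and re-creating the certificates later also means re-creating every connection that uses them.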

Step 4 - Modify the Configuration created by IPFire

Unfortunately, the Roadwarrior configuration generated by IPFire does not work out of the box with current macOS clients. You must edit a configuration file by hand to get a working connection.

  • Connect to IPFire via SSH (PuTTY on Windows) or the local console.
  • Add the following to /etc/ipsec.user.conf, replacing “CONNECTION_NAME” with the name you chose for the connection above and 10.100.2.1 with the DNS server the clients should use (normally IPFire's Green address). “leftsendcert=always” is the setting macOS needs: strongSwan's default (ifasked) only sends the host certificate when the peer asks for it. “leftallowany=yes” makes the configured left address behave as %any even though a concrete IP or FQDN is set, so the connection still loads when, for example, a dynamic address changes or the name does not resolve at startup; it does not control the client's Internet access (that comes from the 0.0.0.0/0 Local Subnet and IPFire's NAT). “rekey=no” and “reauth=no” leave rekeying and re-authentication to the client: a server-initiated re-authentication creates a new IKE_SA toward the client, which fails for roadwarriors behind NAT.
conn CONNECTION_NAME
      leftsendcert=always
      leftallowany=yes
      rightdns=10.100.2.1
      rekey=no
      reauth=no
  • Make strongSwan read the new section: ipsec reload re-reads the configuration without disturbing established tunnels. ipsec restart also works, but it drops every active connection.
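The Step 4 edit as an added shell helper that is not part of the IPFire page or project: it appends the five settings for a named connection to /etc/ipsec.user.conf (the page's path; an optional third argument overrides it so the function can be exercised on a scratch file), validates the connection name and the DNS address, refuses to add a section that is already there, and applies the change with ipsec reload so established tunnels are not dropped. The connection name rw-macos and the DNS address 192.168.0.1 in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the IPFire page): append the macOS overrides for one
# roadwarrior connection to ipsec.user.conf without duplicating a section.
# Usage: add_macos_overrides CONNECTION_NAME DNS_SERVER [CONF_FILE]

add_macos_overrides() {
    conn=$1
    dns=$2
    conf=${3:-/etc/ipsec.user.conf}   # IPFire path; override only for testing

    # IPFire connection names have no spaces; keep the conn name to safe characters.
    case $conn in
        ''|*[!A-Za-z0-9_-]*) echo "bad connection name: '$conn'" >&2; return 1 ;;
    esac
    # rightdns is pushed to the client as-is, so insist on a dotted IPv4 address.
    case $dns in
        ''|*[!0-9.]*) echo "rightdns must be an IPv4 address: '$dns'" >&2; return 1 ;;
    esac
    # Refuse to stack a second "conn NAME" section; edit the existing one instead.
    if [ -f "$conf" ] && grep -q "^conn $conn\$" "$conf"; then
        echo "conn $conn already present in $conf" >&2
        return 1
    fi

    cat >>"$conf" <<EOF
conn $conn
      leftsendcert=always
      leftallowany=yes
      rightdns=$dns
      rekey=no
      reauth=no
EOF
}

# Re-read the configuration without dropping established tunnels
# (ipsec restart would drop them).
apply_ipsec_config() {
    ipsec reload
}

# Usage on IPFire, with assumed values:
#   add_macos_overrides rw-macos 192.168.0.1 && apply_ipsec_config
```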

Step 5 - Install the certificate on the Mac

  • Import the certificates
    • Open Applications:Utilities:Keychain Access
    • Select the “System” keychain.
    • From the File menu, select “Import Items…”
    • Browse to the downloaded PKCS12 file and click “Open”.
    • Enter your macOS password when prompted.
    • Enter the password for the PKCS12 file (the export password you entered when creating the tunnel).
  • Trust the CA Certificate
    • Locate the CA certificate in the list, right-click, and choose “Get Info”
    • Expand the “Trust” section (above “Details”)
    • Change the setting for “When using this certificate:” to “Always Trust”. This trusts the IPFire CA for every purpose (TLS, mail, code signing); the narrower choice is to leave that top setting alone and set only the “IP Security (IPsec)” policy underneath it to “Always Trust”.
    • Enter your macOS password when prompted.
  • Allow access to the private key
    • Locate the private key in the list, right-click, and choose “Get Info”.
    • Select “Access Control” at the top.
    • Enter your macOS password when prompted.
    • Select “Allow all applications to access this item:”
    • This step is optional. It saves you typing your macOS username and password every time you connect the VPN, but it also lets any local application use the VPN client key without a prompt, so skip it on a shared or less trusted machine.

Step 6 - Create the connection on the Mac

  • Open System Preferences:Network.
  • Click the “+” icon to add a new connection.
    • Interface: “VPN”
    • VPN Type: “IKEv2”
    • Service Name: Choose a descriptive name for this connection
  • Configure the connection settings.
    • Server Address: Enter the IP Address or Hostname of the IPFire host.
    • Remote ID: Enter the hostname of the IPFire host. This must match what you entered when creating the root/host certificates, and also the “Local ID” field you entered in IPFire when you configured the tunnel.
    • Local ID: Enter the e-mail you used as the “Remote ID” when configuring the tunnel on IPFire.
    • Click on “Authentication Settings”.
      • Choose “None” from the first drop-down menu.
      • Select the “Certificate” radio button.
      • Click “Select” and choose the certificate you imported earlier. The name should be the same as what you specified when creating the certificate/tunnel.
      • Click “OK” and then “Apply”
configuration/services/ipsec/example_configuration-_roadwarrior_with_macos.txt · Last modified: 2018/12/10 01:07 by Tom Rymes