Configuring Roaming IKEv2 tunnel using XCA CA and FreeRadius

Security Gateway Articles and How to's
Post Reply
Peter
Posts: 620
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Configuring Roaming IKEv2 tunnel using XCA CA and FreeRadius

Post by Peter » 17 Feb 2016, 19:42

This How-to applies to:
  • Clavister CorePlus 11.01.00 and up.
Scenario:

This guide will provide a reference guide on how to get IKEv2 working using the program called XCA to generate the needed Certificates and to use FreeRadius as the user authentication database with EAP (Enhanced Authentication Protocol) support.

Note: It is possible to use the Local User Database in cOS Core as well which has support for EAP in newer versions (11.xx).

This is primary intended for internal lab environments when testing IKEv2 as we will not use CRL (Certificate Revocation Lists). It will however provide details on how to configure the Clavister and how to import the Certificates into the correct Certificate store when importing the Certificates in Windows.

This same setup can of course be configured using e.g. Windows 2012 CA and Radius server as well.

XCA

XCA is a Certificate and key management software made by Christian Hohnstädt (christian@hohnstaedt.de) and can be found on the following webpage:

http://xca.sourceforge.net

1. Creating Root Certificate using XCA

When XCA is installed, start the program and create a new Database.
Picture_1.png
Picture_1.png (35.23 KiB) Viewed 7230 times
Select "New Certificate".
Picture_2_NewCert.png
Picture_2_NewCert.png (16.75 KiB) Viewed 7230 times
Select "CA" template and press "Apply All".
Picture_3_Template.png
Picture_3_Template.png (15.4 KiB) Viewed 7230 times
Enter Distinguished name information and create a 4096 bit RSA key.
Picture_4_CertProperties.png
Picture_4_CertProperties.png (101.21 KiB) Viewed 7230 times
Select Certificate Authority as Type, uncheck Critical and Subject Key Identifier. Change the time range validity of the certificate depending on your requirements then input the x509v3 Subject Alternative Name.
Picture_5_CertExtensions.png
Picture_5_CertExtensions.png (93 KiB) Viewed 7230 times
Make sure that “Certificate Sign” and “CRL Sign” is selected.
Picture_6_KeyUsage.png
Picture_6_KeyUsage.png (34.22 KiB) Viewed 7229 times
Export the Certificate as a PEM (.crt) file.
Picture_7_ExportRoot.png
Picture_7_ExportRoot.png (73.2 KiB) Viewed 7229 times
2. Creating the Gateway Certificate.
When creating the Gateway Certificate (the certificate that the Clavister uses to authorize itself towards the connecting client) we will use our previous created Root certificate to sign it. Basically all certificate must be signed by the same CA root server certificate in order to have a valid and intact Certificate chain. We also must select "HTTPS_Server" as the template as we act as a server in this scenario, make sure that you press "apply All" to copy all the template properties to our certificate.
Picture_8_Gateway_Cert.png
Picture_8_Gateway_Cert.png (69.64 KiB) Viewed 7229 times
Enter Distinguished name information and create a 4096 bit RSA key.
Picture_9_Gateway_Cert_Subject.png
Picture_9_Gateway_Cert_Subject.png (107.4 KiB) Viewed 7229 times
Enter a x509v3 Subject Alternative Name using a DNS URL.

IMPORTANT NOTE: This URL must resolve to the IP address that your Clavister Firewall IKEv2 server is configured on. When the client connects, this is the exact DNS name that must be used when configuring which IP/DNS the client should connect to when trying to establish the tunnel. If you for instance type in the IP address directly in the client, it will not work!
Picture_10_Gateway_Cert_Extensions.png
Picture_10_Gateway_Cert_Extensions.png (101.08 KiB) Viewed 7229 times
Make sure that all these Key usage options are selected. Basically these determine what the intended use is for this Certificate.
Picture_11_Gateway_Cert_KeyUsage.png
Picture_11_Gateway_Cert_KeyUsage.png (130.8 KiB) Viewed 7229 times
Export the certificate as a PEM (.crt) file.
Picture_12_Gateway_Cert_Export.png
Picture_12_Gateway_Cert_Export.png (83.43 KiB) Viewed 7229 times
Export this Certificates private key as a “PEM private” (.pem) file as well.
Picture_13_Gateway_Cert_Export_Key.png
Picture_13_Gateway_Cert_Export_Key.png (44.84 KiB) Viewed 7229 times
3. Creating the Remote User (client) Certificate.

Note-1: For Windows & MAC clients this step is not needed, only the root certificate needs to be imported to the Windows client machines.
Note-2: If the MAC client is configured manually, the Local/Remote ID setting on the client must be configured.

The client Certificate is the certificate that is installed on e.g. a Windows machine that attempts to connect to the Security Gateway. The process is very similar to the Gateway Certificate.

Select the “HTTPS_client” template and press “Apply all”. Make sure to sign it using the “TestCA” certificate.
Picture_14_Client_Cert.png
Picture_14_Client_Cert.png (69.77 KiB) Viewed 7228 times
Enter Distinguished name information and create a 4096 bit RSA key.
Picture_15_Client_Subject.png
Picture_15_Client_Subject.png (103.52 KiB) Viewed 7228 times
Change Type to be End Entity (as it is not part of a Certificate chain), input an X509v3 Subject Alternative Name.
Picture_16_Client_Extensions.png
Picture_16_Client_Extensions.png (73.44 KiB) Viewed 7228 times
Export the certificate as a PKCS #12 chain (.p12). Both the Client Certificate and it's private key will be exported in this step, so there is no need to export the private separately as with the gateway Certificate/key.
Picture_17_Client_Export.png
Picture_17_Client_Export.png (118.47 KiB) Viewed 7228 times
4. Configuring IKEv2 in Clavister cOS Core
The first step we need to perform before we add the IKEv2 tunnel interface itself is to import the CA servers (XCA) Root Certificate along with the Gateway Certificate + it's private key. All Screenshots are based on the WebUI from cOS Core version 11.01.00.

Go to Objects->Key Ring and Add->Certificate. Select the TestCA.crf file we exported from XCA earlier. Also make sure that CRL (Certificate Revocation List) is disabled as we do not have any connection towards the XCA program for CRL checks. If you are using e.g. a Microsoft CA server this will most likely be something you want to enable as it can be very handy to be able to revoke a Certificate from the CA server itself.
Picture_18_ImportRootCert.png
Picture_18_ImportRootCert.png (54.53 KiB) Viewed 7228 times
Repeat the process for the Gateway Certificate along with it's private key.
Picture_19_ImportGatewayCert.png
Picture_19_ImportGatewayCert.png (39.83 KiB) Viewed 7228 times
Private and Public key's : More information about the public and private keys can be found on the following webpage: https://www.comodo.com/resources/small- ... cates2.php

Next we need to configure an IKE Config Mode IP pool. This object will contain the IP addresses the Security Gateway will hand out to the connecting clients. Config Mode pool objects are added under Objects->VPN Objects->IKE Config Mode Pool. You can use a pre-defined or static IP pool, we will use Static IP pool in this example.
Picture_20_CreatingCfgModePool.png
Picture_20_CreatingCfgModePool.png (45.78 KiB) Viewed 7228 times
Note about the subnets option: Even though there is an option to specify a subnet on the Cfg Mode pool, this sub network option can only be pushed out to clients that support this Cfg Mode option. Windows does unfortunately not support this option so it is not possible to use split-tunneling when using Windows as a client. You can however still achieve "Partial split tunnelling" similar as what is documented in the following forum post, Partial Split tunneling.
Once the Cfg Mode Pool object has been created we now need to create new proposal lists for IKE and IPsec. This is done under Objects->VPN Objects and "IKE Algorithms and IPSec Algorithms. Select AES as Encryption and SHA1 as Integrity algorithm.
Picture_21_CreatingIKEIPsecPropList.png
Picture_21_CreatingIKEIPsecPropList.png (49.89 KiB) Viewed 7227 times
Repeat the procedure for an IPsec algorithm as well using AES and SHA1.

Creating and configuring the IKEv2 interface
Now we come to configuring the IKEv2 interface itself in cOS Core. This is done under Network->Interfaces and VPN->VPN and tunnels->IPsec. Add a new IPsec interface. Since we are going to use IKEv2 the first thing we need to change is the IKE version, go to the IKE Settings tab and change IKE version from default IKEv1 to IKEv2.
Picture_22_ChangingIKEVersion.png
Picture_22_ChangingIKEVersion.png (21.55 KiB) Viewed 7227 times
Back to the general tab we change local and remote network to be all-nets, the remote network can most likely be restricted based on what kind of client that is used. Windows however by default sends "all-nets" as both local and remote network.

The Remote endpoint is all-nets as we do not know where the client(s) are connecting from, we select the IKE Config Mode pool object we created earlier and the same with the IKE and IPSec proposal lists.
Picture_23_GeneralSettings.png
Picture_23_GeneralSettings.png (63.16 KiB) Viewed 7227 times
On the IKE Settings tab regarding settings for IKE DH group and PFS DH group we leave all settings to their defaults (except IKE version which we changed earlier).

We now come to the "Authentication" tab, here we select the Gateway Certificate and also add the TestCA Certificate as Root Certificates using the Certificates we imported earlier.

Tip: Make sure that when importing the Certificates that they get tagged as the correct type. A Certificate that has a private key becomes tagged as "local" and a Certificate without a private key (such as the CA root certificate) becomes "Remote". Only a Local type certificate can be chosen as the gateway certificate.

IKEv2 tunnels also requires the use of EAP, simply enable the two checkbox for EAP as shown in the below screenshot.
Picture_24_TunnelAuthenticationTab.png
Picture_24_TunnelAuthenticationTab.png (55.61 KiB) Viewed 7227 times
Lastly we need to go to the Advanced tab and uncheck the checkbox for "Add route Statically" and enable the "Add route Dynamically" option. This is very important! If the static route option is enabled it could cause a routing conflict with the external internet access route causing internet access disruptions when deploying the configuration!
Picture_25_TunnelRoutes.png
Picture_25_TunnelRoutes.png (3.85 KiB) Viewed 7224 times
Adding the Radius server object in Clavister cOS Core

As we will be authenticating our users towards a Radius server we need to create a Radius server object which we later can use in our User authentication rules. To create the Radius server object we go to Policies->User Authentication->User Directories->Radius and add a new Radius server object.
Picture_26_EAP_Radius.png
Picture_26_EAP_Radius.png (37.04 KiB) Viewed 7224 times
We now come to the User Authentication rule, this is configured under Policies->User Authentication->Rules->Authentication Rules. Create a new rule with the properties shown in the screenshot. The interface is the IPsec interface we created earlier.
Picture_27_UserAuthRule.png
Picture_27_UserAuthRule.png (43.98 KiB) Viewed 7224 times
And finally, select the Radius server we defined earlier.
Picture_28_UserAuthRule_Options.png
Picture_28_UserAuthRule_Options.png (40.47 KiB) Viewed 7224 times
The only thing left to do in cOS Core is to create one or more IP rules/policies to determine what the IKEv2 users should be allowed to access. Since this is very individual we will not go into details about those rules.

5. Installing FreeRadius on Ubuntu

This is a short guide on how to install FreeRadius on Ubuntu, the exact steps may vary depending on version and potential changes that may occur in the future. The bracket # means that its is a CLI command.

1.- Install freeradius:

Code: Select all

# apt-get install freeradius
2.- Edit EAP method:

Code: Select all

# nano /etc/freeradius/eap.conf:
default_eap_type = peap
3.- Adding new users :

Code: Select all

# vi /etc/freeradius/users
 
tuxuser Cleartext-Password := "P@sswd4Tux"
tuxadmin Cleartext-Password := "P@sswrd4Admin"
4.- Enabling and configuring mschap-v2 protocol:

Code: Select all

# vi /etc/freeradius/modules/mschap
 
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
5.- Reloading new libraries:

Code: Select all

# ldconfig
6.- Add new radius clients (Access point):

Code: Select all

# vi /etc/freeradius/clients.conf
 
client 192.168.1.1/24 {
secret = abc123!
shortname = Clavister-IKEv2-Demo
}
7.- Restarting service and testing radius authentication:

Code: Select all

# service freeradius restart
# radtest tuxuser P@sswd4Tux 192.168.1.10 1812 0peN2d0!
6. Importing the Certificates & Configuring the IKEv2 tunnel in Windows 10.

Import a CA certificate for the Computer account by Microsoft Management Console(MMC).

1. Move the cursor to the right corner of your screen and click Search the Web and Windows.
2. Open Microsoft Management Console(MMC) by entering "mmc" into the search box.
3. On the File menu, point to Add/Remove Snap-in, and open the Add or Remove Snap-ins dialog.
4. Click the certificates under Available snap-ins and push Add.
5. Select the Computer account and push Next.
6. Select the Local computer and push Finish.
7. Push OK on Add or Remove Snap-ins dialog and close it.
8. Click the folder Certificates(Local Computer) / Personal / Certificates folder, click the Actionmenu, point to All Tasks, and then click Import.
9. Click Next and follow the instructions.
- An imported PKCS#12 file: remotehost1.p12
10. If a CA's certificate (TestCA) is extracted into Certificates(Local Computer) / Personal / Certificates folder, move it to Certificates(Local Computer) / Trusted Root Certification Authorities / Certificates folder by dragging and dropping the certificate's icon.

Setting up the VPN connection:

Set up a VPN connection.

1. Move the cursor to the right corner of your screen and click Search the Web and Windows.
2. Open Network and sharing center by entering Network and sharing center into the search box and then click Set up a new connection or network.
3. Click Connect to a workplace and push Next.
4. If you are asked "Do you want to use a connection that you already have?", select "No, create a new connection" and then push Next.
5. Click Use my Internet connection (VPN).
6. Click I'll set up an Internet connection later..
7. Enter gateway1.clavister.com (Clavister IKEv2 Server hostname) into Internet Address and Example VPN into Destination name and push Create.
8. Open Network and sharing center again and click Change adapter settings.
9. Open the properties dialog of Example VPN adapter and show Security tab.
10. Enter the following:
- Type of VPN: IKEv2
- Data encryption: Require encryption (disconnect if server declines)
- Authentication: Use Extensible Authentication Protocol(EAP) and EAP-MSCHAPv2
11. Push OK.

- Edit the hosts file if DNS service is not available for gateway1.clavister.com.

1. Open "C:Windows/System32/drivers/etc/hosts" by notepad as an administrator. If you can't find these folders, please see Show hidden files.
2. Add the following line into this hosts file.

Code: Select all

10.0.0.1   gateway1.clavister.com   # (Example VPN) 
3. Save and close the file.

Troubleshooting tips:

If you experience problems here are a few troubleshooting tips:

1. Make sure that the DNS or IP address you are attempting to connect to using the client is what is defined in the gateway certificate. If you for instance type in IP 1.2.3.4 instead of what is defined in the certificate (in our example gateway1.clavister.com) the connection attempt will fail.
2. Here is a Microsoft article that gives some IKEv2 troubleshooting tips: Troubleshooting IKEv2

Post Reply