IKEv2 partial split tunneling with Windows and local user database (Simplified).

Anton
Posts: 24
Joined: 16 Jun 2016, 18:50
Location: Clavister HQ - Örnsköldsvik

Post by Anton » 20 Jun 2017, 15:00

This how-to applies to:

• Clavister cOS core 12.x

This how-to assumes that you have a working Gateway certificate and root certificate. For information and guides on how to generate certificates please see one of the following articles:

XCA:
viewtopic.php?f=8&t=5447
Windows 2008 R2:
viewtopic.php?f=8&t=3990
Windows 2012:
viewtopic.php?f=8&t=5838

Topics covered in this how-to:

• Explanation of how partial split tunneling works with Windows.
• Preparing and configuring the IKEv2 Tunnel.
• IP Policies for IKEv2 Roaming Tunnel.
• Configuring the Windows built-in VPN client.

Explanation of how partial split tunneling works:

The default behavior in Windows is to route all traffic over the IKEv2 tunnel, but this can be changed. The change relies on a behavior in Windows where it estimates the network size from the IP address the client gets from the IKEv2 server, and that estimated network is what gets routed over the tunnel.

Example:
If the IKEv2 client gets an IP address in the 192.168.x.x range, Windows assumes a /24 network size.
If the IKEv2 client gets an IP address in the 172.16.x.x range, Windows assumes a /16 network size.
If the IKEv2 client gets an IP address in the 10.x.x.x range, Windows assumes a /8 network size.

Preparing the IKEv2 tunnel:

Before we start setting up the tunnel we need to add two objects in the Address book and create the local user database.

First we will add a new Local user database for our VPN users. Creating/adding a new local user database is done under System->Local User Database.

Once the database has been created it will look as follows:
[image: localuDB.png]
In this database we add the users we want to use for our IKEv2 solution as shown below:
[image: users.png]
Now we need to create two IPv4 objects: the first object will be the IP Pool from which the VPN clients will be assigned an IP, and the second object the DNS server that will be assigned to the connecting clients.
[image: IP_Pool.png]
In this example we will use 192.168.1.10-192.168.1.20, which means that the 192.168.1.0/24 network will be routed over the IKEv2 tunnel as explained earlier.

Note: One thing to consider is that DNS requests are not going to be sent over the IKEv2 tunnel unless the DNS server is on the same subnet (192.168.1.0/24). One way to get around this is to assign the client a “fake” DNS server, for example a core-routed IP in the same network range (192.168.1.0/24), and then use a SAT or NAT/SAT IP Policy to forward the traffic to the correct IP.

Example IP Policy, where the IKEv2 client is assigned the core-routed IP 192.168.1.1 as DNS server:
[image: sat_dns.png]
The configuration used in the Clavister Next Generation Firewall:

In this example we will use the Simplified VPN Clients object, which simplifies roaming client setup. To create a VPN Clients object go to Network -> Interfaces and VPN -> VPN and Tunnels -> IPsec, click Add and add a new “VPN Clients (Simplified)”.
[image: IKEv2_Tunnel.png]
1. Give your tunnel a suitable name.
2. Select the previously created IKEv2_IP_Pool. Clients connecting to the tunnel will be assigned an IP from the pool.
3. Assign a DNS server to be handed out, if needed.
4. Select your gateway certificate. As previously mentioned, this is explained further in viewtopic.php?f=8&t=5447
5. Select your root certificate. As previously mentioned, this is explained further in viewtopic.php?f=8&t=5447
6. Set the authentication source to “Local”. You can also choose RADIUS authentication if needed.
7. Select the local user database with your VPN users, in our case “VPN_Users”.

The “VPN Clients” object will create an EAP authentication rule in the background. One thing we still need to do for this to work is to add a new route for the IKEv2_IP_Pool and proxy ARP it on the internal interface (GESW in this example).

To add a route go to Network -> Routing -> Static Routes -> Routing Tables -> main and click Add Route:
[image: Route_1.png]
1. The interface should be the IKEv2 tunnel.
2. Set the network parameter to the IKEv2_IP_Pool.

Under the Proxy ARP tab add the internal interface as shown below:
[image: Route_2.png]
Important: We need to add this route so that the clients on the inside know where to send the return traffic.

When a client connects, cOS Core sets up a single-host route for the IP the client receives from the IP pool. Proxy ARP and route lookup are handled by separate sub-processes, so they are evaluated separately: even though the Proxy ARP route is not the primary match (it is less specific than the single-host route), it will still respond to the ARP query, and the scenario starts to work.

IP Policies for IKEv2 Roaming Tunnel:

We only need one IP Policy, since we have configured partial split tunneling and only want to allow access to a specific internal network.
[image: IP_Policy.png]
One thing to keep in mind here is that the IKEv2_IP_Pool is on the same /24 network as the internal_net, so the IKEv2_IP_Pool IPs need to be reserved for the IKEv2 clients.

Configuring the Windows built-in VPN client:

First of all we need to create the new VPN connection as shown in the following picture:
[image: windows_client_1.png]
To achieve split tunneling we need to disable “Use default gateway on remote network” on the VPN NIC, which can be found under Properties -> Networking -> Properties when you right-click the NIC. If you don’t want to enable split tunneling you can skip the rest of the steps.
[image: windows_client_2.png]
[image: windows_client_3.png]
[image: Windows_client_4.png]
Now we are done. The only traffic routed over the IKEv2 tunnel should be the 192.168.1.0/24 network; everything else will use the normal Internet route on the client.
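The Windows client steps above, as an added PowerShell example that is not part of the original post and uses the built-in VpnClient cmdlets instead of the GUI; the connection name, the gateway name vpn.example.com and the username are placeholders, and the 192.168.1.0/24 network is the one used throughout the post. Step 2 goes beyond the post by pinning the internal network as an explicit route, so the split tunnel no longer depends on the network-size guess described earlier.

```powershell
# Added example (not from the original post). Scripts the Windows built-in client
# setup from the screenshots with the VpnClient cmdlets (Windows 8.1 / 2012 R2 and later).
# Placeholders: connection name, gateway name and VPN username.
# As in the post, the root certificate is assumed to be installed and trusted on the client.
$Name    = 'Clavister IKEv2'
$Server  = 'vpn.example.com'   # placeholder; should match the name in the gateway certificate
$VpnUser = 'vpnuser'           # placeholder; a user from the "VPN_Users" local user database

# 1. Create the IKEv2 connection with EAP (username/password) authentication.
#    -SplitTunneling is the scripted equivalent of unticking
#    "Use default gateway on remote network" in the adapter's IPv4 properties.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -SplitTunneling -RememberCredential -Force

# 2. Beyond the post: pin the internal network as an explicit route so the split
#    tunnel does not rely on the class-based network-size guess described earlier
#    (routes added this way are only applied while split tunneling is enabled).
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix '192.168.1.0/24'

# 3. Review the resulting connection profile.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling, Routes

# 4. Dial (the * makes rasdial prompt for the password) and verify what Windows actually
#    installed on the VPN interface: expect 192.168.1.0/24 in the route table, no
#    0.0.0.0/0 via the tunnel, and the DNS server handed out by the VPN Clients object.
rasdial $Name $VpnUser *
Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4
Get-NetRoute -InterfaceAlias $Name -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric
Get-DnsClientServerAddress -InterfaceAlias $Name -AddressFamily IPv4

# 5. Disconnect when done.
rasdial $Name /disconnect
```

If the DNS server listed in step 4 is outside 192.168.1.0/24, DNS queries will leave through the client's normal Internet route, which is the case the “fake” DNS plus SAT policy described earlier is meant to handle.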
