IKEv2

From securityrouter.org, an OpenBSD-based firewall

We generally recommend L2TP for client VPN and IKE for site-to-site VPN, because they are mature OpenBSD projects. However, recent versions also include IKEv2 support, implemented by iked and configured in the "ipsec" scope of the plain-text configuration file. Current limitations are:

  • No web administration interface
  • Cannot be used together with IKEv1 or L2TP, and is difficult to use with manual key IPsec because it flushes the flows and SAs on startup

Gateway to gateway

You can use either PKI or pre-shared keys to set up authentication. A pre-shared key configuration looks like this (the "badsecret" value is a placeholder, not a key to use):

ikev2 active esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 srcid myname dstid yourname psk "badsecret"
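The policy line above carries the pre-shared key in clear text, so two things matter on a real gateway: the secret must be random rather than a word like "badsecret", and the file holding it must not be readable by other users. The following shell script is an added example and is not configuration from securityrouter.org; it assumes plain OpenBSD iked.conf syntax (the same policy line as above, outside the securityrouter "ipsec" scope) and that iked(8) accepts -n for a syntax check and -f to name the file. The helper names (gen_psk, site_to_site_policy, write_iked_conf, check_iked_conf) are this example's own.

```shell
#!/bin/sh
# Added example (not from securityrouter.org): build a gateway-to-gateway
# iked.conf policy with a randomly generated PSK instead of a fixed string.
# Assumptions: OpenBSD iked.conf syntax; "iked -n -f FILE" checks syntax.

# gen_psk BYTES: hex-encoded random secret read from /dev/urandom
# (default 32 bytes, which yields 64 hex characters).
gen_psk() {
    bytes="${1:-32}"
    od -An -vtx1 -N "$bytes" /dev/urandom | tr -d ' \n'
}

# site_to_site_policy LOCAL_NET REMOTE_NET PEER SRCID DSTID PSK
# Emits the same policy shape shown on this page, with the PSK quoted.
site_to_site_policy() {
    printf 'ikev2 active esp from %s to %s peer %s srcid %s dstid %s psk "%s"\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# write_iked_conf FILE POLICY: the file holds the secret, so create it with
# mode 0600 from the start (umask in a subshell so the caller is unaffected).
write_iked_conf() {
    ( umask 077; printf '%s' "$2" > "$1" ) || return 1
    chmod 600 "$1"
}

# check_iked_conf FILE: run iked's configuration test when iked is present;
# on a host without iked (e.g. where this example is being read) just say so.
check_iked_conf() {
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$1"
    else
        echo "iked not installed here; skipping syntax check" >&2
    fi
}

# Usage (values from this page; the peer gateway must be given the same PSK
# over a separate trusted channel):
if [ "${1:-}" = "--demo" ]; then
    psk=$(gen_psk 32)
    policy=$(site_to_site_policy 10.0.5.0/30 10.0.5.4/30 192.168.1.2 myname yourname "$psk")
    write_iked_conf ./iked.conf.example "$policy"
    check_iked_conf ./iked.conf.example
fi
```

Both ends must be configured with the identical PSK; the script only produces one side, and the secret should be carried to the peer out of band rather than re-derived. A PSK is only as strong as its secrecy, which is why the page's other option, PKI with ikectl, is the better fit when more than two gateways or any roaming clients are involved.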

Client VPN

Windows 7, iOS 9 and OS X 10.11[1] or newer support IKEv2 and work with a simple IKEv2 configuration such as

ipsec {
   ikev2 "win" esp from 192.168.55.0/24 to 1.2.3.0/24 local any peer any srcid 10.2.6.200 config address 192.168.55.2
   ...

where 192.168.55.0/24 is the office network, 10.2.6.200 is the VPN router's IP address and 192.168.55.2 is the address assigned to the client. To generate certificates compatible with Windows, the most convenient way is to enable root access, install Perl, and then install the zip package (the export command uses it to produce a Windows-friendly bundle):

# mount -uw /
# pkg_add zip

and finally generate the certificates with

# ikectl ca vpn create
# ikectl ca vpn install 
# ikectl ca vpn certificate 10.2.6.200 create
# ikectl ca vpn certificate 10.2.6.200 install
# ikectl ca vpn certificate client.example.com create 
# ikectl ca vpn certificate client.example.com export

Copy client.example.com.zip to the Windows computer and, in the local machine certificate MMC snap-in, import "ca" into "Trusted Root Certification Authorities" and "client.example.com" into "Personal". As in the example above, "10.2.6.200" is the VPN router IP and "client.example.com" is the Windows client.
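The ikectl steps above are usually repeated for every new client, and running "ca vpn create" a second time would replace the CA key that already-enrolled clients trust. The script below is an added example, not a tool from securityrouter.org or OpenBSD: it wraps the same ikectl(8) commands with a check that zip is installed before exporting, skips CA creation when the CA directory already exists (assumed here to be /etc/ssl/CANAME, where ikectl keeps its files), and issues bundles for several clients in one run. Setting IKECTL=echo prints the commands instead of running them, which is how it can be tried on a machine without ikectl. The function names ca_bootstrap, client_export and require_zip are this example's own.

```shell
#!/bin/sh
# Added example (not from securityrouter.org): the ikectl(8) certificate
# steps from this page as one script with preflight checks.
# IKECTL may be set to "echo" for a dry run that only prints the commands.
IKECTL="${IKECTL:-ikectl}"

# require_zip: "ikectl ... export" builds a .zip bundle, so the zip package
# (pkg_add zip) must be present; returns non-zero otherwise.
require_zip() {
    command -v zip >/dev/null 2>&1
}

# ca_bootstrap CANAME GATEWAY_ID: create and install the CA, then issue and
# install the gateway certificate. CA creation is skipped when the CA
# directory already exists (assumed location: /etc/ssl/CANAME), because
# re-creating it would invalidate every client certificate issued so far.
ca_bootstrap() {
    ca="$1"; gw="$2"
    if [ ! -d "/etc/ssl/$ca" ]; then
        $IKECTL ca "$ca" create || return 1
        $IKECTL ca "$ca" install || return 1
    fi
    $IKECTL ca "$ca" certificate "$gw" create || return 1
    $IKECTL ca "$ca" certificate "$gw" install
}

# client_export CANAME CLIENT...: issue a certificate for each client name
# and export it as a Windows-friendly bundle (CLIENT.zip, as on this page).
client_export() {
    ca="$1"; shift
    require_zip || { echo "zip is not installed; run: pkg_add zip" >&2; return 1; }
    for client in "$@"; do
        $IKECTL ca "$ca" certificate "$client" create || return 1
        $IKECTL ca "$ca" certificate "$client" export || return 1
    done
}

# Usage with the names from this page (gateway 10.2.6.200, CA "vpn"):
if [ "${1:-}" = "--demo" ]; then
    ca_bootstrap vpn 10.2.6.200 &&
    client_export vpn client.example.com
fi
```

The Windows side stays manual: the exported zip still has to be copied over and imported through the certificate MMC as described above. Because the bundle contains the client's private key, treat the zip like a password: transfer it over an authenticated channel and delete it from the router once the client is enrolled.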