Hello community,
Here is another thread regarding setting up an edgerouter as an IKEv2 VPN server: After considerable efforts I have a working setup and can connect from windows machines (currently windows 7) to both an edgerouter lite and an edgerouter X, both running the latest 1.10.6 firmware. I assume this setup should also work for other clients (windows 10, osx, etc.).
As the edgeOS currently does not support such a configuration directly I am using the include-ipsec-conf option to include the roadwarrior strongswan configuration. This generally follows the instructions found in other threads on this forum, mainly by cyberjunk here and by dilie here, as well as the strongswan documentation (for example this).
I will detail my configuration and the pitfalls I ran into, hopefully saving others (and myself) from pulling out their hair trying to get this working.
Final Configuration:
/config/user-data/my.ipsec
conn roadwarrior
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=my.domain.com
    leftsubnet=0.0.0.0/0
    leftcert=my_certificate.crt
    leftid=@my.domain.com
    leftfirewall=yes
    right=%any
    rightsourceip=192.168.2.100-192.168.2.199
    rightdns=192.168.1.1
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
The my_certificate.crt should be installed under /etc/ipsec.d/certs/. Additionally I also installed my self-signing dummy CA certificate under /etc/ipsec.d/cacerts/ (not sure if this is necessary). More about certificates later.
/config/user-data/my.secrets
: RSA /config/ipsec.d/rsa-keys/my_private.key
user1 : EAP "password1"
Note that if the edgerouter is running a vpn ipsec configuration with the private key set using "vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/my_private.key" the first line of the above my.secrets is redundant (as the edgerouter will autogenerate this line in the /etc/ipsec.secrets). My real configuration indeed has site-to-site ipsec with rsa authentication so the private key is set using the "vpn rsa-keys local-key file" configuration option and my.secrets only contains the users and their passwords.
Obviously the private key needs to actually be placed under /config/ipsec.d/rsa-keys/my_private.key.
VPN configuration:
set vpn ipsec include-ipsec-conf /config/user-data/my.ipsec
set vpn ipsec include-ipsec-secrets /config/user-data/my.secrets
Firewall configuration:
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
If access to the router itself from the VPN is desirable (for example if using the router as a DNS server for VPN clients), an additional firewall rule is needed:
set firewall name WAN_LOCAL rule 90 action accept
set firewall name WAN_LOCAL rule 90 description "Allow router access from ipsec VPNs"
set firewall name WAN_LOCAL rule 90 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 90 log disable
set firewall name WAN_LOCAL rule 90 ipsec match-ipsec
set firewall name WAN_LOCAL rule 90 source address 192.168.0.0/16
This will also allow site-to-site VPN clients access to the router.
And for access to the dnsmasq from the VPN the following configuration is also necessary:
set service dns forwarding options "listen-address=192.168.1.1"
Pitfalls and Comments:
- Forwarding (as opposed to split-tunneling): As explained here you can either forward all traffic from the roadwarrior through the VPN or use split-tunneling to use the VPN only for the VPN side subnet(s). Originally I intended to use split-tunneling.
It turns out that you cannot use the current edgeOS version for split-tunneling (at least not out-of-the-box), as this requires the strongswan dhcp and farp plugins. Unfortunately, these plugins were removed from recent edgeOS versions. See further information here (again thanks cyberjunk):
https://community.ubnt.com/t5/EdgeRouter/StrongSwan-Plugins-DHCP-FARP-missing-in-FW-1-9-1/td-p/1910015
After finally understanding this, I decided to drop split-tunneling and I forward all traffic through the VPN (notice the rightsourceip in the my.ipsec provides VPN addresses from a different subnet). The client configuration needs to be set appropriately (for windows by leaving the default "use default gateway on remote network" enabled).
For split-tunneling, in addition to installing the missing strongswan plugins, the my.ipsec should probably be more in line with cyberjunk's post. I cannot comment further on this as I did not follow this path.
- Certificates: At least for now I am using self-signed certificates (I followed the guide here). A few notes that might be obvious (the last one was not obvious to me and cost me some pain...):
- You must install the certificate for your self-signing dummy CA as a trusted root on the client (for windows it can be done as explained here).
- The router's certificate (my_certificate.crt) must be for the domain you are using to connect to the VPN (my.domain.com).
- The certificate must have "extendedKeyUsage = serverAuth,clientAuth", otherwise at least windows 7 refuses to connect.
- A different way to go about all this (which I did not even attempt) is to use the "IKEv2 VPN Remote Access Server" by TriJetScud:
https://community.ubnt.com/t5/EdgeRouter-Beta/1-8-0-IKEv2-VPN-Remote-Access-Server/td-p/1360103
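As an added example (not part of the original post), here is a small openssl script that produces the dummy CA and the router certificate with the three certificate requirements listed above (trusted dummy CA, name matching my.domain.com, extendedKeyUsage with both serverAuth and clientAuth), plus a check that verifies a certificate the way a client would. The function names, the "Dummy VPN CA" subject and the output directory are my own assumptions; my.domain.com and the file names come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build a dummy CA plus a router
# certificate that satisfies the pitfalls above, then verify it the way a
# client would. Assumes openssl 1.1.0+ on PATH; names and paths are placeholders.
set -eu

# make_vpn_certs OUTDIR DOMAIN [EKU]
# Writes ca.crt, my_private.key and my_certificate.crt into OUTDIR.
# EKU defaults to "serverAuth,clientAuth"; pass "" to omit the extension.
make_vpn_certs() {
    dir=$1; domain=$2; eku=${3-serverAuth,clientAuth}
    mkdir -p "$dir"
    # Dummy CA: goes under /etc/ipsec.d/cacerts/ on the router and into the
    # client's trusted root store.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Dummy VPN CA" \
        -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Router key (/config/ipsec.d/rsa-keys/my_private.key) and CSR.
    openssl genrsa -out "$dir/my_private.key" 2048 2>/dev/null
    openssl req -new -key "$dir/my_private.key" -subj "/CN=$domain" \
        -out "$dir/server.csr" 2>/dev/null
    # SAN must be the name clients dial (leftid=@my.domain.com); EKU needs
    # both serverAuth and clientAuth or Windows 7 refuses to connect.
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/server.ext"
    if [ -n "$eku" ]; then
        printf 'extendedKeyUsage=%s\n' "$eku" >> "$dir/server.ext"
    fi
    openssl x509 -req -days 825 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/my_certificate.crt" 2>/dev/null
}

# check_vpn_cert CERT CA DOMAIN: returns 0 only if CERT chains to CA, is
# valid for DOMAIN and carries both the serverAuth and clientAuth purposes.
check_vpn_cert() {
    cert=$1; ca=$2; domain=$3
    openssl verify -CAfile "$ca" -verify_hostname "$domain" "$cert" \
        >/dev/null 2>&1 || return 1
    eku=$(openssl x509 -in "$cert" -noout -text |
        awk '/Extended Key Usage/ { getline; print; exit }')
    case $eku in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case $eku in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}
```

Run check_vpn_cert against the certificate you are about to copy to /etc/ipsec.d/certs/ before touching the client; a serverAuth-only certificate passes the chain check but fails the EKU check, which is exactly the Windows 7 symptom.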
Troubleshooting
On the edgerouter's side the main troubleshooting method is running:
sudo swanctl --log
On the windows side the main thing I found useful is looking up the windows error codes here:
https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
Performance
Testing performance was done with iperf3 between a VPN connected machine and a machine on the edgerouter's local network. The machine connecting to the VPN was connected directly to the edgerouter's WAN port (connected to the same switch as the WAN port of the edgerouter to be precise). Similar speeds were also observed copying files between the machines.
NAT and IPsec hardware offloading are enabled on both routers (notice that IPsec offloading is disabled by default on the ERX).
Upload to ERX vpn server around 150Mbit/s:
[ 4] 0.00-1.01 sec 19.6 MBytes 162 Mbits/sec
[ 4] 1.01-2.01 sec 18.5 MBytes 155 Mbits/sec
[ 4] 2.01-3.01 sec 19.1 MBytes 161 Mbits/sec
[ 4] 3.01-4.01 sec 18.5 MBytes 155 Mbits/sec
[ 4] 4.01-5.01 sec 19.2 MBytes 162 Mbits/sec
[ 4] 5.01-6.01 sec 19.1 MBytes 161 Mbits/sec
[ 4] 6.01-7.00 sec 18.5 MBytes 155 Mbits/sec
[ 4] 7.00-8.00 sec 19.1 MBytes 161 Mbits/sec
[ 4] 8.00-9.00 sec 19.1 MBytes 161 Mbits/sec
[ 4] 9.00-10.02 sec 19.5 MBytes 161 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.02 sec 190 MBytes 159 Mbits/sec sender
[ 4] 0.00-10.02 sec 190 MBytes 159 Mbits/sec receiver
Download from ERX vpn server around 200 Mbit/s:
[ 4] 0.00-1.01 sec 29.5 MBytes 244 Mbits/sec
[ 4] 1.01-2.01 sec 28.7 MBytes 241 Mbits/sec
[ 4] 2.01-3.01 sec 28.6 MBytes 241 Mbits/sec
[ 4] 3.01-4.01 sec 28.7 MBytes 241 Mbits/sec
[ 4] 4.01-5.01 sec 28.8 MBytes 242 Mbits/sec
[ 4] 5.01-6.01 sec 28.2 MBytes 237 Mbits/sec
[ 4] 6.01-7.00 sec 13.8 MBytes 116 Mbits/sec
[ 4] 7.00-8.00 sec 27.7 MBytes 233 Mbits/sec
[ 4] 8.00-9.00 sec 28.1 MBytes 237 Mbits/sec
[ 4] 9.00-10.02 sec 28.7 MBytes 237 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.02 sec 271 MBytes 227 Mbits/sec sender
[ 4] 0.00-10.02 sec 271 MBytes 227 Mbits/sec receiver
Upload to ERLite vpn server around 75 Mbit/s:
[ 4] 0.00-1.01 sec 9.50 MBytes 78.6 Mbits/sec
[ 4] 1.01-2.01 sec 9.25 MBytes 77.7 Mbits/sec
[ 4] 2.01-3.01 sec 9.38 MBytes 78.8 Mbits/sec
[ 4] 3.01-4.01 sec 9.25 MBytes 77.7 Mbits/sec
[ 4] 4.01-5.01 sec 9.50 MBytes 79.8 Mbits/sec
[ 4] 5.01-6.01 sec 9.25 MBytes 77.7 Mbits/sec
[ 4] 6.01-7.00 sec 9.12 MBytes 76.7 Mbits/sec
[ 4] 7.00-8.00 sec 9.50 MBytes 79.8 Mbits/sec
[ 4] 8.00-9.00 sec 9.38 MBytes 78.8 Mbits/sec
[ 4] 9.00-10.02 sec 9.75 MBytes 80.7 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.02 sec 93.9 MBytes 78.6 Mbits/sec sender
[ 4] 0.00-10.02 sec 93.7 MBytes 78.5 Mbits/sec receiver
Download from ERLite vpn server around 90 Mbit/s:
[ 4] 0.00-1.01 sec 11.5 MBytes 95.0 Mbits/sec
[ 4] 1.01-2.01 sec 10.8 MBytes 90.5 Mbits/sec
[ 4] 2.01-3.01 sec 10.9 MBytes 91.4 Mbits/sec
[ 4] 3.01-4.01 sec 11.1 MBytes 93.2 Mbits/sec
[ 4] 4.01-5.01 sec 11.2 MBytes 93.9 Mbits/sec
[ 4] 5.01-6.01 sec 11.1 MBytes 93.3 Mbits/sec
[ 4] 6.01-7.00 sec 11.1 MBytes 93.0 Mbits/sec
[ 4] 7.00-8.00 sec 10.9 MBytes 92.0 Mbits/sec
[ 4] 8.00-9.00 sec 11.1 MBytes 93.0 Mbits/sec
[ 4] 9.00-10.02 sec 11.2 MBytes 92.4 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.02 sec 111 MBytes 92.9 Mbits/sec sender
[ 4] 0.00-10.02 sec 111 MBytes 92.9 Mbits/sec receiver
I find it odd that the ERX is much faster than the ERLite; if anything, I expected the ERLite to be faster. Does anyone have an explanation for this?