UBUNTU IKEv2: STRONGSWAN + RADIUS + AD + LETSENCRYPT + IPTABLES

On domain controllers:
Install Network Policy Server
Create Radius client
Open NPS and right click on “NPS (local)” and click on “Register server in Active directory”
Go to Policies – Connection Request Policies – New and enter:
-Name: NAME
-Type: Unspecified
-Conditions: Client IPv4 Address – enter RADIUS client IP
Go to Policies – Network Policies – New and enter:
-Name: NAME
-Type: Unspecified
-Conditions: User Groups – add AD groups you want to allow connection to
-EAP Types: MSCHAP2 and EAP
-add EAP-MSCHAP v2 add EAP
-Settings – delete PPP and Framed, add Service-Type: Administrative
Right mouse click on policy and move policy to TOP (move UP)

For auto-create VPN connection for users, in GPO:
create script:
users_vpn.ps.1

# Define variables
$VPNName = "VPN-IKEv2"
$ServerAddress = "myikev2.server.com"

# Create VPN connection using Windows logon credentials
Add-VpnConnection -Name $VPNName -ServerAddress $ServerAddress -TunnelType Ikev2 -AuthenticationMethod eap -RememberCredential
$EapConfigXmlStream = '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>true</UseWinLogonCredentials></EapType></Eap></Config></EapHostConfig>'
Set-VpnConnection -Name $VPNName -EapConfigXmlStream $EapConfigXmlStream

add script to GPO:
-User configuration
-Policies
-Windows Settings
-Scripts — Logon — PowerShell — add

On Linux servers:

apt-get update
apt-get upgrade
apt-get install -y strongswan libcharon-extra-plugins certbot iptables-persistent software-properties-common net-tools

Get certificate using certbot. Link the cert files so that they can be used in StrongSwan:

certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email your@email.com -d your.domain.com

ln -s /etc/letsencrypt/live/YOUR_DOMAIN_NAME/fullchain.pem /etc/ipsec.d/certs/fullchain.pem
ln -s /etc/letsencrypt/live/YOUR_DOMAIN_NAME/chain.pem /etc/ipsec.d/cacerts/chain.pem
cp /etc/letsencrypt/archive/YOUR_DOMAIN_NAME/privatkey1.pem /etc/ipsec.d/private/privkey.pem

aa-status --enabled && invoke-rc.d apparmor reload

Setup WAN interface:
Go to /etc/netplan
Create 99_config.yaml

network:
  version: 2
  renderer: networkd
  ethernets:
    ens192:
      addresses:
        - 1.10.50.1/29
      routes:
        - to: default
          via: 1.10.50.142
          metric: 90
      nameservers:
          search: [mydomain, otherdomain]
          addresses: [10.0.1.100, 8.8.8.8]

netplan apply

Setup Iptables:

cd /etc
touch my_iptables.sh
chmod 700 /etc/my_iptables.sh

Copy iptables settings to /etc/iptables.sh

#!/bin/bash

export IPT="iptables"
export WAN=ens192
export LAN=ens160
export LAN_IP_RANGE=10.0.1.0/24

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $LAN -j ACCEPT

# --- IKEv2
$IPT -A INPUT -p udp --dport  500 -j ACCEPT
$IPT -A INPUT -p udp --dport 4500 -j ACCEPT
# forward VPN traffic anywhere
$IPT -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s $LAN_IP_RANGE -j ACCEPT
$IPT -A FORWARD --match policy --pol ipsec --dir out --proto esp -d $LAN_IP_RANGE -j ACCEPT
# reduce MTU/MSS values for dumb VPN clients
$IPT -t mangle -A FORWARD --match policy --pol ipsec --dir in -s $LAN_IP_RANGE -o $LAN -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# masquerade VPN traffic over WAN etc.
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $WAN -m policy --pol ipsec --dir out -j ACCEPT  # exempt IPsec traffic from masquerading
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $WAN -j MASQUERADE
# ---

$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

$IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

$IPT -A OUTPUT -o $WAN -j ACCEPT
$IPT -A INPUT -i $WAN -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $WAN -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A FORWARD -i $WAN -o $LAN -j REJECT

/sbin/iptables-save > /etc/iptables/rules.v4

#iptables -L --line-numbers -v -n

./iptables.sh

Enable forwarding:
Edit /etc/sysctl.conf and put to end

# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1

sysctl -p

Edit /etc/strongswan.d/charon/attr.conf, enter DNS addresses:

dns = YOUR_DNS1, YOUR_DNS2

Edit /etc/strongswan.d/charon/eap-radius.conf and enter NPS servers addresses:

servers {
 primary {
 address = DomainController_IP_or_FQDN
 secret = strongpassword
 }

Edit /etc/ipsec.conf, define connections:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.
conn vpn-ikev2
 ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
 esp=aes256-sha256
 keyexchange=ikev2
 #--- left - server configuration
 left=%any
 leftid=@YOUR_DOMAIN_NAME
 leftsubnet=0.0.0.0/0
 leftauth=pubkey
 leftcert=/etc/ipsec.d/certs/fullchain.pem
 #--- right - client confguration
 right=%any
# take ip from AD user Dial-UP settings 
rightsourceip=%radius
# take ip from IP pool
# rightsourceip=10.0.1.200/27
# take IP from DHCP server
# rightdhcp=%dhcp
 rightauth=eap-radius
 rightsendcert=never
 eap_identity=%any
 auto=add
 dpdaction=clear

Edit /etc/ipsec.secrets private key for cert:

 : RSA privkey.pem

Run and status IPsec:

/etc/init.d/ipsec start
/etc/init.d/ipsec status
/etc/init.d/ipsec restart

UBUNTU IKEv2: STRONGSWAN + RADIUS + AD + LETSENCRYPT + IPTABLES

Оставить комментарий Отменить ответ