[strongSwan] Ikev2 wildcards with MacOs clients

bls s bls3427 at outlook.com
Thu Oct 11 16:34:36 CEST 2018


In the general sense it’s secure, since the connection is validated by the certs. However, in your particular use case, it does seem that a user could change the Remote ID and access the other VPN subnet. I can’t think of a way offhand to use a cert-based implementation to avoid that, other than using two VPNs, one for each subnet group (with each VPN having a separate root CA cert so no crossover is possible).

Even if you went to an id/password-based mechanism, you’ll need some way to distinguish the groups. A connection per user would get you there, but that will dramatically increase management complexity, so two VPN servers might be a more management-efficient approach.

From: Matthieu Nantern <matthieu.nantern at margo.com>
Sent: Thursday, October 11, 2018 6:47 AM
To: bls3427 at outlook.com
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

It's working, but I'm wondering if it's really secure? A user can just change their Remote ID and gain access to the other networks, no?

I want something that is server side. I can create one connection for each user, but it's ugly!

On Mon, 8 Oct 2018 at 21:05, bls s <bls3427 at outlook.com> wrote:
Definitely interested in seeing it replicated. As an aside, I updated my CA management app https://github.com/gitbls/pistrong with more flexibility to generate this type of VPN cert. Unfortunately, it’s fully built around swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration. But, if you run into any issues, happy to help you wrangle it into debug mode to use that part of the tool.

From: Matthieu Nantern <matthieu.nantern at margo.com>
Sent: Sunday, October 7, 2018 11:23 PM
To: bls3427 at outlook.com
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Very good idea! I will try that this week and will let you know if it works!

Thank you!

On Sun, 7 Oct 2018 at 00:17, bls s <bls3427 at outlook.com> wrote:

I just did a quick test using my iPhone, and it appears to work just fine. Using 2 strongSwan profiles, each profile has a different VPN cert, with different altNames in the cert. By changing the Remote ID on iOS I was able to authenticate with each of the 2 profiles.
From: bls s <bls3427 at outlook.com>
Sent: Friday, October 5, 2018 6:54 AM
To: Matthieu Nantern <matthieu.nantern at margo.com>
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
I haven't looked into this in detail, but could you use different VPN certs for each subnet? Each VPN cert would be in a different conn section, and they would have different altNames (SAN). If I understand the MacOS VPN config correctly (looks a lot like iOS), when certs are installed onto MacOS, you can specify the Remote ID, which is the SAN that matches that of the VPN cert.

From: Matthieu Nantern <matthieu.nantern at margo.com>
Sent: Thursday, October 4, 2018 11:31 PM
To: bls3427 at outlook.com
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

We are using certificates (one for each client device), but I have 2 networks: n1 and n2. And I want some users to be able to access n1 and others n1 + n2.


I wanted to make the distinction by using a conf like that:


conn alice
        leftsubnet=10.1.0.10/32
        right=%any
        rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
        auto=add

conn venus
        leftsubnet=10.1.0.20/32
        right=%any
        rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
        auto=add

But unfortunately, with the macOS client I don't have the Distinguished Name but only the FQDN:


ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastname at test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o


And if you compare that with the StrongSwan Android client:


ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastname at test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o


So I cannot route my users according to their certificates, and I was wondering what I can do?



On Thu, 4 Oct 2018 at 19:42, bls s <bls3427 at outlook.com> wrote:

Someone will likely explain why using certificates sucks, but if you use certificates (one for each client device) you'll have fine-grained user access control (by revoking/deleting certs), and you don't need to list all the enabled certs anywhere in your config file.

From: Users <users-bounces at lists.strongswan.org> on behalf of Matthieu Nantern <matthieu.nantern at margo.com>
Sent: Thursday, October 4, 2018 8:41 AM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Is it possible to have multiple email addresses in the "rightid" parameter? Maybe I can list all authorized users for each server instead of relying on Distinguished Names?



On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern <matthieu.nantern at margo.com> wrote:

Hi!


I installed strongSwan to allow my users (mainly Mac OS X clients) to use the native IKEv2 authentication. Everything is working fine.


Now I would like to implement something like this: https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html, allowing some clients to access some networks and not others.


Unfortunately, I didn't see (or understand) the issue on that page (https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):


ASN.1 Distinguished Names can't be used as identities because the client currently sends them as identities of type FQDN.


As a result, when I put rightid in my configuration it's not working, because macOS is only sending an FQDN (an email address in my case) and not the Distinguished Name.



My question is: how can I allow (or deny) some networks to some users?



I have a file that associates email addresses to "roles", but I don't know how to use it. Maybe a plugin?


Any ideas/links?


Thank you!

--

Matthieu Nantern


--

Matthieu Nantern
SRE, Margo Bank
+33683148506
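The "one connection per user" approach discussed in this thread, as an added example that is not from the thread or from the strongSwan project: a small Python generator that turns the email-to-role file Matthieu mentions into ipsec.conf conn sections, one per user, with rightid set to the e-mail identity the macOS client actually presents (strongSwan then checks that identity against the client's certificate, so a user cannot pick another user's conn by changing an ID). Role names, subnets, users and the vpn.test.net leftid are constructed sample data; leftcert and the other shared settings are assumed to live in an existing conn %default.

```python
"""Generate one ipsec.conf conn section per user from an email -> role file.

Added example (not from the thread). All data below is constructed.
"""
from __future__ import annotations

# Role -> subnets that role may reach. n1/n2 follow the thread's naming;
# the prefixes themselves are constructed.
ROLE_SUBNETS = {
    "n1": ["10.1.0.0/24"],
    "n1n2": ["10.1.0.0/24", "10.2.0.0/24"],
}

# Constructed sample of the email -> role file ("<email> <role>" per line).
SAMPLE_ROLES_FILE = """\
# email               role
alice@example.org     n1
bob@example.org       n1n2
"""


def parse_roles(text: str) -> list[tuple[str, str]]:
    """Return (email, role) pairs; skip blanks/comments; reject malformed lines."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or "@" not in parts[0]:
            raise ValueError(f"line {lineno}: expected '<email> <role>', got {raw!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def conn_name(email: str) -> str:
    """Derive a unique, shell-safe conn name from the e-mail identity."""
    return "user-" + "".join(c if c.isalnum() else "-" for c in email)


def render_conn(email: str, role: str, server_id: str = "vpn.test.net") -> str:
    """One conn section: rightid is the e-mail SAN the client sends as its IKE
    identity, leftsubnet is what this user may reach. Unknown roles fail closed."""
    if role not in ROLE_SUBNETS:
        raise KeyError(f"{email}: unknown role {role!r}")
    subnets = ",".join(ROLE_SUBNETS[role])
    return "\n".join([f"conn {conn_name(email)}", f"        leftid={server_id}",
                      f"        leftsubnet={subnets}", "        right=%any",
                      f"        rightid={email}", "        auto=add", ""])


def render_all(text: str) -> str:
    """Render every user in the roles file as its own conn section."""
    return "\n".join(render_conn(e, r) for e, r in parse_roles(text))
```

Regenerate and `ipsec reload` whenever the roles file changes; a user removed from the file loses their conn, and a revoked certificate still fails at the pubkey check regardless of the conn.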