This post will cover how to set up an IKEv2 VPN server on an Edgerouter for dialing back home.
In this scenario we will route all client traffic through the tunnel. You can change that if you like.
What do you need:
- ROOT CA installed on the client (in my case my laptop)
- Server End Entity Certificate on the Edgerouter (basically a certificate signed by the ROOT CA) including its private key (the certificate also needs the external DNS record as a subject alternative name).
- a DNS A-Record pointing to your Edgerouter's static IP (if you use a dynamically allocated one from your ISP, check this post regarding Dynamic DNS)
- Admin access on the laptop / device
The first thing you want to do is to create the config files on the Edgerouter. They will be located in
/config/user-data and will store our good stuff. The files we need are:
- ki-vpn.ipsec - stores the general configuration of the VPN server
- ki-vpn.secrets - is the user database and also stores the location of the certificate's private key
You can name the files differently if you like. But remember the names, we will need them for sourcing the specific config file.
Open the default ipsec.conf:
sudo vi /etc/ipsec.conf then change the file to look like this and save it:
Do the same for ipsec.secrets:
sudo vi /etc/ipsec.secrets then change the file to look like this and save it:
Remember to change filenames where needed.
Now let's move on to the actual config itself:
Here make sure to adapt lines 12, 17 and 18 to fit your setup.
Line 12 is the path to your Server End Entity Certificate.
Line 17 is the address range your VPN clients will receive.
Line 18 is the default DNS server the VPN will hand out to clients.
As mentioned, this file stores the user accounts and credentials as well as the location of the certificate's private key. Adapt line 1 to your private key file. For the user credentials you have several options.
Since my laptop is a Windows machine joined to my domain I have entered the login in the form of Active Directory:
KI\alexp : EAP "Password" so I can make use of the auto domain account login
If you don't use a domain at all or want to manually login just specify your login like this:
alexp : EAP "Password"
Of course make sure to change the username to match your desired one ;)
The final step, after all is saved, is to restart the starter service to load the new config. Simply do a
sudo ipsec restart and the service will restart. Next we need to configure Windows to use stronger ciphers.
The reason behind this is that by default the Windows Agile VPN Client only offers AES-128-CBC, AES-192-CBC, AES-256-CBC, 3DES, SHA-1, SHA-256, SHA-384 and MODP-1024. Follow this link for a detailed explanation and fix.
In my case, since I'm running my own domain, I ship this via GPO in mode 1, which means Windows will make use of the feature but does not enforce it. This way I still have options available.
Also make sure that the ROOT CA is installed in the Trusted Root Certification Authorities store.
Once done you can set up a new VPN as per your operating system's manual and connect to your new VPN. For Windows the following settings are required:
General Tab Hostname: dns-record.domain.com
Security Tab Type of VPN: IKEv2 // Data encryption: Maximum strength encryption // Authentication: Microsoft: Secured password (EAP-MSCHAP v2)
Sample using PowerShell to set this up right away:
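The post's own PowerShell sample is not reproduced on this page. What follows is an added example, not the author's script, that creates the connection with the General/Security tab settings listed above and then applies a per-connection IPsec policy (AES-256, SHA-256, DH group 14) instead of the GPO/registry approach the post links to. It assumes the connection name "Home", the placeholder hostname dns-record.domain.com, that the Edgerouter's ike/esp proposals accept those algorithms, and that Windows picks Secured password (EAP-MSCHAP v2) as the default EAP method when no EAP XML is supplied.

```powershell
# Added example (not the post's own sample). Run in an elevated PowerShell on the client.
$Name   = 'Home'                    # assumed connection name
$Server = 'dns-record.domain.com'   # placeholder: your A-record from the General tab

# Remove a stale connection of the same name so the script can be re-run safely.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# Security tab equivalents: IKEv2, maximum-strength encryption, EAP.
# No -EapConfigXmlStream is given, so Windows uses its default EAP method,
# assumed here to be Secured password (EAP-MSCHAP v2).
# -UseWinlogonCredential matches the DOMAIN\user entry in ipsec.secrets;
# drop it if you log in manually with a plain "user : EAP" entry.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType IKEv2 `
    -EncryptionLevel Maximum `
    -AuthenticationMethod Eap `
    -RememberCredential `
    -UseWinlogonCredential

# Replace the default proposal set (AES-CBC / SHA-1 / MODP-1024 among them)
# with a custom policy: AES-256, SHA-256 and DH group 14 (2048-bit MODP).
# The Edgerouter's ike= and esp= lines must include a matching proposal,
# otherwise IKE_SA_INIT fails with NO_PROPOSAL_CHOSEN.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 `
    -Force

# Verify the result before dialing: split tunneling should be False (all
# traffic goes through the tunnel) and the custom policy should be listed.
$vpn = Get-VpnConnection -Name $Name
$vpn | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod, SplitTunneling
$vpn.IPsecCustomPolicy
```

Dial with rasdial "Home" afterwards, and confirm the negotiated algorithms on the Edgerouter side with sudo ipsec statusall.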
That's it, you're done.
Over and Out,