IKE2 Remote Access

Hi

I tried to configure IKE2 remote access, however, it didn’t work from Windows 10 and the error message was ‘Policy match error’.

Can anyone help me with this issue? I have no idea how to debug the error, neither in VyOS nor in Windows… Is there a debug-like command in VyOS? Thanks!

I found this connection error in Windows Event Viewer, but no details were provided. I read on the Microsoft website:

It seems that all IKE/IPSec parameters configured are supported by Windows 10…

VyOS I used is VyOS 1.4-rolling-202202150317

Here are configurations:

generate pki ca install R1_C3_CA_ROOT
generate pki certificate sign R1_C3_CA_ROOT install R1_RWU_CERT

set vpn ipsec esp-group ESP-RWU compression 'disable'
set vpn ipsec esp-group ESP-RWU lifetime '3600'
set vpn ipsec esp-group ESP-RWU pfs 'disable'
set vpn ipsec esp-group ESP-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RWU proposal 10 hash 'sha256'

set vpn ipsec ike-group IKE-RWU key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RWU lifetime '7200'
set vpn ipsec ike-group IKE-RWU mobike 'enable'
set vpn ipsec ike-group IKE-RWU proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RWU proposal 10 hash 'sha256'

set vpn ipsec remote-access pool ra-rwu-ipv4 name-server '8.8.8.8'
set vpn ipsec remote-access pool ra-rwu-ipv4 prefix '172.16.101.0/24'

set vpn ipsec remote-access connection rwu authentication id '172.16.101.1'
set vpn ipsec remote-access connection rwu authentication server-mode 'x509'
set vpn ipsec remote-access connection rwu authentication x509 ca-certificate 'R1_C3_CA_ROOT'
set vpn ipsec remote-access connection rwu authentication x509 certificate 'R1_RWU_CERT'
set vpn ipsec remote-access connection rwu esp-group 'ESP-RWU'
set vpn ipsec remote-access connection rwu ike-group 'IKE-RWU'
set vpn ipsec remote-access connection rwu local-address '172.16.101.1'
set vpn ipsec remote-access connection rwu pool 'ra-rwu-ipv4'

set vpn ipsec remote-access connection rwu authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rwu authentication local-users username vyos password 'vyos'

generate ipsec profile windows-remote-access rwu remote "r1.my_domain.com"

Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "r1.my_domain.com" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup "Group14" -PassThru -Force

Also, an IPv4 address to FQDN entry was added to the "hosts" file in Windows 10, as recommended in "VyOS Platform Blog - PKI and IPSec IKEv2 remote-access VPN".

Hope that someone can point out what mistake(s) I made on this configuration, thanks!

More information: the CA certificate "R1_C3_CA_ROOT" was imported into Windows under "Trusted Root Certification Authorities"…

Firewall rules added for IKE/IPsec
set firewall name OUTSIDE-LOCAL rule 30 description 'allow IPSEC'
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 destination port '500'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 description 'allow IKE2'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 50 description 'allow ESP'
set firewall name OUTSIDE-LOCAL rule 50 action 'accept'
set firewall name OUTSIDE-LOCAL rule 50 protocol 'esp'

Hi,
Did you make sure that the EKU (Extended Key Usage) in the Certificate had the “Server Authentication” and “Client Authentication” attributes?

Hi joolli

I didn't know about EKU, let me re-generate the certificate and try again. The EKU attributes are only required on the server certificate (in my case, the R1_RWU_CERT), right?

Anyway, thanks a lot for your advice.

I tried to capture the process from Windows; there were only two ISAKMP messages. The first one was Windows sending out an 'Initiator Request', the second one was the response from VyOS; however, the server responded 'NO_PROPOSAL_CHOSEN'.

Is it possible to troubleshoot this issue in VyOS…?

It seems that your proposal does not match the VyOS configuration.

Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup "Group14" -PassThru -Force

You have a different configuration in your current proposal. If you want to have a debug session on VyOS, run the following command:

generate ipsec debug-archive

Also, there is a post in our forum for Linux, but it can be useful.
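A NO_PROPOSAL_CHOSEN in the IKE_SA_INIT reply is what strongSwan (the IKE daemon behind VyOS) sends both when no algorithm proposal overlaps and when no connection matches the address the request arrived on, which is what this thread eventually turned out to be. The algorithm half of that check can be done offline before touching the router. The script below is an added example for this thread, not code from VyOS or Microsoft: it reads the `set vpn ipsec ike-group`/`esp-group` lines and the `Set-VpnConnectionIPsecConfiguration` command as posted, translates the Windows values into VyOS names, and reports per proposal which parameters differ. The name tables, the VyOS `pfs` default of `enable`, and the treatment of AES-GCM as carrying its own integrity are assumptions; the sample inputs are the thread's own lines plus one constructed mismatching command.

```python
"""Proposal-compatibility check: VyOS remote-access IPsec vs. a Windows IKEv2 client.

Added example for this thread, not VyOS or Microsoft code. The name tables are
assumptions drawn from the strongSwan/VyOS algorithm names and the documented
Set-VpnConnectionIPsecConfiguration values; they cover common settings only.
"""
import shlex

# Windows parameter value -> VyOS/strongSwan algorithm name (assumed mapping)
WIN_CIPHER = {
    "AES128": "aes128", "AES192": "aes192", "AES256": "aes256",
    "GCMAES128": "aes128gcm128", "GCMAES256": "aes256gcm128",
}
WIN_HASH = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384"}
WIN_DH = {"Group2": "2", "Group14": "14", "ECP256": "19", "ECP384": "20", "Group24": "24"}
# -PfsGroup value -> VyOS 'esp-group <name> pfs' value
WIN_PFS = {
    "None": "disable", "PFS2": "dh-group2", "PFS2048": "dh-group14",
    "ECP256": "dh-group19", "ECP384": "dh-group20", "PFS24": "dh-group24",
}
AEAD_SUFFIXES = ("gcm64", "gcm96", "gcm128", "ccm64", "ccm96", "ccm128")


def _unquote(token):
    # Forum copy/paste turns ' and " into curly quotes; accept both.
    return token.strip("'\"\u2018\u2019\u201c\u201d")


def parse_vyos(config_text):
    """Collect ike-group/esp-group proposals and the ESP pfs setting from 'set' lines."""
    groups = {"ike-group": {}, "esp-group": {}}
    for raw in config_text.splitlines():
        tokens = [_unquote(t) for t in raw.split()]
        if tokens[:3] != ["set", "vpn", "ipsec"] or len(tokens) < 7 or tokens[3] not in groups:
            continue
        kind, name, rest = tokens[3], tokens[4], tokens[5:]
        # Assumption: VyOS defaults pfs to 'enable' (same DH group as the IKE SA)
        group = groups[kind].setdefault(name, {"proposals": {}, "pfs": "enable"})
        if rest[0] == "proposal" and len(rest) == 4:
            group["proposals"].setdefault(rest[1], {})[rest[2]] = rest[3]
        elif rest[0] == "pfs" and len(rest) == 2:
            group["pfs"] = rest[1]
    return groups


def parse_windows(command):
    """Map the '-Parameter value' pairs of a Set-VpnConnectionIPsecConfiguration line to a dict."""
    tokens = shlex.split(command.replace("\u201c", '"').replace("\u201d", '"'))
    params = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            params[tok[1:].lower()] = nxt if nxt and not nxt.startswith("-") else True
    return params


def windows_proposals(params):
    """Translate the Windows parameters into one IKE proposal, one ESP proposal and a pfs value."""
    ike = {
        "encryption": WIN_CIPHER[params["encryptionmethod"]],
        "hash": WIN_HASH[params["integritycheckmethod"]],
        "dh-group": WIN_DH[params["dhgroup"]],
    }
    cipher = WIN_CIPHER[params["ciphertransformconstants"]]
    esp = {"encryption": cipher}
    # AEAD ciphers carry their own integrity: Windows repeats the GCM constant as the
    # authentication transform and no separate ESP integrity algorithm is negotiated, so
    # the VyOS 'hash' value is not compared for them (assumption, consistent with the
    # working configuration in this thread).
    if not cipher.endswith(AEAD_SUFFIXES):
        esp["hash"] = WIN_HASH[params["authenticationtransformconstants"]]
    return ike, esp, WIN_PFS[params.get("pfsgroup", "None")]


def _diff(vyos_prop, wanted):
    """Keys on which a VyOS proposal and the client's proposal disagree: {key: (vyos, client)}."""
    return {k: (vyos_prop.get(k), v) for k, v in wanted.items() if vyos_prop.get(k) != v}


def check_compat(vyos_config, windows_command, ike_group, esp_group):
    """Report whether any IKE and any ESP proposal of the named groups can match the client."""
    groups = parse_vyos(vyos_config)
    ike_cfg, esp_cfg = groups["ike-group"][ike_group], groups["esp-group"][esp_group]
    win_ike, win_esp, win_pfs = windows_proposals(parse_windows(windows_command))

    ike_diffs = {n: _diff(p, win_ike) for n, p in ike_cfg["proposals"].items()}
    matching_ike = [n for n, d in ike_diffs.items() if not d]

    # 'pfs enable' means "re-use the DH group of the IKE proposal that was selected"
    vyos_pfs = esp_cfg["pfs"]
    if vyos_pfs == "enable" and matching_ike:
        vyos_pfs = "dh-group" + ike_cfg["proposals"][matching_ike[0]]["dh-group"]
    esp_diffs = {}
    for n, p in esp_cfg["proposals"].items():
        d = _diff(p, win_esp)
        if vyos_pfs != win_pfs:
            d["pfs"] = (vyos_pfs, win_pfs)
        esp_diffs[n] = d
    matching_esp = [n for n, d in esp_diffs.items() if not d]
    return {"ike_ok": bool(matching_ike), "esp_ok": bool(matching_esp),
            "ike_diffs": ike_diffs, "esp_diffs": esp_diffs}


# The groups posted in this thread (straight quotes, as typed on the VyOS CLI)
VYOS_CONFIG = """
set vpn ipsec esp-group ESP-RWU pfs 'disable'
set vpn ipsec esp-group ESP-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RWU proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RWU key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RWU proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RWU proposal 10 hash 'sha256'
"""
# The client command posted in the thread
WINDOWS_OK = ('Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" '
              '-AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 '
              '-EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -PfsGroup None '
              '-DHGroup "Group14" -PassThru -Force')
# Constructed variant that disagrees on every parameter, to show the report
WINDOWS_BAD = ('Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" '
               '-AuthenticationTransformConstants SHA1 -CipherTransformConstants AES256 '
               '-EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -PfsGroup PFS2048 '
               '-DHGroup Group2 -PassThru -Force')

if __name__ == "__main__":
    for label, cmd in (("thread command", WINDOWS_OK), ("constructed mismatch", WINDOWS_BAD)):
        report = check_compat(VYOS_CONFIG, cmd, "IKE-RWU", "ESP-RWU")
        print(f"{label}: IKE {'ok' if report['ike_ok'] else report['ike_diffs']}, "
              f"ESP {'ok' if report['esp_ok'] else report['esp_diffs']}")
```

For the thread's own lines the report comes back clean on both the IKE and the ESP proposal, which is consistent with the later finding that the algorithms were never the problem; when the script reports mismatches, fix those first, and when it reports none, look at the `local-address` and the journal output of `generate ipsec debug-archive` next.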

Thanks Fernando,

The problem was found in journal log.

I misunderstood the command 'set vpn ipsec remote-access connection "name" local-address "ip"'. "ip" shall be the IP address of the outside interface.

After this amendment, the ike2 remote access configuration works… Thanks all…


To whoever reads this post:

After completing the above steps, IKEv2/IPsec can be established with VyOS. But the VPN clients cannot communicate with hosts in the inside network…

It should be due to NAT happening before IPsec. The firewall rules below are used to stop NAT from happening when the traffic is destined for the VPN clients.

set firewall name INSIDE-IN default-action 'accept'
set firewall name INSIDE-IN rule 10 action 'drop'
set firewall name INSIDE-IN rule 10 destination address '172.16.101.0/24'
set firewall name INSIDE-IN rule 10 protocol 'ip'
set interfaces ethernet eth1 firewall in name 'INSIDE-IN'

After these firewall rules were applied to the inside interface, the IKEv2/IPsec configuration seems to work as expected.
