Tuesday, October 27, 2015

Fun with IPSec IKEv2 for remote access

The *emerging IKEv2 standard enables roaming clients to finally use ipsec to a full extent and without the hasle of being disconnected or struggling with other finnicky problems.

Microsoft have supported the IKEv2 on client side since 2009 from Windows 7 and onwards, but their half assed implementation is a sad example on how in their typical way like to break good standard with their own interpretation, or the lack of.

Short summary Microsoft as a IKEv2 client:

  • Ignores the (TS) traffic selectors when setting up routes
  • Cannot set local and remote ID
  • Forced dead peer detections
  • Hardcoded rekeying intervals
  • Drops SA_Child when no traffic, 5 minutes hardcoded
  • Uses classfull routing or any traffic via vpn
  • Must add routes after connect for windows 8 and older when not using the brainless microsoft routing defaults
  • Particular regard Diffie Helmann, anything but group 2 and the clients drops sa child when behind NAT and rekeying.
  • +++
In particular the ignoring of the TS sent from server causes a great deal of problems when you do not want to use the default routing decisions which in most cases means any corporate or bigger scale implementations.


Apple as a IKEv2 client:

  • Supports the full implementation, really not much to says
  • Additional setting such as encryption, timeouts etc must be set through a config profile
  • DNS and split DNS setting not supported via ikev2 payload, only through config profile
    • Rumours says that Apple will support the new upcoming rfc for nameresolution/splitdns payload through ikev2



* IKEv2 is indeed not a new standard, been there for years through weel known RFC's. But now Apple have started to support it both on desktop and portable platforms and I think this will open the eyes of many.

Solutions for connecting clients

Microsoft windows 8 and older
Use the dreaded CMAK tool from Microsoft. CMAK is cumbersome, full of bugs and generally sucks.

Microsoft Windows 8.1 and never
Use powershell script to setup proper connection to allow splittunneling of reasons explained earlier.

Apple OS X 10.11
Use the builtin IKEv2 vpn capabillity. Fully supports IKEV2 except for DNS. Need to use configuration profile to support splitdns or dns at all since the current implementation does not install the dns received by ikev2 payload correctly.

Apple OS X 10.10 and older
Use the StrongSWAN native client, this fully supports ikev2, but not splitdns.

Apple IOS 8
Use profile as explained for OS X

Apple IOS 9
Use builtin vpn setup or use configuration profile to acheive split dns.

Android
Use StrongSWAN client downloadable via Google Play



at

1 comment:

Calvin said...

Thanks for writingg

October 18, 2024 at 5:12 PM

Post a Comment

Subscribe to: Post Comments (Atom)

VoWifi leaking IMSI

This is mostly a copy of the working group two blog I worked for when the research was done into the fields of imsi leakage when using voice...

  • StrongSWAN for IPSec IKEv2 remote access server
    Finding the configuration sweetspot to allow any client to connection is a lenghty and tiresome process, must due to the lack of document...
  • Expanding a ZFS pool
    As some users of ZFS come asks - is it possible to expand a pool? The standard answer per zfs manual is to add more devices or vdevs (raidz,...
  • Elasticsearch and stemming
    Main use of Elasticsearch is storing logs, and lot's of them. Searching throught the data suing Kibana frontend is awesome and one usual...