Strongswan + FreeRADIUS and Windows 10 clients without internet access

strongswan

I apologise for another query regarding Strongswan. I have created a Strongswan server that has multiple networks on one side and, on the other side, clients that are authorised via FreeRADIUS EAP-MSCHAPv2. Clients have access rights to specific IP addresses in the networks via Class attributes and the appropriate connection definitions in ipsec.conf:

config setup
   charondebug="all"
   uniqueids=yes
   strictcrlpolicy=no

conn %default
   keyexchange=ikev2

conn tunnel 
   reauth=no
   rightsendcert=never
   left=87.236.194.XX
   leftsubnet=192.168.80.0/24
   right=%any
   rightsubnet=0.0.0.0/0
   keyingtries=0
   ikelifetime=1h
   lifetime=8h
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   authby=secret
   auto=route
   type=tunnel

conn eap-radius
    reauth=no
    rekey=no
    forceencaps=yes
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftcert=host-vpn.der
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftid=@ikev2.domain.cz
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.80.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    rightgroups=Class1
    eap_identity=%identity
    auto=add

conn eap-radius10
    reauth=no
    rekey=no
    forceencaps=yes
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftcert=host-vpn.der
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=192.168.10.2/31,192.168.10.4/30,192.168.10.8/29,192.168.10.16/28,192.168.10.32/27,192.168.10.64/26,192.168.10.128/26,192.168.10.192/27,192.168.10.224/28,192.168.10.240/29,192.168.10.248/30,192.168.10.252/31,192.168.10.254/32
    leftid=@ikev2.domain.cz
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.80.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    rightgroups=Class10
    eap_identity=%identity
    auto=add

conn eap-radius20
    reauth=no
    rekey=no
    forceencaps=yes
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftcert=host-vpn.der
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=192.168.20.2/31,192.168.20.4/30,192.168.20.8/29,192.168.20.16/28,192.168.20.32/27,192.168.20.64/26,192.168.20.128/26,192.168.20.192/27,192.168.20.224/28,192.168.20.240/29,192.168.20.248/30,192.168.20.252/31,192.168.20.254/32
    leftid=@ikev2.domain.cz
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.80.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    rightgroups=Class20
    eap_identity=%identity
    auto=add

In the Debian firewall I have these lines:

-A POSTROUTING -s 192.168.80.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.80.0/24 -o eth0 -j MASQUERADE

My problem is that all Android, iOS and Mac OS X clients have access to the appropriate specific addresses and also to the Internet, but the Windows 10 clients do not. Because, due to some Microsoft bugs, the VPN connection wizard in past versions of Windows 10 is not able to create the EAP-MSCHAPv2 IKEv2 VPN connection properly, I have copied the following rasphone.pbk to the C:\Users\XXXX\AppData\Roaming\Microsoft\Network\Connections\Pbk Windows folder:

[radius]
Encoding=1
PBVersion=4
Type=2
AutoLogon=0
UseRasCredentials=1
LowDateTime=-1192997568
HighDateTime=30663332
DialParamsUID=191937
Guid=2F7BD8C93E1B8E4885FD6AB316030199
VpnStrategy=7
ExcludedProtocols=0
LcpExtensions=1
DataEncryption=8
SwCompression=0
NegotiateMultilinkAlways=0
SkipDoubleDialDialog=0
DialMode=0
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=0
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN2-0
PreferredDevice=WAN Miniport (IKEv2)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=0
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=0
ShowMonitorIconInTaskBar=0
CustomAuthKey=26
CustomAuthData=314442431A00000008000000010000000000000000000000
AuthRestrictions=128
IpPrioritizeRemote=1
IpInterfaceMetric=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=2
IpSecFlags=0
IpDnsSuffix=
Ipv6Assign=1
Ipv6Address=::
Ipv6PrefixLength=0
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6Prefix=0000000000000000
Ipv6InterfaceId=0000000000000000
DisableClassBasedDefaultRoute=0
DisableMobility=0
NetworkOutageTime=0
ProvisionType=0
PreSharedKey=
CacheCredentials=1
NumCustomPolicy=0
NumEku=0
UseMachineRootCert=0
NumServers=0
RouteVersion=1
NumRoutes=0
NumNrptRules=0
AutoTiggerCapable=0
NumAppIds=0
NumClassicAppIds=0
SecurityDescriptor=
ApnInfoProviderId=
ApnInfoUsername=
ApnInfoPassword=
ApnInfoAccessPoint=
ApnInfoAuthentication=1
ApnInfoCompression=0
DeviceComplianceEnabled=0
DeviceComplianceSsoEnabled=0
DeviceComplianceSsoEku=
DeviceComplianceSsoIssuer=
FlagsSet=0
Options=0
DisableDefaultDnsSuffixes=0
NumTrustedNetworks=0
NumDnsSearchSuffixes=0
PowershellCreatedProfile=0
ProxyFlags=0
ProxySettingsModified=0
ProvisioningAuthority=
AuthTypeOTP=0
GREKeyDefined=0
NumPerAppTrafficFilters=0
AlwaysOnCapable=0
PrivateNetwork=0

NETCOMPONENTS=
ms_msclient=1
ms_server=1

MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (IKEv2)

DEVICE=vpn
PhoneNumber=ikev2.domain.cz
AreaCode=
CountryCode=0
CountryID=0
UseDialingRules=0
Comment=
FriendlyName=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1

Such a Windows VPN client is able to connect properly to the appropriate IPs in the remote networks but has no access to the Internet, with one exception: Internet access works when the connection definition selected via RADIUS is the one with leftsubnet=0.0.0.0/0. When the Use default gateway on remote network option in the Advanced TCP/IP settings of the VPN connection is enabled (IpPrioritizeRemote=1), the client has access to the remote networks but not to the Internet, and if this option is disabled the client has access to the Internet but not to any of the remote networks.

I am not experienced in routing, but I suppose it should be possible to configure the Windows VPN connection to behave just like the Android, iOS and OS X connections, which are working properly and have, besides access to the specific IP addresses, also access to the Internet.

Thank you in advance for any help.
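The server side of the per-user selection above, as an added example that is not part of the question or its answer: strongswan's eap-radius plugin only compares the RADIUS Class attribute against rightgroups when class_group is switched on in strongswan.conf (it defaults to no), and FreeRADIUS has to put that Class attribute into the Access-Accept. The file paths, the RADIUS server address and shared secret, and the user names and passwords are assumptions for illustration; the group names Class1/Class10/Class20 are the ones from the ipsec.conf in the question.

```conf
# /etc/strongswan.conf (server side, assumed layout)
charon {
    plugins {
        eap-radius {
            # Treat the Class attribute of the Access-Accept as group
            # membership so that rightgroups=Class10 etc. can match.
            # Without this (default "no") no eap-radius* conn matches after
            # EAP and every RADIUS user is refused.
            class_group = yes
            accounting = yes
            servers {
                freeradius {
                    address = 127.0.0.1      # assumed: FreeRADIUS on the same host
                    secret = change-me       # placeholder shared secret
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
}

# /etc/freeradius/3.0/users (constructed entries, one user per network).
# Cleartext-Password is enough for EAP-MSCHAPv2: rlm_mschap derives the
# NT hash from it. The Class reply item selects the conn on the strongswan side.
alice   Cleartext-Password := "example-only"
        Class = "Class10"

bob     Cleartext-Password := "example-only"
        Class = "Class20"

carol   Cleartext-Password := "example-only"
        Class = "Class1"
```

When this works, charon's log for a connecting user shows the EAP authentication succeeding and then "switching to peer config 'eap-radius10'" (or 'eap-radius20'); a user whose Access-Accept carries no matching Class attribute is rejected rather than silently landing in the full-tunnel conn, which is the behaviour you want from an access-control point of view.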

Best Answer

ecdsa, thank you for pointing me in the right direction. The solution was finally quite simple. From PowerShell as administrator I created the new connection:

Add-VpnConnection -Name "radius" -ServerAddress "ikev2.domain.cz" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection

and then I added routes:

Add-VpnConnectionRoute -ConnectionName "radius" -DestinationPrefix 192.168.10.0/24 -PassThru
Add-VpnConnectionRoute -ConnectionName "radius" -DestinationPrefix 192.168.20.0/24 -PassThru

Now Windows clients are working like a charm and they have access to the appropriate IPs and the Internet too.
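The same procedure as a single idempotent script, as an added example that is not part of the answer above: it recreates the split-tunnel IKEv2 profile, pins the IKE/ESP crypto (Windows' default IKEv2 proposal still includes 3DES, SHA-1 and MODP-1024, which strongswan will accept unless its ike=/esp= lines say otherwise), adds the two routes and then checks that split tunneling is actually on and both prefixes are present. The connection name "radius", the server name ikev2.domain.cz and the two /24 prefixes are taken from the thread; the crypto parameters are an assumption and must match a proposal the server offers. Run it from an elevated PowerShell.

```powershell
# Added example, not the original poster's script. Run as administrator.
$Name     = "radius"               # connection name used in the answer
$Server   = "ikev2.domain.cz"      # must match the SAN of the server certificate
$Prefixes = @("192.168.10.0/24", "192.168.20.0/24")

# Replace any stale profile of the same name (e.g. the hand-copied rasphone.pbk entry)
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}

# -SplitTunneling keeps the client's own default route; only the prefixes added
# below are sent into the tunnel, so remote networks and the Internet work at once.
# -AuthenticationMethod EAP without an EAP XML stream gives EAP-MSCHAPv2.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
    -EncryptionLevel Required -AuthenticationMethod EAP `
    -SplitTunneling -AllUserConnection -RememberCredential

# Pin the IKEv2/ESP proposal (assumed values; the server must offer the same).
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup ECP256 -PfsGroup ECP256 -Force

# One route per remote network; RADIUS still decides which of them the
# server's traffic selectors actually permit for this user.
foreach ($p in $Prefixes) {
    Add-VpnConnectionRoute -ConnectionName $Name -AllUserConnection -DestinationPrefix $p
}

# Verify the result instead of trusting the wizard.
$conn = Get-VpnConnection -Name $Name -AllUserConnection
if (-not $conn.SplitTunneling) {
    throw "Split tunneling is off: all traffic would be forced through the VPN."
}
$present = (Get-VpnConnectionRoute -ConnectionName $Name -AllUserConnection).DestinationPrefix
foreach ($p in $Prefixes) {
    if ($present -notcontains $p) { throw "Route $p is missing from profile $Name." }
}
$conn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

Two things to keep in mind when adapting it: the client validates the server certificate against its trusted root store and against the name given in -ServerAddress, so that name has to appear as a subjectAltName in host-vpn.der or the connection fails before EAP starts; and because the routes on the client are whole /24s while the server's leftsubnet lists deliberately leave out a few addresses, packets to those left-out addresses enter the tunnel on the client and are simply dropped for lack of a matching traffic selector.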
