IRCNow

IKEv2 Windows support

Server side

OpenBSD's default /etc/ssl/openssl.cnf is very minimalist, especially if you plan to allow users on other operating systems to log in.

$ cat /etc/ssl/openssl.cnf
 
# Listing of the server's /etc/ssl/openssl.cnf as found. It follows the stock
# OpenBSD/OpenSSL layout with IRCNow-specific values substituted in several
# places. OpenSSL config syntax: '#' starts a comment (also after a value),
# '$name' expands an earlier key, '@section' refers to another section.
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
 
# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
 
# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids
 
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
 
[ new_oids ]
 
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
 
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
 
####################################################################
# 'openssl ca' reads the section named here, i.e. [ IRCNow ] below.
[ ca ]
default_ca  = IRCNow        # The default ca section
 
####################################################################
# CA working directory layout; everything below hangs off $dir.
[ IRCNow ]
 
dir     = /etc/ssl      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several certs with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.
 
certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
# The '#' directly after the path still starts a comment, so the value
# is $dir/private/cakey.pem.
private_key = $dir/private/cakey.pem# The private key
 
x509_extensions = usr_cert      # The extensions to add to the cert
 
# NOTE(review): name_opt/cert_opt take display-option keywords (the stock
# file uses 'ca_default' for both). 'IRCNow' here looks like an accidental
# search-and-replace of that keyword and is likely rejected by 'openssl ca'
# as an invalid option — confirm before relying on this file for signing.
name_opt    = IRCNow        # Subject Name options
cert_opt    = IRCNow        # Certificate field options
default_days    = 365           # how long to certify for
default_crl_days= 365           # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering
 
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match
 
# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
 
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
 
####################################################################
# Settings for 'openssl req': key size, which DN/attribute sections to use,
# and which extension sections apply to self-signed (-x509) certs and CSRs.
[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req
 
# In this section the bare field name holds the prompt text shown when
# 'openssl req' asks for the field, and <field>_default holds the default
# value. Here the prompt text has been replaced by the values themselves
# (e.g. the prompt for the country reads "TW"); the commands on this page
# pass -subj, so the prompts are not actually shown.
[ req_distinguished_name ]
countryName         = TW
countryName_default     = TW
countryName_min         = 2
countryName_max         = 2
 
stateOrProvinceName     = Taiwan
stateOrProvinceName_default = Taiwan
 
localityName            = Taichung
 
0.organizationName      = IRCNow
0.organizationName_default  = IRCNow
 
organizationalUnitName      = Operations
#organizationalUnitName_default =
 
commonName          = vpn.ircnow.org
commonName_max          = 64
 
emailAddress            = pirata@ircnow.org
emailAddress_max        = 64
 
# SET-ex3           = SET extension number 3
 
[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
 
unstructuredName        = IRCNow
 
# Extensions for the self-signed CA certificate.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# pathlen:3 permits up to three levels of subordinate CAs below this root;
# a CA that only signs end-entity certificates could use pathlen:0.
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
 
# Extensions for certificate requests / end-entity certificates.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# serverAuth is disabled, so certificates issued with this section carry no
# extended key usage; presumably this is why the Windows steps on this page
# turn off the IKE name/EKU check in the registry. Enabling it is stricter.
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names
 
[ alt_names ]
DNS.1 = vpn.ircnow.org
# NOTE(review): 'IPv4' and 'IPv6' are emitted as literal dNSName entries,
# not as addresses. Addresses belong in 'IP.1 = ...' entries — confirm intent.
DNS.2 = IPv4
DNS.3 = IPv6
 
# Extensions 'openssl ca' adds to certificates it signs (see x509_extensions).
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment           = "OpenSSL Generated Certificate"
 
[ crl_ext ]
 
authorityKeyIdentifier=keyid:always
 
[ proxy_cert_ext ]
 
basicConstraints=CA:FALSE
nsComment           = "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

We had to replicate part of /etc/ssl/openssl.cnf into a local openssl.cfg in order to generate proper keys and certificates.

$ cat openssl.cfg
 
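# openssl.cfg — local OpenSSL configuration used by the commands on this page
# (-config openssl.cfg for req/ca, -extfile openssl.cfg for x509).
# OpenSSL config syntax: '#' starts a comment, '@section' refers to another
# section. Paths are relative to the directory the commands are run from.

# NOTE(review): none of the commands on this page selects this section with
# -extensions, so it is currently unused. 1.3.6.1.5.5.8.2.2 is the IKE
# intermediate EKU commonly referred to as ikeIntermediate.
[ vpn.ircnow.org ]
keyUsage = digitalSignature,keyEncipherment
# fixed: was 'extendedkeyUsge', which OpenSSL does not recognise as an extension
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth
subjectAltName = DNS:vpn.ircnow.org
# fixed: 'CA:False' is not one of the boolean spellings OpenSSL accepts
# (TRUE/true/YES/yes/FALSE/false/NO/no); also consistent with the sections below
basicConstraints = CA:FALSE
crlDistributionPoints = URI:https://vpn.ircnow.org/ca.crl

[ ca ]
default_ca = IRCNow

# Settings read by 'openssl ca' (on this page only for -gencrl).
# index.txt must exist before 'openssl ca' runs. No 'crlnumber' is set,
# so the generated CRL is a version 1 CRL.
[ IRCNow ]
database = index.txt
default_md = default
private_key = ca.key.pem
certificate = ca.pem
x509_extensions = usr_cert
# validity in days for certificates signed by 'openssl ca' / for the CRL
default_days = 365
default_crl_days = 365

# 'openssl req': v3_ca applies to the self-signed CA cert (-x509),
# v3_req to certificate requests.
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
string_mask = utf8only

# Extensions for the self-signed CA certificate.
[ v3_ca ]
# fixed: wiki markup ("Ordered List Item") had been glued onto the value
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:3 permits up to three levels of subordinate CAs below this root;
# a CA that only signs end-entity certificates could use pathlen:0.
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

# Extensions applied to the server certificate
# (openssl x509 -req -extensions v3_req -extfile openssl.cfg).
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# serverAuth is left disabled, so the server certificate carries no extended
# key usage; presumably this is why the Windows steps on this page turn off
# the IKE name/EKU check in the registry. Enabling it here is the stricter option.
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vpn.ircnow.org
# fixed: the original 'DNS.2 = IPv4' / 'DNS.3 = IPv6' produced dNSName entries
# containing the literal strings "IPv4"/"IPv6". Addresses belong in IP.n
# entries; fill in and uncomment if clients connect by address.
#IP.1 = <server IPv4 address>
#IP.2 = <server IPv6 address>

# Extensions 'openssl ca' would add to certificates it signs.
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"

# Subject fields for 'openssl req'. The bare field name is the prompt text,
# <field>_default the default value; the commands on this page pass -subj,
# so these are not prompted for.
[ req_distinguished_name ]
countryName = TW
countryName_default = TW
countryName_min = 2
countryName_max = 2

stateOrProvinceName = Taiwan
stateOrProvinceName_default = Taiwan

localityName = Taichung

0.organizationName = IRCNow
0.organizationName_default = IRCNow

organizationalUnitName = Operations

commonName = vpn.ircnow.org
commonName_max = 64

emailAddress = pirata@ircnow.org
emailAddress_max = 64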

After some trial and error, we arrived at a combination of openssl commands that generates all the certificates and keys:

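# Prerequisites: openssl.cfg (above) in the working directory, and the CA
# private key ca.key.pem already present — no command here generates it.
# Self-signed CA certificate, extensions from [ v3_ca ].
openssl req -new -x509 -subj "/CN=IRCNow" -extensions v3_ca -days 365 -key ca.key.pem -sha256 -out ca.pem -config openssl.cfg
# Server key and request. The CN is not the hostname; the SAN from [ v3_req ]
# (vpn.ircnow.org) is what clients are expected to match against.
openssl genrsa -out vpnircnow.key.pem 2048
openssl req -subj "/CN=vpnircnow" -extensions v3_req -sha256 -new -key vpnircnow.key.pem -out vpnircnow.csr
# Sign with the CA. -extfile/-extensions re-apply [ v3_req ] from openssl.cfg,
# since 'x509 -req' does not take extensions from the CSR unless told to.
openssl x509 -req -extensions v3_req -days 365 -sha256 -in vpnircnow.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out vpnircnow.crt -extfile openssl.cfg
# Server-side bundle. It contains the server private key: keep permissions tight.
cat vpnircnow.crt ca.pem vpnircnow.key.pem > vpnircnow-ca-full.pem
# PKCS#12 bundle (prompts for an export password).
# NOTE(review): this wraps the *server's* private key. If it is published for
# clients to download, as described below, the server key is effectively
# public and the server can be impersonated; clients only need the CA
# certificate (ca.pem) to verify the server.
openssl pkcs12 -export -out vpnircnow.pfx -inkey vpnircnow.key.pem -in vpnircnow.crt -certfile ca.pem
# 'openssl ca' needs the database file named in openssl.cfg to exist, even for -gencrl.
[ -f index.txt ] || touch index.txt
openssl ca -config openssl.cfg -gencrl -out ca.crl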

Finally, host ca.crl, ca.crt and vpnIRCNoWin.pfx on httpd so that our Windows users can:

Download our certificates

Windows side

  1. Disable Windows' extended certificate checks in the Windows Registry (Run… > regedit)
    1. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\ add a DWORD value named DisableIKENameEkuCheck
    2. Save the changes and import it
  2. Follow this excellent guide from the strongSwan community and import our ca.crt certificate first (direct link above), then vpnIRCNoWin.pfx (direct link above)
  3. Make sure:
    1. Both certificates are located under Trusted Root Certification Authorities > Certificates
    2. The password of our private key is gad03efbanxg5yby
  4. Configure an IKEv2 connection using this guide if you don't know how to do that
  5. Make sure:
    1. Under Security tab, type of VPN is IKEv2
    2. Authentication is EAP + Secure password (EAP-MSCHAPv2)
    3. Under general tab, host name is vpn.ircnow.org

Last thing:

  1. Create a VPN connection under Settings > Network & Internet using this guide
    1. But run this PowerShell command instead:
Add-VpnConnection -Name "IRCNow VPN" -ServerAddress "vpn.ircnow.org" -TunnelType "Ikev2" -RememberCredential
  1. The only thing left to do is to enter your username and password.