Dynamic S2S VPNs


Task:

Create site-to-site (S2S) interfaces for dynamic IKEv2 VPN clients (e.g., iPhones).  Assign different cryptographic algorithms to each S2S interface.

What are dynamic S2S VPNs?

 S2S VPNs usually support static VPN endpoints.  For example, a dedicated (i.e., always-on) VPN that connects a branch office to its HQ office.  However, S2S VPNs can also connect mobile clients for dynamic connections.   This hybrid approach is for special circumstances.

Why use dynamic S2S VPNs?

Most folks should stick with the default RRAS dial-up VPN server.  It provides better management and reporting tools.  However, dynamic S2S VPNs support configuration features that are unavailable with the standard RRAS client VPNs.

For example, dial-up IKEv2 VPNs may authenticate any certificate issued from one of its trusted root certificates.  S2S VPNs can limit authentication to specific client certificates.  The best part, IMHO,  is the ability to apply unique cipher suites per S2S interface.  For example, we can create separate S2S interfaces for each client -including unique cipher suite standards.

How do we implement dynamic S2S VPNs?

PowerShell offers a straight-forward method to implement S2S VPNs.  However, consider using a GUI-Powershell hybrid approach that supports additional client management features.

Dynamic S2S via PowerShell:

The following example creates a new S2S interface with strong security targets:
• Certificate authentication
• IKEv2 Protocol
• Main Mode:   AES128-SHA256-DHGroup14
• Quick Mode:   AES256-SHA256

Add-VpnS2SInterface -name smj@stevenjordan.net -CustomPolicy -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod aes128 -IntegrityCheckMethod SHA256 -Destination 0.0.0.0 -Protocol IKEv2 -AuthenticationMethod MachineCertificates -ResponderAuthenticationMethod MachineCertificates -EncryptionType RequireEncryption

The interface name always matches the authentication certificate's subject name.  Some clients (e.g., iPhone) require a matching subject common name and matching subject alternative name (SAN) DNS name.  This attribute associates the authentication certificate with the S2S interface.  The destination flag is set to accept connection requests from any IP (i.e., it's dynamic).

Don't forget to lock down the VPN server.  Enforcing subject names does not secure the server.  Recall, Windows VPN server leaves its front door wide open -by default.  Windows VPN security requires manual changes:  http://www.stevenjordan.net/2016/10/door-wide-open-on-win-ikev2.html

Managing S2S connections via PowerShell:

Managing client connections is cumbersome compared to traditional RRAS client VPN tools.  For example, RRAS and Remote Access Management provide simple GUI tools to manage dial-up connections (Figure 1).  However, Remote Access Clients does not display S2S connections.  Additionally, RRAS Network Interfaces does display S2S interfaces by deafult.

Figure 1.  RRAS Client Connections.
The RRAS management GUI does not play well with dynamic S2S connections.  The Remote Access Clients tab does not display active connections.  However, the GUI will display active IKEv2 WAN Miniports:

Figure 2.  Active WAN Miniports.  Good enough.
PowerShell provides a better method to view active S2S connections:
PS C:\Users\SMJ> Get-VpnS2SInterface
RoutingDomain Name Destination AdminStatus ConnectionState
------ ------- ----------- ----------- ---------------
XXXXXX-XXXX-SMJ {0.0.0.0} True Connected

Dynamic S2S GUI-Powershell Hybrid

Alternately, create dynamic S2S interfaces with the RRAS GUI.  This approach offers some S2S client management benefits.  Keep in mind, these S2S interfaces use default cryptographic algorithms.  We'll need to modify S2S security targets with PowerShell:

Step 1.  RRAS → VNS server → Right-click Network Inerfaces → New Demand-Dial Interface:

• Interface Name:  Certificate's subject common name.
• Connection Type:  VPN → Next
• VPN Type:  IKEv2 → Next
• Hostname:  None (leave blank) → Next
• Protocols & Security:  Route IP packets on this interface → Next
• Static Routes:  None (or add based on your organization's needs).
• Dial-Out Credentials:  None → Next → Finish.

Step 2:  Edit S2S interface properties → Options tab.
• Connection type:  Persistent connection →  OK.

Step 3:  Edit security targets for S2S interface in PowerShell.
PS C:\Users\SMJ> Set-VpnS2SInterface -name xxxx-xxxx-SMJ -CustomPolicy -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod aes256 -IntegrityCheckMethod SHA256 -EncryptionType RequireEncryption

WARNING: VPN site-to-site adapter xxxx-xxxx-SMJ will be modified and the parameters 
other than IPv4Subnet/IPv6Subnet will be applicable next time the connection is dialed.

Check Hybrid S2S Connection from GUI:

 RRAS → VNS server → Network Interfaces:  Connection Status


Figure 3.  S2S connection status via RRAS GUI.

The RRAS Network Interface GUI now includes a list of S2S interfaces and connection status.  It also provides a simple method to disconnect or disable client connections.

Troubleshoot:

Use PowerShell to check server IPsec crypto-sets:
• Get-NetIPsecMainModeCryptoSet
• Get-NetIPsecQuickModeCryptoSet


Confirm server-client security targets work as intended:
• Get-VPNS2SInterface
• Get-NetIPsecMainModeSA
• Get-NetIPsecQuickModeSA

I also recommend using the Best Practice Analyzer (BPA) to check for any obvious S2S security warnings.
https://technet.microsoft.com/en-us/library/ee922676(v=ws.10).aspx


That's It!

4 Comments

  1. How can I configure client to connect to this type of VPN?

    ReplyDelete
    Replies
    1. It depends on your client. Native Android clients connect fine. Windows clients require matching cryptographic algorithms:

      http://www.stevenjordan.net/2016/11/android-ikev2-client-setup.html?showComment=1479772603458#c348327656175934951

      http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html

      Good luck!

      Delete
  2. But I should use separate network adapter and DNS name?

    ReplyDelete
    Replies
    1. In regard to RRAS, it’s best practice to use a two server NIC configuration. However, RRAS VPNs can work with only one server NIC. However, I suspect your question is in regard to S2S interfaces. If that’s the case then I recommend a 1:1 S2S-to-client ratio. In other words, dedicate one S2S interface per S2S client. If it helps, try to think of each S2S client as a separate branch office.

      Delete

My Instagram