Sunday, October 2, 2016

configure ipsec remote access with strongswan

*** setup information
server: ip : 192.168.202.243
             virtual ip pool:  172.16.16.0/24
             subnet to be routed: 0.0.0.0/0
client: ip : 192.168.202.242

*** server
1- install packages
$ sudo apt-get install strongswan strongswan-plugin-eap-mschapv2

2- generate keys and certificates for the ca, the server and the client

- ca
$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
$ chmod 600 private/strongswanKey.pem
$ ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem


- server
$ ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
$ chmod 600 private/vpnHostKey.pem
$ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=vpn.domain1.test" --san vpn.domain1.test --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem


- client
$ ipsec pki --gen --type rsa --size 2048 --outform pem > private/client1.pem
$ chmod 600 private/client1.pem
$ ipsec pki --pub --in private/client1.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=client1@domain1.test" --san client1@domain1.test --outform pem > certs/client1.pem


- export the client certificate, its private key and the ca certificate to p12 format
$ openssl pkcs12 -export -inkey private/client1.pem -in certs/client1.pem -name "client1 Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out client1.p12

3- setup route policy and iptables (the policy match rule has to be added before the MASQUERADE rule: the first matching rule in the nat POSTROUTING chain wins, so with MASQUERADE first the ipsec exemption would never be reached)
# echo 1 > /proc/sys/net/ipv4/ip_forward
$ sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ens33 -j MASQUERADE


4- configure strongswan/ipsec by modifying the following files
- /etc/strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon.log {
            append = no
            default = 1
            flush_line = yes
        }
        stderr {
            ike = 2
            knl = 3
        }
    }
    syslog {
        daemon {
        }
        auth {
            default = -1
            ike = 0
        }
    }
}
include strongswan.d/*.conf




- /etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
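The ike= and esp= lists in the %default section above still carry sha1 and modp1024 entries. The Python script below is an added check, not part of this post and not strongSwan's own parser: it reads an ipsec.conf-style text (a trimmed copy of the configuration above, constructed inline), resolves the %default and also= inheritance for every conn, and flags proposal components that should not be offered any more. The WEAK_COMPONENTS table and the sample text are this example's own assumptions.

```python
"""Audit ipsec.conf conn sections for weak IKE/ESP proposal components.

Added example for the strongSwan server configuration above.  It is a
small reader of ipsec.conf-style text, not strongSwan's own parser.
"""

# Assumption of this example: components a deployment should no longer
# offer.  The page's proposal strings include sha1 and modp1024.
WEAK_COMPONENTS = {
    "modp1024": "1024-bit DH group (too small)",
    "modp1536": "1536-bit DH group (below the 2048-bit minimum)",
    "sha1": "SHA-1 integrity/PRF",
    "md5": "MD5 integrity/PRF",
    "3des": "3DES cipher",
}

# Constructed, trimmed copy of the ipsec.conf shown above.
SAMPLE_CONF = """\
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp2048,aes128-sha256-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes256-sha1-modp1024,aes128gcm16!
    dpdaction=clear
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.16.0/24
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {"conn NAME" / "config setup": {key: value}} for each section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header at column 0
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None:          # indented key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name, _seen=None):
    """Merge conn %default, then the also= chain, then the conn's own keys."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f"also= loop at {name}")
    _seen.add(name)
    merged = dict(sections.get("conn %default", {}))
    own = sections[f"conn {name}"]
    if "also" in own:
        merged.update(effective_conn(sections, own["also"], _seen))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def weak_proposals(proposal_string):
    """Return [(proposal, component, reason)] for every weak component found."""
    findings = []
    for proposal in proposal_string.rstrip("!").split(","):
        for part in proposal.split("-"):
            if part in WEAK_COMPONENTS:
                findings.append((proposal, part, WEAK_COMPONENTS[part]))
    return findings


def audit(text):
    """Per-conn summary: key exchange, peer auth method and weak proposal parts."""
    sections = parse_ipsec_conf(text)
    report = {}
    for section in sections:
        if not section.startswith("conn ") or section == "conn %default":
            continue
        name = section[len("conn "):]
        conn = effective_conn(sections, name)
        report[name] = {
            "keyexchange": conn.get("keyexchange"),
            "rightauth": conn.get("rightauth", "pubkey"),  # strongSwan default
            "weak_ike": weak_proposals(conn.get("ike", "")),
            "weak_esp": weak_proposals(conn.get("esp", "")),
        }
    return report


if __name__ == "__main__":
    for conn_name, info in audit(SAMPLE_CONF).items():
        print(conn_name, info["keyexchange"], info["rightauth"])
        for proposal, part, reason in info["weak_ike"] + info["weak_esp"]:
            print(f"  weak: {proposal} -> {part}: {reason}")
```

Run it against the real file with `audit(open("/etc/ipsec.conf").read())`; every conn that inherits the %default lists will show the same findings, which is the point: trimming the %default proposals fixes all of them at once.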





5- add username and password to file /etc/ipsec.secrets, so the content will look like below
: RSA vpnHostKey.pem
user1 : EAP "topsecretpassword"
user2 : XAUTH "evenmoretopsecretpassword"


- execute the command below to reload the secrets
$ ipsec rereadsecrets

6- finally restart strongswan and ipsec to finish the server part
$ sudo systemctl restart strongswan
$ sudo ipsec restart


*** client
1- install packages
$ sudo apt-get install strongswan strongswan-plugin-eap-mschapv2

2- there are two methods to connect to the ipsec server

+ method 1: using username/password

1- copy the ca certificate from the server to the client (same path on both: /etc/ipsec.d/cacerts/), and the host vpn private key as well (same path on both: /etc/ipsec.d/private/vpnHostKey.pem)

2- add username and password to file /etc/ipsec.secrets, so the content will look like below
: RSA vpnHostKey.pem
user1 : EAP "topsecretpassword"


3- configure the ipsec configuration file /etc/ipsec.conf with the following content
conn ikev2-rw
    right=192.168.202.243
    rightid=%any
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=192.168.202.242
    leftauth=eap-mschapv2
    eap_identity=user1
    auto=add

4- restart ipsec and connect to the ipsec server (ikev2-rw is the conn name from the configuration above)
$ sudo ipsec restart
$ sudo ipsec up ikev2-rw
$ ipsec status
Security Associations (1 up, 0 connecting):
    ikev2-rw[2]: ESTABLISHED 33 minutes ago, 192.168.202.242[192.168.202.242]...192.168.202.243[C=CH, O=strongSwan, CN=vpn.domain1.test]
    ikev2-rw{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c979fe46_i cc2e8667_o
    ikev2-rw{2}:   172.16.16.1/32 === 0.0.0.0/0


- snapshot of traceroute: the default gateway still points to 192.168.202.1, but when we traceroute to 8.8.8.8 the traffic is redirected through the ipsec server 192.168.202.243



+ method 2: using public and private keys
1- copy the ca certificate from the server to the client (same path on both: /etc/ipsec.d/cacerts/), then the client1 certificate and private key into /etc/ipsec.d/certs and /etc/ipsec.d/private respectively

2- update the secrets file /etc/ipsec.secrets, so the content will look like below
: RSA client1.pem

3- configure the ipsec configuration file /etc/ipsec.conf with the following content

conn ikev2-rw
    right=192.168.202.243
    rightid=%any
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=192.168.202.242
    leftauth=pubkey
    leftcert=client1.pem
    auto=add



4- restart ipsec and connect to the ipsec server (ikev2-rw is the conn name from the configuration above)
$ sudo ipsec restart
$ sudo ipsec up ikev2-rw
$ ipsec status
Security Associations (1 up, 0 connecting):
    ikev2-rw[1]: ESTABLISHED 6 minutes ago, 192.168.202.242[C=CH, O=strongSwan, CN=client1@domain1.test]...192.168.202.243[C=CH, O=strongSwan, CN=vpn.domain1.test]
    ikev2-rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd768228_i ca4e2147_o
    ikev2-rw{1}:   172.16.16.2/32 === 0.0.0.0/0
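Both ipsec status outputs above (method 1 and method 2) have the same shape: an IKE SA line carrying the two peer identities, a CHILD SA line with the ESP SPIs, and a traffic selector line whose right-hand side 0.0.0.0/0 is what sends the traceroute to 8.8.8.8 through the VPN server. The Python script below is an added example, not part of this post and not strongSwan code: it parses that output (a constructed copy of the method 1 output is embedded) and checks that the established SA terminates at the expected server identity with a full-tunnel selector. Because both client configs use rightid=%any, comparing the identity after the connection is up is a cheap sanity check. The regular expressions follow the line formats shown here and are an assumption for other strongSwan versions.

```python
"""Parse `ipsec status` output and check the tunnel ends where it should.

Added example for the client-side status output above; not strongSwan code.
"""
import re

# Constructed copy of the method 1 `ipsec status` output shown above.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
    ikev2-rw[2]: ESTABLISHED 33 minutes ago, 192.168.202.242[192.168.202.242]...192.168.202.243[C=CH, O=strongSwan, CN=vpn.domain1.test]
    ikev2-rw{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c979fe46_i cc2e8667_o
    ikev2-rw{2}:   172.16.16.1/32 === 0.0.0.0/0
"""

HEADER_RE = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")
# IKE SA:   name[id]: STATE <age> ago, local[local_id]...remote[remote_id]
IKE_SA_RE = re.compile(
    r"^\s*(?P<name>[^\s\[]+)\[(?P<id>\d+)\]: (?P<state>[A-Z]+) (?P<age>.+?) ago, "
    r"(?P<local>[^\s\[]+)\[(?P<local_id>.+?)\]\.\.\."
    r"(?P<remote>[^\s\[]+)\[(?P<remote_id>.+?)\]$"
)
# CHILD SA: name{id}: STATE, MODE, reqid N, ESP SPIs: xxxx_i yyyy_o
CHILD_SA_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+), (?P<mode>[A-Z]+), "
    r"reqid (?P<reqid>\d+), ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)
# Traffic selectors: name{id}: local_ts === remote_ts
TS_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local_ts>\S+) === (?P<remote_ts>\S+)$"
)


def parse_ipsec_status(text):
    """Return header counts plus IKE and CHILD SAs keyed by their numeric id."""
    status = {"up": None, "connecting": None, "ike_sas": {}, "child_sas": {}}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            status["up"], status["connecting"] = int(m.group(1)), int(m.group(2))
            continue
        m = IKE_SA_RE.match(line)
        if m:
            fields = m.groupdict()
            status["ike_sas"][int(fields.pop("id"))] = fields
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            fields = m.groupdict()
            status["child_sas"][int(fields.pop("id"))] = fields
            continue
        m = TS_RE.match(line)
        if m:
            child = status["child_sas"].get(int(m.group("id")))
            if child is not None:   # selector line follows its CHILD SA line
                child["local_ts"] = m.group("local_ts")
                child["remote_ts"] = m.group("remote_ts")
    return status


def check_tunnel(status, expected_remote_id, expected_remote_ts="0.0.0.0/0"):
    """Return a list of findings; an empty list means the tunnel looks as intended."""
    established = [s for s in status["ike_sas"].values() if s["state"] == "ESTABLISHED"]
    if not established:
        return ["no ESTABLISHED IKE SA"]
    findings = []
    for sa in established:
        if sa["remote_id"] != expected_remote_id:
            findings.append(f"unexpected remote identity {sa['remote_id']!r}")
    installed = [c for c in status["child_sas"].values() if c["state"] == "INSTALLED"]
    if not installed:
        findings.append("no INSTALLED CHILD SA")
    for child in installed:
        if child.get("remote_ts") != expected_remote_ts:
            findings.append(
                f"remote traffic selector is {child.get('remote_ts')}, not {expected_remote_ts}"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_status(SAMPLE_STATUS)
    problems = check_tunnel(parsed, "C=CH, O=strongSwan, CN=vpn.domain1.test")
    print("OK" if not problems else "\n".join(problems))
```

On a real client, pipe the command in with `parse_ipsec_status(subprocess.check_output(["ipsec", "status"], text=True))` and run the check from a cron job or a monitoring hook; a non-empty finding list is the signal that the full tunnel is not in place even though `ipsec up` reported success.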





*** tips
- command to list certificates
$ ipsec listcerts
List of X.509 End Entity Certificates:

  altNames:  client1@domain1.test
  subject:  "C=CH, O=strongSwan, CN=client1@domain1.test"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  serial:    34:45:98:ca:c5:82:3f:e7
  validity:  not before Oct 02 11:12:19 2016, ok
             not after  Oct 02 11:12:19 2018, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     b2:8f:78:be:77:46:a8:06:f1:8f:34:aa:2a:e4:1e:4c:1b:88:f9:52
  subjkey:   48:ed:07:a2:22:df:7c:6a:10:03:fc:7f:5b:b1:c4:06:31:81:00:5a
  authkey:   1a:f4:a5:bb:ac:53:d7:d2:93:ca:ca:a3:2d:f8:0c:66:d9:54:f6:4f

  altNames:  vpn.domain1.test
  subject:  "C=CH, O=strongSwan, CN=vpn.domain1.test"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  serial:    08:0a:fa:bc:8c:be:84:ae
  validity:  not before Oct 02 08:57:22 2016, ok
             not after  Oct 02 08:57:22 2018, ok
  pubkey:    RSA 2048 bits
  keyid:     f5:ab:ae:8a:ff:90:47:0c:20:a5:e5:23:44:d9:74:d6:07:9f:fc:d0
  subjkey:   a3:8c:ae:1d:7d:42:8c:b4:80:17:58:18:d0:38:39:7a:db:3d:b8:e6
  authkey:   1a:f4:a5:bb:ac:53:d7:d2:93:ca:ca:a3:2d:f8:0c:66:d9:54:f6:4f
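The listcerts output above is easy to turn into a periodic check. The Python script below is an added example, not part of this post and not strongSwan code: it parses the certificate blocks (a constructed copy of the output above is embedded), reports certificates that have expired or expire within a window (the certificates above were issued with --lifetime 730, so they run out in October 2018), confirms that all of them carry the same authkey, i.e. were issued under one CA key, and lists which certificates have a private key on this host. That last list is worth a look on the username/password client: an EAP-MSCHAPv2 client only needs the ca certificate to verify the server, so the server's private key does not have to leave the server for that method. The block layout and the date format are assumptions taken from the output shown here.

```python
"""Parse `ipsec listcerts` output: expiry, common issuer key, private keys present.

Added example for the listcerts output above; not strongSwan code.
"""
import re
from datetime import datetime

# Constructed copy of the `ipsec listcerts` output shown above.
SAMPLE_LISTCERTS = """\
List of X.509 End Entity Certificates:

  altNames:  client1@domain1.test
  subject:  "C=CH, O=strongSwan, CN=client1@domain1.test"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  serial:    34:45:98:ca:c5:82:3f:e7
  validity:  not before Oct 02 11:12:19 2016, ok
             not after  Oct 02 11:12:19 2018, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     b2:8f:78:be:77:46:a8:06:f1:8f:34:aa:2a:e4:1e:4c:1b:88:f9:52
  subjkey:   48:ed:07:a2:22:df:7c:6a:10:03:fc:7f:5b:b1:c4:06:31:81:00:5a
  authkey:   1a:f4:a5:bb:ac:53:d7:d2:93:ca:ca:a3:2d:f8:0c:66:d9:54:f6:4f

  altNames:  vpn.domain1.test
  subject:  "C=CH, O=strongSwan, CN=vpn.domain1.test"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  serial:    08:0a:fa:bc:8c:be:84:ae
  validity:  not before Oct 02 08:57:22 2016, ok
             not after  Oct 02 08:57:22 2018, ok
  pubkey:    RSA 2048 bits
  keyid:     f5:ab:ae:8a:ff:90:47:0c:20:a5:e5:23:44:d9:74:d6:07:9f:fc:d0
  subjkey:   a3:8c:ae:1d:7d:42:8c:b4:80:17:58:18:d0:38:39:7a:db:3d:b8:e6
  authkey:   1a:f4:a5:bb:ac:53:d7:d2:93:ca:ca:a3:2d:f8:0c:66:d9:54:f6:4f
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+):\s*(?P<value>.*)$")
DATE_FMT = "%b %d %H:%M:%S %Y"          # e.g. "Oct 02 11:12:19 2016"


def _parse_date(fragment):
    """'not before Oct 02 11:12:19 2016, ok' -> datetime (drops the ', ok')."""
    return datetime.strptime(fragment.split(",")[0].strip(), DATE_FMT)


def parse_listcerts(text):
    """Return one dict per certificate block (blocks are separated by blank lines)."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "subject:" not in block:     # skips the "List of ..." heading
            continue
        cert = {}
        for line in block.splitlines():
            stripped = line.strip()
            if stripped.startswith("not after"):   # continuation of validity:
                cert["not_after"] = _parse_date(stripped[len("not after"):])
                continue
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, value = m.group("key"), m.group("value")
            if key == "validity":
                cert["not_before"] = _parse_date(value[len("not before"):])
            elif key == "pubkey":
                cert["pubkey"] = value.split(",")[0]
                cert["has_private_key"] = "has private key" in value
            else:
                cert[key] = value.strip('"')
        certs.append(cert)
    return certs


def expiring(certs, now, within_days=30):
    """[(subject, days_left)] for certs expired or expiring within the window.

    `now` is given in the same format strongSwan prints, e.g. "Sep 20 00:00:00 2018".
    """
    now_dt = datetime.strptime(now, DATE_FMT)
    out = []
    for cert in certs:
        days_left = (cert["not_after"] - now_dt).days
        if days_left <= within_days:
            out.append((cert["subject"], days_left))
    return out


def same_issuer_key(certs):
    """True when every certificate was signed by the same CA key (same authkey)."""
    return len({cert["authkey"] for cert in certs}) == 1


def with_private_key(certs):
    """Subjects whose private key is present on this host."""
    return [cert["subject"] for cert in certs if cert.get("has_private_key")]


if __name__ == "__main__":
    parsed = parse_listcerts(SAMPLE_LISTCERTS)
    print("private keys here:", with_private_key(parsed))
    print("single issuer key:", same_issuer_key(parsed))
    print("expiring:", expiring(parsed, datetime.now().strftime(DATE_FMT)))
```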





- revoke a certificate if you no longer want it to be accepted for authentication
$ ipsec pki --signcrl --reason key-compromise --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --cert certs/client1.pem --outform pem > crls/crl.pem
