*** setup information
server: ip : 192.168.202.243
virtual ip pool: 172.16.16.0/24
subnet to be routed: 0.0.0.0/0
client: ip : 192.168.202.242
*** server
1- install packages
$ sudo apt-get install strongswan strongswan-plugin-eap-mschapv2
2- generate keys and certificates for the ca, the server and the client
- ca
$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
$ chmod 600 private/strongswanKey.pem
$ ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem
- server
$ ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
$ chmod 600 private/vpnHostKey.pem
$ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=vpn.domain1.test" --san vpn.domain1.test --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
- client
$ ipsec pki --gen --type rsa --size 2048 --outform pem > private/client1.pem
$ chmod 600 private/client1.pem
$ ipsec pki --pub --in private/client1.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=client1@domain1.test" --san client1@domain1.test --outform pem > certs/client1.pem
- export the client certificate and private key to p12 (PKCS#12) format
$ openssl pkcs12 -export -inkey private/client1.pem -in certs/client1.pem -name "client1 Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out client1.p12
3- enable ip forwarding and set up the nat rules (the policy-match ACCEPT rule has to come before MASQUERADE: POSTROUTING rules are evaluated in order and MASQUERADE terminates the chain, so in the opposite order the ACCEPT rule is never reached)
# echo 1 > /proc/sys/net/ipv4/ip_forward
- note: writing to /proc is lost at reboot; to make it persistent set net.ipv4.ip_forward=1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/)
$ sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ens33 -j MASQUERADE
4- configure strongswan/ipsec by modifying the following files
- /etc/strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon.log {
            append = no
            default = 1
            flush_line = yes
        }
        stderr {
            ike = 2
            knl = 3
        }
    }
    syslog {
        daemon {
        }
        auth {
            default = -1
            ike = 0
        }
    }
}
include strongswan.d/*.conf
- /etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    # note: the strict (!) ike/esp lists below still include sha1 and modp1024/modp1536 proposals; drop them if no legacy client needs them
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
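The server ipsec.conf above relies on two inheritance rules that are easy to misread: every conn silently inherits conn %default, and also= pulls in another conn's parameters, with the conn's own keys winning over both. The following is an added example (Python, written for this page; not code from the original post or from the strongSwan project) that parses this file format, resolves the effective settings of each conn, and lists which proposals in the strict ike=/esp= lists use SHA-1 or a small MODP group. SAMPLE_CONF is a constructed, shortened copy of the configuration above; the function names and the LEGACY_TOKENS set are my own choices.

```python
# Added example (not from the original post or the strongSwan project).
# SAMPLE_CONF is a constructed, shortened copy of the server ipsec.conf above.

SAMPLE_CONF = """\
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes128-sha1-modp1024,aes256gcm16!
    dpdaction=clear
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.16.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
"""

# Proposal tokens an auditor wants highlighted (assumption: SHA-1 integrity and
# the small MODP groups); adjust to local policy.
LEGACY_TOKENS = {"sha1", "modp1024", "modp1536"}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'config setup' is stored as 'setup'.

    Section headers start in column 0, parameters are indented, '#' starts a
    comment and surrounding double quotes are stripped from values.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            _kind, _, name = line.partition(" ")
            current = name.strip()
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name, _seen=None):
    """Merge conn %default, the also= chain and the conn's own keys.

    Precedence: the conn's own keys > the also= target (recursively) > %default.
    """
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError("also= loop at conn %s" % name)
    seen.add(name)
    own = dict(sections[name])
    merged = dict(sections.get("%default", {}))
    if "also" in own:
        merged.update(effective_conn(sections, own.pop("also"), seen))
    merged.update(own)
    return merged


def legacy_proposals(proposal_list):
    """Proposals from an ike=/esp= value that use a token in LEGACY_TOKENS."""
    proposals = proposal_list.rstrip("!").split(",") if proposal_list else []
    return [p for p in proposals if set(p.split("-")) & LEGACY_TOKENS]


def audit(text):
    """Per conn: effective key exchange, peer auth, auto and the legacy proposals it accepts."""
    sections = parse_ipsec_conf(text)
    report = {}
    for name in sections:
        if name in ("setup", "%default"):
            continue
        conn = effective_conn(sections, name)
        report[name] = {
            "keyexchange": conn.get("keyexchange"),
            "rightauth": conn.get("rightauth"),
            "auto": conn.get("auto"),
            "weak_ike": legacy_proposals(conn.get("ike", "")),
            "weak_esp": legacy_proposals(conn.get("esp", "")),
        }
    return report


if __name__ == "__main__":
    for conn_name, info in audit(SAMPLE_CONF).items():
        print(conn_name, info)
```

Running it against the real file (`audit(open("/etc/ipsec.conf").read())`) shows, for instance, that IPSec-IKEv2-EAP ends up with auto=add through its also= reference and that every conn inherits the same long proposal list from %default, so trimming the list in one place changes all of them.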
5- add the usernames and passwords to /etc/ipsec.secrets, so the content looks like below
: RSA vpnHostKey.pem
user1 : EAP "topsecretpassword"
user2 : XAUTH "evenmoretopsecretpassword"
- execute the command below to reload the secrets
$ ipsec rereadsecrets
6- finally restart strongswan and ipsec to finish the server part
$ sudo systemctl restart strongswan
$ sudo ipsec restart
*** client
1- install packages
$ sudo apt-get install strongswan strongswan-plugin-eap-mschapv2
2- there are two methods to connect to the ipsec server
+ method 1: using username/password
1- copy the ca certificate from the server to the client (same path on both: /etc/ipsec.d/cacerts/) and the host vpn private key (also the same path on both: /etc/ipsec.d/private/vpnHostKey.pem)
2- add the username and password to /etc/ipsec.secrets, so the content looks like below
: RSA vpnHostKey.pem
user1 : EAP "topsecretpassword"
3- configure the ipsec configuration file /etc/ipsec.conf with the following content
conn ikev2-rw
    right=192.168.202.243
    rightid=%any
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=192.168.202.242
    leftauth=eap-mschapv2
    eap_identity=user1
    auto=add
4- restart ipsec and bring the connection up (ikev2-rw is the conn name from the configuration above)
$ sudo ipsec restart
$ sudo ipsec up ikev2-rw
$ ipsec status
Security Associations (1 up, 0 connecting):
ikev2-rw[2]: ESTABLISHED 33 minutes ago, 192.168.202.242[192.168.202.242]...192.168.202.243[C=CH, O=strongSwan, CN=vpn.domain1.test]
ikev2-rw{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c979fe46_i cc2e8667_o
ikev2-rw{2}: 172.16.16.1/32 === 0.0.0.0/0
- snapshot of traceroute (image not reproduced): the default gateway is 192.168.202.1, but a traceroute to 8.8.8.8 shows the traffic being redirected through the ipsec server 192.168.202.243
+ method 2: using public and private keys
1- copy the ca certificate from the server to the client (same path on both: /etc/ipsec.d/cacerts/), and the client1 certificate and private key to /etc/ipsec.d/certs and /etc/ipsec.d/private respectively
2- update the secrets file /etc/ipsec.secrets, so the content looks like below
: RSA client1.pem
3- configure the ipsec configuration file /etc/ipsec.conf with the following content
conn ikev2-rw
    right=192.168.202.243
    rightid=%any
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=192.168.202.242
    leftauth=pubkey
    leftcert=client1.pem
    auto=add
4- restart ipsec and bring the connection up (ikev2-rw is the conn name from the configuration above)
$ sudo ipsec restart
$ sudo ipsec up ikev2-rw
$ ipsec status
Security Associations (1 up, 0 connecting):
ikev2-rw[1]: ESTABLISHED 6 minutes ago, 192.168.202.242[C=CH, O=strongSwan, CN=client1@domain1.test]...192.168.202.243[C=CH, O=strongSwan, CN=vpn.domain1.test]
ikev2-rw{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd768228_i ca4e2147_o
ikev2-rw{1}: 172.16.16.2/32 === 0.0.0.0/0
*** tips
- command to list certificates
$ ipsec listcerts
List of X.509 End Entity Certificates:
altNames: client1@domain1.test
subject: "C=CH, O=strongSwan, CN=client1@domain1.test"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
serial: 34:45:98:ca:c5:82:3f:e7
validity: not before Oct 02 11:12:19 2016, ok
not after Oct 02 11:12:19 2018, ok
pubkey: RSA 2048 bits, has private key
keyid: b2:8f:78:be:77:46:a8:06:f1:8f:34:aa:2a:e4:1e:4c:1b:88:f9:52
subjkey: 48:ed:07:a2:22:df:7c:6a:10:03:fc:7f:5b:b1:c4:06:31:81:00:5a
authkey: 1a:f4:a5:bb:ac:53:d7:d2:93:ca:ca:a3:2d:f8:0c:66:d9:54:f6:4f
altNames: vpn.domain1.test
subject: "C=CH, O=strongSwan, CN=vpn.domain1.test"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
serial: 08:0a:fa:bc:8c:be:84:ae
validity: not before Oct 02 08:57:22 2016, ok
not after Oct 02 08:57:22 2018, ok
pubkey: RSA 2048 bits
keyid: f5:ab:ae:8a:ff:90:47:0c:20:a5:e5:23:44:d9:74:d6:07:9f:fc:d0
subjkey: a3:8c:ae:1d:7d:42:8c:b4:80:17:58:18:d0:38:39:7a:db:3d:b8:e6
authkey: 1a:f4:a5:bb:ac:53:d7:d2:93:ca:ca:a3:2d:f8:0c:66:d9:54:f6:4f
- revoke a certificate if you no longer want it to be accepted for authentication; the crl is written to /etc/ipsec.d/crls, where charon looks for it, and is picked up after `ipsec rereadcrls` (or a restart)
$ ipsec pki --signcrl --reason key-compromise --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --cert certs/client1.pem --outform pem > crls/crl.pem
$ ipsec rereadcrls