IPsec Legacy IKEv1 Configuration

mostly taken from https://forum.openwrt.org/viewtopic.php?id=39560

This IPsec IKEv1 (+xauth) howto was written for old Apple iOS “IPsec” clients. The same kind of setup could be found on some commercial gateways (Netgear, AVM FritzBox, etc.) and third-party IPsec VPN softwares like TheGreenBow or ShrewSoft. For modern deployments, look for IPsec IKEv2 instead.

install necessary packages

      opkg update
      opkg install strongswan-default strongswan-mod-dhcp strongswan-mod-af-alg strongswan-mod-gcrypt \ 
      strongswan-mod-blowfish strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-pkcs11 \
      strongswan-mod-pkcs8 strongswan-mod-test-vectors strongswan-mod-farp

ipsec config

      # ipsec.conf - strongSwan IPsec configuration file
      
      conn ios
              keyexchange=ikev1
              authby=xauthrsasig
              xauth=server
              left=%any
              leftsubnet=0.0.0.0/0
              leftfirewall=yes
              leftcert=serverCert.pem
              right=%any
              rightsubnet=192.168.1.0/24
              rightsourceip=%dhcp
              rightcert=clientCert.pem
              forceencaps=yes
              auto=add
      # /etc/ipsec.secrets - strongSwan IPsec secrets file
      
      : RSA serverKey.pem
      anyuser : XAUTH "anypassword"
      #!/bin/sh /etc/rc.common
      # ipsec init script
      
      START=46
      STOP=01
      
      start() {
      ipsec start
      }
      
      stop() {
      ipsec stop
      }
      
      restart() {
      ipsec restart
      }
      
      reload() {
      ipsec update
      }

remember to run /etc/init.d/ipsec enable when done to enable startup on boot

strongswan config

      # strongswan.conf - strongSwan configuration file
      
      charon {
      
              dns1 = 192.168.1.1
      
              threads = 16
      
              plugins {
      
                      dhcp {
                              server = 192.168.1.1
                      }
              }
      
      }
      
      pluto {
      
      }
      
      libstrongswan {
      
              #  set to no, the DH exponent size is optimized
              #  dh_exponent_ansi_x9_42 = no
      }

firewall config

      iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
      iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
      iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
      iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
      config rule
              option 'src' 'wan'
              option 'proto' 'esp'
              option 'target' 'ACCEPT'
      
      config rule
              option 'src' 'wan'
              option 'proto' 'udp'
              option 'dest_port' '500'
              option 'target' 'ACCEPT'
      
      config rule
              option 'src' 'wan'
              option 'proto' 'udp'
              option 'dest_port' '4500'
              option 'target' 'ACCEPT'
      
      config rule
              option 'src' 'wan'
              option 'proto' 'ah'
              option 'target' 'ACCEPT'

next (certificates) is taken from http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

certificates generation

      ipsec pki --gen --outform pem > caKey.pem
      ipsec pki --self --in caKey.pem --dn "C=DE, O=xxx, CN=xxxx" --ca --outform pem > caCert.pem
      ipsec pki --gen --outform pem > serverKey.pem
      ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=xxx.dyndns.org" \
      --san="xxx.dyndns.org" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
      ipsec pki --gen --outform pem > clientKey.pem
      ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=client" --outform pem > clientCert.pem
      openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "xxxx" -out clientCert.p12

Replace xxx.dyndns.org with the hostname or IP adress which is used to contact the VPN server.

copy certificates

      cp caCert.pem /etc/ipsec.d/cacerts/
      cp serverCert.pem /etc/ipsec.d/certs/
      cp serverKey.pem /etc/ipsec.d/private/
      cp clientCert.pem /etc/ipsec.d/certs/
      cp clientKey.pem /etc/ipsec.d/private/

Email caCert.pem and clientCert.p12 to Your IPhone/IPad and import them. Create an IPSec VPN Connection from the settings app and use the client certificated and the credentials added to /etc/ipsec.secrets ... and you're done.

Troubleshooting

If you experience errors, like:

      07[KNL] received netlink error: Function not implemented (89)
      07[KNL] unable to add SAD entry with SPI ccc321fa
      07[KNL] received netlink error: Function not implemented (89)
      07[KNL] unable to add SAD entry with SPI 07d0af31
      07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

You are most likely missing following packages:

      strongswan-mod-kernel-libipsec
      kmod-tun

After these are installed, problem should be fixed.

If you have problems with reaching of DHCP.. You probably should install also following modules:

      ipset
      iptables-mod-filter
      iptables-mod-nat-extra
      ppp-mod-pppoe
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/10/05 21:16
  • by tmomas