Differences
| docs:guide-user:services:vpn:strongswan:roadwarrior [2022/10/03 13:03] – sunshinejnjn | docs:guide-user:services:vpn:strongswan:roadwarrior [2023/01/19 15:23] – lukepicci | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== IPsec Modern IKEv2 Road-Warrior Configuration | + | ====== IPsec Modern IKEv2 Road-Warrior Configuration ====== |
| IPsec Road-Warrior Configuration: | IPsec Road-Warrior Configuration: | ||
| Line 165: | Line 165: | ||
| If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the '' | If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the '' | ||
| With the above configuration, | With the above configuration, | ||
| + | |||
| + | ===== / | ||
| + | If you are running OpenWrt 22.03+, you probably want this instead of the ipsec.conf-based setup. We set up a swanctl.conf and its companion files to mirror the ipsec configuration above. Please note: we are using " | ||
| + | |||
| + | 0. Certificates (including the .pem key files): create them and place them in the directories expected by the " | ||
| + | |||
| + | 1. Create a / | ||
| + | < | ||
| + | local_addrs | ||
| + | remote_addrs = 0.0.0.0/ | ||
| + | local { | ||
| + | auth = pubkey | ||
| + | certs = serverCert_myvpnserver.dyndns.org.pem | ||
| + | id = myvpnserver.dyndns.org | ||
| + | } | ||
| + | children { | ||
| + | | ||
| + | local_ts | ||
| + | esp_proposals = default | ||
| + | } | ||
| + | } | ||
| + | pools = strongswanippool | ||
| + | unique = never | ||
| + | version = 2 | ||
| + | proposals = default | ||
| + | </ | ||
| + | |||
| + | 2. Create the main settings in / | ||
| + | < | ||
| + | connections { | ||
| + | | ||
| + | include ./ | ||
| + | remote-eapmschapv2 { | ||
| + | auth = eap-mschapv2 | ||
| + | | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eapmschapv2ios { | ||
| + | auth = eap-mschapv2 | ||
| + | | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eaptls { | ||
| + | auth = eap-tls | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | } | ||
| + | send_certreq = no | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eaptlsios { | ||
| + | auth = eap-tls | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | id = myVpnClients | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-pubkey { | ||
| + | auth = pubkey | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | } | ||
| + | send_certreq = no | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-pubkeyios { | ||
| + | auth = pubkey | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | id = myVpnClients | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | } | ||
| + | |||
| + | secrets { | ||
| + | rsa- { | ||
| + | filename=" | ||
| + | } | ||
| + | | ||
| + | id = remoteusername | ||
| + | secret = secretpassword | ||
| + | } | ||
| + | } | ||
| + | |||
| + | pools { | ||
| + | strongswanippool { | ||
| + | addrs = 10.0.1.0/24 | ||
| + | # dns = 8.8.8.8 | ||
| + | } | ||
| + | } | ||
| + | |||
| + | # Include config snippets | ||
| + | include conf.d/ | ||
| + | |||
| + | include / | ||
| + | </ | ||
| + | |||
| + | 3. If you are upgrading an existing router setup (strongSwan installed on an older OpenWrt release, then a sysupgrade keeping settings, then strongswan-full reinstalled), | ||
| + | < | ||
| + | include / | ||
| + | </ | ||
| + | and / | ||
| + | < | ||
| + | include / | ||
| + | </ | ||
| + | Also, you may want to rename/ | ||
| + | You may want to run / | ||
| + | |||
| + | 4. Check the config | ||
| + | <code bash> | ||
| + | swanctl --load-all | ||
| + | </ | ||
| + | If everything went well, the output reports the 6 connections defined above as loaded. Otherwise, read the error output to see what went wrong. | ||
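The four steps above produce a swanctl.conf whose contents swanctl only checks when you run `--load-all` on the router, and even then it does not tell you whether the result is a sensible road-warrior gateway. The following Python script is an added example, not code from the OpenWrt wiki or from strongSwan: it parses the swanctl.conf section syntax (`key = value`, `name { ... }`, `include`, `#` comments) and lints the connections for the mistakes that bite this kind of setup: the IKE version left unpinned (so IKEv1 is still accepted), a `pools` reference to a pool that is never defined, `eap-mschapv2` without an `eap-*` entry in `secrets`, and weak algorithm tokens in explicit `proposals`/`esp_proposals`. The embedded configuration is constructed for the demo; the names `rw-eap`, `rw-legacy` and `rw-pool` are assumptions, not names from the page.

```python
"""Lint a swanctl.conf-style IKEv2 road-warrior config (added example; not OpenWrt wiki or strongSwan code)."""
# Constructed sample in swanctl.conf syntax; rw-eap, rw-legacy and rw-pool are demo names, not the page's.
SAMPLE = """\
connections {
    rw-eap {
        version = 2
        pools = rw-pool
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth = pubkey
        }
        remote-eap {
            auth = eap-mschapv2
        }
    }
    rw-legacy {   # version unset: swanctl then accepts IKEv1 as well
        pools = missing-pool
        proposals = 3des-sha1-modp1024
        remote {
            auth = eap-mschapv2
        }
        children {
            rw {
                esp_proposals = aes128-sha1
            }
        }
    }
}
secrets {
    eap-alice {
        id = alice
        secret = correct-horse-battery-staple
    }
}
pools {
    rw-pool {
        addrs = 10.0.1.0/24
    }
}
"""

# Algorithm tokens a modern IKEv2 gateway should not negotiate.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

def parse(text):
    """Parse swanctl.conf syntax into nested dicts; 'include' lines are kept under '_includes'."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; values must not contain '#'
        if not line:
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = section = {}
            stack.append(section)
        elif line.startswith("include "):
            stack[-1].setdefault("_includes", []).append(line.split(None, 1)[1])
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return stack[0]

def weak_tokens(proposal):
    """Weak algorithm names in a proposal string such as 'aes128-sha1-modp1024'."""
    return sorted(WEAK_TOKENS & set(proposal.lower().replace(",", "-").split("-")))

def lint(conf):
    """Return (level, where, message) findings for every connection in the parsed config."""
    findings = []
    defined_pools = {k for k, v in conf.get("pools", {}).items() if isinstance(v, dict)}
    has_eap_secret = any(k.startswith("eap") for k in conf.get("secrets", {}))
    for name, conn in conf.get("connections", {}).items():
        if not isinstance(conn, dict):  # skip the '_includes' list
            continue
        if conn.get("version") != "2":
            findings.append(("error", name, "version should be 2; unset also accepts IKEv1"))
        for pool in conn.get("pools", "").replace(",", " ").split():
            if pool not in defined_pools:
                findings.append(("error", name, f"pool {pool!r} is not defined"))
        for tok in weak_tokens(conn.get("proposals", "")):
            findings.append(("warn", name, f"weak IKE algorithm {tok}"))
        remote_auths = {v.get("auth", "pubkey") for k, v in conn.items()
                        if k.startswith("remote") and isinstance(v, dict)}
        if "eap-mschapv2" in remote_auths and not has_eap_secret:
            findings.append(("error", name, "eap-mschapv2 configured but no eap-* entry in secrets"))
        for cname, child in conn.get("children", {}).items():
            for tok in (weak_tokens(child.get("esp_proposals", "")) if isinstance(child, dict) else []):
                findings.append(("warn", f"{name}/{cname}", f"weak ESP algorithm {tok}"))
    return findings

if __name__ == "__main__":
    print(*lint(parse(SAMPLE)), sep="\n")
```

To run it against the router, replace `SAMPLE` with the contents of `/etc/swanctl/swanctl.conf`. Included files are recorded but not followed, so lint each file swanctl actually loads; a `proposals = default` line is not flagged because its meaning depends on the installed strongSwan release, which is one reason to pin proposals explicitly.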
| ===== ipsec.secrets ===== | ===== ipsec.secrets ===== | ||
| Line 290: | Line 415: | ||
| option target ' | option target ' | ||
| </ | </ | ||
| + | |||
| + | For the swanctl configuration, you probably want to add this firewall rule too: | ||
| + | |||
| + | < | ||
| + | config rule | ||
| + | option name ' | ||
| + | list proto ' | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | option target ' | ||
| + | </ | ||
| + | |||
| Explanation: | Explanation: | ||
| - | Basically, you're opening up the ports/ | + | Basically, you're opening up the ports/ |
| + | |||
| + | For the swanctl part, since this is a policy-based VPN, the virtual IPs are installed on the " | ||
| You will also need additional rules in ''/ | You will also need additional rules in ''/ | ||
| Line 321: | Line 460: | ||
| Explication: | Explication: | ||
| ==== For BlackBerry Clients ==== | ==== For BlackBerry Clients ==== | ||
| Line 487: | Line 495: | ||
| openssl x509 -in / | openssl x509 -in / | ||
| </ | </ | ||
| + | |||
| + | ===== Road-Warriors configuration ===== | ||
| + | For testing, the original author of this page used a Blackberry Z10 with native IKEv2 support (LOVE your Blackberry), | ||
| + | |||
| + | Hint: you can easily email the client .p12 bundles (and the CA certificate, if needed) to the mobile device users. The .p12 contains the client's private key, so protect it with a strong export password and pass that password on through a separate channel, not in the same email. | ||
| ==== For Windows Clients ==== | ==== For Windows Clients ==== | ||
| Line 498: | Line 511: | ||
| You will need administrative rights to set up this kind of VPN connection. Only traditional desktop editions are supported. | You will need administrative rights to set up this kind of VPN connection. Only traditional desktop editions are supported. | ||
| - | In Windows, import your client and CA certificates into **Local Machine** storage, not Current User. If you followed this tutorial the CA certificate is already bundled with the client cert in the client.p12 package; just take care of importing, again, into Local Machine and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " | + | In Windows, import your client and CA certificates into **Local Machine** storage, not Current User. If you followed this tutorial the CA certificate is already bundled with the client cert in the client.p12 package; just take care of importing, again, into **Local Machine** and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " |
| Follow these instructions to set up the Windows VPN connection for using Machine Certificates: | Follow these instructions to set up the Windows VPN connection for using Machine Certificates: | ||
| + | |||
| + | Please note: this Machine Certificates setup uses Device certificate/ | ||
| === as EAPTLS roadwarriors === | === as EAPTLS roadwarriors === | ||
| - | You don't need administrative rights to set up this kind of VPN connection. Modern WinRT-based editions are also supported (including WP8+ mobile editions). | + | You don't need administrative rights to set up this kind of VPN connection, but you still need to be an admin to import the CA certificate. Modern WinRT-based editions are also supported (including WP8+ mobile editions). |
| - | In Windows, import your client and CA certificate into **Current User**, not Local Machine. If you followed this tutorial the CA certificate is already bundled with the client cert in the client.p12 package; just take care of importing, again, into Current User and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " | + | In Windows, import your client and CA certificate into **Current User**, not Local Machine. If you followed this tutorial the CA certificate is already bundled with the client cert in the client.p12 package; just take care of importing, again, into **Current User** and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " |
| Create a new VPN connection from the wizard, choose IKEv2 as the type, and select " | Create a new VPN connection from the wizard, choose IKEv2 as the type, and select " | ||
| + | |||
| + | Please note: this EAP-TLS setup uses User certificate/ | ||
| ==== For Android Clients ==== | ==== For Android Clients ==== | ||