Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:strongswan:roadwarrior [2022/10/24 14:22] – Windows EAP-TLS with machine certs lukepicci | docs:guide-user:services:vpn:strongswan:roadwarrior [2023/01/19 15:23] – lukepicci | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== IPsec Modern IKEv2 Road-Warrior Configuration | + | ====== IPsec Modern IKEv2 Road-Warrior Configuration ====== |
| IPsec Road-Warrior Configuration: | IPsec Road-Warrior Configuration: | ||
| Line 165: | Line 165: | ||
| If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the '' | If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the '' | ||
| With the above configuration, | With the above configuration, | ||
| + | |||
| + | ===== / | ||
| + | If you are running Openwrt 22.03+, you probably want this instead of ipsec. We are going to demonstrate setting up a swanctl.conf and corresponding files to a similar configuration as the above ipsec configuration. Please note: we are using " | ||
| + | |||
| + | 0. Certificates (including (.pem) key files). Make them and put them in corresponding directories according to the " | ||
| + | |||
| + | 1. Create a / | ||
| + | < | ||
| + | local_addrs | ||
| + | remote_addrs = 0.0.0.0/ | ||
| + | local { | ||
| + | auth = pubkey | ||
| + | certs = serverCert_myvpnserver.dyndns.org.pem | ||
| + | id = myvpnserver.dyndns.org | ||
| + | } | ||
| + | children { | ||
| + | | ||
| + | local_ts | ||
| + | esp_proposals = default | ||
| + | } | ||
| + | } | ||
| + | pools = strongswanippool | ||
| + | unique = never | ||
| + | version = 2 | ||
| + | proposals = default | ||
| + | </ | ||
| + | |||
| + | 2. Create main settings in Create a / | ||
| + | < | ||
| + | connections { | ||
| + | | ||
| + | include ./ | ||
| + | remote-eapmschapv2 { | ||
| + | auth = eap-mschapv2 | ||
| + | | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eapmschapv2ios { | ||
| + | auth = eap-mschapv2 | ||
| + | | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eaptls { | ||
| + | auth = eap-tls | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | } | ||
| + | send_certreq = no | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eaptlsios { | ||
| + | auth = eap-tls | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | id = myVpnClients | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-pubkey { | ||
| + | auth = pubkey | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | } | ||
| + | send_certreq = no | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-pubkeyios { | ||
| + | auth = pubkey | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | id = myVpnClients | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | } | ||
| + | |||
| + | secrets { | ||
| + | rsa- { | ||
| + | filename=" | ||
| + | } | ||
| + | | ||
| + | id = remoteusername | ||
| + | secret = secretpassword | ||
| + | } | ||
| + | } | ||
| + | |||
| + | pools { | ||
| + | strongswanippool { | ||
| + | addrs = 10.0.1.0/24 | ||
| + | # dns = 8.8.8.8 | ||
| + | } | ||
| + | } | ||
| + | |||
| + | # Include config snippets | ||
| + | include conf.d/ | ||
| + | |||
| + | include / | ||
| + | </ | ||
| + | |||
| + | 3. If you are upgrading from an old router setting (installed strongswan in older OpenWrt versions and did a system upgrade keeping the settings, reinstalled strongswan-full), | ||
| + | < | ||
| + | include / | ||
| + | </ | ||
| + | and / | ||
| + | < | ||
| + | include / | ||
| + | </ | ||
| + | Also, you may want to rename/ | ||
| + | You may want to run / | ||
| + | |||
| + | 4. Check the config | ||
| + | <code bash> | ||
| + | swanctl --load-all | ||
| + | </ | ||
| + | You'll see 6 connections loaded successfully if everything goes well. Otherwise, check the prompts to see what went wrong. | ||
| ===== ipsec.secrets ===== | ===== ipsec.secrets ===== | ||
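Review bot: the `secrets { rsa- { filename=... } ... id = remoteusername / secret = secretpassword }` block in the new swanctl.conf puts the EAP-MSCHAPv2 username and password, and the reference to the server's private key, in the same file as the connection definitions that the page later tells readers to copy around and `include`; since swanctl already reads `include conf.d/` from this file, suggest the text move `secrets { ... }` into its own file under `conf.d/` and say explicitly that whichever file holds the secrets must be mode 0600 and root-owned, so a sysupgrade backup or a readable swanctl.conf does not leak the EAP password. Two smaller points in the same hunk: every `remote-*` block pins the single shared `clientCert_myvpnclient.pem` (and `id = myVpnClients` for the iOS variants) together with `unique = never`, so all clients hold the same private key and one lost device means re-issuing every client; the context line above this hunk already advises verifying the signing CA instead when issuing personal certificates, so the swanctl example should show that form too (`cacerts = ...` plus an `id` pattern in the `remote` block rather than `certs = clientCert_myvpnclient.pem`). And `# dns = 8.8.8.8` is left commented out in the `strongswanippool` pool, which means roadwarriors keep resolving names through whatever resolver they already had outside the tunnel; either hand out the router's own address or say that DNS is intentionally not pushed.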
| Line 335: | Line 460: | ||
| Explication: | Explication: | ||
| - | |||
| - | ===== / | ||
| - | If you are running Openwrt 22.03+, you probably want this instead of ipsec. We are going to demonstrate setting up a swanctl.conf and corresponding files to a similar configuration as the above ipsec configuration. Please note: we are using " | ||
| - | |||
| - | 0. Certificates (including (.pem) key files). Make them and put them in corresponding directories according to the " | ||
| - | |||
| - | 1. Create a / | ||
| - | < | ||
| - | local_addrs | ||
| - | remote_addrs = 0.0.0.0/ | ||
| - | local { | ||
| - | auth = pubkey | ||
| - | certs = serverCert_myvpnserver.dyndns.org.pem | ||
| - | id = myvpnserver.dyndns.org | ||
| - | } | ||
| - | children { | ||
| - | | ||
| - | local_ts | ||
| - | esp_proposals = default | ||
| - | } | ||
| - | } | ||
| - | pools = strongswanippool | ||
| - | unique = never | ||
| - | version = 2 | ||
| - | proposals = default | ||
| - | </ | ||
| - | |||
| - | 2. Create main settings in Create a / | ||
| - | < | ||
| - | connections { | ||
| - | | ||
| - | include ./ | ||
| - | remote-eapmschapv2 { | ||
| - | auth = eap-mschapv2 | ||
| - | | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-eapmschapv2ios { | ||
| - | auth = eap-mschapv2 | ||
| - | | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-eaptls { | ||
| - | auth = eap-tls | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | } | ||
| - | send_certreq = no | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-eaptlsios { | ||
| - | auth = eap-tls | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | id = myVpnClients | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-pubkey { | ||
| - | auth = pubkey | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | } | ||
| - | send_certreq = no | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-pubkeyios { | ||
| - | auth = pubkey | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | id = myVpnClients | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | } | ||
| - | |||
| - | secrets { | ||
| - | rsa- { | ||
| - | filename=" | ||
| - | } | ||
| - | | ||
| - | id = remoteusername | ||
| - | secret = secretpassword | ||
| - | } | ||
| - | } | ||
| - | |||
| - | pools { | ||
| - | strongswanippool { | ||
| - | addrs = 10.0.1.0/24 | ||
| - | # dns = 8.8.8.8 | ||
| - | } | ||
| - | } | ||
| - | |||
| - | # Include config snippets | ||
| - | include conf.d/ | ||
| - | |||
| - | include / | ||
| - | </ | ||
| - | |||
| - | 3. If you are upgrading from an old router setting (installed strongswan in older OpenWrt versions and did a system upgrade keeping the settings, reinstalled strongswan-full), | ||
| - | < | ||
| - | include / | ||
| - | </ | ||
| - | and / | ||
| - | < | ||
| - | include / | ||
| - | </ | ||
| - | Also, you may want to rename/ | ||
| - | You may want to run / | ||
| - | |||
| - | 4. Check the config | ||
| - | <code bash> | ||
| - | swanctl --load-all | ||
| - | </ | ||
| - | You'll see 6 connections loaded successfully if everything goes well. Otherwise, check the prompts to see what went wrong. | ||
| ==== For BlackBerry Clients ==== | ==== For BlackBerry Clients ==== | ||
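Review bot: this hunk only removes the copy of the swanctl.conf section that the Line 165 hunk re-adds higher up, but the relocated text still opens with "you probably want this instead of ipsec" and now sits before `===== ipsec.secrets =====`, so a reader working top-down is told to use swanctl and then immediately reaches the legacy ipsec.secrets instructions; add one sentence at the top of the ipsec.secrets section stating that it applies only to the ipsec.conf/starter setup and that swanctl users keep their secrets in the `secrets { ... }` block (or a conf.d file) shown above.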
| Line 511: | Line 511: | ||
| You will need administrative rights to set up this kind of VPN connection. Only traditional desktop editions are supported. | You will need administrative rights to set up this kind of VPN connection. Only traditional desktop editions are supported. | ||
| - | In windows, import your client and CA certificates into **Local Machine** storage, not Current User. If you followed this tutorial the CA certificate is already in a bundle with the client cert into the client.p12 package, just take care of importing, again, into Local Machine and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " | + | In windows, import your client and CA certificates into **Local Machine** storage, not Current User. If you followed this tutorial the CA certificate is already in a bundle with the client cert into the client.p12 package, just take care of importing, again, into **Local Machine** and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " |
| Follow these instructions to set up the Windows VPN connection for using Machine Certificates: | Follow these instructions to set up the Windows VPN connection for using Machine Certificates: | ||
| + | |||
| + | Please note: this Machine Certificates setup uses Device certificate/ | ||
| === as EAPTLS roadwarriors === | === as EAPTLS roadwarriors === | ||
| You don't need administrative rights to set up this kind of VPN connection, but you still need to be an admin in order to import the CA cert only. Modern WinRT-based editions are also supported (including WP8+ mobile editions). | You don't need administrative rights to set up this kind of VPN connection, but you still need to be an admin in order to import the CA cert only. Modern WinRT-based editions are also supported (including WP8+ mobile editions). | ||
| - | In Windows, import your client and CA certificate into **Current User**, not Local Machine. If you followed this tutorial the CA certificate is already in a bundle with the client cert into the client.p12 package, just take care of importing, again, into Current User and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " | + | In Windows, import your client and CA certificate into **Current User**, not Local Machine. If you followed this tutorial the CA certificate is already in a bundle with the client cert into the client.p12 package, just take care of importing, again, into **Current User** and keep selecting the option to automatically choose the appropriate certificate store. At the end of the import, you should have the CA in " |
| Create a new VPN connection from the wizard, choose IKEv2 as the type, and select " | Create a new VPN connection from the wizard, choose IKEv2 as the type, and select " | ||
| - | Please note: this EAP-TLS setup uses **Current User** | + | Please note: this EAP-TLS setup uses User certificate/ |
| ==== For Android Clients ==== | ==== For Android Clients ==== | ||
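Review bot: both import paragraphs (the machine-certificate one now bolding **Local Machine**, the EAP-TLS one bolding **Current User**) tell the reader to import client.p12 and "keep selecting the option to automatically choose the appropriate certificate store", which places the bundled CA into Trusted Root Certification Authorities; for the Local Machine store that makes the tutorial's CA trusted system-wide for every user and every application (browsers, code signing, TLS), not just for this VPN connection. The text should state that this CA must be a private CA used only for the VPN, with its signing key kept off the router and the clients, and it should tell readers to restrict the IKEv2 connection's server validation to that CA and to the server name `myvpnserver.dyndns.org` rather than accepting any trusted root, since the server certificate check is the only thing protecting the EAP-MSCHAPv2 credentials from a spoofed gateway.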