Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:strongswan:roadwarrior [2023/01/19 14:14] – Fix formatting and Windows VPN's cert type notes. lukepicci
docs:guide-user:services:vpn:strongswan:roadwarrior [2023/01/19 15:23] lukepicci
Line 1: Line 1:
-====== IPsec Modern IKEv2 Road-Warrior Configuration (ipsec / swanctl)======+====== IPsec Modern IKEv2 Road-Warrior Configuration ======
 IPsec Road-Warrior Configuration: Android (app), Windows 7+ (native), iOS9+ (native) BB10 (native), PlayBook, Dtek mobile devices. IPsec Road-Warrior Configuration: Android (app), Windows 7+ (native), iOS9+ (native) BB10 (native), PlayBook, Dtek mobile devices.
  
Line 165: Line 165:
 If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the ''rightca="C=US, O=yyy, CN=xxxx"'' directive instead of ''rightcert'', where ''yyy'' and ''xxxx'' are what you choose in the next steps at Making Keys. More information on this: [[http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection|strongSwan documentation]]  If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the ''rightca="C=US, O=yyy, CN=xxxx"'' directive instead of ''rightcert'', where ''yyy'' and ''xxxx'' are what you choose in the next steps at Making Keys. More information on this: [[http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection|strongSwan documentation]] 
 With the above configuration, you will need to also install caCert.pem on your clients in addition to the client cert - see the 'Making Keys' section below. With the above configuration, you will need to also install caCert.pem on your clients in addition to the client cert - see the 'Making Keys' section below.
 +
 +===== /etc/swanctl/* for swanctl-style config =====
 +If you are running Openwrt 22.03+, you probably want this instead of ipsec. We are going to demonstrate setting up a swanctl.conf and corresponding files to a similar configuration as the above ipsec configuration. Please note: we are using "default" proposals provided by strongswan here as the test shows they work well with present clients (apps/oses' default settings).
 +
 +0. Certificates (including (.pem) key files). Make them and put them in corresponding directories according to the "making of certificate/key files" section above. If you are migrating from ipsec config, move the files in swanctl directory: /etc/ipsec.d/cacerts/* --> /etc/swanctl/x509ca/* ; /etc/ipsec.d/private/* --> /etc/swanctl/private/* ; /etc/ipsec.d/certs/* --> /etc/swanctl/x509/
 +
 +1. Create a /etc/swanctl/common.conf file as a counterpart of conn %default settings in ipsec.conf as swanctl.conf does not have such %default part but needs to use "include" to do so.
 +<code>
 +      local_addrs  = 0.0.0.0/0,::/0
 +      remote_addrs = 0.0.0.0/0,::/0
 +      local {
 +         auth = pubkey
 +         certs = serverCert_myvpnserver.dyndns.org.pem
 +         id = myvpnserver.dyndns.org
 +      }
 +      children {
 +         ikev2clients {
 +            local_ts  = 0.0.0.0/0;::/0
 +            esp_proposals = default
 +         }
 +      }
 +      pools = strongswanippool 
 +      unique = never
 +      version = 2
 +      proposals = default
 +</code>
 +
 +2. Create main settings in Create a /etc/swanctl/swanctl.conf
 +<code>
 +connections {
 +   rw-eapmschapv2 {
 +      include ./common.conf
 +      remote-eapmschapv2 {
 +         auth = eap-mschapv2
 +         eap_id = %any
 +      }
 +      send_certreq = no
 +      send_cert = always
 +   }
 +   rw-eapmschapv2ios {
 +      include ./common.conf
 +      remote-eapmschapv2ios {
 +         auth = eap-mschapv2
 +         eap_id = %any
 +      }
 +      send_certreq = no
 +      send_cert = always
 +   }
 +   rw-eaptls {
 +      include ./common.conf
 +      remote-eaptls {
 +         auth = eap-tls
 +         certs = clientCert_myvpnclient.pem
 +      }
 +      send_certreq = no
 +   }
 +   rw-eaptlsios {
 +      include ./common.conf
 +      remote-eaptlsios {
 +         auth = eap-tls
 +         certs = clientCert_myvpnclient.pem
 +         id = myVpnClients
 +      }
 +      send_certreq = no
 +      send_cert = always
 +   }
 +   rw-pubkey {
 +      include ./common.conf
 +      remote-pubkey {
 +         auth = pubkey
 +         certs = clientCert_myvpnclient.pem
 +      }
 +      send_certreq = no
 +   }
 +   rw-pubkeyios {
 +      include ./common.conf
 +      remote-pubkeyios {
 +         auth = pubkey
 +         certs = clientCert_myvpnclient.pem
 +         id = myVpnClients
 +      }
 +      send_certreq = no
 +      send_cert = always
 +   }
 +}
 +
 +secrets {
 +   rsa- {
 +      filename="serverKey_myvpnserver.dyndns.org.pem"
 +   }
 +   eap-remoteuser {
 +      id = remoteusername 
 +      secret = secretpassword
 +   }
 +}
 +
 +pools {
 +    strongswanippool {
 +        addrs = 10.0.1.0/24
 + # dns = 8.8.8.8
 +    }
 +}
 +
 +# Include config snippets
 +include conf.d/*.conf
 +
 +include /var/swanctl/swanctl.conf
 +</code>
 +
 +3. If you are upgrading from an old router setting (installed strongswan in older OpenWrt versions and did a system upgrade keeping the settings, reinstalled strongswan-full), you may want to make sure you have the newly added (as you may find in .conf-opkg files) second "include" part in /etc/swanctl/swanctl.conf 
 +<code>
 +include /var/swanctl/swanctl.conf
 +</code>
 +and /etc/strongswan.conf
 +<code>
 +include /var/ipsec/strongswan.conf
 +</code>
 +Also, you may want to rename/remove all /etc/ipsec.* files to keep strongswan from using them.
 +You may want to run /etc/init.d/ipsec disable (as well as /etc/init.d/ipsec stop)
 +
 +4. Check the config
 +<code bash>
 +swanctl --load-all
 +</code>
 +You'll see 6 connections loaded successfully if everything goes well. Otherwise, check the prompts to see what went wrong.
  
 ===== ipsec.secrets ===== ===== ipsec.secrets =====
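Review bot: the `rsa-` block in the step 2 `secrets` section (`filename="serverKey_myvpnserver.dyndns.org.pem"`) uses a key that swanctl.conf does not define; the documented option in `rsa<suffix>` / `private<suffix>` sections is `file`, and the section's purpose is to supply a `secret` (passphrase) for an encrypted key in /etc/swanctl/private. An unencrypted key in that directory is picked up by `swanctl --load-all` with no secrets entry at all, so either drop the block or write `file = serverKey_myvpnserver.dyndns.org.pem` together with a `secret` if the key is passphrase-protected. Two smaller points in the same hunk: the step 2 lead sentence reads "Create main settings in Create a /etc/swanctl/swanctl.conf" (duplicated "Create"), and `local_ts = 0.0.0.0/0;::/0` in common.conf uses a semicolon where `local_addrs` a few lines above uses the comma that swanctl.conf documents as the list separator; `swanctl --list-conns` after loading shows whether both selectors actually ended up on the child. Since `secret = secretpassword` puts the EAP password in swanctl.conf in plain text, the file should stay readable by root only.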
Line 335: Line 460:
  
 Explication: "-m policy" uses the iptables policy module, and matching on the "--pol none" means no policy. To match on traffic that came from IPSEC, it would have been "--pol ipsec". The reason this is needed is IPSEC in the kernel shows as coming from the WAN interface even after it's decrypted (rather than from, say, a special virtual IPSEC interface). Explication: "-m policy" uses the iptables policy module, and matching on the "--pol none" means no policy. To match on traffic that came from IPSEC, it would have been "--pol ipsec". The reason this is needed is IPSEC in the kernel shows as coming from the WAN interface even after it's decrypted (rather than from, say, a special virtual IPSEC interface).
- 
-===== /etc/swanctl/* for swanctl config ===== 
-If you are running Openwrt 22.03+, you probably want this instead of ipsec. We are going to demonstrate setting up a swanctl.conf and corresponding files to a similar configuration as the above ipsec configuration. Please note: we are using "default" proposals provided by strongswan here as the test shows they work well with present clients (apps/oses' default settings). 
- 
-0. Certificates (including (.pem) key files). Make them and put them in corresponding directories according to the "making of certificate/key files" section above. If you are migrating from ipsec config, move the files in swanctl directory: /etc/ipsec.d/cacerts/* --> /etc/swanctl/x509ca/* ; /etc/ipsec.d/private/* --> /etc/swanctl/private/* ; /etc/ipsec.d/certs/* --> /etc/swanctl/x509/ 
- 
-1. Create a /etc/swanctl/common.conf file as a counterpart of conn %default settings in ipsec.conf as swanctl.conf does not have such %default part but needs to use "include" to do so. 
-<code> 
-      local_addrs  = 0.0.0.0/0,::/0 
-      remote_addrs = 0.0.0.0/0,::/0 
-      local { 
-         auth = pubkey 
-         certs = serverCert_myvpnserver.dyndns.org.pem 
-         id = myvpnserver.dyndns.org 
-      } 
-      children { 
-         ikev2clients { 
-            local_ts  = 0.0.0.0/0;::/0 
-            esp_proposals = default 
-         } 
-      } 
-      pools = strongswanippool  
-      unique = never 
-      version = 2 
-      proposals = default 
-</code> 
- 
-2. Create main settings in Create a /etc/swanctl/swanctl.conf 
-<code> 
-connections { 
-   rw-eapmschapv2 { 
-      include ./common.conf 
-      remote-eapmschapv2 { 
-         auth = eap-mschapv2 
-         eap_id = %any 
-      } 
-      send_certreq = no 
-      send_cert = always 
-   } 
-   rw-eapmschapv2ios { 
-      include ./common.conf 
-      remote-eapmschapv2ios { 
-         auth = eap-mschapv2 
-         eap_id = %any 
-      } 
-      send_certreq = no 
-      send_cert = always 
-   } 
-   rw-eaptls { 
-      include ./common.conf 
-      remote-eaptls { 
-         auth = eap-tls 
-         certs = clientCert_myvpnclient.pem 
-      } 
-      send_certreq = no 
-   } 
-   rw-eaptlsios { 
-      include ./common.conf 
-      remote-eaptlsios { 
-         auth = eap-tls 
-         certs = clientCert_myvpnclient.pem 
-         id = myVpnClients 
-      } 
-      send_certreq = no 
-      send_cert = always 
-   } 
-   rw-pubkey { 
-      include ./common.conf 
-      remote-pubkey { 
-         auth = pubkey 
-         certs = clientCert_myvpnclient.pem 
-      } 
-      send_certreq = no 
-   } 
-   rw-pubkeyios { 
-      include ./common.conf 
-      remote-pubkeyios { 
-         auth = pubkey 
-         certs = clientCert_myvpnclient.pem 
-         id = myVpnClients 
-      } 
-      send_certreq = no 
-      send_cert = always 
-   } 
-} 
- 
-secrets { 
-   rsa- { 
-      filename="serverKey_myvpnserver.dyndns.org.pem" 
-   } 
-   eap-remoteuser { 
-      id = remoteusername  
-      secret = secretpassword 
-   } 
-} 
- 
-pools { 
-    strongswanippool { 
-        addrs = 10.0.1.0/24 
- # dns = 8.8.8.8 
-    } 
-} 
- 
-# Include config snippets 
-include conf.d/*.conf 
- 
-include /var/swanctl/swanctl.conf 
-</code> 
- 
-3. If you are upgrading from an old router setting (installed strongswan in older OpenWrt versions and did a system upgrade keeping the settings, reinstalled strongswan-full), you may want to make sure you have the newly added (as you may find in .conf-opkg files) second "include" part in /etc/swanctl/swanctl.conf  
-<code> 
-include /var/swanctl/swanctl.conf 
-</code> 
-and /etc/strongswan.conf 
-<code> 
-include /var/ipsec/strongswan.conf 
-</code> 
-Also, you may want to rename/remove all /etc/ipsec.* files to keep strongswan from using them. 
-You may want to run /etc/init.d/ipsec disable (as well as /etc/init.d/ipsec stop) 
- 
-4. Check the config 
-<code bash> 
-swanctl --load-all 
-</code> 
-You'll see 6 connections loaded successfully if everything goes well. Otherwise, check the prompts to see what went wrong. 
  
 ==== For BlackBerry Clients ==== ==== For BlackBerry Clients ====
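Review bot: the removed block is identical to the one the earlier hunk adds ahead of ipsec.secrets, so this is a pure relocation and no content is lost. What the move changes is reading order: the swanctl steps now sit before the firewall discussion, and the `-m policy --pol none` / `--pol ipsec` rules explained in the surviving context line apply to a swanctl setup unchanged, because the kernel presents decrypted IPsec traffic on the WAN interface regardless of which strongSwan front end installed the policies. A one-line pointer from the swanctl section to the firewall section would keep swanctl readers from stopping at `swanctl --load-all`. Minor: "Explication" in the context line would read more naturally as "Explanation".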
  • Last modified: 2024/03/29 03:47
  • by zetago