Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:strongswan:roadwarrior [2023/01/19 14:14] – Fix formatting and Windows VPN's cert type notes. lukepicci | docs:guide-user:services:vpn:strongswan:roadwarrior [2023/01/19 15:23] – lukepicci | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== IPsec Modern IKEv2 Road-Warrior Configuration | + | ====== IPsec Modern IKEv2 Road-Warrior Configuration ====== |
| IPsec Road-Warrior Configuration: | IPsec Road-Warrior Configuration: | ||
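Review bot: the Line 1 change only adds the closing `======` to the page title, which matches the DokuWiki heading syntax already used in the unchanged context (`===== ipsec.secrets =====`), so it is correct as is; what is missing is an edit summary, since the revision header reads `[2023/01/19 15:23] – lukepicci` with no description, and because the remainder of this diff relocates a whole section, a summary along the lines of "move swanctl section before ipsec.secrets" would make the page history far easier to audit.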
| Line 165: | Line 165: | ||
| If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the '' | If you want to issue personal certificates to your clients then you should verify the signing CA's identity instead of the client certificates themselves. To achieve this, use the '' | ||
| With the above configuration, | With the above configuration, | ||
| + | |||
| + | ===== / | ||
| + | If you are running Openwrt 22.03+, you probably want this instead of ipsec. We are going to demonstrate setting up a swanctl.conf and corresponding files to a similar configuration as the above ipsec configuration. Please note: we are using " | ||
| + | |||
| + | 0. Certificates (including (.pem) key files). Make them and put them in corresponding directories according to the " | ||
| + | |||
| + | 1. Create a / | ||
| + | < | ||
| + | local_addrs | ||
| + | remote_addrs = 0.0.0.0/ | ||
| + | local { | ||
| + | auth = pubkey | ||
| + | certs = serverCert_myvpnserver.dyndns.org.pem | ||
| + | id = myvpnserver.dyndns.org | ||
| + | } | ||
| + | children { | ||
| + | | ||
| + | local_ts | ||
| + | esp_proposals = default | ||
| + | } | ||
| + | } | ||
| + | pools = strongswanippool | ||
| + | unique = never | ||
| + | version = 2 | ||
| + | proposals = default | ||
| + | </ | ||
| + | |||
| + | 2. Create main settings in Create a / | ||
| + | < | ||
| + | connections { | ||
| + | | ||
| + | include ./ | ||
| + | remote-eapmschapv2 { | ||
| + | auth = eap-mschapv2 | ||
| + | | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eapmschapv2ios { | ||
| + | auth = eap-mschapv2 | ||
| + | | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eaptls { | ||
| + | auth = eap-tls | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | } | ||
| + | send_certreq = no | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-eaptlsios { | ||
| + | auth = eap-tls | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | id = myVpnClients | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-pubkey { | ||
| + | auth = pubkey | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | } | ||
| + | send_certreq = no | ||
| + | } | ||
| + | | ||
| + | include ./ | ||
| + | remote-pubkeyios { | ||
| + | auth = pubkey | ||
| + | certs = clientCert_myvpnclient.pem | ||
| + | id = myVpnClients | ||
| + | } | ||
| + | send_certreq = no | ||
| + | send_cert = always | ||
| + | } | ||
| + | } | ||
| + | |||
| + | secrets { | ||
| + | rsa- { | ||
| + | filename=" | ||
| + | } | ||
| + | | ||
| + | id = remoteusername | ||
| + | secret = secretpassword | ||
| + | } | ||
| + | } | ||
| + | |||
| + | pools { | ||
| + | strongswanippool { | ||
| + | addrs = 10.0.1.0/24 | ||
| + | # dns = 8.8.8.8 | ||
| + | } | ||
| + | } | ||
| + | |||
| + | # Include config snippets | ||
| + | include conf.d/ | ||
| + | |||
| + | include / | ||
| + | </ | ||
| + | |||
| + | 3. If you are upgrading from an old router setting (installed strongswan in older OpenWrt versions and did a system upgrade keeping the settings, reinstalled strongswan-full), | ||
| + | < | ||
| + | include / | ||
| + | </ | ||
| + | and / | ||
| + | < | ||
| + | include / | ||
| + | </ | ||
| + | Also, you may want to rename/ | ||
| + | You may want to run / | ||
| + | |||
| + | 4. Check the config | ||
| + | <code bash> | ||
| + | swanctl --load-all | ||
| + | </ | ||
| + | You'll see 6 connections loaded successfully if everything goes well. Otherwise, check the prompts to see what went wrong. | ||
| ===== ipsec.secrets ===== | ===== ipsec.secrets ===== | ||
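Review bot: the four certificate-authenticated connections in the inserted swanctl.conf (remote-eaptls, remote-eaptlsios, remote-pubkey, remote-pubkeyios) each pin one client certificate with `certs = clientCert_myvpnclient.pem`, while the unchanged paragraph at Line 165 just above advises verifying the signing CA rather than individual client certificates whenever personal certificates are issued; either state that a single shared client certificate is intended in this example or switch those remote blocks to `cacerts =` pointing at the CA so the swanctl walkthrough gives the same advice as the ipsec.conf one. In the same hunk, `unique = never` allows several concurrent sessions under one identity, and the iOS blocks already share `id = myVpnClients`, so a sentence explaining why `never` was chosen over `replace` would help readers pick deliberately; `secret = secretpassword` and `id = remoteusername` should be marked as placeholders to replace, and the commented `# dns = 8.8.8.8` means the pool pushes no DNS server to clients, which deserves a note. Two typos in the step text: "0. Certificates (including (.pem) key files)" has unbalanced parentheses, and "2. Create main settings in Create a /" repeats "Create".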
| Line 335: | Line 460: | ||
| Explication: | Explication: | ||
| - | |||
| - | ===== / | ||
| - | If you are running Openwrt 22.03+, you probably want this instead of ipsec. We are going to demonstrate setting up a swanctl.conf and corresponding files to a similar configuration as the above ipsec configuration. Please note: we are using " | ||
| - | |||
| - | 0. Certificates (including (.pem) key files). Make them and put them in corresponding directories according to the " | ||
| - | |||
| - | 1. Create a / | ||
| - | < | ||
| - | local_addrs | ||
| - | remote_addrs = 0.0.0.0/ | ||
| - | local { | ||
| - | auth = pubkey | ||
| - | certs = serverCert_myvpnserver.dyndns.org.pem | ||
| - | id = myvpnserver.dyndns.org | ||
| - | } | ||
| - | children { | ||
| - | | ||
| - | local_ts | ||
| - | esp_proposals = default | ||
| - | } | ||
| - | } | ||
| - | pools = strongswanippool | ||
| - | unique = never | ||
| - | version = 2 | ||
| - | proposals = default | ||
| - | </ | ||
| - | |||
| - | 2. Create main settings in Create a / | ||
| - | < | ||
| - | connections { | ||
| - | | ||
| - | include ./ | ||
| - | remote-eapmschapv2 { | ||
| - | auth = eap-mschapv2 | ||
| - | | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-eapmschapv2ios { | ||
| - | auth = eap-mschapv2 | ||
| - | | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-eaptls { | ||
| - | auth = eap-tls | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | } | ||
| - | send_certreq = no | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-eaptlsios { | ||
| - | auth = eap-tls | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | id = myVpnClients | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-pubkey { | ||
| - | auth = pubkey | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | } | ||
| - | send_certreq = no | ||
| - | } | ||
| - | | ||
| - | include ./ | ||
| - | remote-pubkeyios { | ||
| - | auth = pubkey | ||
| - | certs = clientCert_myvpnclient.pem | ||
| - | id = myVpnClients | ||
| - | } | ||
| - | send_certreq = no | ||
| - | send_cert = always | ||
| - | } | ||
| - | } | ||
| - | |||
| - | secrets { | ||
| - | rsa- { | ||
| - | filename=" | ||
| - | } | ||
| - | | ||
| - | id = remoteusername | ||
| - | secret = secretpassword | ||
| - | } | ||
| - | } | ||
| - | |||
| - | pools { | ||
| - | strongswanippool { | ||
| - | addrs = 10.0.1.0/24 | ||
| - | # dns = 8.8.8.8 | ||
| - | } | ||
| - | } | ||
| - | |||
| - | # Include config snippets | ||
| - | include conf.d/ | ||
| - | |||
| - | include / | ||
| - | </ | ||
| - | |||
| - | 3. If you are upgrading from an old router setting (installed strongswan in older OpenWrt versions and did a system upgrade keeping the settings, reinstalled strongswan-full), | ||
| - | < | ||
| - | include / | ||
| - | </ | ||
| - | and / | ||
| - | < | ||
| - | include / | ||
| - | </ | ||
| - | Also, you may want to rename/ | ||
| - | You may want to run / | ||
| - | |||
| - | 4. Check the config | ||
| - | <code bash> | ||
| - | swanctl --load-all | ||
| - | </ | ||
| - | You'll see 6 connections loaded successfully if everything goes well. Otherwise, check the prompts to see what went wrong. | ||
| ==== For BlackBerry Clients ==== | ==== For BlackBerry Clients ==== | ||
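Review bot: the section removed here is line-for-line identical to the block inserted at Line 165, so nothing is lost in the move, but the relocated text still opens with "a similar configuration as the above ipsec configuration" and its `secrets { ... }` block mirrors ipsec.secrets, which after this change sits below the swanctl section rather than above it; either adjust that sentence so the reference to the ipsec.secrets material points forward, or place the swanctl section after `===== ipsec.secrets =====` so the existing wording stays accurate.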