Differences

strongswan_certificates [2018/10/13 16:35] – [/etc/ipsec.d/mk_server.sh] oskarirauta
inbox:strongswan_certificates [2019/07/14 16:22] – Link changed from external to internal (internal ones are automatically adjusted when pages are moved, external ones are not) tmomas
Line 1: Line 1:
 ====== IPSec Strongswan IKEv2 using authentication by certificates ====== ====== IPSec Strongswan IKEv2 using authentication by certificates ======
  
-Wiki entry for setting up IPSec iPhone/iPad Configuration is a bit outdated, so I created a new example which provides compatibility with most systems supporting IKEv2. Referencing this [[https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/howto|wiki entry]].+Wiki entry for setting up IPSec iPhone/iPad Configuration is a bit outdated, so I created a new example which provides compatibility with most systems supporting IKEv2. Referencing this [[docs:guide-user:services:vpn:ipsec:strongswan:howto|wiki entry]].
  
 [[https://gist.github.com/karlvr/34f46e1723a2118bb16190c22dbed1cc|This Gist]] was helpful when I built this. [[https://gist.github.com/karlvr/34f46e1723a2118bb16190c22dbed1cc|This Gist]] was helpful when I built this.
  
-====== Read me first ======+===== Read me first =====
  
 This is a tested example which should allow anyone to easily setup a secure and working VPN server. This is a tested example which should allow anyone to easily setup a secure and working VPN server.
  
-In these examples lan is 192.168.0.0/16 and router's IP address is 192.168.1.1.+In these examples lan is 192.168.0.0/16 and router's IP address is 192.168.0.1.
  
 /etc/config/network: /etc/config/network:
Line 39: Line 39:
 Otherwise, you just could copy & paste ;) Otherwise, you just could copy & paste ;)
 Connectivity has been tested on Mac OS X and iPhone, and there should not be any problems with Android and Windows either. Connectivity has been tested on Mac OS X and iPhone, and there should not be any problems with Android and Windows either.
-====== Connectivity issue with dynamic IP address ======+ 
 +===== Connectivity issue with dynamic IP address =====
  
 In case that you have a dynamic IP, you might face some connectivity issues after IP address has changed/updated. A workaround to this is to create a script which updates IP address to your name server, and after successful update, it restarts firewall and ipsec. In case that you have a dynamic IP, you might face some connectivity issues after IP address has changed/updated. A workaround to this is to create a script which updates IP address to your name server, and after successful update, it restarts firewall and ipsec.
  
-====== Packages ======+===== Packages =====
  
 Install necessary packages. Install necessary packages.
  
  opkg update  opkg update
- opkg install strongswan-default strongswan-pki ipset strongswan-mod-openssl strongswan-mod-curl strongswan-mod-dhcp strongswan-mod-eap-tls strongswan-mod-eap-identity strongswan-mod-kernel-libipsec kmod-tun openssl-util strongswan-mod-test-vectors strongswan-mod-farp + opkg install curl strongswan-default strongswan-pki ipset strongswan-mod-openssl strongswan-mod-curl strongswan-mod-dhcp strongswan-mod-eap-tls strongswan-mod-eap-identity strongswan-mod-kernel-libipsec kmod-tun openssl-util strongswan-mod-test-vectors strongswan-mod-farp 
-====== /etc/config/network ======+ 
 +Also, for dynamic DHCP to work, you need to use full version of dnsmasq. 
 + /etc/init.d/dnsmasq stop 
 + opkg remove dnsmasq 
 + opkg install dnsmasq-full 
 + /etc/init.d/dnsmasq start 
 + 
 + 
 +===== /etc/config/network =====
  
 Define ipsec interface Define ipsec interface
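Review bot: the added dnsmasq replacement sequence (`/etc/init.d/dnsmasq stop`, `opkg remove dnsmasq`, `opkg install dnsmasq-full`) can fail at the install step, because on a stock OpenWrt router the local resolver is dnsmasq itself, so once it is removed opkg may no longer be able to resolve the package mirror. Safer ordering: fetch the package first (`opkg download dnsmasq-full` in /tmp), then remove the stock package and install from the downloaded .ipk; a sentence noting that LAN clients lose DHCP and DNS for the duration would also help. Separately, `curl` is added to the install line with no explanation; if it is meant for the dynamic-IP update script mentioned in the section above, say so next to the package list.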
Line 59: Line 68:
  option peerdns '0'  option peerdns '0'
  option ipv6 '0'  option ipv6 '0'
-====== /etc/firewall.user ======+ 
 +===== /etc/firewall.user =====
  
 Append policy rules. Append policy rules.
Line 67: Line 77:
  iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT  iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
  iptables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT  iptables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-====== /etc/config/firewall ======+ 
 +===== /etc/config/firewall =====
  
 Create vpn zone Create vpn zone
Line 139: Line 150:
  option family 'ipv4'  option family 'ipv4'
  option target 'ACCEPT'  option target 'ACCEPT'
-====== /etc/init.d/ipsec ======+ 
 +===== /etc/init.d/ipsec =====
  
 Replace init script contents with following simple script (provided script uses /etc/config/ipsec for configuration, this setup uses ipsec/strongswan files). Replace init script contents with following simple script (provided script uses /etc/config/ipsec for configuration, this setup uses ipsec/strongswan files).
Line 181: Line 193:
  procd_close_instance  procd_close_instance
  }  }
-====== /etc/ipsec.secrets ======+ 
 +===== /etc/ipsec.secrets =====
  
         # /etc/ipsec.secrets - strongSwan IPsec secrets file         # /etc/ipsec.secrets - strongSwan IPsec secrets file
         : RSA host-vpn.der         : RSA host-vpn.der
  
-====== /etc/ipsec.conf ======+===== /etc/ipsec.conf =====
  
  # ipsec.conf - strongSwan IPsec configuration file  # ipsec.conf - strongSwan IPsec configuration file
Line 219: Line 232:
  forceencaps = yes  forceencaps = yes
  auto = add  auto = add
-====== /etc/strongswan.conf ======+ 
 +===== /etc/strongswan.conf =====
  
  # strongswan.conf - strongSwan configuration file  # strongswan.conf - strongSwan configuration file
Line 234: Line 248:
  dhcp {  dhcp {
  force_server_address = yes  force_server_address = yes
 +                          #use_server_port = yes
 +                          # uncomment the line above if log shows that DHCP 
 +                          # offer can't be accepted  
  identity_lease = yes  identity_lease = yes
  server = 192.168.255.255  server = 192.168.255.255
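Review bot: the added comment for `#use_server_port = yes` says when to try the option but not what it changes, and both comment lines carry trailing whitespace. Suggest a single comment that names the effect (charon sends its DHCP requests from the server port 67 instead of the client port 68) followed by the existing hint about the offer not being accepted, and indenting the three new lines to match the neighbouring `force_server_address` and `identity_lease` keys rather than the deeper indent they have now.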
Line 255: Line 272:
   
  include strongswan.d/*.conf  include strongswan.d/*.conf
-====== Tools for certificates ======+ 
 +===== Tools for certificates =====
  
 Following scripts are provided for certificate operations: Following scripts are provided for certificate operations:
Line 264: Line 282:
 After generating server certificates, you should disable mk_server.sh script, because if you re-create certificates, you client certificates no longer match. **Also** changes to these scripts allow changing certificate's validity time. After generating server certificates, you should disable mk_server.sh script, because if you re-create certificates, you client certificates no longer match. **Also** changes to these scripts allow changing certificate's validity time.
  
-====== /etc/ipsec.d/clean.sh ======+===== /etc/ipsec.d/clean.sh =====
  
  #!/bin/sh  #!/bin/sh
  rm /etc/ipsec.d/*/*.* 2> /dev/null  rm /etc/ipsec.d/*/*.* 2> /dev/null
-====== /etc/ipsec.d/mk_server.sh ======+ 
 +===== /etc/ipsec.d/mk_server.sh =====
  
  #!/bin/sh  #!/bin/sh
Line 279: Line 298:
  COUNTRY="FI"  COUNTRY="FI"
  ORG="VpnTest"  ORG="VpnTest"
 +  #Change above to your org and country code
   
  VALIDDAYS="3650"  VALIDDAYS="3650"
Line 296: Line 316:
  ipsec pki --pub --in private/host-vpn.der --type rsa | ipsec pki --issue --lifetime $LIFETIME --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY, O=$ORG, CN=$SRVNAME" --san=$SRVNAME --san $IPADDR --san @$IPADDR --flag serverAuth --flag ikeIntermediate --outform der > certs/host-vpn.der  ipsec pki --pub --in private/host-vpn.der --type rsa | ipsec pki --issue --lifetime $LIFETIME --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY, O=$ORG, CN=$SRVNAME" --san=$SRVNAME --san $IPADDR --san @$IPADDR --flag serverAuth --flag ikeIntermediate --outform der > certs/host-vpn.der
  ipsec pki --print --in certs/host-vpn.der  ipsec pki --print --in certs/host-vpn.der
-====== /etc/ipsec.d/mk_user.sh ======+ 
 +===== /etc/ipsec.d/mk_user.sh =====
  
  #!/bin/sh  #!/bin/sh
Line 302: Line 323:
  COUNTRY="FI"  COUNTRY="FI"
  ORG="VpnTest"  ORG="VpnTest"
 +
  LIFETIME="730"  LIFETIME="730"
   
Line 330: Line 352:
  openssl x509 -inform DER -in certs/$USERID.der -out certs/$USERID.pem -outform PEM  openssl x509 -inform DER -in certs/$USERID.der -out certs/$USERID.pem -outform PEM
  openssl pkcs12 -export -inkey private/$USERID.pem -in certs/$USERID.pem -name "$NAME's VPN Certificate" -certfile cacerts/strongswan.pem -caname "$ORG Root CA" -out p12/$USERID.p12  openssl pkcs12 -export -inkey private/$USERID.pem -in certs/$USERID.pem -name "$NAME's VPN Certificate" -certfile cacerts/strongswan.pem -caname "$ORG Root CA" -out p12/$USERID.p12
-====== Client configuration ======+ 
 +===== Client configuration =====
  
 Create client certificate with client.sh ( or manually if you want to.. ). Needed certificates: Create client certificate with client.sh ( or manually if you want to.. ). Needed certificates:
Line 336: Line 359:
  - p12/USERID.p12  - p12/USERID.p12
  
-Where USERID is what you entered when using **mk-client.sh**+Send both certificates to your device. If you have a Mac, the easiest way to send them is through AirDrop. Send **strongswan.pem** first, install it Settings / General / Profiles. Then send the USERID.p12 and install it in the same way.   
 + 
 +Where SRVNAME is what was used on **mk-server.sh**, "vpntest.lan" if you didn't change the script, and USERID is what you entered when running **mk-client.sh**
  
 Copy these certificates to client device somehow (mail them, scp them, etc..) and install them (as trusted). Copy these certificates to client device somehow (mail them, scp them, etc..) and install them (as trusted).
Line 342: Line 367:
  
  VPN Type: IKEv2  VPN Type: IKEv2
- Server Address: server ip/domain + Server Address: server ip address or url 
- Remote ID: server domain+ Remote ID: SRVNAME
  Local ID: USERID  Local ID: USERID
   
  • Last modified: 2020/10/05 21:16
  • by tmomas