Let me share with everyone the step-by-step guide (recipe) that I used to configure strongSwan (IPsec, IKEv2) on my Turris router.
Version History
- 20180409 Revised: Added additional bookmarks (configuring for iOS)
- 20160325 Revised: Added section on opkg packages to install
- 20160226 Revised: (1) Added list of blog posts/references related to ipsec/openwrt that were consulted, (2) added mobike=yes to ipsec.conf
- 20170225 Initial blog post
Notes:
- My Turris is set to create a LAN with an IP address of 192.168.3.1 (which is different from the 192.168.1.1 default). Adjust the IP addresses below accordingly.
- I have confirmed a working install on both MacOS Sierra (10.12.3) and iOS (10.2.1)
- Make sure to import the CA certificate on iOS
Install the required packages
opkg update
opkg install strongswan-full strongswan-default strongswan-mod-kernel-libipsec iptables-mod-filter iptables-mod-nat-extra
Generate the Certificate Authority (CA)
cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 4096 --outform pem \
> private/strongswan-key.pem
chmod 600 private/strongswan-key.pem
ipsec pki --self --ca \
--lifetime 3650 \
--in private/strongswan-key.pem \
--type rsa \
--dn "C=CA, ST=Ontario, L=Toronto, O=Privaterra, CN=Turris Root CA" \
--outform pem \
> cacerts/strongswan-certificate.pem
To verify the certificate
ipsec pki --print --in cacerts/strongswan-certificate.pem
To generate the VPN Host Certificate
cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 4096 --outform pem \
> private/vpn-host-key.pem
chmod 600 private/vpn-host-key.pem
ipsec pki --pub --in private/vpn-host-key.pem --type rsa | \
ipsec pki --issue --lifetime 1825 \
--cacert cacerts/strongswan-certificate.pem \
--cakey private/strongswan-key.pem \
--dn "C=CA, ST=Ontario, L=Toronto, O=Privaterra, CN=vpn.privaterra.info" \
--san "vpn.privaterra.info" \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/vpn-host-certificate.pem
To verify the host certificate
ipsec pki --print --in certs/vpn-host-certificate.pem
To generate the Client Certificate
cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 2048 --outform pem \
> private/rguerra-key.pem
chmod 600 private/rguerra-key.pem
ipsec pki --pub --in private/rguerra-key.pem --type rsa | \
ipsec pki --issue --lifetime 1825 \
--cacert cacerts/strongswan-certificate.pem \
--cakey private/strongswan-key.pem \
--dn "C=CA, ST=Ontario, L=Toronto, O=Privaterra, CN=rguerra@privaterra.org" \
--san "rguerra@privaterra.org" \
--outform pem > certs/rguerra-certificate.pem
To verify the client certificate:
ipsec pki --print --in certs/rguerra-certificate.pem
To export the Client Certificate
cd /etc/ipsec.d/
openssl pkcs12 -export -inkey private/rguerra-key.pem \
-in certs/rguerra-certificate.pem \
-name "Robert's VPN Certificate" \
-certfile cacerts/strongswan-certificate.pem \
-caname "Turris Root CA" \
-out certs/rguerra.p12
Command to import the client key and certificate into the OS X user login keychain
security import rguerra.p12 -P <export password> -k ~/Library/Keychains/login.keychain
On iOS, import the CA certificate as well. As of iOS 9.2.1, a reboot is apparently necessary for the certificate import to take effect.
Copy the certificates in place
cp /etc/ipsec.d/cacerts/strongswan-certificate.pem ~/.
cp /etc/ipsec.d/certs/rguerra.p12 ~/.
Certificate Summary
/etc/ipsec.d/private/strongswan-key.pem # CA private key
/etc/ipsec.d/cacerts/strongswan-certificate.pem # CA certificate
/etc/ipsec.d/private/vpn-host-key.pem # VPN host private key
/etc/ipsec.d/certs/vpn-host-certificate.pem # VPN host certificate
/etc/ipsec.d/private/rguerra-key.pem # Client "Robert" private key
/etc/ipsec.d/certs/rguerra-certificate.pem # Client "Robert" certificate
Strongswan configuration
strongswan.conf - strongSwan configuration file
nano /etc/strongswan.conf
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    dns1 = 192.168.3.1
    load_modular = yes
    threads = 16
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            force_server_address = yes
            server = 192.168.3.1
            identity_lease = yes
        }
    }
}
ipsec.conf configuration
nano /etc/ipsec.conf
config setup
    # charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy=no
    uniqueids=no

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s
    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    mobike=yes
    # Left
    left=%any
    leftcert=vpn-host-certificate.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    lefthostaccess=yes
    leftfirewall=yes
    # Right
    right=%any
    eap_identity=%identity
    rightsourceip=%dhcp
    rightdns=192.168.3.1
    # type=tunnel
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

conn IPSec-IKEv2-EAP
    leftid=vpn.privaterra.info
    rightauth=eap-mschapv2
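The ike= and esp= lists above keep modp1024, modp1536 and SHA-1 proposals for client compatibility, and several ESP proposals carry no DH group at all, so CHILD_SA rekeys for those would have no forward secrecy. The following script is an added example (not part of the original post) that parses strongSwan proposal strings and reports such entries; the sample strings are constructed, trimmed versions of the lists above, and the issue codes are my own naming.

```python
import re

# Constructed samples: trimmed versions of the ike= and esp= lines in the ipsec.conf above.
IKE_SAMPLE = "aes128-sha256-ecp256,aes256-sha384-modp4096,aes128-sha1-modp1024!"
ESP_SAMPLE = "aes128gcm16-ecp256,aes128-sha1-modp1024,aes128gcm16,aes256-sha1!"

WEAK_DH = {"modp768", "modp1024", "modp1536"}   # DH groups below 2048 bits
WEAK_INTEGRITY = {"md5", "sha1"}                # legacy HMAC integrity algorithms
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448|x25519|x448)")
INTEGRITY_RE = re.compile(r"^(md5|sha\d+)")     # prf* tokens deliberately do not match


def parse_proposals(spec):
    """Split 'a-b-c,d-e!' into (strict, [['a','b','c'], ['d','e']]).

    A trailing '!' tells strongSwan to accept only the listed proposals.
    """
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    return strict, [p.split("-") for p in spec.split(",") if p]


def audit(spec, esp=False):
    """Return (proposal, issue) pairs for weak or no-PFS entries in a proposal string."""
    strict, proposals = parse_proposals(spec)
    findings = []
    if not strict:
        findings.append(("*", "not-strict"))     # strongSwan's defaults are also accepted
    for tokens in proposals:
        name = "-".join(tokens)
        groups = {t for t in tokens if DH_RE.match(t)}
        integrity = {t for t in tokens if INTEGRITY_RE.match(t)}
        if groups & WEAK_DH:
            findings.append((name, "weak-dh"))
        if integrity & WEAK_INTEGRITY:
            findings.append((name, "weak-integrity"))
        if esp and not groups:
            findings.append((name, "no-pfs"))    # CHILD_SA rekeys without a DH exchange
    return findings


if __name__ == "__main__":
    for label, spec, is_esp in (("ike", IKE_SAMPLE, False), ("esp", ESP_SAMPLE, True)):
        for proposal, issue in audit(spec, is_esp):
            print(f"{label}: {proposal}: {issue}")
```

Run it against the full lines from your own ipsec.conf to see exactly which proposals you are keeping only for older clients.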
Configure Secrets file
nano /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
vpn.privaterra.info : RSA vpn-host-key.pem
username : EAP "secret key phrase"
Add additional usernames & related secrets as needed.
To reload the secrets file
ipsec rereadsecrets
IPsec IKE Testing
Now stop the IPsec IKE daemon and restart it in the foreground, so that its log messages appear immediately on the SSH console:
ipsec stop
ipsec start --nofork
After testing is done, interrupt the "ipsec start --nofork" command by pressing Ctrl-C and start ipsec again by typing the following command:
ipsec start
Detailed information about configured and established connections is shown by the ipsec status and ipsec statusall commands:
ipsec status
ipsec statusall
Add the following to /etc/config/network
config interface 'ipsec'
    option proto 'none'
    option ifname 'ipsec0'
    option auto '1'
Add the following to /etc/config/firewall
config zone
    option forward 'REJECT'
    option name 'vpn'
    option output 'ACCEPT'
    option network 'ipsec'
    option input 'ACCEPT'

config rule
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '4500'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'ah'

config forwarding
    option dest 'lan'
    option src 'vpn'

config forwarding
    option dest 'wan'
    option src 'vpn'

config forwarding
    option dest 'vpn'
    option src 'lan'
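The firewall stanzas above must admit IKE (udp/500), NAT-T (udp/4500) and ESP from the WAN zone, or road-warrior clients cannot negotiate or pass traffic. As an added example (not code from the post), this script parses UCI firewall text and reports which of those ACCEPT rules is missing; the embedded stanzas are a constructed copy of the rule sections above.

```python
import shlex

# Constructed sample: the three WAN rule stanzas from the /etc/config/firewall section above.
FIREWALL_SAMPLE = """\
config rule
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'
config rule
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '4500'
"""

# An IKEv2 responder behind the WAN zone needs IKE (udp/500), NAT-T (udp/4500) and ESP.
REQUIRED_WAN_RULES = (("udp", "500"), ("udp", "4500"), ("esp", None))


def parse_uci(text):
    """Minimal parser for UCI 'config <type> [name]' / 'option <key> <value>' lines."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) > 1:
            sections.append({"type": parts[1], "options": {}})
        elif parts[0] == "option" and len(parts) > 2 and sections:
            sections[-1]["options"][parts[1]] = parts[2]
    return sections


def missing_wan_rules(sections):
    """Return the (proto, dest_port) pairs that no ACCEPT rule from 'wan' covers."""
    rules = [s["options"] for s in sections if s["type"] == "rule"]
    missing = []
    for proto, port in REQUIRED_WAN_RULES:
        matched = any(r.get("src") == "wan" and r.get("proto") == proto
                      and r.get("target") == "ACCEPT"
                      and (port is None or r.get("dest_port") == port)
                      for r in rules)
        if not matched:
            missing.append((proto, port))
    return missing
```

Feed it the real file with open("/etc/config/firewall").read() on the router; an empty list means all three rules are present.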
Activating the changes
After the network and firewall settings have been saved, reload both:
/etc/init.d/network reload
/etc/init.d/firewall reload
macOS Configuration
- System configuration (control panel)
- Network
- Create a new service
- Interface type: VPN
- VPN type: IKEv2
- Service Name: Turris VPN
Turris VPN Settings
- Server address: vpn.privaterra.info
- Remote ID: vpn.privaterra.info
- Authentication settings: select Username, and enter the username/password combination specified in the /etc/ipsec.secrets file
- Apply settings
- Connect to test
References & sources of information consulted for this blog post
- OpenWrt: IPSec Road Warrior Configuration: Android, Windows 7, BB10, PlayBook Clients
- How to do VPN on Demand for iOS at zero cost despite Apple's best efforts to prevent this
- How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04
- pfSense IKEv2 for iOS/macOS - Part 1 (Certificate Configuration), Part 2 (VPN Configuration), Part 3 (Mobile Profile), Part 4 (On Demand VPN)