
An overview of the StrongSwan IPsec daemon

Introduction



There are many articles on Habr about setting up IPsec on various devices, but relatively few about Linux, and StrongSwan is covered only superficially, in a single article.

In my review I will address the following questions:





The IPsec protocol itself and the particulars of the IKEv2 implementation are well documented on the Internet and will not be discussed here. Everything concerning the daemon itself can be found on strongswan.org. I used StrongSwan version 4.6.4; for the configuration considered here there are no differences from later versions, including the 5.x branch, except that 5.x no longer ships the pluto daemon, so the charonstart/plutostart lines in config setup are simply left out there.

The operating system on the test bench was Debian 6.0 (kernel 2.6.32-5-686).

Overview of the StrongSwan Daemon





StrongSwan is an IPsec daemon that supports IKEv1 and IKEv2 and is under active development. It can be installed either from source or from the distribution repository; building from source is described on the StrongSwan website.

Installation from the repository is straightforward:

    apt-get install strongswan


The default configuration files live in /etc/ and have the following names:



In addition, the installer creates /etc/ipsec.d, the directory in which the pluto and charon daemons look for certificates and CRL files; it contains the following subdirectories:



The /etc/ipsec.secrets file can hold any number of secrets (keys or passwords) of the following types:



Accordingly, all types of authentication are supported.

The main subcommands of the ipsec utility, which manages StrongSwan connections, are:



Logs are stored in /var/log/auth.log and /var/log/daemon.log.



Configuring a Remote Access VPN with certificate authentication



Certificate Generation


Certificate generation is the most important and the most difficult part: whether the IPsec tunnel comes up at all depends on getting it right.

The certificates were generated with OpenSSL.

First, point OpenSSL's CA section at the strongSwan directories. On Debian the file is /usr/lib/ssl/openssl.cnf; the three lines below go into its [ CA_default ] section:

    nano -w /usr/lib/ssl/openssl.cnf

    [ CA_default ]
    dir         = /etc/ipsec.d                        # where everything is kept
    certificate = $dir/cacerts/strongswanCert.pem     # the CA certificate
    private_key = $dir/private/strongswanKey.pem      # the CA private key


Create the directory for newly issued certificates, an empty index and a serial file for OpenSSL (the stock openssl.cnf already has new_certs_dir = $dir/newcerts, database = $dir/index.txt and serial = $dir/serial, so with dir pointed at /etc/ipsec.d these land in the right place):

    cd /etc/ipsec.d
    mkdir newcerts
    touch index.txt
    echo "00" > serial


Generate the CA key and a self-signed CA certificate (2048-bit RSA, valid ten years):

    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/strongswanKey.pem -out cacerts/strongswanCert.pem
    openssl pkcs12 -export -inkey private/strongswanKey.pem -in cacerts/strongswanCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out CAcert.p12    # PKCS#12 bundle for import on Windows 7

Note that the CA certificate is written to cacerts/, not certs/, so the pkcs12 command has to read it from there. A second caveat: a Windows client only needs the CA certificate in its Trusted Root store to validate the gateway, but the bundle above also carries the CA private key, the key that signs every certificate in this PKI. Export it with -nokeys (or simply hand out strongswanCert.pem) and keep the CA key on the CA host only.


Generate the server (gateway) key and certificate:

    openssl req -newkey rsa:1024 -keyout private/serverkey.pem -out reqs/serverreq.pem
    openssl ca -in reqs/serverreq.pem -days 730 -out certs/servercert.pem -notext

Before signing the server certificate, set subjectAltName = IP:<external_IP> in openssl.cnf, in the extension section that openssl ca applies (the one named by x509_extensions in [ CA_default ], usr_cert in the stock file). The Windows 7 IKEv2 client compares this name with the address it dials, and it also requires the Server Authentication (serverAuth) extended key usage on the gateway certificate, so put extendedKeyUsage = serverAuth in the same section. A 1024-bit key was used here; use rsa:2048 today.

Generate the client key and certificate, then bundle them together with the CA certificate into a PKCS#12 file for the client:

    openssl req -newkey rsa:1024 -keyout private/hostKey.pem -out reqs/hostReq.pem
    openssl ca -in reqs/hostReq.pem -days 730 -out certs/hostCert.pem -notext
    openssl pkcs12 -export -inkey private/hostKey.pem -in certs/hostCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out host.p12    # client key and certificate together with the CA certificate
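The whole certificate procedure above, as an added example that is not part of the original article: a POSIX shell script that reproduces it end to end without interactive prompts, using its own minimal openssl.cnf instead of editing /usr/lib/ssl/openssl.cnf, 2048-bit keys throughout, a subjectAltName and serverAuth EKU on the gateway certificate (what a Windows 7 IKEv2 client checks), a client PKCS#12 that carries only the client's own key, and three checks worth running before touching ipsec.conf: the chain verifies against the CA, the key in private/ matches the certificate used as leftcert, and the gateway certificate carries the expected extensions. PKI_DIR (a stand-in for /etc/ipsec.d), GW_IP = 192.0.2.1 (a stand-in for <external_IP>), the file names gatewayKey.pem/gatewayCert.pem/client1Key.pem, the subject names and the export password changeit are assumptions for this example, not values from the article.

```shell
#!/bin/sh
# Added example, not code from the original article: build the same PKI the
# article walks through, but non-interactively and with a self-contained
# openssl.cnf, and give the gateway certificate what a Windows 7 IKEv2 client
# checks: subjectAltName = gateway IP plus the serverAuth EKU. PKI_DIR, GW_IP,
# the subject names and the export password are assumptions, not from the article.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # stand-in for /etc/ipsec.d
GW_IP="${GW_IP:-192.0.2.1}"          # stand-in for <external_IP>

write_config() {   # minimal CA config; \$dir stays literal inside the heredoc
  cat > "$PKI_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $PKI_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacerts/strongswanCert.pem
private_key = \$dir/private/strongswanKey.pem
default_md = sha256
default_days = 730
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_gateway ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = IP:$GW_IP
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

init_dirs() {
  mkdir -p "$PKI_DIR/cacerts" "$PKI_DIR/certs" "$PKI_DIR/private" "$PKI_DIR/reqs" "$PKI_DIR/newcerts"
  chmod 700 "$PKI_DIR/private"
  : > "$PKI_DIR/index.txt"
  echo 01 > "$PKI_DIR/serial"
}

make_ca() {   # self-signed CA; -nodes leaves the key unencrypted, so guard it with file modes
  openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -sha256 -config "$PKI_DIR/openssl.cnf" \
    -extensions v3_ca -subj "/CN=strongSwan Root CA" \
    -keyout "$PKI_DIR/private/strongswanKey.pem" -out "$PKI_DIR/cacerts/strongswanCert.pem"
}

issue_cert() {   # issue_cert <name> <extension section> <subject>
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$PKI_DIR/openssl.cnf" -subj "$3" \
    -keyout "$PKI_DIR/private/${1}Key.pem" -out "$PKI_DIR/reqs/${1}Req.pem"
  openssl ca -batch -config "$PKI_DIR/openssl.cnf" -extensions "$2" -notext \
    -in "$PKI_DIR/reqs/${1}Req.pem" -out "$PKI_DIR/certs/${1}Cert.pem"
}

export_client_p12() {   # export_client_p12 <name> <password>: client key + cert + CA cert only
  # The CA private key never goes into a client bundle. OpenSSL 3.x encrypts the
  # file with AES/PBKDF2 by default; add -legacy if Windows 7 refuses to import it.
  openssl pkcs12 -export -name "$1" -inkey "$PKI_DIR/private/${1}Key.pem" \
    -in "$PKI_DIR/certs/${1}Cert.pem" -certfile "$PKI_DIR/cacerts/strongswanCert.pem" \
    -caname "strongSwan Root CA" -passout "pass:$2" -out "$PKI_DIR/${1}.p12"
}

verify_chain() {   # verify_chain <name>: the certificate must chain to our CA
  openssl verify -CAfile "$PKI_DIR/cacerts/strongswanCert.pem" "$PKI_DIR/certs/${1}Cert.pem" >/dev/null
}

key_matches_cert() {   # key_matches_cert <name>: leftcert and the RSA secret belong together
  [ "$(openssl x509 -in "$PKI_DIR/certs/${1}Cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$PKI_DIR/private/${1}Key.pem" -pubout)" ]
}

gateway_has_win7_extensions() {   # SAN carries the gateway IP and the serverAuth EKU is present
  dump=$(openssl x509 -in "$PKI_DIR/certs/gatewayCert.pem" -noout -text)
  echo "$dump" | grep -q "IP Address:$GW_IP" && echo "$dump" | grep -q "TLS Web Server Authentication"
}

build_pki() {
  init_dirs && write_config && make_ca
  issue_cert gateway v3_gateway "/CN=$GW_IP"
  issue_cert client1 v3_client "/CN=client1"
  export_client_p12 client1 changeit
  verify_chain gateway && verify_chain client1 && key_matches_cert gateway && gateway_has_win7_extensions
}

if [ "${1:-}" = build ]; then build_pki && echo "PKI written to $PKI_DIR"; fi
```

Run it as `sh mkpki.sh build`, copy the contents of PKI_DIR into /etc/ipsec.d, point leftcert at certs/gatewayCert.pem, and, because the key is unencrypted, write the ipsec.secrets line as `: RSA /etc/ipsec.d/private/gatewayKey.pem` with no passphrase. The second EKU OID, 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate), is the other purpose Windows recognises on an IKEv2 gateway certificate next to serverAuth; the client certificate gets only clientAuth. Only client1.p12 leaves the CA host; strongswanKey.pem stays in private/ with mode 700 on the directory.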




StrongSwan setup


File strongswan.conf (the list of plugins charon loads):

    charon {
        load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown eap-identity
    }


The main configuration files are /etc/ipsec.conf and /etc/ipsec.secrets.

Let's start with ipsec.conf:

    config setup
        strictcrlpolicy=no              # do not refuse peers whose CRL is unavailable
        charonstart=yes                 # charon handles IKEv2
        plutostart=no                   # pluto (IKEv1) is not needed here
        charondebug="ike 2, knl 3, cfg 0"

    conn %default                       # defaults for every IPsec connection
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=180s

    conn rw                             # the remote-access (road warrior) connection
        left=<external_IP>              # our external address
        leftsubnet=<subnet/prefix>      # the network behind the gateway that clients may reach
        leftid=<external_IP>            # identity we present in IKE SA negotiation
        leftcert=/etc/ipsec.d/certs/servercert.pem
        leftauth=pubkey                 # we authenticate with an RSA certificate
        right=%any                      # clients connect from any IP
        rightauth=pubkey                # clients authenticate with an RSA certificate
        rightsourceip=<subnet/prefix>   # pool of virtual IPs handed out to clients
        auto=add                        # load the connection, wait for clients to initiate
        keyexchange=ikev2
        type=tunnel

Two things to watch in this listing. leftsubnet and rightsourceip are different networks: the first is the LAN behind the gateway that the tunnel gives access to, the second is a pool of virtual addresses assigned to connecting clients, and neither may overlap the other or the client's own LAN. And dpdtimeout is an IKEv1 parameter; for IKEv2 connections strongSwan relies on dpddelay and its retransmission timeout, so the line is harmless here but does nothing.


The ipsec.secrets file:

    : RSA /etc/ipsec.d/private/serverkey.pem "password"

"password" is the passphrase the server key was protected with when openssl req created it; for an unencrypted key the quoted string is simply omitted. The file holds the gateway's private key passphrase, so keep it owned by root with mode 0600.


More information about the directives of this file can be found in the ipsec.secrets(5) man page.



Configuring the IPsec connection on Windows 7 and importing the certificates



Now connect with the client and check the state of the connection with ipsec statusall and in the logs; on the Windows side the VPN connection should come up and pings through the tunnel should get through.



Conclusion



In this article I gave a brief overview of the StrongSwan daemon and an example of setting up IPsec IKEv2 with certificate authentication for Windows 7 clients. StrongSwan also has its own Android client, which works with the same settings; the only thing it needs is a certificate of its own. As can be seen, the configuration I propose differs somewhat from the one strongSwan uses in its examples, and much of the attention goes to certificate generation.

Site-to-site IPsec and remote access with EAP-MSCHAPv2 authentication, as well as L2TP over IPsec (IKEv1), also work very well with StrongSwan; if there is interest, I can describe how to configure them.

Source: https://habr.com/ru/post/177453/


