
StrongSwan. Remote Access VPN using MSCHAPv2-EAP

What are we talking about?


In this article I will describe how to configure the StrongSwan daemon on a Linux server for remote users (Remote Access VPN) over IPsec IKEv2, with EAP-MSCHAPv2 (EAP carrying Microsoft CHAP version 2) as the client authentication method.

Solution Description


In this implementation the Remote Access VPN uses the EAP protocol (RFC 3748) carrying Microsoft CHAP version 2 for the clients' authentication to the gateway.
This is the combination used by the built-in Windows 7 IKEv2 (Agile VPN) client. In addition to IKEv2 identification by IP address, the client authenticates with EAP using a user name and password defined on the gateway.
The gateway authenticates itself to the client with an RSA certificate.
The diagram of my test stand and of the solution is shown in the figure below.
[Figure: diagram of the test stand and the solution]
Virtual IP interface: a virtual address that the gateway assigns to the client. It is configured in the StrongSwan configuration files.
The main advantage of this solution over a certificate-based VPN is that you do not need to import a separate certificate into each client; all the user needs to know is a login and password. An additional advantage is the use of IKEv2 for the IPsec connection, which has several improvements over IKEv1; these are easy to find with a quick search.

Certificate Generation


Certificate generation is the most crucial and the most difficult part: whether our IPsec tunnel works at all depends on it.
The certificates were generated with OpenSSL.
First, configure OpenSSL (the [ CA_default ] section of openssl.cnf) so that the CA lives under /etc/ipsec.d:

    vi /usr/lib/ssl/openssl.cnf

    [ CA_default ]
    dir         = /etc/ipsec.d                      # directory where the CA files are kept
    certificate = $dir/cacerts/strongswanCert.pem   # the CA certificate
    private_key = $dir/private/strongswanKey.pem    # the CA private key

Create the directories for new certificates and requests, and the index and serial files that openssl ca requires:

    cd /etc/ipsec.d
    mkdir -p newcerts reqs    # newcerts is required by openssl ca; reqs holds the requests created below
    touch index.txt
    echo "00" > serial

Generating the CA certificate.

Create a self-signed CA certificate valid for ten years, together with its private key:

    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/strongswanKey.pem -out cacerts/strongswanCert.pem

Convert the CA certificate into PKCS#12 (.p12) form, which Windows and most other clients understand, so that there are no problems with import. Note that the client only needs the CA certificate to verify the gateway; the -inkey option below also packs the CA private key into the file, which should not be handed out to clients, so for client import export the certificate without the key.

    openssl pkcs12 -export -inkey private/strongswanKey.pem -in cacerts/strongswanCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out CAcert.p12


Generating the server certificate.

Create a key and a certificate request (the article uses a 1024-bit key; 2048 bits or more is the modern minimum):

    openssl req -newkey rsa:1024 -keyout private/serverkey.pem -out reqs/serverreq.pem

Request a certificate from the CA using the request just created:

    openssl ca -in reqs/serverreq.pem -days 730 -out certs/servercert.pem -notext

When signing the server certificate, the extensions used by openssl.cnf must set subjectAltName = IP:<external_IP> for the server certificate, so that the certificate identity matches leftid and the address the clients connect to.
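The certificate steps above, as an added example that is not part of the article: a non-interactive run of the same openssl req / openssl ca procedure in a scratch directory with a minimal openssl.cnf, followed by the two checks worth doing before pointing leftcert and leftid at the result. It assumes the openssl binary is available; 203.0.113.10 is a constructed placeholder for <external_IP>.

```shell
# Added example, not from the article: reproduces its CA and server certificate
# steps non-interactively in a scratch directory with `openssl ca` and a minimal
# openssl.cnf, then checks the chain and the IP subjectAltName. Assumes the
# openssl binary; 203.0.113.10 is a constructed placeholder for <external_IP>.
set -e
gen_pki() {
    dir=$1; ext_ip=$2
    # Same layout as /etc/ipsec.d in the article, plus the reqs directory it uses
    mkdir -p "$dir/cacerts" "$dir/private" "$dir/certs" "$dir/reqs" "$dir/newcerts"
    touch "$dir/index.txt"; echo "00" > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacerts/strongswanCert.pem
private_key = \$dir/private/strongswanKey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ server_ext ]
subjectAltName = IP:$ext_ip
EOF
    # CA certificate, self-signed for 10 years (article step, made non-interactive)
    openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=strongSwan Root CA" -keyout "$dir/private/strongswanKey.pem" \
        -out "$dir/cacerts/strongswanCert.pem"
    # Server key and request; 2048 bits instead of the article's 1024
    openssl req -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" -subj "/CN=$ext_ip" \
        -keyout "$dir/private/serverkey.pem" -out "$dir/reqs/serverreq.pem"
    # Sign with the CA, adding subjectAltName = IP:<external_IP> as the article requires
    openssl ca -batch -config "$dir/openssl.cnf" -extensions server_ext -days 730 \
        -in "$dir/reqs/serverreq.pem" -out "$dir/certs/servercert.pem" -notext
}
# Checks to run before pointing leftcert/leftid at the result: the chain verifies
# against the CA and the SAN carries the IP address the clients will connect to.
check_pki() {
    dir=$1; ext_ip=$2
    openssl verify -CAfile "$dir/cacerts/strongswanCert.pem" "$dir/certs/servercert.pem" >/dev/null &&
        openssl x509 -in "$dir/certs/servercert.pem" -noout -text | grep -q "IP Address:$ext_ip"
}
```

Run it as `gen_pki /tmp/pki 203.0.113.10 && check_pki /tmp/pki 203.0.113.10`; a missing or wrong SAN makes check_pki return non-zero.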

Configure the StrongSwan daemon


StrongSwan is easily installed from a repository or from source.
This is how the /etc/strongswan.conf file should look (the plugin list is explicit, so every plugin the connection needs must appear in it; the eap-mschapv2 plugin was missing from the original list and is required for rightauth=eap-mschapv2; strongSwan 5.x additionally needs the nonce plugin):

    charon {
        load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown eap-identity eap-mschapv2
    }

The basic settings are made in the /etc/ipsec.conf file.
The config setup section defines the global parameters (the option is spelled strictcrlpolicy; the original had a typo):

    config setup
        strictcrlpolicy=no
        charonstart=yes
        plutostart=no
        charondebug="ike 2, knl 3, cfg 0"

The conn sections configure the connections (the option names dpddelay and keyexchange are corrected here; the original had typos):

    conn %default
        # IPsec lifetimes and dead peer detection, inherited by every conn
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=180s

    conn rw
        # the IPsec gateway, i.e. this server
        left=<external_IP>
        # the local subnet the remote users get access to
        leftsubnet=<subnet/prefix>
        # gateway identity used in the IKE SA; must match the certificate's subjectAltName
        leftid=<external_IP>
        leftcert=/etc/ipsec.d/certs/servercert.pem
        # the gateway authenticates with its RSA certificate
        leftauth=pubkey
        # remote users may connect from any IP address
        right=%any
        # users authenticate with EAP-MSCHAPv2 (name and password from ipsec.secrets)
        rightauth=eap-mschapv2
        rightsendcert=never
        # pool of virtual IP addresses handed out to clients
        rightsourceip=<subnet/prefix>
        # load the connection and wait for the client to initiate
        auto=add
        keyexchange=ikev2
        type=tunnel

We also need to list in the /etc/ipsec.secrets file the private key of the gateway certificate and the accounts of the EAP users:

    # private key of the gateway certificate (the passphrase, if the key is encrypted)
    : RSA /etc/ipsec.d/private/serverkey.pem "password"
    # EAP users: <name> : EAP "<password>"
    ivan : EAP "pass1"
    max : EAP "pass2"


The connection settings above are stored in /etc/ipsec.conf, and the keys and user credentials in /etc/ipsec.secrets.

Client setup


As a client you can use Windows 7 or any device running Android with the StrongSwan VPN Client application installed.
Client setup consists of the following steps:
  1. Import CA certificate to client
  2. Client setup
  3. Client launch

For Android everything is essentially the same.

Conclusion


After the client and the server have been configured, restart StrongSwan on the server with the ipsec restart command and try to connect with the client. If the gateway succeeds, the output of the ipsec statusall command will show the connection in the ESTABLISHED state, and pings between the client and the server will go through.
I almost forgot: for the client to reach local resources on the subnet defined in the leftsubnet parameter, you will also need to configure routing accordingly and the firewall rules (iptables).
StrongSwan can also be used to implement L2TP over IPsec (IKEv1); I will probably write about this later.

Source: https://habr.com/ru/post/177547/
