IPSec IKEv2 VPN Road Warrior
This server-side setup is performed on Ubuntu 14.04 LTS (trusty) with Strongswan. Once it is done you should be able to connect from many client platforms. The server side is built with a focus on security while still supporting clients on Android, Windows, iPhone/iOS and most UN*X flavors, including Linux.
Let's get right into it. Start with a fresh install of Ubuntu 14.04; the 64-bit build is used here.
Install the Strongswan server software and iptables. Become root or use sudo for these commands.
apt-get install strongswan
apt-get install iptables iptables-persistent
With your favorite editor we will be editing these files. I will use vi. Just replace the command with your editor.
- /etc/strongswan.conf
- /etc/ipsec.conf
- /etc/ipsec.secrets
- /etc/sysctl.conf
- /etc/iptables/rules.v4
Now let's change them.
vi /etc/strongswan.conf

charon {
    load_modular = yes
    install_virtual_ip = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
The above uses Google's public DNS servers as an example; these are the resolvers pushed to connecting clients. You can use your own: just replace the dns1= and dns2= values.
vi /etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftcert=server_cert.pem
    auto=add
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h

conn rw
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.0.0.0/24

vi /etc/ipsec.secrets

: RSA server_key.pem
Now we will enable IPv4 forwarding in the kernel network stack, so the server can route traffic for the VPN clients. Make sure /etc/sysctl.conf contains this line:
vi /etc/sysctl.conf

...
net.ipv4.ip_forward = 1
...
The next file will be our firewall setup.
vi /etc/iptables/rules.v4

# RAMNIC's iptables setup for Strongswan VPN RW
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
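As an added check (example code, not part of the original post), the small Python lint below parses a file in iptables-restore format and confirms the pieces this VPN depends on: a DROP default policy on INPUT, ACCEPT rules for IKE (udp/500), NAT traversal (udp/4500) and ESP that are not shadowed by an earlier REJECT, and a MASQUERADE rule for the rightsourceip pool. The embedded sample is a constructed, abbreviated copy of the file above.

```python
# Added example (not from the original post): lint the rules.v4 file above before loading it.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""  # constructed sample modelled on the page's /etc/iptables/rules.v4

def parse_rules(text):
    """Map table name -> {"policy": {chain: policy}, "rules": [{option: value}]}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        if line.startswith("*"):            # table header such as *filter
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):          # chain line: ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A"):         # rule: pair up "-opt value" tokens
            tok = line.split(); table["rules"].append(dict(zip(tok[0::2], tok[1::2])))
        elif line == "COMMIT": table = None
    return tables

def check_vpn_rules(text, pool="10.0.0.0/24"):
    """Return a list of problems; an empty list means the file passes."""
    t = parse_rules(text)
    flt, nat = (t.get(n, {"policy": {}, "rules": []}) for n in ("filter", "nat"))
    def find(rules, want):  # index of the first rule carrying every option in want
        return next((i for i, r in enumerate(rules)
                     if all(r.get(k) == v for k, v in want.items())), None)
    problems = []
    if flt["policy"].get("INPUT") != "DROP": problems.append("filter INPUT policy should be DROP")
    needed = {"IKE udp/500": {"-A": "INPUT", "-p": "udp", "--dport": "500", "-j": "ACCEPT"},
              "NAT-T udp/4500": {"-A": "INPUT", "-p": "udp", "--dport": "4500", "-j": "ACCEPT"},
              "ESP": {"-A": "INPUT", "-p": "esp", "-j": "ACCEPT"}}
    for label, want in needed.items():
        pos = find(flt["rules"], want)
        # an earlier INPUT REJECT for the same protocol, or one with no -p at all, wins
        rejects = [i for i, r in enumerate(flt["rules"]) if r.get("-A") == "INPUT"
                   and r.get("-j") == "REJECT" and r.get("-p", want["-p"]) == want["-p"]]
        if pos is None: problems.append("no ACCEPT for " + label)
        elif rejects and pos > rejects[0]: problems.append(label + " ACCEPT shadowed by an earlier REJECT")
    if find(nat["rules"], {"-A": "POSTROUTING", "-s": pool, "-j": "MASQUERADE"}) is None:
        problems.append("no MASQUERADE for the rightsourceip pool " + pool)
    return problems
```

To lint the real file, call check_vpn_rules(open("/etc/iptables/rules.v4").read()) and expect an empty list.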
That should be all the file edits. What remains is creating the certificates and installing them. Create the script below and run it; you will end up with the certificates installed and a tar bzip2 archive of all the created certificates and keys in your home directory.
vi mkipsec_certs.sh
#!/bin/sh
# Generate a private CA, a server certificate and one client certificate
# with strongswan's pki tool, install the server side and archive the rest.
set -e  # stop on the first failing command rather than installing partial output
ROOTCA_O="RAMNIC"
ROOTCA_CN="RAMNIC CA"
SERVER_O="RAMNIC"
SERVER_CN="vpn.ramnic.net"
CLIENT_O="RAMNIC"
ODIR="`mktemp -d`"
UTIME="`date +%s`"
cd "${ODIR}"
# the root ca
ipsec pki --gen --outform pem > ca_key.pem
ipsec pki --self --in ca_key.pem --dn "C=CN, O=${ROOTCA_O}, CN=${ROOTCA_CN}" --ca --outform pem > ca_cert.pem
# the server: the SAN must match the hostname clients connect to
ipsec pki --gen --outform pem > server_key.pem
ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=${SERVER_O}, CN=${SERVER_CN}" --san="${SERVER_CN}" --outform pem > server_cert.pem
# the client
ipsec pki --gen --outform pem > client_key.pem
ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=${CLIENT_O}, CN=client" --outform pem > client_cert.pem
### install the ca and server credentials where strongswan looks for them
sudo cp ca_cert.pem /etc/ipsec.d/cacerts/
sudo cp server_cert.pem /etc/ipsec.d/certs/
sudo cp server_key.pem /etc/ipsec.d/private/
# archive every generated key and certificate, then remove the temporary directory
tar jcvf ~/ipsec_certs-${UTIME}.tar.bz2 *.pem
cd ~/
rm -rf "${ODIR}"
exit 0
You can now run this script.
chmod +x mkipsec_certs.sh
./mkipsec_certs.sh
Now we can reboot.
sudo shutdown -r now
The files the client needs from your tar bzip2 archive are:
- ca_cert.pem
- client_cert.pem
- client_key.pem
You will probably need to convert these files to another format depending on the client software you use. Client setup will be shown in the next posts.
Use the contact form on the right side of the page to report any changes or comments. Thank you.