IPSec IKEv2 VPN Road Warrior
The server side of this setup is built on Ubuntu 14.04 LTS (trusty) with strongSwan. Once it is running you can connect from many client platforms. The server configuration concentrates on security while still working with Android, Windows, iPhone/iOS and most UN*X flavors, Linux included.
Let's get right into it. Start with a fresh Ubuntu 14.04 install; 64-bit is used here.
Install Strongswan server software.
Become root or use sudo for these.

apt-get install strongswan
apt-get install iptables iptables-persistent
With your favorite editor we will edit these files. I use vi; just replace the command with your editor.
- /etc/strongswan.conf
- /etc/ipsec.conf
- /etc/ipsec.secrets
- /etc/sysctl.conf
- /etc/iptables/rules.v4
Now let's change them.
vi /etc/strongswan.conf

charon {
        load_modular = yes
        install_virtual_ip = yes
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        plugins {
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf
The above uses Google's public DNS servers as an example; these are the resolvers pushed to clients. You can use your own: just replace the dns1= and dns2= values.
vi /etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        leftcert=server_cert.pem
        auto=add
        dpdaction=clear
        dpddelay=300s
        dpdtimeout=1h

conn rw
        leftfirewall=yes
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=10.0.0.0/24

A word on the proposals: the trailing ! makes strongSwan accept only exactly these algorithms, and SHA-1 with modp1024 (DH group 2) is the weakest part of this setup. It is used here because stock Windows 7/8 clients offer nothing stronger unless the NegotiateDH2048_AES256 registry value is set on the client. If all your clients can do better, use something like ike=aes256-sha256-modp2048! and esp=aes256-sha256!; listing both sets, e.g. ike=aes256-sha256-modp2048,aes256-sha1-modp1024!, keeps the old clients working while capable ones can negotiate the stronger one. rightsourceip=10.0.0.0/24 is the pool handed to road warriors and must match the MASQUERADE rule in the firewall below; leftsubnet=0.0.0.0/0 sends all client traffic through the tunnel.
vi /etc/ipsec.secrets

: RSA server_key.pem
Now we enable IPv4 forwarding so the gateway routes traffic between the clients and the internet. Because the server becomes a router for the clients, it is also worth disabling ICMP redirects here (net.ipv4.conf.all.accept_redirects and net.ipv4.conf.all.send_redirects set to 0), as the strongSwan forwarding documentation recommends.

vi /etc/sysctl.conf

...
net.ipv4.ip_forward = 1
...
The next file is our firewall setup. It is restored by iptables-persistent at boot. Inbound, only SSH, IKE (udp/500), NAT-T (udp/4500), ESP and ICMP are accepted; the FORWARD chain defaults to DROP on purpose, because leftfirewall=yes makes strongSwan's updown script insert the per-client FORWARD rules when a tunnel comes up. The original loopback rule matched on 127.0.0.0/24 addresses; matching on the lo interface is the correct way to allow local traffic.

vi /etc/iptables/rules.v4

# RAMNIC's iptables setup for Strongswan VPN RW
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the road-warrior pool out of the public interface (adjust eth0 to yours)
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# loopback: match the interface, not a /24 of the 127.0.0.0/8 range
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
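Before opening the gateway to clients it pays to check the three files above for the mistakes that bite most often: weak algorithms left in the ike=/esp= proposals, forwarding not actually enabled, and a missing IKE, NAT-T or ESP rule. The script below is an added example written for this page, not code from the original post or from strongSwan; the function names (weak_algos, conf_values, forwarding_enabled, missing_firewall_rules, audit) are my own, and the sample files it reads are constructed inline to mirror the configuration in the post so it runs offline.

```shell
#!/bin/sh
# Hypothetical pre-flight audit for the road-warrior setup (added example,
# not part of the original post). Checks that
#   1. the ike= and esp= proposals contain no weak algorithms,
#   2. net.ipv4.ip_forward is set to 1 in the sysctl file,
#   3. the firewall accepts IKE (udp/500), NAT-T (udp/4500) and ESP.
# On a real server call audit with /etc/ipsec.conf, /etc/sysctl.conf and
# /etc/iptables/rules.v4; the sample files below are constructed inline.

# Algorithm names that should not appear in an IKEv2 proposal any more.
WEAK_ALGOS="md5 sha1 des 3des modp768 modp1024 modp1536"

# weak_algos PROPOSAL
# Prints the weak tokens of a strongSwan proposal string such as
# "aes256-sha1-modp1024!" (space separated), or an empty line if none.
weak_algos() {
    found=""
    for tok in $(printf '%s' "$1" | sed 's/[-,!]/ /g'); do
        for weak in $WEAK_ALGOS; do
            [ "$tok" = "$weak" ] && found="$found $tok"
        done
    done
    printf '%s\n' "${found# }"
}

# conf_values FILE KEY
# Prints the value of every "KEY=value" line in an ipsec.conf, one per line
# (leading whitespace and trailing comments ignored).
conf_values() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1"
}

# forwarding_enabled SYSCTL_FILE -> "yes" or "no"
forwarding_enabled() {
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"; then
        echo yes
    else
        echo no
    fi
}

# missing_firewall_rules RULES_FILE
# Prints which of udp/500, udp/4500 and esp have no "-A INPUT ... -j ACCEPT".
missing_firewall_rules() {
    missing=""
    grep -Eq -- '^-A INPUT .*-p udp .*--dport 500 .*-j ACCEPT' "$1" || missing="$missing udp/500"
    grep -Eq -- '^-A INPUT .*-p udp .*--dport 4500 .*-j ACCEPT' "$1" || missing="$missing udp/4500"
    grep -Eq -- '^-A INPUT .*-p esp .*-j ACCEPT' "$1" || missing="$missing esp"
    printf '%s\n' "${missing# }"
}

# audit IPSEC_CONF SYSCTL_CONF RULES_FILE
# Prints one finding per line, or "ok" when everything checks out.
audit() {
    findings=""
    for key in ike esp; do
        for p in $(conf_values "$1" "$key"); do
            w=$(weak_algos "$p")
            [ -z "$w" ] || findings="$findings
weak $key proposal $p: $w"
        done
    done
    [ "$(forwarding_enabled "$2")" = yes ] || findings="$findings
net.ipv4.ip_forward is not 1 in $2"
    m=$(missing_firewall_rules "$3")
    [ -z "$m" ] || findings="$findings
firewall has no INPUT ACCEPT for: $m"
    if [ -z "$findings" ]; then echo ok; else printf '%s\n' "${findings#?}"; fi
}

# --- constructed sample inputs mirroring the files in the post ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/ipsec.conf" <<'EOF'
config setup
conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        leftcert=server_cert.pem
conn rw
        rightsourceip=10.0.0.0/24
EOF
printf 'net.ipv4.ip_forward = 1\n' > "$SAMPLE/sysctl.conf"
printf '# net.ipv4.ip_forward = 1\n' > "$SAMPLE/sysctl-off.conf"   # left commented out
cat > "$SAMPLE/rules.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
EOF
grep -v 4500 "$SAMPLE/rules.v4" > "$SAMPLE/rules-no-natt.v4"    # NAT-T port forgotten
sed 's/sha1-modp1024/sha256-modp2048/; s/sha1!/sha256!/' "$SAMPLE/ipsec.conf" > "$SAMPLE/ipsec-hardened.conf"

echo "findings for the post's configuration:"
audit "$SAMPLE/ipsec.conf" "$SAMPLE/sysctl.conf" "$SAMPLE/rules.v4"
echo "findings with SHA-256/modp2048 proposals:"
audit "$SAMPLE/ipsec-hardened.conf" "$SAMPLE/sysctl.conf" "$SAMPLE/rules.v4"
```

The proposal check deliberately only looks at the names inside ike= and esp=; if either line is absent strongSwan falls back to its built-in defaults, which this script does not inspect.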
That is all the file edits. What remains is creating and installing the certificates. Create this script and run it; it installs the CA certificate, the server certificate and the server key, and leaves a tar.bz2 with every file it created, private keys included, in your home directory. Two things were fixed against the first version of the script: it used ROOT_O/ROOT_CN in the CA subject although the variables are named ROOTCA_O/ROOTCA_CN (which produced a CA with an empty O and CN), and the server certificate now carries the serverAuth and ikeIntermediate extended key usage flags that Windows and iOS/OS X clients respectively insist on. The umask keeps the generated keys readable by the owner only.

vi mkipsec_certs.sh

#!/bin/sh
# Creates a private CA, a server certificate and one client certificate with
# strongSwan's pki tool, installs the CA cert, server cert and server key,
# and leaves a tar.bz2 of everything (private keys included) in $HOME.
set -e
umask 077                     # keys are written via redirection: keep them owner-only
ROOTCA_O="RAMNIC"
ROOTCA_CN="RAMNIC CA"
SERVER_O="RAMNIC"
SERVER_CN="vpn.ramnic.net"    # must be the name the clients connect to
CLIENT_O="RAMNIC"
ODIR="`mktemp -d`"
UTIME="`date +%s`"
cd "${ODIR}"

# the root ca
ipsec pki --gen --outform pem > ca_key.pem
ipsec pki --self --in ca_key.pem --dn "C=CN, O=${ROOTCA_O}, CN=${ROOTCA_CN}" --ca --outform pem > ca_cert.pem

# the server
# serverAuth is required by Windows clients, ikeIntermediate by iOS/OS X;
# the SAN has to equal the hostname configured on the clients.
ipsec pki --gen --outform pem > server_key.pem
ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem \
    --dn "C=CN, O=${SERVER_O}, CN=${SERVER_CN}" --san="${SERVER_CN}" \
    --flag serverAuth --flag ikeIntermediate --outform pem > server_cert.pem

# the client
ipsec pki --gen --outform pem > client_key.pem
ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem \
    --dn "C=CN, O=${CLIENT_O}, CN=client" --outform pem > client_cert.pem

### implement ca
sudo cp ca_cert.pem /etc/ipsec.d/cacerts/
sudo cp server_cert.pem /etc/ipsec.d/certs/
sudo cp server_key.pem /etc/ipsec.d/private/
tar jcvf ~/ipsec_certs-${UTIME}.tar.bz2 *.pem
cd ~/
rm -rf "$ODIR"
exit
You can now run this script.

chmod +x mkipsec_certs.sh
./mkipsec_certs.sh
Now we can reboot. This applies the sysctl setting, loads the saved iptables rules and starts strongSwan with the new configuration and certificates.

sudo shutdown -r now
The files a client needs from your tar.bz2 are:
- ca_cert.pem
- client_cert.pem
- client_key.pem
Hand out only those three. The archive also contains ca_key.pem and server_key.pem; the server key belongs on the server alone and the CA key is best kept offline, since anyone holding it can issue certificates your gateway will trust. You will probably need to convert these files to another format (for example a PKCS#12 bundle for Windows or iOS) depending on the client software you use. Client setup is shown in the next posts.
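The cert script's tarball mixes the CA key and server key with the client files, and keys written through shell redirection are as readable as the umask allows. As an added example for this page (my own code, not from the original post or from strongSwan), the helper below builds a per-client directory holding just the three files a client needs, with owner-only modes, and audits a directory for private keys that other users could read. The function names are assumptions of mine, and the "extracted bundle" it works on is constructed inline from placeholder files so the script runs offline; on a real server point it at the directory you extracted ipsec_certs-<time>.tar.bz2 into.

```shell
#!/bin/sh
# Hypothetical helper for handing out client credentials (added example,
# not part of the original post). A client must only ever receive
# ca_cert.pem plus its own <name>_cert.pem and <name>_key.pem, and private
# keys must not be group- or world-readable.

# exposed_keys DIR
# Lists every *_key.pem under DIR that is group- or world-readable
# (mode bits 040 or 004), sorted.
exposed_keys() {
    find "$1" -name '*_key.pem' \( -perm -040 -o -perm -004 \) | sort
}

# make_client_bundle SRCDIR CLIENT OUTDIR
# Copies ca_cert.pem, CLIENT_cert.pem and CLIENT_key.pem from SRCDIR into
# OUTDIR with restrictive modes; the CA and server keys are never touched.
# Returns 1 and creates nothing if one of the three files is missing.
make_client_bundle() {
    src=$1; client=$2; out=$3
    for f in ca_cert.pem "${client}_cert.pem" "${client}_key.pem"; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    (
        umask 077                   # everything created here is owner-only
        mkdir -p "$out"
        cp "$src/ca_cert.pem" "$src/${client}_cert.pem" "$src/${client}_key.pem" "$out/"
        chmod 644 "$out/ca_cert.pem" "$out/${client}_cert.pem"   # certificates are public
        chmod 600 "$out/${client}_key.pem"                        # the key is not
    )
}

# bundle_files DIR -> the file names in DIR, sorted, space separated
bundle_files() {
    ( cd "$1" && ls | sort | tr '\n' ' ' | sed 's/ $//' )
}

# --- constructed sample: what extracting the tarball typically leaves ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
for f in ca_key ca_cert server_key server_cert client_key client_cert; do
    printf 'placeholder for %s\n' "$f" > "$SAMPLE/$f.pem"
done
chmod 644 "$SAMPLE"/*.pem        # created under umask 022: keys world-readable
chmod 600 "$SAMPLE/ca_key.pem"   # pretend only the CA key was protected by hand

echo "private keys readable by others under $SAMPLE:"
exposed_keys "$SAMPLE"
make_client_bundle "$SAMPLE" client "$SAMPLE/bundle-client"
echo "files to hand to the client: $(bundle_files "$SAMPLE/bundle-client")"
```

The client bundle is still plain PEM; converting it to the format a particular client wants (and applying a passphrase to the key at that point) is the next step, done with the client's own tooling.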
Use the contact form on the right side of the page to report any changes or comments. Thank you.