From: Rob Date: Wed, 7 Nov 2018 08:15:33 +0000 (+0800) Subject: ipsec roadwarrior doc v0.1 X-Git-Url: https://robinkrens.nl/gitweb/?a=commitdiff_plain;h=62da952ff19284ffdf28c30118a709ab8b4744b2;p=robinkrens.nl ipsec roadwarrior doc v0.1 --- diff --git a/ikev2-nat-rw.html b/ikev2-nat-rw.html new file mode 100644 index 0000000..e90cce7 --- /dev/null +++ b/ikev2-nat-rw.html @@ -0,0 +1,101 @@ + + + + + + + + +

robinkrens.nl -- Strongswan road warrior setup with Virtual IPs

+ +

strongSwan is an IPsec solution providing encryption and authentication to servers and clients. It can be used to secure communications with remote networks, so that connecting remotely is the same as connecting locally. In this HOWTO, I explain how to setup up a secure connection to your server. In this setup your host will be the gateway, you might have other servers behind this gateway you can then reach securily. In this particular setup we use public key authentication between a roadwarrior and your server. Roadwarriors is the term Strongswan uses for laptops or other mobile devices that connect from a remote location to your network. More on this particular setup can be found here: https://www.strongswan.org/testing/testresults/ikev2/mobike-virtual-ip-nat/index.html +Note: some distributions use ipsec as command, others use strongswan +

+
+ +

Setup a PKI infrastructure

+ +

To set up a public key infrastructure (PKI), we first need to create a self-signed Certificate Authority (CA). We use StrongSwan's built-in command `ipsec pki`. Later on, our CA will issue end-entity certificates. Generate a private key for the CA: +

+

ipsec pki --gen > caKey.der +

+

Now self-sign a CA certificate using the generated key. Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates. +

+

ipsec pki --self --in caKey.der --dn "C=USA, O= , CN=Host CA" --ca > caCert.der +

+

Generate a private key for your host and use your CA to issue a certificate. +

+
+        ipsec pki --gen > hostKey.der`
+        ipsec pki --pub --in hostKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O=  CN=host" > hostCert.der` --san your_IP
+
+

Now place the created files in the following directories of your Host: +

+
+        /etc/ipsec.d/private/hostKey.der
+        /etc/ipsec.d/certs/hostCert.der
+        /etc/ipsec.d/cacerts/caCert.der
+
+

Similar, we can generate a private key and issue a certiciate for our client. +

+
+        ipsec pki --gen > clientKey.der
+        ipsec pki --pub --in clientKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=client" > clientCert.der
+
+

On your client you will need the client key and certificate as well as your CA certificate. To make it a bit more convenient, you can wrap these files in one .p12 file using the following command: +

+
+        openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem
+        openssl pkcs12 -in clientCert.pem -inkey clientKey.pem -certfile caCert.pem -export -out client.p12`
+
+

Configure strongSwan

+ +

Your /etc/ipsec.conf configuration file on your host should contain the following: +

+

config setup +

+
+        conn %default
+                ikelifetime=60m
+                keylife=20m
+                rekeymargin=3m
+                keyingtries=1
+                keyexchange=ikev2
+
+        conn virtualip
+                leftsubnet=0.0.0.0/0
+                #leftid=alpha
+                #leftauth=pubkey
+                #rightauth=pubkey
+                #leftsendcert=always
+                leftfirewall=yes
+                right=%any
+                rightdns=8.8.8.8,8.8.4.4
+                rightsourceip=172.16.16.0/24
+                auto=add
+
+

Edit your /etc/ipsec.secrets and add the following line: +

+

: RSA hostKey.der +

+

Please note that both sides of the colon ':' need a white-space! +

+

Allow forwarding and configure firewall

+ +

In order to forward traffic to hosts behind the gateway the following +option has to be enabled on your host: +

+
+        sysctl net.ipv4.ip_forward=1
+        sysctl net.ipv6.conf.all.forwarding=1
+
+

This can be added to /etc/sysctl.conf to enable it permanently. +

+

Makes sure the ports accept traffic and masquerading: +

+        sudo iptables -A INPUT -p udp -dport 500/4500 -j ACCEPT
+        sudo iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -o eth0 -j MASQUERADE
+
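Review bot: the host certificate commands in the "Setup a PKI infrastructure" section are not runnable as written: `ipsec pki --gen > hostKey.der\`` and `... > hostCert.der\` --san your_IP` each end in a stray backtick that leaves the shell waiting for a closing backtick, `--san your_IP` sits after the output redirection, and the host DN `"C=USA, O=  CN=host"` is missing the comma between `O=` and `CN=host` that the CA and client DNs have. Suggest `ipsec pki --pub --in hostKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=host" --san your_IP > hostCert.der`. The `openssl pkcs12 ... -out client.p12\`` line has the same stray backtick, and that step converts `peerKey.der` to `peerKey.pem` but then reads `clientKey.pem`, `clientCert.pem` and `caCert.pem`, none of which exist at that point; the three DER files need converting under those names (`openssl rsa -inform der` for clientKey.der, `openssl x509 -inform der` for clientCert.der and caCert.der). In "Allow forwarding and configure firewall", `iptables -A INPUT -p udp -dport 500/4500 -j ACCEPT` is rejected by iptables: the option is `--dport` and takes one port, so use two rules or `-m multiport --dports 500,4500`. In `conn virtualip`, hostCert.der is installed under /etc/ipsec.d/certs but never referenced, and `leftid`, `leftauth`, `rightauth` and `leftsendcert` are all commented out; add `leftcert=hostCert.der` and a `leftid` matching the `--san` value so the gateway's certificate is selected explicitly and roadwarriors can verify the responder identity. Minor: "securily" and "certiciate" are misspelled and "Makes sure" should be "Make sure".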
+ + diff --git a/ikev2-nat-rw.txt b/ikev2-nat-rw.txt new file mode 100644 index 0000000..9f12244 --- /dev/null +++ b/ikev2-nat-rw.txt 
@@ -0,0 +1,87 @@ +robinkrens.nl -- Strongswan road warrior setup with Virtual IPs +======= + +strongSwan is an IPsec solution providing encryption and authentication to servers and clients. It can be used to secure communications with remote networks, so that connecting remotely is the same as connecting locally. In this HOWTO, I explain how to setup up a secure connection to your server. In this setup your host will be the *gateway*, you might have other servers behind this gateway you can then reach securily. In this particular setup we use public key authentication between a *roadwarrior* and your server. Roadwarriors is the term Strongswan uses for laptops or other mobile devices that connect from a remote location to your network. More on this particular setup can be found here: https://www.strongswan.org/testing/testresults/ikev2/mobike-virtual-ip-nat/index.html +Note: some distributions use *ipsec* as command, others use *strongswan* + +---------- + +Setup a PKI infrastructure +********** + +To set up a public key infrastructure (PKI), we first need to create a self-signed Certificate Authority (CA). We use StrongSwan's built-in command `ipsec pki`. Later on, our CA will issue end-entity certificates. Generate a private key for the CA: + + ipsec pki --gen > caKey.der + +Now self-sign a CA certificate using the generated key. Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates. + + ipsec pki --self --in caKey.der --dn "C=USA, O= , CN=Host CA" --ca > caCert.der + +Generate a private key for your host and use your CA to issue a certificate. 
+ + ipsec pki --gen > hostKey.der` + ipsec pki --pub --in hostKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= CN=host" > hostCert.der` --san your_IP + +Now place the created files in the following directories of your Host: + + /etc/ipsec.d/private/hostKey.der + /etc/ipsec.d/certs/hostCert.der + /etc/ipsec.d/cacerts/caCert.der + +Similar, we can generate a private key and issue a certiciate for our client. + + ipsec pki --gen > clientKey.der + ipsec pki --pub --in clientKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=client" > clientCert.der + +On your client you will need the client key and certificate as well as your CA certificate. To make it a bit more convenient, you can wrap these files in one .p12 file using the following command: + + openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem + openssl pkcs12 -in clientCert.pem -inkey clientKey.pem -certfile caCert.pem -export -out client.p12` + +Configure strongSwan +********** + +Your /etc/ipsec.conf configuration file on your host should contain the following: + + config setup + + conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + + conn virtualip + leftsubnet=0.0.0.0/0 + #leftid=alpha + #leftauth=pubkey + #rightauth=pubkey + #leftsendcert=always + leftfirewall=yes + right=%any + rightdns=8.8.8.8,8.8.4.4 + rightsourceip=172.16.16.0/24 + auto=add + +Edit your /etc/ipsec.secrets and add the following line: + + : RSA hostKey.der + +Please note that both sides of the colon ':' need a white-space! + +Allow forwarding and configure firewall +************ + +In order to forward traffic to hosts behind the gateway the following +option has to be enabled on your host: + + sysctl net.ipv4.ip_forward=1 + sysctl net.ipv6.conf.all.forwarding=1 + +This can be added to /etc/sysctl.conf to enable it permanently. 
+ +Makes sure the ports accept traffic and masquerading: + sudo iptables -A INPUT -p udp -dport 500/4500 -j ACCEPT + sudo iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -o eth0 -j MASQUERADE +
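Review bot: ikev2-nat-rw.txt duplicates the HTML page's text verbatim, so it carries the same broken shell commands (stray trailing backticks on the `hostKey.der`, `hostCert.der` and `client.p12` lines, `--san your_IP` placed after the output redirection, the missing comma in the host DN, and the PKCS#12 step converting `peerKey.der` while reading `clientKey.pem`, `clientCert.pem` and `caCert.pem`) and the same invalid `iptables -A INPUT -p udp -dport 500/4500` rule; any fix has to land in both copies, so consider generating one format from the other rather than maintaining two hand-edited files that can drift apart.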