1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <meta name="generator" content="HTML::TextToHTML v2.51"/>
7 <link rel="stylesheet" type="text/css" href="../files/style.css"/>
10 <h1><a name="section_1">Strongswan road warrior setup with Virtual IPs</a></h1>
12 <p>strongSwan is an IPsec solution providing encryption and authentication to servers and clients. It can be used to secure communications with remote networks, so that connecting remotely is the same as connecting locally. In this HOWTO, I explain how to setup up a secure connection to your server. In this setup your host will be the <em>gateway</em>, you might have other servers behind this gateway you can then reach securily. In this particular setup we use public key authentication between a <em>roadwarrior</em> and your server. Roadwarriors is the term Strongswan uses for laptops or other mobile devices that connect from a remote location to your network. More on this particular setup can be found here: <a href="https://www.strongswan.org/testing/testresults/ikev2/mobike-virtual-ip-nat/index.html">https://www.strongswan.org/testing/testresults/ikev2/mobike-virtual-ip-nat/index.html</a>
13 Note: some distributions use <em>ipsec</em> as command, others use <em>strongswan</em>
17 <h2><a name="section_1_1">Setup a PKI infrastructure </a></h2>
19 <p>To set up a public key infrastructure (PKI), we first need to create a self-signed Certificate Authority (CA). We use StrongSwan's built-in command `ipsec pki`. Later on, our CA will issue end-entity certificates. Generate a private key for the CA:
21 <p> ipsec pki --gen > caKey.der
23 <p>Now self-sign a CA certificate using the generated key. Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates.
25 <p> ipsec pki --self --in caKey.der --dn "C=USA, O= , CN=Host CA" --ca > caCert.der
27 <p>Generate a private key for your host and use your CA to issue a certificate.
30 ipsec pki --gen > hostKey.der`
31 ipsec pki --pub --in hostKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= CN=host" > hostCert.der` --san your_IP
33 <p>Now place the created files in the following directories of your Host:
36 /etc/ipsec.d/private/hostKey.der
37 /etc/ipsec.d/certs/hostCert.der
38 /etc/ipsec.d/cacerts/caCert.der
40 <p>Similar, we can generate a private key and issue a certiciate for our client.
43 ipsec pki --gen > clientKey.der
44 ipsec pki --pub --in clientKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=client" > clientCert.der
46 <p>On your client you will need the client key and certificate as well as your CA certificate. To make it a bit more convenient, you can wrap these files in one .p12 file using the following command:
49 openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem
50 openssl pkcs12 -in clientCert.pem -inkey clientKey.pem -certfile caCert.pem -export -out client.p12`
52 <h2><a name="section_1_2">Configure strongSwan</a></h2>
54 <p>Your /etc/ipsec.conf configuration file on your host should contain the following:
74 rightdns=8.8.8.8,8.8.4.4
75 rightsourceip=172.16.16.0/24
78 <p>Edit your /etc/ipsec.secrets and add the following line:
82 <p>Please note that both sides of the colon ':' need a white-space!
84 <h2><a name="section_1_3">Allow forwarding and configure firewall</a></h2>
86 <p>In order to forward traffic to hosts behind the gateway the following
87 option has to be enabled on your host:
90 sysctl net.ipv4.ip_forward=1
91 sysctl net.ipv6.conf.all.forwarding=1
93 <p>This can be added to /etc/sysctl.conf to enable it permanently.
95 <p>Makes sure the ports accept traffic and masquerading:
97 sudo iptables -A INPUT -p udp -dport 500/4500 -j ACCEPT
98 sudo iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -o eth0 -j MASQUERADE
projects / robinkrens.nl / blob