convert to vimwiki

[robinkrens.nl] / docs / ikev2-nat-rw.txt

Strongswan road warrior setup with Virtual IPs
=======

strongSwan is an IPsec solution providing encryption and authentication to servers and clients. It can be used to secure communications with remote networks, so that connecting remotely is the same as connecting locally. In this HOWTO, I explain how to setup up a secure connection to your server. In this setup your host will be the *gateway*, you might have other servers behind this gateway you can then reach securily. In this particular setup we use public key authentication between a *roadwarrior* and your server. Roadwarriors is the term Strongswan uses for laptops or other mobile devices that connect from a remote location to your network. More on this particular setup can be found here: https://www.strongswan.org/testing/testresults/ikev2/mobike-virtual-ip-nat/index.html
Note: some distributions use *ipsec* as command, others use *strongswan*

----------

Setup a PKI infrastructure 
**********

To set up a public key infrastructure (PKI), we first need to create a self-signed Certificate Authority (CA). We use StrongSwan's built-in command `ipsec pki`. Later on, our CA will issue end-entity certificates. Generate a private key for the CA:

        ipsec pki --gen > caKey.der

Now self-sign a CA certificate using the generated key. Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates.

        ipsec pki --self --in caKey.der --dn "C=USA, O= , CN=Host CA" --ca > caCert.der

Generate a private key for your   host and use your CA to issue a certificate.

        ipsec pki --gen > hostKey.der`
        ipsec pki --pub --in hostKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O=  CN=host" > hostCert.der` --san your_IP

Now place the created files in the following directories of your Host:

        /etc/ipsec.d/private/hostKey.der
        /etc/ipsec.d/certs/hostCert.der
        /etc/ipsec.d/cacerts/caCert.der

Similar, we can generate a private key and issue a certiciate for our client. 

        ipsec pki --gen > clientKey.der
        ipsec pki --pub --in clientKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=client" > clientCert.der

On your client you will need the client key and certificate as well as your CA certificate. To make it a bit more convenient, you can wrap these files in one .p12 file using the following command: 

        openssl rsa -inform der -outform pem -in peerKey.der -out peerKey.pem
        openssl pkcs12 -in clientCert.pem -inkey clientKey.pem -certfile caCert.pem -export -out client.p12`

Configure strongSwan
**********

Your /etc/ipsec.conf configuration file on your host should contain the following:

        config setup

        conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                keyexchange=ikev2

        conn virtualip
                leftsubnet=0.0.0.0/0
                #leftid=alpha
                #leftauth=pubkey
                #rightauth=pubkey
                #leftsendcert=always
                leftfirewall=yes
                right=%any
                rightdns=8.8.8.8,8.8.4.4
                rightsourceip=172.16.16.0/24
                auto=add

Edit your /etc/ipsec.secrets and add the following line:

         : RSA hostKey.der

Please note that both sides of the colon ':' need a white-space!

Allow forwarding and configure firewall
************

In order to forward traffic to hosts behind the gateway the following
option has to be enabled on your host:

        sysctl net.ipv4.ip_forward=1
        sysctl net.ipv6.conf.all.forwarding=1

This can be added to /etc/sysctl.conf to enable it permanently.

Makes sure the ports accept traffic and masquerading:
        sudo iptables -A INPUT -p udp -dport 500/4500 -j ACCEPT
        sudo iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -o eth0 -j MASQUERADE