strongSwan is an IPsec solution providing encryption and authentication to servers and clients. It can be used to secure communications with remote networks, so that connecting remotely is the same as connecting locally. In this HOWTO, I explain how to set up a secure connection to your server. In this setup your host will be the gateway; you might have other servers behind this gateway that you can then reach securely. In this particular setup we use public key authentication between a roadwarrior and your server. "Roadwarrior" is the term strongSwan uses for laptops or other mobile devices that connect from a remote location to your network. More on this particular setup can be found here: https://www.strongswan.org/testing/testresults/ikev2/mobike-virtual-ip-nat/index.html
Note: some distributions use ipsec as the command, others use strongswan.
To set up a public key infrastructure (PKI), we first need to create a self-signed Certificate Authority (CA). We use StrongSwan's built-in command `ipsec pki`. Later on, our CA will issue end-entity certificates. Generate a private key for the CA:
ipsec pki --gen > caKey.der
Now self-sign a CA certificate using the generated key. Adjust the distinguished name (DN) to your needs; it will be included in all issued certificates.
ipsec pki --self --in caKey.der --dn "C=USA, O= , CN=Host CA" --ca > caCert.der
Generate a private key for your host and use your CA to issue a certificate. Replace your_IP with the address (or hostname) clients will use to reach the gateway; it is added to the certificate as a subjectAltName.
ipsec pki --gen > hostKey.der
ipsec pki --pub --in hostKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=host" --san your_IP > hostCert.der
Now place the created files in the following directories of your host:
/etc/ipsec.d/private/hostKey.der
/etc/ipsec.d/certs/hostCert.der
/etc/ipsec.d/cacerts/caCert.der
Similarly, we can generate a private key and issue a certificate for our client.
ipsec pki --gen > clientKey.der
ipsec pki --pub --in clientKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=USA, O= , CN=client" > clientCert.der
On your client you will need the client key and certificate as well as your CA certificate. To make it a bit more convenient, you can wrap these files in one .p12 file. The DER files are first converted to PEM, then bundled with the following commands:
openssl rsa -inform der -outform pem -in clientKey.der -out clientKey.pem
openssl x509 -inform der -outform pem -in clientCert.der -out clientCert.pem
openssl x509 -inform der -outform pem -in caCert.der -out caCert.pem
openssl pkcs12 -export -in clientCert.pem -inkey clientKey.pem -certfile caCert.pem -out client.p12
Your /etc/ipsec.conf configuration file on your host should contain the following:
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn virtualip
    leftsubnet=0.0.0.0/0
    # certificate issued for the host above (looked up in /etc/ipsec.d/certs)
    leftcert=hostCert.der
    #leftid=alpha
    #leftauth=pubkey
    #rightauth=pubkey
    #leftsendcert=always
    leftfirewall=yes
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24
    auto=add
Edit your /etc/ipsec.secrets and add the following line:
: RSA hostKey.der
Please note that both sides of the colon ':' need whitespace!
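As an added illustration (not code from strongSwan or from this HOWTO), the following Python script parses the ipsec.conf layout used above, merges "conn %default" into the roadwarrior conn the way strongSwan does, checks the gateway settings the HOWTO relies on, and validates the whitespace rule for the ipsec.secrets line. The sample configuration and secrets line embedded in it are constructed to match the HOWTO; the check list (right=%any, auto=add, leftcert, valid leftsubnet/rightsourceip networks) is this example's own choice.

```python
"""Added example: parse strongSwan ipsec.conf / ipsec.secrets and sanity-check
the roadwarrior gateway settings. Illustrative code, not part of strongSwan."""
import ipaddress
import re

# Constructed sample: the gateway's ipsec.conf as laid out in the HOWTO.
SAMPLE_IPSEC_CONF = """\
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn virtualip
    leftsubnet=0.0.0.0/0
    leftcert=hostCert.der
    #leftid=alpha
    leftfirewall=yes
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24
    auto=add
"""

# Constructed sample ipsec.secrets entry (the whitespace around ':' matters).
SAMPLE_IPSEC_SECRETS = ": RSA hostKey.der\n"


def parse_ipsec_conf(text):
    """Return {"conn virtualip": {key: value}, ...}.

    Section headers start in column 0 ("config setup", "conn name"); settings
    are indented key=value lines; '#' starts a comment. Settings of
    "conn %default" are merged into every other conn, explicit keys winning.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments, trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # column 0: a section header
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0] not in ("config", "conn", "ca"):
                raise ValueError(f"bad section header: {raw!r}")
            current = f"{parts[0]} {parts[1]}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"setting outside a section or without '=': {raw!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    merged = {}
    for name, settings in sections.items():
        inherit = name.startswith("conn ") and name != "conn %default"
        merged[name] = {**defaults, **settings} if inherit else dict(settings)
    return merged


# Optional selectors ending in whitespace, ':', whitespace, secret type, value.
_SECRET_RE = re.compile(r"^(?:\S.*\s)?:\s+(RSA|ECDSA|PSK|EAP|XAUTH)\s+\S")


def check_secrets_line(line):
    """True when the ':' of an ipsec.secrets entry is followed (and, if
    selectors are present, preceded) by whitespace, as strongSwan requires."""
    return _SECRET_RE.match(line.rstrip("\n")) is not None


def check_roadwarrior_gateway(conf, conn="conn virtualip"):
    """Return a list of problems with the gateway's roadwarrior conn (empty = OK)."""
    c = conf.get(conn)
    if c is None:
        return [f"{conn} is not defined"]
    problems = []
    if c.get("keyexchange") != "ikev2":
        problems.append("keyexchange=ikev2 expected (normally set in conn %default)")
    if c.get("right") != "%any":
        problems.append("right=%any needed so roadwarriors may connect from any address")
    if c.get("auto") != "add":
        problems.append("auto=add expected: the gateway loads the conn and waits for clients")
    if "leftcert" not in c:
        problems.append("leftcert missing: point it at the host certificate (hostCert.der)")
    # Both are written as CIDR networks in this HOWTO (pool names like %dhcp are not handled).
    for key in ("leftsubnet", "rightsourceip"):
        value = c.get(key)
        if value is None:
            problems.append(f"{key} missing")
            continue
        try:
            ipaddress.ip_network(value, strict=True)
        except ValueError:
            problems.append(f"{key}={value} is not a valid network")
    return problems


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print(conf["conn virtualip"])
    print("secrets line ok:", check_secrets_line(SAMPLE_IPSEC_SECRETS))
    print("problems:", check_roadwarrior_gateway(conf) or "none")
```

Running the script prints the merged virtualip conn (with keyexchange=ikev2 inherited from %default and the commented-out leftid absent), confirms the secrets line, and reports no problems; deleting the right=%any line from the sample makes the checker flag exactly that setting.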
In order to forward traffic to hosts behind the gateway, the following options have to be enabled on your host:
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
This can be added to /etc/sysctl.conf to enable it permanently.
Make sure the UDP ports for IKE (500) and NAT traversal (4500) accept traffic, and masquerade the virtual IP pool on the way out (replace eth0 with your external interface):
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -o eth0 -j MASQUERADE