http://www.strongswan.org/ - link to main site.
- Create CA key and cert, self sign
- Create computer certs for each side
- configure /etc/ipsec.conf
- configure /etc/ipsec.secrets
- copy the caCert.pem file, localCert.pem and localKey.pem files to each computer
Firewall rules: allow IP protocol 50 (ESP) and, only if you actually use AH, protocol 51, plus UDP/500 (IKE) and UDP/4500 (IKE and ESP with NAT traversal) between the two gateways. leftfirewall=yes only manages the forwarding rules for the tunnelled subnets; it does not open these ports.
https://www.sslshopper.com/article-most-common-openssl-commands.html - useful set of common commands.
Edit /etc/ssl/openssl.cnf and enable subjectAltName=email:copy (there is a commented-out subjectAltName line in the usr_cert extensions section). This copies the e-mail address from the subject DN into the subjectAltName extension of every certificate the CA issues; strongSwan uses that attribute to find the right cert for a leftid/rightid. While editing openssl.cnf, check the directories: in the [CA_default] section that [ca] points to, set dir to /etc/ipsec.d, and make sure certificate and private_key name the self-signed CA cert and key you create below (e.g. stu2Cert.pem under cacerts and stu2Key.pem under private).
Use meaningful, unique e-mail addresses when building each cert request: strongSwan indexes on the e-mail in the subjectAltName, and it is what leftid/rightid must match. The default CA policy (policy_match) also requires the Country, State and Organization fields of each request to match the self-signed CA cert, so use the same values. Then create the CA database files in the dir you set in openssl.cnf: touch index.txt, echo 1000 > serial, and chmod 600 both files. openssl ca also needs the newcerts directory to exist, since it keeps a copy of every cert it signs there.
Create the self signed CA cert.
# Create self signed CA key and cert
openssl req -x509 -days 1460 -newkey rsa:2048 -keyout stu2Key.pem -out stu2Cert.pem
Move stu2Key.pem to /etc/ipsec.d/private and the stu2Cert.pem cert to /etc/ipsec.d/cacerts. These directories have to match what's in /etc/ssl/openssl.cnf.
Create the keys and certs for the server and client. The original notes used rsa:1024 here; 1024-bit RSA is no longer considered adequate, so rsa:2048 is used below.
# For each host
# create the request and sign it
openssl req -newkey rsa:2048 -keyout electryonKey.pem -out electryonReq.pem
# sign using the self signed CA cert
openssl ca -in electryonReq.pem -days 730 -out electryonCert.pem
OpenSSL 1.0 stores new private keys in PKCS#8 format (BEGIN PRIVATE KEY / BEGIN ENCRYPTED PRIVATE KEY). strongSwan 4.5.2 only reads the traditional format (BEGIN RSA PRIVATE KEY). You have a choice: update strongSwan to 4.6+, which requires building from source, or convert the key file in place like this (the converted key is written unencrypted, so keep it mode 600 and owned by root):
openssl rsa -in newkey.pem -out newkey.pem
Note, I had to do this for the keys stored in /etc/ipsec.d/private. It removes the passphrase.
Copy the server key to /etc/ipsec.d/private. Copy the server cert to /etc/ipsec.d/certs. Copy the client cert to /etc/ipsec.d/certs.
SCP the client key, client cert and server cert to the client computer. On the client, the client key goes into /etc/ipsec.d/private, the client and server certs go into /etc/ipsec.d/certs, and the CA cert goes into /etc/ipsec.d/cacerts (as in the checklist at the top).
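The CA and host-certificate steps above (openssl.cnf with email:copy, the database files, the self-signed CA, a signed cert per host, and the key-format conversion for strongSwan 4.5.x), scripted end to end. This is an added example, not part of the original notes: it works in a scratch directory laid out like /etc/ipsec.d instead of touching the real one, assumes openssl is on PATH, and the DN values, host names (spike, charon) and example.org e-mail addresses are made up for the example. It also checks what the notes say matters: that the e-mail lands in subjectAltName, that each host cert chains to the CA, that the key is in the traditional format, and that a request whose Organization differs from the CA's is refused by the default policy.

```shell
#!/bin/sh
# Added example, not from the original notes: scripts the CA/host-cert steps
# in a scratch directory laid out like /etc/ipsec.d, with
# subjectAltName=email:copy so strongSwan can match leftid/rightid against the
# e-mail in each cert. Assumes openssl on PATH; the DN values, host names and
# e-mail addresses are made up for the example.
set -e
make_ipsec_ca() {   # $1 = directory standing in for /etc/ipsec.d
    dir=$1
    mkdir -p "$dir/cacerts" "$dir/certs" "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"; echo 1000 > "$dir/serial"     # CA database files
    chmod 600 "$dir/index.txt" "$dir/serial"
    # Minimal openssl.cnf: dir/cert/key point into the ipsec.d tree, the policy
    # requires C/ST/O to match the CA cert, and issued certs get email:copy.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacerts/caCert.pem
private_key = \$dir/private/caKey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = email:copy
EOF
    # Self-signed CA key and cert; -batch/-nodes/-subj make it non-interactive
    openssl req -x509 -batch -nodes -days 1460 -newkey rsa:2048 \
        -config "$dir/openssl.cnf" -subj "/C=US/ST=Colorado/O=Example VPN/CN=Example VPN CA" \
        -keyout "$dir/private/caKey.pem" -out "$dir/cacerts/caCert.pem" 2>/dev/null
    chmod 600 "$dir/private/caKey.pem"
}
issue_host_cert() {   # $1 = ipsec.d dir, $2 = host name, $3 = e-mail used as IKE identity
    dir=$1; host=$2; email=$3
    openssl req -batch -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -subj "/C=US/ST=Colorado/O=Example VPN/CN=$host/emailAddress=$email" \
        -keyout "$dir/private/${host}Key.pem" -out "$dir/${host}Req.pem" 2>/dev/null
    openssl ca -batch -notext -config "$dir/openssl.cnf" -days 730 \
        -in "$dir/${host}Req.pem" -out "$dir/certs/${host}Cert.pem" 2>/dev/null
    # strongSwan 4.5.x needs the traditional "BEGIN RSA PRIVATE KEY" form, not
    # PKCS#8. openssl rsa rewrites it (OpenSSL 3 needs -traditional for that); a
    # passphrase-protected input would be prompted for and written out unencrypted.
    trad=$(openssl rsa -help 2>&1 | grep -o -- '-traditional' | head -n 1)
    openssl rsa $trad -in "$dir/private/${host}Key.pem" \
        -out "$dir/private/${host}Key.pem" 2>/dev/null
    chmod 600 "$dir/private/${host}Key.pem"
}
cert_email() {   # the e-mail subjectAltName strongSwan matches leftid/rightid against
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *email:\([^ ,]*\).*/\1/p'
}
cert_chains_to_ca() {   # 0 if cert $2 verifies against $1/cacerts/caCert.pem
    openssl verify -CAfile "$1/cacerts/caCert.pem" "$2" >/dev/null 2>&1
}
key_is_traditional() {   # 0 if the key file is in the pre-PKCS#8 format
    grep -q 'BEGIN RSA PRIVATE KEY' "$1"
}
rejects_wrong_org() {   # 0 if the CA refuses a request whose O differs from the CA's
    dir=$1
    openssl req -batch -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -subj "/C=US/ST=Colorado/O=Other Org/CN=rogue/emailAddress=rogue@example.org" \
        -keyout "$dir/rogueKey.pem" -out "$dir/rogueReq.pem" 2>/dev/null
    ! openssl ca -batch -notext -config "$dir/openssl.cnf" -days 730 \
        -in "$dir/rogueReq.pem" -out "$dir/rogueCert.pem" >/dev/null 2>&1
}
demo() {   # build the CA, issue spike and charon certs, show the identities
    work=$(mktemp -d)
    make_ipsec_ca "$work"
    issue_host_cert "$work" spike spike@example.org
    issue_host_cert "$work" charon charon@example.org
    for h in spike charon; do
        cert_chains_to_ca "$work" "$work/certs/${h}Cert.pem"
        echo "$h: id=$(cert_email "$work/certs/${h}Cert.pem") key=$(head -n 1 "$work/private/${h}Key.pem")"
    done
    echo "files under $work (mirror of /etc/ipsec.d)"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh build_ipsec_certs.sh run`; the printed id values are exactly what goes into leftid/rightid in ipsec.conf, and the scratch tree can be copied into /etc/ipsec.d on each host following the copy instructions above.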
Here is the schematic:
A Net --- [A in IP] host:spike [A out IP] --- Internet --- [B out IP] host:charon [B in IP] --- B Net
On side A, use this file. Note: left = local node and right = remote node, from the perspective of the host whose file you are editing. That is, for host:spike the left side is A and the right side is B; for host:charon the left side is B and the right side is A.
# Left End (side A) host:spike
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn charon
        left=<A out IP>
        leftsubnet=<A Net /mask>
        leftcert=spikeCert.pem
        # has to match the e-mail subjectAltName in the A side cert
        leftid=<A side e-mail address>
        leftfirewall=yes
        mobike=no
        right=<B out IP address>
        rightsubnet=<B Net /mask>
        # the e-mail subjectAltName in the B side cert
        rightid=<B side e-mail address>
        type=tunnel
        auto=add
Now for side B.
# Right end (side B) host:charon
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn spike
        left=<B out IP address>
        leftsubnet=<B Net /mask>
        # cert of B side
        leftcert=charonCert.pem
        # e-mail address in the B side cert; must match its subjectAltName
        leftid=<B side e-mail address>
        leftfirewall=yes
        type=tunnel
        mobike=no
        right=%any
        rightsubnet=<A Net /mask>
        auto=add
Bring it up and check it:
ipsec listcerts   # confirm both certs loaded and show the e-mail altNames
ipsec up charon   # run on spike: charon has right=%any, so it can only respond, not initiate
ipsec status
tail -f /var/log/charon.log
charon logs to syslog unless a file log is configured in strongswan.conf, so follow whichever log your system actually writes.