StrongSwan

From Stu2

http://www.strongswan.org/ - link to main site.

Overview

  • Create a CA key and cert, self signed
  • Create a host key and cert for each side, signed by that CA
  • configure /etc/ipsec.conf
  • configure /etc/ipsec.secrets (tells charon which private key to load)
  • copy the CA cert (caCert.pem) plus each host's own cert and key (localCert.pem, localKey.pem) to that host

Firewall rules: between the two gateways allow IP protocol 50 (ESP) and 51 (AH), and UDP ports 500 (IKE) and 4500 (IKE and ESP in UDP, used when NAT is in the path). These must be opened by hand; leftfirewall=yes in ipsec.conf (below) only adds rules for the tunnelled subnets, not for IKE/ESP itself.

https://www.sslshopper.com/article-most-common-openssl-commands.html - useful set of common commands.

Certs

Edit the /etc/ssl/openssl.cnf file to add subjectAltName=email:copy. There is a commented-out subjectAltName line in the extensions section that openssl ca applies to the certs it issues ([ usr_cert ] in the stock config); uncomment it there. This copies the e-mail address from the subject into the certificate's subjectAltName, which is the attribute strongswan uses to find the right cert for leftid/rightid. While editing openssl.cnf, make sure all the directories are correct: in the CA section that [ ca ] points to ([ CA_default ] in the stock config) set dir to /etc/ipsec.d, and set the certificate and private_key entries to the names and locations you use below for the self-signed CA (e.g. $dir/cacerts/stu2Cert.pem and $dir/private/stu2Key.pem).

Use a meaningful and unique e-mail address for each host when building the cert request. Strongswan uses the e-mail address in the altName attribute of the certificate as the identity to match. Fill in the Organization (and country/state, if you use the stock policy_match) exactly as in the self-signed CA cert, since openssl ca refuses requests whose matched fields differ from the CA's. Then create the database files openssl ca expects under /etc/ipsec.d: touch index.txt, echo 1000 > serial, chmod 600 on both, and mkdir newcerts for the copies openssl ca keeps of each issued cert.

Create the self signed cert.

# Create self signed CA key and cert (4 years); prompts for a passphrase and the subject.
# Use the same Organization here as in the host requests: openssl ca's policy matches it.
openssl req -x509 -days 1460 -newkey rsa:2048 -keyout stu2Key.pem -out stu2Cert.pem

Move stu2Key.pem to /etc/ipsec.d/private and the stu2Cert.pem cert to /etc/ipsec.d/cacerts. These directories have to match what's in /etc/ssl/openssl.cnf. Note that strongswan only ever needs the CA cert in cacerts; the CA private key is used by openssl ca alone, so it does not have to live on a VPN gateway at all and should not be copied to the other side.

Create the keys and certs for the server and client.

# For each host
# create the request (prompts for a passphrase and the subject; give each host its own e-mail address)
# 2048-bit keys: the original used rsa:1024, which is below current minimums
openssl req -newkey rsa:2048 -keyout electryonKey.pem -out electryonReq.pem
# sign using the self signed CA cert; reads the [ ca ] settings from /etc/ssl/openssl.cnf
openssl ca -in electryonReq.pem -days 730 -out electryonCert.pem

Since OpenSSL 1.0.0, openssl req writes private keys in PKCS#8 format (the file starts with BEGIN PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY). Version 4.5.2 of strongswan only reads the traditional format (BEGIN RSA PRIVATE KEY). You have a choice: update strongswan to 4.6+, which requires building from the sources, or convert the key file like this:

openssl rsa -in newkey.pem -out newkey.pem
# on OpenSSL 3.x add -traditional, otherwise the output is PKCS#8 again

Note, I had to do this for the keys stored in /etc/ipsec.d/private. It removes the passphrase.

Copy the server key to /etc/ipsec.d/private (mode 600, owned by root). Copy the server cert to /etc/ipsec.d/certs. Copy the client cert to /etc/ipsec.d/certs. (With IKEv2 the peer sends its cert during the exchange, so having the peer's cert in certs is a convenience; what matters is that the CA cert is in cacerts.)

SCP the client key, client cert, server cert to the client computer. On the client, the client key goes into /etc/ipsec.d/private. The client and server certs go into /etc/ipsec.d/certs.
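The whole certificate procedure above (CA, per-host requests signed with subjectAltName=email:copy, key conversion, and the files each host ends up with) as one script. This is an added example, not code from the Stu2 page or from the strongSwan project: it builds everything in a throwaway directory rather than /etc/ipsec.d and writes its own minimal openssl.cnf instead of editing /etc/ssl/openssl.cnf. The host names spike and charon, the stu2.example e-mail domain and the staged /etc layout are assumptions; keys are generated without passphrases (-nodes) purely so that nothing prompts.

```sh
#!/bin/sh
# Added example (not code from the Stu2 page or the strongSwan project): builds the
# CA and host certs the page describes in a throwaway directory instead of
# /etc/ipsec.d, converts the keys, checks the result and stages each gateway's files.
# The host names (spike, charon), the stu2.example domain and the minimal openssl.cnf
# are assumptions; keys are made without passphrases (-nodes) so nothing prompts.

# make_pki DIR: CA directory layout, openssl.cnf, self-signed CA and two host certs.
make_pki() {
    dir=$1
    mkdir -p "$dir/cacerts" "$dir/certs" "$dir/private" "$dir/newcerts" && chmod 700 "$dir/private" || return 1
    # openssl ca's database files, as on the page (touch index.txt; echo 1000 > serial)
    touch "$dir/index.txt" && echo 1000 > "$dir/serial" && chmod 600 "$dir/index.txt" "$dir/serial"
    # [ca] points at DIR, host certs get subjectAltName=email:copy, and the CA cert
    # gets CA:TRUE so openssl verify (and strongSwan) accept it as an issuer.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = stu2_ca
[ stu2_ca ]
dir = $dir
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacerts/stu2Cert.pem
private_key = \$dir/private/stu2Key.pem
default_md = sha256
policy = stu2_policy
x509_extensions = host_cert
[ stu2_policy ]
organizationName = match
commonName = supplied
emailAddress = supplied
[ host_cert ]
basicConstraints = CA:FALSE
subjectAltName = email:copy
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_cert
[ req_dn ]
O = Stu2
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed CA, as on the page, plus -subj/-config so that nothing prompts.
    openssl req -x509 -days 1460 -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/O=Stu2/CN=Stu2 CA/emailAddress=ca@stu2.example" \
        -keyout "$dir/private/stu2Key.pem" -out "$dir/cacerts/stu2Cert.pem" 2>/dev/null || return 1
    for host in spike charon; do
        # One unique e-mail per host: email:copy turns it into the SAN that strongSwan
        # matches leftid/rightid against. 2048-bit keys rather than the page's 1024.
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
            -subj "/O=Stu2/CN=$host/emailAddress=$host@stu2.example" \
            -keyout "$dir/private/${host}Key.pem" -out "$dir/${host}Req.pem" 2>/dev/null || return 1
        openssl ca -batch -notext -config "$dir/openssl.cnf" -days 730 \
            -in "$dir/${host}Req.pem" -out "$dir/certs/${host}Cert.pem" >/dev/null 2>&1 || return 1
        to_pkcs1 "$dir/private/${host}Key.pem" || return 1
    done
}

# to_pkcs1 KEY: rewrite a PKCS#8 key ("BEGIN PRIVATE KEY") in place as the traditional
# "BEGIN RSA PRIVATE KEY" form strongSwan 4.5 expects, stripping any passphrase.
# OpenSSL 3.x emits PKCS#8 again unless -traditional is given; 1.x rejects the flag.
to_pkcs1() {
    openssl rsa -traditional -in "$1" -out "$1" 2>/dev/null || openssl rsa -in "$1" -out "$1" 2>/dev/null
}

# check_pki DIR: before copying anything, confirm each host cert chains to the CA,
# its SAN carries the e-mail, and its key is in the old format.
check_pki() {
    dir=$1
    for host in spike charon; do
        openssl verify -CAfile "$dir/cacerts/stu2Cert.pem" "$dir/certs/${host}Cert.pem" >/dev/null 2>&1 || return 1
        openssl x509 -in "$dir/certs/${host}Cert.pem" -noout -text | grep -q "email:$host@stu2.example" || return 1
        head -n 1 "$dir/private/${host}Key.pem" | grep -q "BEGIN RSA PRIVATE KEY" || return 1
    done
}

# stage_host DIR HOST PEER OUT: the files one gateway receives, in the /etc layout the
# page describes (OUT stands in for /etc), plus the ipsec.secrets entry naming the key
# to load from ipsec.d/private. The CA private key stays off the gateways.
stage_host() {
    dir=$1; host=$2; peer=$3; out=$4
    mkdir -p "$out/ipsec.d/private" "$out/ipsec.d/certs" "$out/ipsec.d/cacerts" || return 1
    cp "$dir/cacerts/stu2Cert.pem" "$out/ipsec.d/cacerts/" || return 1
    cp "$dir/certs/${host}Cert.pem" "$dir/certs/${peer}Cert.pem" "$out/ipsec.d/certs/" || return 1
    cp "$dir/private/${host}Key.pem" "$out/ipsec.d/private/" && chmod 600 "$out/ipsec.d/private/${host}Key.pem" || return 1
    printf ': RSA %sKey.pem\n' "$host" > "$out/ipsec.secrets" && chmod 600 "$out/ipsec.secrets"
}

# Run directly: build, check and stage a throwaway PKI under a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_pki "$demo" && check_pki "$demo" && stage_host "$demo" spike charon "$demo/spike-etc" \
        && stage_host "$demo" charon spike "$demo/charon-etc" && echo "PKI staged under $demo"
fi
```

Run it and inspect the two staged trees (spike-etc and charon-etc): they contain exactly what the page says to SCP to each side, and ipsec.secrets holds the one line (": RSA spikeKey.pem" on spike) that charon needs to pick up the key. check_pki is the test worth repeating on the real /etc/ipsec.d before running ipsec up: a cert that does not verify against cacerts, or whose altName does not carry the e-mail used as leftid, is the usual cause of "no private key found" or "no matching peer config" errors.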

ipsec.conf files

Here is the schematic:

A Net - A in IP (host: spike) A out IP  -  Internet  - B out IP (host:charon) B in IP - B Net

On side A, use this file. Note: left = local node and right = remote node, always from the perspective of the host whose file you are editing. That is, for host spike, left is A and right is B; for host charon, left is B and right is A.

# Left End (side A) host:spike

config setup

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn charon
	left=<A out IP>
	leftsubnet=<A Net /mask>
	leftcert=spikeCert.pem        # relative to /etc/ipsec.d/certs
	leftid=<A side e-mail address> # must match the subjectAltName in the A side cert
	leftfirewall=yes              # _updown adds iptables rules for the tunnelled subnets
	mobike=no
	right=<B out IP address>
	rightsubnet=<B Net /mask>
	rightid=<B side e-mail address> # must match the subjectAltName in the B side cert
	type=tunnel
	auto=add                      # loaded at start, brought up by hand with ipsec up charon

Now for side B. This side uses right=%any, so it only ever responds; it cannot initiate the tunnel. Note also that without a rightid, any peer presenting a cert issued by the trusted CA is accepted for this conn; add rightid=<A side e-mail address> to pin it to spike.

# Right end (side B) host:charon
config setup

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn spike
	left=<B out IP address>
	leftsubnet=<B Net /mask>
	leftcert=charonCert.pem       # cert of B side, relative to /etc/ipsec.d/certs
	leftid=<B side e-mail address> # must match the subjectAltName in the B side cert
	leftfirewall=yes
	type=tunnel
	mobike=no
	right=%any                    # accept the peer from any address; responder only
	rightsubnet=<A Net /mask>
	auto=add

Now, on spike (the conn there is named charon), after ipsec.secrets on each host names its own key (": RSA spikeKey.pem" on spike, relative to /etc/ipsec.d/private):

ipsec listcerts   # loaded certs with their altNames; leftid/rightid must match these
ipsec up charon
ipsec status      # ipsec statusall also shows the negotiated algorithms and traffic selectors

tail -f /var/log/charon.log

The charon.log file only exists if a filelog target is configured in strongswan.conf; by default charon logs through syslog (typically /var/log/auth.log or /var/log/syslog).