StrongSwan
StrongSwan requires access to the signing (CA) certificates of its own certificate, so fetch them from the Let's Encrypt deploy hook:
nano /etc/letsencrypt/cli.ini
deploy-hook = "service dumbproxy restart ; service nginx restart; wget https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/swanctl/x509ca/isrgrootx1.pem; wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/swanctl/x509ca/lets-encrypt-r3.pem; service strongswan restart"
This also grabs the root and intermediate certificates for the service, which needs them to verify its own certificate chain.
Prerequisites:
- Valid certificate
  - Please see Let's Encrypt
- Ports open for incoming connections:
  - 500/UDP
  - 4500/UDP
  - protocol ESP
- EAP-MSCHAPv2 authentication
  - eap-mschapv2 plugin
  - eap-identity plugin
  - openssl plugin
EAP-MSCHAPv2 authentication:
In order to prevent man-in-the-middle attacks, the strongSwan VPN gateway always authenticates itself with an X.509 certificate using a strong RSA/ECDSA signature. After a secure communication channel has been set up by the IKEv2 protocol, the Windows clients authenticate themselves using the EAP-MSCHAPv2 protocol based on user name, optional Windows domain and user password. As an EAP identity exchange is needed for this to work, make sure the eap-identity plugin is loaded.
EAP-MSCHAPv2 requires MD4 to generate the NT-Hashes, so either the md4 plugin or one of the crypto library plugins (openssl or gcrypt) is required. This is not needed if the authentication is delegated to an AAA server via the eap-radius plugin.
Some Windows clients will always send a domain part in the user name field (e.g. Windows Phone\User). Depending on the backend used to authenticate the users, the domain part may have to be stripped away or be included when defining the credentials (e.g. in the secrets section of swanctl.conf).
- Install StrongSwan
apt install strongswan libcharon-extra-plugins libstrongswan-extra-plugins strongswan-swanctl strongswan-pki charon-systemd
- Back up the config files
cp /etc/strongswan.d/swanctl.conf /etc/strongswan.d/swanctl.conf.13-08-22.backup
cp /etc/strongswan.conf /etc/strongswan.conf.13-08-22.backup
cp /etc/swanctl/swanctl.conf /etc/swanctl/swanctl.conf.13-08-22.backup
- /etc/swanctl/swanctl.conf
swanctl {
    load = pem pkcs1 x509 revocation constraints pubkey openssl pkcs8 random
}
connections {
    eap {
        local {
            auth = pubkey
            certs = fullchain.pem
            id = vpn.company.com
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            eap {
                local_ts = 0.0.0.0/0
                start_action = start
            }
        }
        unique = never
        version = 2
        dpd_delay = 30s
        send_cert = always
        proposals = aes128-aes192-aes256-sha1-sha256-sha384-modp1024,default
        pools = ipv4
    }
}
pools {
    ipv4 {
        addrs = 10.90.1.0/24
        dns = 94.140.14.14
    }
}
secrets {
    private {
        file = privkey.pem
    }
    eap-vpnusername {
        id = vpnusername
        secret = "vpnuserpassword"
    }
}
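The proposals line in the swanctl.conf above mixes sha1 and the 1024-bit modp1024 group with stronger algorithms and then appends default. As an added example that is not from the original page or the strongSwan project, the following Python script audits a swanctl proposals string against an editable list of algorithms commonly treated as weak (the WEAK sets and the finding messages are assumptions, not strongSwan's own classification):

```python
import re

# Added example: audit a swanctl `proposals` string for weak algorithms.
# Assumption: WEAK encodes common hardening guidance; tune it to your policy.
WEAK = {
    "encryption": {"3des", "des", "null", "blowfish128", "cast128"},
    "integrity": {"md5", "sha1", "md5_128", "sha1_160"},
    "prf": {"prfmd5", "prfsha1"},
    "dh": {"modp768", "modp1024", "modp1024s160", "modp1536"},
}

# One pattern per IKE transform type, using strongSwan's proposal token syntax.
KINDS = [
    ("dh", re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")),
    ("prf", re.compile(r"^prf\w+$")),
    ("integrity", re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)(_\d+)?$")),
    ("encryption", re.compile(r"^(aes\d+(gcm|ccm)?\d*|camellia\d+(gcm|ccm)?\d*|chacha20poly1305"
                              r"|3des|des|null|blowfish\d+|cast128|serpent\d+|twofish\d+)$")),
    ("esn", re.compile(r"^(no)?esn$")),  # ESP-only option, accepted for child proposals
]

def classify(token):
    """Return the transform type of one proposal token, or None if unknown."""
    for kind, pattern in KINDS:
        if pattern.match(token):
            return kind
    return None

def audit_proposals(proposals):
    """Return (proposal_index, token, message) findings; proposals are comma separated, algorithms dash separated."""
    findings = []
    for index, proposal in enumerate(proposals.split(",")):
        proposal = proposal.strip()
        if proposal == "default":
            findings.append((index, "default", "adds this strongSwan version's built-in "
                             "default proposal; review what it expands to on the gateway"))
            continue
        for token in proposal.split("-"):
            kind = classify(token)
            if kind is None:
                findings.append((index, token, "unrecognised token, check spelling"))
            elif token in WEAK.get(kind, ()):
                findings.append((index, token, f"weak {kind} algorithm"))
    return findings

if __name__ == "__main__":
    # Constructed sample: the IKE proposals line from the swanctl.conf above.
    for finding in audit_proposals("aes128-aes192-aes256-sha1-sha256-sha384-modp1024,default"):
        print("proposal %d: %s: %s" % finding)
```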
- You can make a split-tunnel configuration by changing local_ts to 10.90.1.0/24, <subnet1 to push to the tunnel>, <subnet2 to push to the tunnel>.
- SystemD service unit /etc/systemd/system/strongswan-swanctl.service
[Unit]
Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
After=network-online.target
[Service]
Type=notify
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
ExecReload=/usr/sbin/swanctl --reload
ExecReload=/usr/sbin/swanctl --load-all --noprompt
Restart=on-abnormal
[Install]
WantedBy=multi-user.target
Alias=strongswan-swanctl.service
- SystemD service unit /etc/systemd/system/multi-user.target.wants/strongswan.service
[Unit]
Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
After=network-online.target
[Service]
Type=notify
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
ExecReload=/usr/sbin/swanctl --reload
ExecReload=/usr/sbin/swanctl --load-all --noprompt
Restart=on-abnormal
[Install]
WantedBy=multi-user.target
Alias=strongswan-swanctl.service
- Certificate and private key for the StrongSwan server, obtained from Let's Encrypt (symlinks):
/etc/swanctl/x509/fullchain.pem -> /etc/letsencrypt/live/vpn.company.com/fullchain.pem
/etc/swanctl/private/privkey.pem -> /etc/letsencrypt/live/vpn.company.com/privkey.pem
- CA certificates from Let's Encrypt
/etc/swanctl/x509ca/isrgrootx1.pem
/etc/swanctl/x509ca/lets-encrypt-r3.pem
You can download the Let's Encrypt root and intermediate certificates from https://letsencrypt.org/certificates/
- The secret section for a user must be named with the eap- prefix:
eap-<username>
otherwise it fails with the error:
ignoring unsupported secret 'user'
- Load config
swanctl --load-all
- iptables
iptables --append INPUT --protocol udp --destination-port 500 --jump ACCEPT
iptables --append INPUT --protocol udp --destination-port 4500 --jump ACCEPT
iptables --append INPUT --protocol esp --jump ACCEPT
iptables -t nat -A POSTROUTING -s 10.90.1.0/24 -o ens3 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.90.1.0/24 -o ens3 -j MASQUERADE
- Other iptables commands (not used in this setup)
#iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j MASQUERADE
#
#iptables -t nat -A POSTROUTING -j SNAT --to-source 178.62.195.248 -o ens3
#iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir in --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
#iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir out --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
- /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
- Make certs available for StrongSwan
# Certificate with CA cert
ln -s /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/swanctl/x509/fullchain.pem
# Private key (might require AppArmor disable)
ln -s /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/swanctl/private/privkey.pem
# Let's Encrypt root certificates in PEM format from https://letsencrypt.org/certificates/ go into:
/etc/swanctl/x509ca
For authentication to be successful, at least the server side has to have the complete chain from the root certificate to its own certificate.
You can test whether the server trusts its own certificate with the following command; a missing CA certificate shows up as:
# ipsec pki --verify --in /etc/swanctl/x509/fullchain.pem
no issuer certificate found for "CN=..."
- Download Let's Encrypt Root and Subordinate certificates:
wget --quiet https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/swanctl/x509ca/isrgrootx1.pem
wget --quiet https://letsencrypt.org/certs/isrg-root-x2.pem -O /etc/swanctl/x509ca/isrg-root-x2.pem
wget --quiet https://letsencrypt.org/certs/2024/e5.pem -O /etc/swanctl/x509ca/e5.pem
wget --quiet https://letsencrypt.org/certs/2024/e6.pem -O /etc/swanctl/x509ca/e6.pem
wget --quiet https://letsencrypt.org/certs/2024/r10.pem -O /etc/swanctl/x509ca/r10.pem
wget --quiet https://letsencrypt.org/certs/2024/r11.pem -O /etc/swanctl/x509ca/r11.pem
# Just in case the old ipsec directories are still in use
wget https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/ipsec.d/cacerts/isrgrootx1.pem
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ipsec.d/cacerts/lets-encrypt-r3.pem
- Check StrongSwan certificates:
ipsec listcacerts
ipsec listcerts
swanctl --list-certs
ipsec rereadall
ipsec pki --verify --in /etc/swanctl/x509/fullchain.pem --cacert /etc/swanctl/x509ca
See https://wiki.strongswan.org/issues/2812
- Move the AppArmor profiles out of the way because they prevent charon from reading the certificates:
mv /etc/apparmor.d/local/usr.lib.ipsec.charon /home/user/etc/apparmor.d/local/usr.lib.ipsec.charon
mv /etc/apparmor.d/local/usr.lib.ipsec.lookip /home/user/etc/apparmor.d/local/usr.lib.ipsec.lookip
mv /etc/apparmor.d/local/usr.lib.ipsec.stroke /home/user/etc/apparmor.d/local/usr.lib.ipsec.stroke
mv /etc/apparmor.d/local/usr.sbin.swanctl /home/user/etc/apparmor.d/local/usr.sbin.swanctl
mv /etc/apparmor.d/local/usr.sbin.charon-systemd /home/user/etc/apparmor.d/local/usr.sbin.charon-systemd
mv /etc/apparmor.d/usr.lib.ipsec.charon /home/user/etc/apparmor.d/usr.lib.ipsec.charon
mv /etc/apparmor.d/usr.lib.ipsec.lookip /home/user/etc/apparmor.d/usr.lib.ipsec.lookip
mv /etc/apparmor.d/usr.lib.ipsec.stroke /home/user/etc/apparmor.d/usr.lib.ipsec.stroke
systemctl restart apparmor.service
mv /etc/apparmor.d/usr.sbin.swanctl /home/user/etc/apparmor.d/usr.sbin.swanctl
mv /etc/apparmor.d/usr.sbin.charon-systemd /home/user/etc/apparmor.d/usr.sbin.charon-systemd
systemctl restart apparmor.service
- If that didn't work, allow charon's AppArmor profile to read the certificates by adding the following line to /etc/apparmor.d/local/usr.lib.ipsec.charon:
#include <abstractions/ssl_keys>
then reload the profile and restart the service:
apparmor_parser -rTW /etc/apparmor.d/usr.lib.ipsec.charon
systemctl restart strongswan-starter
See https://lists.strongswan.org/pipermail/users/2017-February/010537.html and https://www.mail-archive.com/users@lists.strongswan.org/msg16454.html
- Status
ipsec statusall
swanctl --list-conns
- Start service
systemctl start strongswan
- Enable service to boot
systemctl enable strongswan
- List logs
journalctl -u strongswan-starter
- Android: install the certificate chain. TODO: check on another phone whether it works without installing the CA root: https://knowledgebase.geolantis.com/HOW%20TO/how-to-install-root-certificate-on-android-6-0-device/