Strongswan 4

I will now go over the steps to configure strongSwan U4.3.2/K2.6.32-35-generic on Ubuntu 10.0.4 for a certificate based IPSec VPN. I was unable to get strongSwan 5.1.2 working and have submitted an issue with them and will update this page when it is resolved. The following procedure will work for Ubuntu 10.04 and 12.04, but 14.04 has the strongSwan 5.1.2 packages and won’t work.

Install strongSwan by using either “sudo apt-get install strongswan” or clicking on the synaptic package manager, searching for VPN, selecting strongswan, clicking “okay” for the dependencies and clicking accept to have it do it. You will also need openssl to extract the keys and that can be done with “sudo apt-get install openssl”. Follow the steps on the Create CA & Certs page first.

Copy the IPCop Certificate Authority certificate file from the USB drive to the location that both Openswan and strongSwan read them from.

# cp crabdance2cacert.pem /etc/ipsec.d/cacerts

Copy the IPCop host certificate to certs folder.

# cp crabdance2hostcert.pem /etc/ipsec.d/certs

For the remote host, IPCop gives you a PKCS12 file, but strongSwan wants separate .PEM certificates The following commands will extract the client secret key and the client certificate from the PKCS12 file. The PKCS12 file also contains the IPCop CA certificate, but we downloaded it from the IPCop VPNs->CA page to the USB drive at the same time that we downloaded the IPCop host certificate, which is not in the pkcs12 file. The following commands will ask for the PKCS12 password you gave above each time you use the PKCS12 file.

# openssl pkcs12 -in test21.p12 -out test21key.pem -nocerts

The following command copies the secret key to the ipsec private folder

# cp test21key.pem /etc/ipsec.d/private

Now extract the client certificate and copy it to the certs folder.

# openssl pkcs12 -in test21.p12 -out test21cert.pem -clcerts -nokeys
# cp test21cert.pem /etc/ipsec.d/certs

Now edit the /etc/ipsec.conf file paying attention to the following:
Blank lines are important in this file to separate the sections, so do not delete them. Conventions are “left” is local to the machine you are on and right is the remote host. Each line of a section begins with a tab character. Even comments within a section must begin with a tab or the section won’t get parsed correctly. Since I only have one VPN on the the laptop, I didn’t worry about the IKEv2 daemon charon. The lines with dashes “-” are only to show the beginning and end of the file and are not part of the file.
————————-ipsec.conf——————-
# ipsec.conf – strongSwan IPsec configuration file

# basic configuration

config setup
plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
nat_traversal=yes
charonstart=no
plutostart=yes
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1

# Add connections here.
# Give the connection a name.

conn test21
# Use whatever IP address our Internet provider has given us.
left=%defaultroute
# The location of our client certificate
leftcert=/etc/ipsec.d/certs/test21cert.pem
# Our local ID as defined in the certificate and on the configuration
# page of IPCop
leftid=beirne@vpnet.chi.il.us
# The Fully Qualified Domain Name(FQDN) or IP address of the
# remote host. I use the freedns.afraid.org dynamic dns service.
# The dyndns.org was free, but now seems to be a paid service.
right=mgbeirne.crabdance.com
# The remote subnet we need to get to
rightsubnet=192.168.69.0/24
# The remote ID as defined on IPCop
rightid=beirne@limerick.chicago.il.us
# The host certificate of your IPCop box.
rightcert=/etc/ipsec.d/certs/crabdance2hostcert.pem
# add the connection, but don’t automatically start it.
auto=add

————————————————————————
Now edit the /etc/ipsec.secrets file so that pluto can load the secret key to unlock the client certificate. There are really three ways to do this, one is to prompt the user each time the tunnel is brought up, two is to put the password in the file within double quotes in place of the “%prompt” and the third is to specify “-nodes” when you extracted the key from the PKCS12 file above.

————————/etc/ipsec.secrets——————-
# This file holds shared secrets or RSA private keys for
# Inter-Pluto authentication.  See ipsec_pluto(8) manpage, and
# HTML documentation.

# RSA private key for this host, authenticating it to any other
# host which knows the public part.  Suitable public keys, for
# ipsec.conf, DNS, or configuration of other implementations, can
# be extracted conveniently with “ipsec showhostkey”.

#Remote-ID Local-ID a-colon-separated-by-spaces KeyType
# location-of-key Password (all on one line)

beirne@limerick.chicago.il.us beirne@vpnet.chi.il.us : RSA /etc/ipsec.d/private/test21key.pem %prompt

———————————————————————–
The following commands need to be run as root every time you want to
bring up the VPN. Stop and start the ipsec daemons

# ipsec stop
# ipsec start

Reload the configuration files

# ipsec reload

The following command will allow you to enter the password for the client key and may not be necessary if you put the password in the ipsec.secrets file or extracted the key with the “-nodes” option.

# ipsec rereadsecrets

After the key is correctly loaded, then the client certificate can be unlocked and used in the connection. Then bring up the connection.

# ipsec up test21

Test the connection by connecting to one of the hosts on the remote network.

ssh -l beirne 192.168.69.12

When you are all done, then you can stop the VPN with the following command.

# ipsec stop

Donald Trump is an idiot.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.