network:vpn_-_strongswan

network:vpn_-_strongswan [2016/07/04 09:27] – [Install Strongswan] peternetwork:vpn_-_strongswan [2020/07/23 01:11] (current) – old revision restored (2016/07/04 10:36) 158.69.243.99
Line 114: Line 114:
 </code> </code>
  
-The domain name or IP address of your VPN server, which is later entered in the clients connection properties, MUST be contained either in the subject Distinguished Name (CN) and/or in a subject Alternative Name (--san).  If this does not match the clients will fail to connect.+The domain name or IP address of your VPN server, which is later entered in the clients connection properties, MUST be contained either in the subject Distinguished Name (CN) and/or in a subject Alternative Name (**--san**).  If this does not match the clients will fail to connect.
  
-The built in Windows 7 VPN client needs the serverAuth extended key usage flag in your host certificate as shown above, or the client will refuse to connect.  In addition, OS X 10.7.3 or older requires the ikeIntermediate flag, which we also add here.+The built in Windows 7 VPN client needs the **serverAuth** extended key usage flag in your host certificate as shown above, or the client will refuse to connect.  In addition, OS X 10.7.3 or older requires the **ikeIntermediate** flag, which we also add here.
  
-We add the IP address twice, one with an @ in front so that it gets added as an subjectAltName of the DNSName type and one of the IPAddess type.+We add the IP address twice, one with an **@** in front so that it gets added as an **subjectAltName** of the **DNSName** type and one of the **IPAddess** type.
  
 Let's view the certificate: Let's view the certificate:
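Review bot: "IPAddess" at the end of the third changed paragraph is misspelled on both sides of this hunk; it should read "IPAddress" to match the DNSName/IPAddress subjectAltName types the paragraph contrasts. While touching it, "an subjectAltName" should be "a subjectAltName", "clients connection properties" should be "client's connection properties", and "built in Windows 7 VPN client" should be "built-in".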
Line 179: Line 179:
 </code> </code>
  
-The private key (/etc/ipsec.d/private/strongswanKey.der) of the CA should be moved somewhere safe, possibly to a special signing host without access to the Internet.  Theft of this master signing key would completely compromise your public key infrastructure.  Use it only to generate client certificates when needed.+The private key (**/etc/ipsec.d/private/strongswanKey.der**) of the CA should be moved somewhere safe, possibly to a special signing host without access to the Internet.  Theft of this master signing key would completely compromise your public key infrastructure.  Use it only to generate client certificates when needed.
  
 ===== Client certificate ===== ===== Client certificate =====
Line 215: Line 215:
 </code> </code>
  
-Enter a passphrase twice, then you have a .p12.  You can send John.p12 and its export paraphrase to the person who is going to install it onto the client.  In some cases (iOS for example) you have to separately include the CA certificate cacerts/strongswanCert.pem.+Enter a passphrase twice, then you have a .p12.  You can send **John.p12** and its export paraphrase to the person who is going to install it onto the client.  In some cases (iOS for example) you have to separately include the CA certificate **cacerts/strongswanCert.pem**.
  
-Transport this John.p12 file and the password over seperate channels to a client.+Transport this **John.p12** file and the password over separate channels to a client.
  
 If you need any more user certificates, repeat the above steps with other user data.  You can also do this later on. If you need any more user certificates, repeat the above steps with other user data.  You can also do this later on.
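Review bot: "export paraphrase" in the first changed paragraph should be "export passphrase"; the typo survives on both sides even though this same hunk fixes "seperate" in the next paragraph. The separate-channels instruction in the second paragraph is the important point, so consider stating it together with the sentence that suggests sending the .p12 and its passphrase to the recipient rather than after it.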
Line 236: Line 236:
 </code> </code>
  
-This generates the new certificate revocation list (CRL) crls/crl.der.  When someone tries to authenticate with the stolen certificate, he'll receive an authentication credentials error message, and your log file will contain something like:+This generates the new certificate revocation list (CRL) **crls/crl.der**.  When someone tries to authenticate with the stolen certificate, he'll receive an authentication credentials error message, and your log file will contain something like:
  
 <code> <code>
Line 262: Line 262:
 ===== IPSEC Configuration ===== ===== IPSEC Configuration =====
  
-The main ipsec configuration file is located in /etc/strongswan.d/ We are going to edit it:+The main **ipsec** configuration file is located in **/etc/strongswan.d/**.  We are going to edit it:
  
 <code bash> <code bash>
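Review bot: the changed sentence names only the directory /etc/strongswan.d/ and not the file that is being edited, so the reader cannot tell which file the bash block that follows writes; since a later hunk removes /etc/ipsec.conf and replaces it with a symlink whose target is also not named here, stating the file name in this sentence (and the symlink target there) would keep the two steps consistent.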
Line 297: Line 297:
 </code> </code>
  
-Remove the /etc/ipsec.conf file and create a symlink:+Remove the **/etc/ipsec.conf** file and create a symlink:
  
 <code bash> <code bash>
Line 306: Line 306:
 The configuration has settings for IKEv2 + RSA certificates.  This is, as stated above, the most secure method.  Older tutorials also set up IKEv1 (xauth) and username-password combo, but that is considered insecure. The configuration has settings for IKEv2 + RSA certificates.  This is, as stated above, the most secure method.  Older tutorials also set up IKEv1 (xauth) and username-password combo, but that is considered insecure.
  
-Apple added support for IKEv2 in iOS 8, but it needs to be configured using a custom configuration profile.  OS X 10.9 and lower do not support IKEv2.+Apple added support for IKEv2 in iOS 8, but it needs to be configured using a custom configuration profile [https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile].  OS X 10.9 and lower do not support IKEv2.
  
 Beginning with iOS 9, IKEv2 connections are natively supported.  However, iOS9 only supports the use of certificates or username/password, but not both. Beginning with iOS 9, IKEv2 connections are natively supported.  However, iOS9 only supports the use of certificates or username/password, but not both.
  
-For iOS 9+ and OS X 10.10+ you need to make sure the leftid= is the same as the CN in your certificate.  You also need to enter that on the devices, otherwise you'll get a no matching peer config found log error.+For iOS 9+ and OS X 10.10+ you need to make sure the **leftid=** is the same as the **CN** in your certificate.  You also need to enter that on the devices, otherwise you'll get a **no matching peer config found** log error.
  
 Android 4+ and Windows 7+ support IKEv2. Android 4+ and Windows 7+ support IKEv2.
  
-Clients will get the Google DNS servers and an IP address in the 10.42.42.0/24 range.  We use a strong ciphersuite.+Clients will get the Google DNS servers and an IP address in the **10.42.42.0/24** range.  We use a strong ciphersuite.
  
-The leftcert=vpnHostCert.der expands to the path /etc/ipsec.d/certs/vpnHostCert.der.+The **leftcert=vpnHostCert.der** expands to the path **/etc/ipsec.d/certs/vpnHostCert.der**.
  
  
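Review bot: the leftid= paragraph ties the identity only to the CN, while the certificate hunk earlier in this change set says the server name may be in the CN and/or a subjectAltName; consider wording it as "leftid= must be the name the client enters, and that name must be in the certificate as described above" so the two sections agree. The added bracketed URL follows the bare [url] style already used at Line 444, which is consistent with the rest of the page.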
Line 372: Line 372:
 </code> </code>
  
-Add it before the exit 0 line and replace %SERVERIP% with the external IP of your server.+Add it before the **exit 0** line and replace %SERVERIP% with the external IP of your server.
  
  
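Review bot: the file that contains the exit 0 line is not named in this hunk's context, and %SERVERIP% is left unbolded while the other placeholders and paths in this change set are bolded; name the file and bold the placeholder for consistency.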
Line 444: Line 444:
  
 See the Strongswan Wiki [https://wiki.strongswan.org/projects/strongswan/wiki/Windows7] for guides on configuring Windows and OS X/iOS clients [https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)]. See the Strongswan Wiki [https://wiki.strongswan.org/projects/strongswan/wiki/Windows7] for guides on configuring Windows and OS X/iOS clients [https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)].
 +
 +
 +===== References =====
 +
 +https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_15.10.html
 +https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
 +
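Review bot: the new References section lists bare URLs without titles; the Strongswan Wiki links just above are introduced with a description, so give each reference a short title in the same style so the reader knows what each link covers before following it.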
network/vpn_-_strongswan.1467624465.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
