====== OpenSwan ======

  * https://help.ubuntu.com/community/L2TPServer
**Introduction**

This guide provides information that can be used to configure OpenSwan to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been reported to inter-operate correctly with OpenSwan.

**Overview**

The configuration example described below allows an IPsec VPN client to communicate with a single remote private network. This is often called a ''roadwarrior'' scenario, where a single client accesses the company network from changing locations. We assume the following network configuration:

  * The pool for the ''roadwarriors'' is ''192.168.2.0/24'', a single ''/24 (255.255.255.0)'' network.
  * The internal company network is ''192.168.0.0/24'', where all of the servers reside. For example, after establishing a VPN connection to our company network we are able to access the file server on ''192.168.0.15''.

We use SSL (X.509) certificates to authenticate the users and, from the roadwarriors' point of view, the server. The big advantage of certificates is that they can be revoked (declared invalid) if a user loses their computer or leaves the company. We generate the Certification Authority ourselves and sign the certificates with that CA afterwards. This can also be done by a free Certification Authority such as CAcert.

**Gateway Configuration**

This example assumes you have already installed the OpenSwan packages provided by your distribution vendor. The required package for the Debian operating system is called ''openswan'' and can be installed with either ''apt-get'' or ''aptitude''.

**OpenSwan Setup**

  - Get root access on the appropriate machine and install the package through the mechanism provided by your operating system.
  - Set up the required certificates for the server and the ''roadwarriors'':
    - Create the CA (valid for 10 years):<code bash>
openssl req -x509 -days 3650 -newkey rsa:2048 \
    -keyout /etc/ipsec.d/private/caKey.pem \
    -out /etc/ipsec.d/cacerts/caCert.pem
</code>
    - Create a certification request for our server and/or client. OpenSSL is fussy about its directory structure, so we create it first:<code bash>
cd /etc/openssl/
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
</code> Now the certification request for our server:<code bash>
openssl req -newkey rsa:1024 \
    -keyout /etc/ipsec.d/private/serverKey.pem \
    -out /etc/ipsec.d/private/serverReq.pem
</code>
    - Sign the certification request with the certification authority (CA) we just created (valid for 2 years):<code bash>
openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 \
    -out /etc/ipsec.d/private/serverCert.pem -notext \
    -cert /etc/ipsec.d/cacerts/caCert.pem \
    -keyfile /etc/ipsec.d/private/caKey.pem
</code>
    - Create the client certificates.\\ //Hint: we create a .p12 container which holds nearly all the files the client needs (we assume that you have already created a client certificate request and signed it with the CA as explained in step 2.2).//<code bash>
openssl pkcs12 -export -inkey roadwarriorKey.pem \
    -in roadwarriorCert.pem -certfile /etc/ipsec.d/cacerts/caCert.pem \
    -out mikeroadwarrior-rw.p12
</code> This gives us a handy .p12 file which can be imported into the Shrew Soft VPN client through its import function.

**Server Configuration**

  * ''/etc/ipsec.conf'':<code>
config setup
    # nat-t activation
    nat_traversal=yes
    # Debug activation
    # plutodebug=control

# global settings
conn %default
    # networksettings, timeouts...
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

# roadwarrior part
conn roadwarrior
    # auth by cert
    authby=rsasig
    #
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    #
    leftcert=serverCert.pem
    auto=add
    #
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    #
    left=%defaultroute
    #
    leftsubnet=192.168.0.0/24
    #
    right=%any
    #
    rightsubnetwithin=192.168.2.0/24
    #
    keyingtries=3

# Opportunistic Encryption not active
include /etc/ipsec.d/examples/no_oe.conf
</code>
  * ''/etc/ipsec.secrets'' (''serverKey.pem'' is the server key from step 2.2 and "''oursecretpassword''" is the passphrase we chose for it there; the leading colon selects the default entry):<code>
: RSA serverKey.pem "oursecretpassword"
</code>

**Client Configuration**

Just take the stanza below, put it into a text file and import it with the Shrew Soft VPN client's import function:

<code>
n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:1300
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:0
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:0
n:phase2-keylen:0
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.2.0 / 255.255.255.0
s:network-host:hostname.of.your.company.vpn.srv
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.2.23
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-wins-addr:0.0.0.0
s:client-dns-addr:0.0.0.0
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:ident-client-data:C=DE, ST=Bavaria, O=test,CN=Mike/emailAddress=mike@test.net
s:ident-server-data:C=DE, ST=Bavaria, O=test,CN=vpn.test.net/emailAddress=vpn-server@test.net
s:auth-server-cert:mikeroadwarrior-rw.p12
s:auth-client-cert:mikeroadwarrior-rw.p12
s:auth-client-key:mikeroadwarrior-rw.p12
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.0.0 / 255.255.255.0
</code>

As we prepare the client configurations in this example, the client IP is predefined. The network settings can also be assigned by the server using the push/pull method.

**Hints**

''s:ident-server-data'' must be the same as the output of:<code bash>
openssl x509 -in /etc/ipsec.d/cacerts/caCert.pem -noout -text | grep Subject
</code>
And ''s:ident-client-data'' must match the output of:<code bash>
openssl x509 -in roadwarriorCert.pem -noout -text | grep Subject
</code>

  * https://www.shrew.net/support/Howto_OpenSWAN
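The certificate steps of the OpenSwan Setup section, carried out end to end as an added example (it is not part of the original guide or of the Shrew Soft project). Everything it names is constructed for the example: the subject DNs, the scratch directory, the file-name prefixes and the passphrases (only ''oursecretpassword'' is taken from the page). It deliberately differs from the guide in three ways: it runs non-interactively (''-subj'', ''-passout''), it keeps the demoCA layout and a private openssl.cnf under the scratch directory instead of ''/etc/openssl'', and it uses 2048-bit RSA for every key, because 1024-bit RSA (the guide's server request) is below the minimum accepted today. The closing checks confirm that both certificates chain to the new CA, that the private keys are stored encrypted, that the .p12 carries both the client certificate and the CA certificate, and print the subject DNs, which are the identities the two peers present in IKE (Openswan uses the subject DN of ''leftcert'' as its identity unless ''leftid'' is set).

```shell
#!/bin/sh
# Added example, not from the original guide: the CA, gateway and roadwarrior
# certificate steps run end to end, non-interactively, in a scratch directory
# instead of /etc/ipsec.d. Subjects, passphrases and file names are constructed;
# the demoCA layout and openssl.cnf live under $PKI, so the system CA is untouched.
set -eu

PKI="${PKI:-$(mktemp -d)}"         # constructed scratch location
CA_PASS="ca-key-passphrase"        # constructed; protects caKey.pem
SRV_PASS="oursecretpassword"       # the passphrase named in the guide's ipsec.secrets
CLI_PASS="client-key-passphrase"   # constructed; protects roadwarriorKey.pem
P12_PASS="export-password"         # constructed; protects the .p12 the client imports
CA_SUBJ="/C=DE/ST=Bavaria/O=test/CN=test-CA/emailAddress=ca@test.net"
SRV_SUBJ="/C=DE/ST=Bavaria/O=test/CN=vpn.test.net/emailAddress=vpn-server@test.net"
CLI_SUBJ="/C=DE/ST=Bavaria/O=test/CN=Mike/emailAddress=mike@test.net"

# openssl ca insists on the demoCA layout; build it plus a minimal config that
# marks the CA as a CA and everything it issues as an end-entity certificate.
setup_ca_layout() {
    mkdir -p "$PKI/demoCA/newcerts" "$PKI/demoCA/private"
    : > "$PKI/demoCA/index.txt"
    echo 01 > "$PKI/demoCA/serial"
    cat > "$PKI/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = local_ca
[ local_ca ]
dir             = $PKI/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
policy          = any_dn
x509_extensions = ee_ext
[ any_dn ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
emailAddress        = optional
[ ee_ext ]
basicConstraints = CA:FALSE
EOF
}

# step 1: self-signed CA, valid 10 years; the key stays passphrase-protected
make_ca() {
    openssl req -x509 -days 3650 -newkey rsa:2048 -config "$PKI/openssl.cnf" \
        -subj "$CA_SUBJ" -passout "pass:$CA_PASS" \
        -keyout "$PKI/caKey.pem" -out "$PKI/caCert.pem" 2>/dev/null
}

# steps 2 and 3: request for a gateway or client, then signed by the CA for 2 years
issue_cert() {   # $1 name prefix, $2 subject DN, $3 key passphrase
    openssl req -newkey rsa:2048 -config "$PKI/openssl.cnf" \
        -subj "$2" -passout "pass:$3" \
        -keyout "$PKI/${1}Key.pem" -out "$PKI/${1}Req.pem" 2>/dev/null
    openssl ca -config "$PKI/openssl.cnf" -batch -days 730 -notext \
        -in "$PKI/${1}Req.pem" -out "$PKI/${1}Cert.pem" \
        -cert "$PKI/caCert.pem" -keyfile "$PKI/caKey.pem" \
        -passin "pass:$CA_PASS" 2>/dev/null
}

# step 4: key + certificate + CA in one .p12 for the Shrew Soft import dialog
make_p12() {     # $1 name prefix, $2 key passphrase
    openssl pkcs12 -export -inkey "$PKI/${1}Key.pem" -passin "pass:$2" \
        -in "$PKI/${1}Cert.pem" -certfile "$PKI/caCert.pem" \
        -out "$PKI/${1}-rw.p12" -passout "pass:$P12_PASS"
}

# checks worth running before a bundle leaves the gateway
verify_chain()   { openssl verify -CAfile "$PKI/caCert.pem" "$1" >/dev/null 2>&1; }   # $1 chains to our CA
cert_subject()   { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }  # IKE identity
p12_cert_count() { openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

build_all() {
    setup_ca_layout
    make_ca
    issue_cert server "$SRV_SUBJ" "$SRV_PASS"
    issue_cert roadwarrior "$CLI_SUBJ" "$CLI_PASS"
    make_p12 roadwarrior "$CLI_PASS"
}

if command -v openssl >/dev/null 2>&1; then
    build_all
    verify_chain "$PKI/serverCert.pem"
    verify_chain "$PKI/roadwarriorCert.pem"
    echo "gateway identity: $(cert_subject "$PKI/serverCert.pem")"
    echo "client identity:  $(cert_subject "$PKI/roadwarriorCert.pem")"
    echo "bundle: $PKI/roadwarrior-rw.p12 ($(p12_cert_count "$PKI/roadwarrior-rw.p12") certificates)"
fi
```

Run it as root or as any user; it only writes under the scratch directory. Copying ''caCert.pem'' to ''/etc/ipsec.d/cacerts/'' and the server key and certificate to ''/etc/ipsec.d/private/'' reproduces the layout the guide's ''ipsec.conf'' and ''ipsec.secrets'' expect, and the printed gateway identity is the value that ''s:ident-server-data'' has to carry on the client.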
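The client profile has to agree with the gateway's ''conn roadwarrior'' in several places (''leftsubnet'' against ''policy-list-include'', ''rightsubnetwithin'' against the client address, NAT-T, DPD, PFS and the authentication method), and a mismatch usually shows up only as a failed negotiation. The following added example, which is not from the page or from the Shrew Soft project, is a POSIX shell checker that reads both files and reports every disagreement. The two embedded files are constructed, trimmed copies of the page's configuration; the section name ''conn roadwarrior'' and all key names are the ones used on the page.

```shell
#!/bin/sh
# Added example, not part of the original page: cross-check a Shrew Soft profile
# against the gateway conn so both sides agree on networks, NAT-T, DPD, PFS and
# the authentication method. Both inputs are constructed, trimmed copies of the
# page's files.
set -eu

WORK="$(mktemp -d)"
cat > "$WORK/ipsec.conf" <<'EOF'
config setup
    nat_traversal=yes

conn roadwarrior
    authby=rsasig
    leftcert=serverCert.pem
    pfs=no
    dpddelay=30
    leftsubnet=192.168.0.0/24
    right=%any
    rightsubnetwithin=192.168.2.0/24
EOF
cat > "$WORK/roadwarrior.vpn" <<'EOF'
n:network-natt-port:4500
n:network-dpd-enable:1
n:phase2-pfsgroup:-1
s:network-natt-enable:enable
s:policy-list-type:include
s:auth-method:mutual-rsa
s:ident-server-type:asn1dn
s:client-ip-addr:192.168.2.23
s:client-ip-mask:255.255.255.0
s:policy-list-include:192.168.0.0 / 255.255.255.0
EOF

# value of key= inside one section of ipsec.conf ($2 is e.g. "conn roadwarrior")
conn_get() {
    awk -v sect="$2" -v key="$3" '
        /^[^ \t]/ { line = $0; sub(/[ \t]+$/, "", line); insect = (line == sect) }
        insect && index($1, key "=") == 1 { print substr($1, length(key) + 2); exit }
    ' "$1"
}

# value of one n:/s: entry of a Shrew profile ($2 is the key without type prefix)
shrew_get() { sed -n "s/^[ns]:$2://p" "$1" | head -n 1; }

# netmask (or bare prefix length) to prefix length, by counting set bits
mask2len() {
    case "$1" in
        *.*) echo "$1" | awk -F. '{ n = 0; for (i = 1; i <= 4; i++) { v = $i; while (v > 0) { n += v % 2; v = int(v / 2) } } print n }' ;;
        *)   echo "$1" ;;
    esac
}

# succeeds if address $1 lies inside network $2 written as a.b.c.d/len
ip_in_net() {
    awk -v ip="$1" -v net="${2%/*}" -v len="${2#*/}" '
        function toint(a, o) { split(a, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
        BEGIN { m = 2 ^ (32 - len); exit !(int(toint(ip) / m) == int(toint(net) / m)) }'
}

# succeeds if a Shrew "net / mask" entry names the same network as a.b.c.d/len
same_net() { [ "${1%% *}" = "${2%/*}" ] && [ "$(mask2len "${1##* }")" = "${2#*/}" ]; }

pass() { echo "ok   : $1"; }
fail() { echo "FAIL : $1"; fails=$((fails + 1)); }

# one line per check; returns 0 only when the profile matches the gateway conn
check_profile() {   # $1 ipsec.conf, $2 Shrew profile
    fails=0
    c="conn roadwarrior"
    if ip_in_net "$(shrew_get "$2" client-ip-addr)" "$(conn_get "$1" "$c" rightsubnetwithin)"
    then pass "client address inside rightsubnetwithin"; else fail "client address outside rightsubnetwithin"; fi
    if same_net "$(shrew_get "$2" policy-list-include)" "$(conn_get "$1" "$c" leftsubnet)"
    then pass "policy-list-include equals leftsubnet"; else fail "policy-list-include differs from leftsubnet"; fi
    if [ "$(conn_get "$1" "config setup" nat_traversal)" = yes ] &&
       [ "$(shrew_get "$2" network-natt-enable)" = enable ] && [ "$(shrew_get "$2" network-natt-port)" = 4500 ]
    then pass "NAT-T enabled on both sides (UDP 4500)"; else fail "NAT-T settings disagree"; fi
    if [ -n "$(conn_get "$1" "$c" dpddelay)" ] && [ "$(shrew_get "$2" network-dpd-enable)" = 1 ]
    then pass "dead peer detection on both sides"; else fail "DPD settings disagree"; fi
    if { [ "$(conn_get "$1" "$c" pfs)" = no ] && [ "$(shrew_get "$2" phase2-pfsgroup)" = -1 ]; } ||
       { [ "$(conn_get "$1" "$c" pfs)" != no ] && [ "$(shrew_get "$2" phase2-pfsgroup)" != -1 ]; }
    then pass "PFS agrees (pfs=no on the gateway means phase2-pfsgroup -1 on the client)"; else fail "PFS settings disagree"; fi
    if [ "$(conn_get "$1" "$c" authby)" = rsasig ] && [ "$(shrew_get "$2" auth-method)" = mutual-rsa ] &&
       [ "$(shrew_get "$2" ident-server-type)" = asn1dn ]
    then pass "certificate authentication with ASN.1 DN identities"; else fail "authentication settings disagree"; fi
    [ "$fails" -eq 0 ]
}

check_profile "$WORK/ipsec.conf" "$WORK/roadwarrior.vpn"
```

To check a real deployment, point ''check_profile'' at ''/etc/ipsec.conf'' and the exported profile file instead of the constructed copies; the exit status makes it usable as a pre-flight step before handing a profile to a user.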
{{tag>vpn}}\\