Index menü
Introduction
This guide provides information that can be used to configure OpenSwan to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been reported to inter-operate correctly with OpenSwan.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. This is often called a
roadwarrior
scenario where a single clients is accessing the company network from different locations. We assume the following network configuration: The pool for theroadwarriors
is192.168.2.0/24
. A single/24 (255.255.255.0)
network. The internal company network is192.168.0.0/24
where all of the servers reside. For example after establishing a vpn connection to our company network, we are able to access the fileserver on192.168.0.15
. We use SSL-certificates to authenticate the users and the server from the roadwarriors point of view. The big advantage of using ssl-certs is to be able to revoke them (declare them as invalid) if a user lost his computer or leave the company. We generate the Certification Authority itself and sign the certs with the CA afterwards. This can also be done by a free Certification Authority like CaCert.Gateway Configuration
This example assumes you have already installed the OpenSwan packages, provided by your distribution vendor. The required package for the Debian operation-system is called openswan and can be installed either by using
apt-get
oraptitude
.OpenSwan Setup
Get root access on the appropriate machine and install the package through the provided mechansim for your operation system. Setup the required certificates for the server, and theroadwarriors
:
Creating the CA (valid for 10 years)openssl req -x509 -days 3650 -newkey rsa:2048 \ -keyout /etc/ipsec.d/private/caKey.pem \ -out /etc/ipsec.d/cacerts/caCert.pem Creating a certification-request for our server or/and client: Openssl is fussy about a directory structure so we create it here:cd /etc/openssl/ mkdir demoCA mkdir demoCA/newcerts mkdir demoCA/private touch demoCA/index.txt echo "01" >> demoCA/serialNow the certification-request for our server:
openssl req -newkey rsa:1024 \ -keyout /etc/ipsec.d/private/serverKey.pem \ -out /etc/ipsec.d/private/serverReq.pem Signing the certification-request with our just created certification-authority (CA) (valid for 2 years)openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 \ -out /etc/ipsec.d/private/serverCert.pem -notext \ -cert /etc/ipsec.d/cacerts/caCert.pem \ -keyfile /etc/ipsec.d/private/caKey.pem Creating client-certs
Hint: we create a p12 container which contains nearly all files for the clients: (we assume that you already created a client cert request and signed this by the CA like we explained at point 2.2)openssl pkcs12 -export -inkey roadwarriorKey.pem \ -in raodwarriorCert.pem -certfile /etc/ipsec.d/cacerts/caCert.pem \ -out mikeroadwarrior-rw.p12we got a nice and handy .p12 file which can be integrated in shrew net vpn client for the clients through the import function.
Server Configuration
/etc/ipsec.conf
:
- ipsec.conf
config setup # nat-t activation nat_traversal=yes # Debug activation # plutodebug=control # global settings conn %default # networksettings, timeouts... ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 # roadwarrior part conn roadwarrior # authy by cert authby=rsasig # leftrsasigkey=%cert rightrsasigkey=%cert # leftcert=serverCert.pem auto=add # pfs=no dpddelay=30 dpdtimeout=120 dpdaction=clear # left=%defaultroute # leftsubnet=192.168.0.0/24 # right=%any # rightsubnetwithin=192.168.2.0/24 # keyingtries=3 # Oportunistic Encryption not active include /etc/ipsec.d/examples/no_oe.conf/etc/ipsec.secrets
:
serverKey.pem
and „oursecretpassword
” is the one we have specified at 2.2
RSAserverKey.pem
„oursecretpassword
”Client Configuration
Just take the stanza below and put it into a text file - import it afterwards with the shrew vpn client's import function:
n:network-ike-port:500 n:client-addr-auto:0 n:network-natt-port:4500 n:network-natt-rate:30 n:network-dpd-enable:1 n:network-frag-enable:1 n:network-frag-size:1300 n:client-banner-enable:0 n:network-notify-enable:1 n:client-wins-used:0 n:client-wins-auto:1 n:client-dns-used:0 n:client-dns-auto:1 n:client-splitdns-used:1 n:client-splitdns-auto:1 n:phase1-dhgroup:0 n:phase1-life-secs:86400 n:phase1-life-kbytes:0 n:phase2-life-secs:3600 n:phase2-life-kbytes:0 n:policy-list-auto:0 n:phase1-keylen:0 n:phase2-keylen:0 s:network-natt-enable:enable s:phase2-compress:none s:policy-list-type:include s:policy-entry-network:192.168.2.0 / 255.255.255.0 s:network-host:hostname.of.your.company.vpn.srv s:client-auto-mode:pull s:client-iface:virtual s:client-ip-addr:192.168.2.23 s:client-ip-mask:255.255.255.0 s:network-natt-mode:enable s:network-frag-mode:enable s:client-wins-addr:0.0.0.0 s:client-dns-addr:0.0.0.0 s:auth-method:mutual-rsa s:ident-client-type:asn1dn s:ident-server-type:asn1dn s:ident-client-data:C=DE, ST=Bavaria, O=test,CN=Mike/emailAddress=mike@test.net s:ident-server-data:C=DE, ST=Bavaria, O=test,CN=vpn.test.net/emailAddress=vpn-server@test.net s:auth-server-cert:mikeroadwarrior-rw.p12 s:auth-client-cert:mikeroadwarrior-rw.p12 s:auth-client-key:mikeroadwarrior-rw.p12 s:phase1-exchange:main s:phase1-cipher:3des s:phase1-hash:sha1 s:phase2-transform:esp-aes s:phase2-hmac:sha1 s:ipcomp-transform:disabled n:phase2-pfsgroup:-1 s:policy-list-include:192.168.0.0 / 255.255.255.0As we prepare the client configurations in this example, the client ip is predefined. The network settings can also be assigned by the server using the push/pull method.
Hints
s:ident-server-data
must be the same as the output of:openssl x509 -in /etc/ipsec.d/cacerts/caCert.pem -noout -text |grep SubjectAnd
s:ident-client-data
have to be:openssl x509 -in raodwarriorCert.pem -noout -text | grep Subject