
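--- a/inbox/strongswan.howto.txt
+++ b/inbox/strongswan.howto.txt
+====== install/configure strongswan for IPhone/IPad ======
+
+mostly taken from [[https://forum.openwrt.org/viewtopic.php?id=39560]]
+
+====== install necessary packages ======
+
+        opkg update
+
+        opkg install strongswan-default strongswan-mod-dhcp strongswan-mod-af-alg strongswan-mod-gcrypt \
+        strongswan-mod-blowfish strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-pkcs11 \
+        strongswan-mod-pkcs8 strongswan-mod-test-vectors strongswan-mod-farp
+
+
+====== ipsec config ======
+===== /etc/ipsec.conf =====
+        # ipsec.conf - strongSwan IPsec configuration file
+       
+        conn ios
+                keyexchange=ikev1
+                authby=xauthrsasig
+                xauth=server
+                left=%any
+                leftsubnet=0.0.0.0/0
+                leftfirewall=yes
+                leftcert=serverCert.pem
+                right=%any
+                rightsubnet=192.168.1.0/24
+                rightsourceip=%dhcp
+                rightcert=clientCert.pem
+                forceencaps=yes
+                auto=add
+
+===== /etc/ipsec.secrets =====
+        # /etc/ipsec.secrets - strongSwan IPsec secrets file
+       
+        : RSA serverKey.pem
+        anyuser : XAUTH "anypassword"
+
+===== /etc/init.d/ipsec =====
+        #!/bin/sh /etc/rc.common
+        # ipsec init script
+       
+        START=46
+        STOP=01
+       
+        start() {
+        ipsec start
+        }
+       
+        stop() {
+        ipsec stop
+        }
+       
+        restart() {
+        ipsec restart
+        }
+       
+        reload() {
+        ipsec update
+        }
+
+remember to run /etc/init.d/ipsec enable when done to enable startup on boot
+
+====== strongswan config ======
+===== /etc/strongswan.conf =====
+        # strongswan.conf - strongSwan configuration file
+       
+        charon {
+       
+                dns1 = 192.168.1.1
+       
+                threads = 16
+       
+                plugins {
+       
+                        dhcp {
+                                server = 192.168.1.1
+                        }
+                }
+       
+        }
+       
+        pluto {
+       
+        }
+       
+        libstrongswan {
+       
+                #  set to no, the DH exponent size is optimized
+                #  dh_exponent_ansi_x9_42 = no
+        }
+
+
+====== firewall config ======
+===== /etc/firewall.user =====
+        iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+        iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+        iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+        iptables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+
+===== /etc/config/firewall =====
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'esp'
+                option 'target' 'ACCEPT'
+       
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'udp'
+                option 'dest_port' '500'
+                option 'target' 'ACCEPT'
+       
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'udp'
+                option 'dest_port' '4500'
+                option 'target' 'ACCEPT'
+       
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'ah'
+                option 'target' 'ACCEPT'
+
+next (certificates) is taken from [[http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)]]
+
+====== certificates generation ======
+        ipsec pki --gen --outform pem > caKey.pem
+        ipsec pki --self --in caKey.pem --dn "C=DE, O=xxx, CN=xxxx" --ca --outform pem > caCert.pem
+
+        ipsec pki --gen --outform pem > serverKey.pem
+        ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=xxx.dyndns.org" \
+        --san="xxx.dyndns.org" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
+
+        ipsec pki --gen --outform pem > clientKey.pem
+        ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=client" --outform pem > clientCert.pem
+
+        openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "xxxx" -out clientCert.p12
+
+====== copy certificates ======
+        cp caCert.pem /etc/ipsec.d/cacerts/
+        cp serverCert.pem /etc/ipsec.d/certs/
+        cp serverKey.pem /etc/ipsec.d/private/
+
+        cp clientCert.pem /etc/ipsec.d/certs/
+        cp clientKey.pem /etc/ipsec.d/private/
+
+Email caCert.pem and clientCert.p12 to Your IPhone/IPad, import them and You're done.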
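Review bot: The copy step `cp clientKey.pem /etc/ipsec.d/private/` places the client's private key on the gateway although no configured line uses it — `rightcert=clientCert.pem` needs only the certificate and `: RSA serverKey.pem` only the server key — so that line should be removed, and caKey.pem should likewise be moved off the router once the two `--issue` commands have run, since it is needed only for signing. The secrets entry `anyuser : XAUTH "anypassword"` is a placeholder; the howto should say to use a strong per-user password and to keep /etc/ipsec.secrets readable by root only, e.g. a comment `# one XAUTH line per user; chmod 600 this file` above it. The emailed clientCert.p12 contains the client private key, so the export password that `openssl pkcs12 -export` prompts for is its only protection in transit, which the closing sentence could state.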


inbox/strongswan.howto.txt · Last modified: 2012/11/04 15:39 (external edit)