User Tools

Site Tools


inbox:strongswan.howto

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Previous revision
inbox:strongswan.howto [2012/11/04 15:39]
inbox:strongswan.howto [2015/06/28 18:11] (current)
jake1981 [Troubleshooting]
Line 1: Line 1:
 +====== install/​configure strongswan for IPhone/IPad ======
  
 +
 +mostly taken from [[https://​forum.openwrt.org/​viewtopic.php?​id=39560]]
 +
 +====== install necessary packages ======
 +
 +        opkg update
 +
 +        opkg install strongswan-default strongswan-mod-dhcp strongswan-mod-af-alg strongswan-mod-gcrypt \ 
 +        strongswan-mod-blowfish strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-pkcs11 \
 +        strongswan-mod-pkcs8 strongswan-mod-test-vectors strongswan-mod-farp
 +
 +
 +====== ipsec config ======
 +===== /​etc/​ipsec.conf =====
 +        # ipsec.conf - strongSwan IPsec configuration file
 +        ​
 +        conn ios
 +                keyexchange=ikev1
 +                authby=xauthrsasig
 +                xauth=server
 +                left=%any
 +                leftsubnet=0.0.0.0/​0
 +                leftfirewall=yes
 +                leftcert=serverCert.pem
 +                right=%any
 +                rightsubnet=192.168.1.0/​24
 +                rightsourceip=%dhcp
 +                rightcert=clientCert.pem
 +                forceencaps=yes
 +                auto=add
 +
 +===== /​etc/​ipsec.secrets =====
 +        # /​etc/​ipsec.secrets - strongSwan IPsec secrets file
 +        ​
 +        : RSA serverKey.pem
 +        anyuser : XAUTH "​anypassword"​
 +
 +===== /​etc/​init.d/​ipsec =====
 +        #!/bin/sh /​etc/​rc.common
 +        # ipsec init script
 +        ​
 +        START=46
 +        STOP=01
 +        ​
 +        start() {
 +        ipsec start
 +        }
 +        ​
 +        stop() {
 +        ipsec stop
 +        }
 +        ​
 +        restart() {
 +        ipsec restart
 +        }
 +        ​
 +        reload() {
 +        ipsec update
 +        }
 +
 +remember to run /​etc/​init.d/​ipsec enable when done to enable startup on boot
 +
 +====== strongswan config ======
 +===== /​etc/​strongswan.conf =====
 +        # strongswan.conf - strongSwan configuration file
 +        ​
 +        charon {
 +        ​
 +                dns1 = 192.168.1.1
 +        ​
 +                threads = 16
 +        ​
 +                plugins {
 +        ​
 +                        dhcp {
 +                                server = 192.168.1.1
 +                        }
 +                }
 +        ​
 +        }
 +        ​
 +        pluto {
 +        ​
 +        }
 +        ​
 +        libstrongswan {
 +        ​
 +                #  set to no, the DH exponent size is optimized
 +                #  dh_exponent_ansi_x9_42 = no
 +        }
 +
 +
 +====== firewall config ======
 +===== /​etc/​firewall.user =====
 +        iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
 +        iptables -I FORWARD ​ -m policy --dir in --pol ipsec --proto esp -j ACCEPT
 +        iptables -I FORWARD ​ -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 +        iptables -I OUTPUT ​  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 +
 +
 +===== /​etc/​config/​firewall =====
 +        config rule
 +                option '​src'​ '​wan'​
 +                option '​proto'​ '​esp'​
 +                option '​target'​ '​ACCEPT'​
 +        ​
 +        config rule
 +                option '​src'​ '​wan'​
 +                option '​proto'​ '​udp'​
 +                option '​dest_port'​ '​500'​
 +                option '​target'​ '​ACCEPT'​
 +        ​
 +        config rule
 +                option '​src'​ '​wan'​
 +                option '​proto'​ '​udp'​
 +                option '​dest_port'​ '​4500'​
 +                option '​target'​ '​ACCEPT'​
 +        ​
 +        config rule
 +                option '​src'​ '​wan'​
 +                option '​proto'​ '​ah'​
 +                option '​target'​ '​ACCEPT'​
 +
 +next (certificates) is taken from [[http://​wiki.strongswan.org/​projects/​strongswan/​wiki/​IOS_(Apple)]]
 +
 +====== certificates generation ======
 +        ipsec pki --gen --outform pem > caKey.pem
 +        ipsec pki --self --in caKey.pem --dn "C=DE, O=xxx, CN=xxxx"​ --ca --outform pem > caCert.pem
 +
 +        ipsec pki --gen --outform pem > serverKey.pem
 +        ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=xxx.dyndns.org"​ \
 +        --san="​xxx.dyndns.org"​ --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
 +
 +        ipsec pki --gen --outform pem > clientKey.pem
 +        ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=client"​ --outform pem > clientCert.pem
 +
 +        openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "​client"​ -certfile caCert.pem -caname "​xxxx"​ -out clientCert.p12
 +
 +====== copy certificates ======
 +        cp caCert.pem /​etc/​ipsec.d/​cacerts/​
 +        cp serverCert.pem /​etc/​ipsec.d/​certs/​
 +        cp serverKey.pem /​etc/​ipsec.d/​private/​
 +
 +        cp clientCert.pem /​etc/​ipsec.d/​certs/​
 +        cp clientKey.pem /​etc/​ipsec.d/​private/​
 +
 +Email caCert.pem and clientCert.p12 to Your IPhone/​IPad,​ import them and You're done.
 +
 +====== Troubleshooting ======
 +If you experience errors, like:
 +        07[KNL] received netlink error: Function not implemented (89)
 +        07[KNL] unable to add SAD entry with SPI ccc321fa
 +        07[KNL] received netlink error: Function not implemented (89)
 +        07[KNL] unable to add SAD entry with SPI 07d0af31
 +        07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
 +
 +You are most likely missing following packages: ​
 +        strongswan-mod-kernel-libipsec
 +        kmod-tun
 +
 +After these are installed, problem should be fixed.
 +
 +If you have problems with reaching of DHCP.. You probably should install also following modules:
 +        ipset
 +        iptables-mod-filter
 +        iptables-mod-nat-extra
 +        ppp-mod-pppoe