Tag Archives: strongswan

Mikrotik RouterOS 6.38 IKEv2 Strongswan RSA Auth howto

Hi there,

a) setup clock of your routerboard

/system ntp client set primary-ntp=192.168.223.2
/system clock set time-zone-name=Europe/Vienna

b) generate certificates

/certificate add common-name="paranoids.at Root CA" name=ca     
/certificate sign ca ca-crl-host=192.168.223.106
/certificate add common-name=test.paranoids.at subject-alt-name=IP:test.paranoids.at key-usage=tls-server name=server1
/certificate sign server1 ca=ca
/certificate add common-name=client1@test.paranoids.at key-usage=tls-client name=client1
/certificate sign client1 ca=ca

c) configure your server

/export compact                                                      
# jan/06/2017 12:21:49 by RouterOS 6.38
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.33.0/27
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=test
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns static
add address=192.168.223.106 name=test
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=test passive=yes
/ip ipsec policy
set 0 dst-address=192.168.33.0/27 src-address=0.0.0.0/0

d) export client certificates

/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=1234567890

e) import client certificates to strongswan (file ending is important)

 scp admin@192.168.223.106:/cert_export_client1.crt .
 scp admin@192.168.223.106:/cert_export_client1.key .
 scp admin@192.168.223.106:/cert_export_client1.key .
 mv cert_export_ca.crt /etc/ipsec.d/cacerts/cert_export_ca.pem
 mv cert_export_client1.crt /etc/ipsec.d/certs/cert_export_client1.pem
 mv cert_export_client1.key /etc/ipsec.d/private/cert_export_client1.pem

f) configure strongswan properly

/etc/ipsec.conf

conn test
 keyexchange=ikev2
 ike=aes256-sha256-modp2048
 esp=aes256-sha256-modp2048
 ikelifetime = 24h
 lifetime = 30m
 dpddelay = 120s
 left=%defaultroute
 leftsourceip=%config
 leftcert=cert_export_client1.pem
 leftid=client1@test.paranoids.at
 leftfirewall=yes
 right=192.168.223.106
 rightsubnet=192.168.99.0/24
 rightid="CN=test.paranoids.at" 
 auto=add

/etc/ipsec.secrets

: RSA cert_export_client1.pem "1234567890"

g) fire up your vpn

:~# systemctl restart strongswan
:~# ipsec up test

Resources:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ikev2_Server_Setup

Hint:
For strongswan under Debian Jessie you have to remove the passphrase from the private key!
For Android set Server-Identity: CN=test.paranoids.at!

Have fun!

l2tp ipsec linux client bash script

hi

here is my simple approach of a vpn client via bash
The main script i found https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup
I’ve adopted it to my needs.

First we configure strongswan:

/etc/ipsec.conf
conn yourcompany
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=2.2.2.2
    rightprotoport=17/1701
    auto=add
/etc/ipsec.secrets
2.2.2.2 : PSK "yourpsk"

Now we configure xl2tpd

/etc/xl2tpd/xl2tpd.conf
[lac vpn-connection]
lns = 2.2.2.2
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
connect-delay 5000
name yourusername
password yourpassword

Here is my bash script

#!/bin/bash
if [ $# != 1 ] ; then
    echo "Usage: (sudo) sh $0 {start|stop}" 
    exit 1;
fi

VPN_ADDR=2.2.2.2

function getIP(){
    /sbin/ifconfig $1 | grep "inet "| awk '{print $2}'
}

function getGateWay(){
    /sbin/route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $2}'
}

function getVPNGateWay(){
    /sbin/route -n | grep -m 1 "$VPN_ADDR" | awk '{print $2}'
}

function saveInterface() {
    echo $(/sbin/route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $8}') > /tmp/interface.txt
}

function getInterface(){
    cat /tmp/interface.txt
}

GW_ADDR=$(getGateWay)  

function start(){
    saveInterface
    ipsec up youconnectioname
    sleep 2    #delay to ensure that IPsec is started before overlaying L2TP

    systemctl start xl2tpd
    sleep 2
    /bin/echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control     
    sleep 2    #delay again to make that the PPP connection is up.

    route add $VPN_ADDR gw $GW_ADDR $(getInterface)
    route add default gw $(getIP ppp0)
    route delete default gw $GW_ADDR
}

function stop(){
    ipsec down yourconnectioname
    /bin/echo "d vpn-connection" > /var/run/xl2tpd/l2tp-control
    systemctl stop xl2tpd
    
    VPN_GW=$(getVPNGateWay)
    route delete $VPN_ADDR gw $VPN_GW $(getInterface)
    route add default gw $VPN_GW
}
$1
exit 0

strongswan ipsec xauth howto

hi

I want to setup a ipsec tunnel from my desktop pc to one of my root servers to change my official ip address. I’m using ubuntu 14.04 on server and client.

on the root server you need following:
1) firewall with nat enabled
change tcp mss (might not be neccessary)
2) ip forwarding enabled
3) configure strongswan on your root server
4) configure strongswan on your client (ubuntu and android 4.4)

1) firewall:

#accept ipsec
iptables -A INPUT -p UDP --dport 500 -j ACCEPT
iptables -A INPUT -p UDP --dport 4500 -j ACCEPT
#activate nat
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE
#change tcp mss to avoid mtu problems with https websites
iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

2) ip forwarding:

vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

3) config of my strongswan server:

aptitude install strongswan strongswan-plugin-xauth-generic

vim /etc/ipsec.conf
conn yourconnectionname
 keyexchange=ikev1
 authby=xauthpsk
 xauth=server
 left=%defaultroute
 leftsubnet=0.0.0.0/0
 leftfirewall=yes
 right=%any
 rightsubnet=192.168.201.0/24
 rightsourceip=192.168.201.1/24
 rightdns=8.8.8.8
 auto=add
vim /etc/ipsec.secrets
ipofyourserver %any : PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"

now enable ip-forwarding and restart strongswan:

echo 1 > /proc/sys/net/ipv4/ip_forward
service strongswan restart

4) config of my desktop pc:

vim /etc/ipsec.conf
conn yourconnectionname
 keyexchange=ikev1
 left=%defaultroute
 leftsourceip=%config
 leftfirewall=yes
 leftauth=psk
 leftauth2=xauth
 leftid=yourusername
 right=ipofyourserver
 rightsubnet=0.0.0.0/0
 rightauth=psk
 auto=add
vim /etc/ipsec.secrets
: PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"

now restart strongswan on your desktop pc:

service strongswan restart

and start the vpn tunnel manually via:

ipsec up yourconnectionname

You are also able to use your android phone to connect via ipsec-xauth-psk:
Just go to: Settings -> Wireless & Networks -> More -> VPN -> +

Name: yourconnectionname
Type: IPSec Xauth PSK
Serveraddress: yourservername or ip address
IPSec-Key: yourpassword (PSK)

Afterwords you have to open the new VPN connection where you get asked about the user password credentials.

Hint: On CM12 with my Samsung Galaxy S4 mini. The phone reboots with ipsec xauth. Seems to be a bug. L2TP IPSec works perfect with CM12 and Samsung Galaxy S4 mini.

Hint2: On Archlinux suddenly rightsubnet=0.0.0.0/0 stopped to work as client. (No outbound ipsec traffic) I’ve simply added a route to my netctl config. Routes=(‘IpOfVpnGateway via YourDefaultGateway table 220’)
Seems the vpn gateway is getting tunnled also.

Have fun!