Tag: rsa

IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

paranoids

Hi,
here my Strongswan road-warrior config using Archlinux

/etc/swanctl/conf.d/somename.conf

connections {	
	somename {
		local_addrs  = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		dpd_timeout=120s
		rekey_time=1d
      
		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts = 192.168.223.0/24
				esp_proposals = aes256-sha256-modp2048
				dpd_action=start
				life_time=8h
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to

/etc/swanctl/private/cert_export_work_private.pem

Save your certificate to

/etc/swanctl/x509/cert_export_work_crt.pem

Save your ca-certificate to

/etc/swanctl/x509ca/cert_export_ca.pem

Start and stop your vpn connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

Mikrotik RouterOS 6.38 IKEv2 Strongswan RSA Auth howto

paranoids

Hi there,

a) setup clock of your routerboard

/system ntp client set primary-ntp=192.168.223.2
/system clock set time-zone-name=Europe/Vienna

b) generate certificates

/certificate add common-name="paranoids.at Root CA" name=ca     
/certificate sign ca ca-crl-host=192.168.223.106
/certificate add common-name=test.paranoids.at subject-alt-name=IP:test.paranoids.at key-usage=tls-server name=server1
/certificate sign server1 ca=ca
/certificate add common-name=client1@test.paranoids.at key-usage=tls-client name=client1
/certificate sign client1 ca=ca

c) configure your server

/export compact                                                      
# jan/06/2017 12:21:49 by RouterOS 6.38
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.33.0/27
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=test
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns static
add address=192.168.223.106 name=test
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=test passive=yes
/ip ipsec policy
set 0 dst-address=192.168.33.0/27 src-address=0.0.0.0/0

d) export client certificates

/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=1234567890

e) import client certificates to strongswan (file ending is important)

 scp admin@192.168.223.106:/cert_export_client1.crt .
 scp admin@192.168.223.106:/cert_export_client1.key .
 scp admin@192.168.223.106:/cert_export_client1.key .
 mv cert_export_ca.crt /etc/ipsec.d/cacerts/cert_export_ca.pem
 mv cert_export_client1.crt /etc/ipsec.d/certs/cert_export_client1.pem
 mv cert_export_client1.key /etc/ipsec.d/private/cert_export_client1.pem

f) configure strongswan properly

/etc/ipsec.conf

conn test
 keyexchange=ikev2
 ike=aes256-sha256-modp2048
 esp=aes256-sha256-modp2048
 ikelifetime = 24h
 lifetime = 30m
 dpddelay = 120s
 left=%defaultroute
 leftsourceip=%config
 leftcert=cert_export_client1.pem
 leftid=client1@test.paranoids.at
 leftfirewall=yes
 right=192.168.223.106
 rightsubnet=192.168.99.0/24
 rightid="CN=test.paranoids.at" 
 auto=add

/etc/ipsec.secrets

: RSA cert_export_client1.pem "1234567890"

g) fire up your vpn

:~# systemctl restart strongswan
:~# ipsec up test

Resources:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ikev2_Server_Setup

Hint:
For strongswan under Debian Jessie you have to remove the passphrase from the private key!
For Android set Server-Identity: CN=test.paranoids.at!

Have fun!

dkim postfix howto

paranoids

Hi

Here some nice howto to setup opendkim with postfix

Install and configure opendkim:

aptitude install opendkim
mkdir -p /etc/opendkim/keys/yourdomain.tld
cd /etc/opendkim/keys/yourdomain.tld
opendkim-genkey -r -d yourdomin.tld
vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
Syslog                  yes
LogWhy                  yes
SyslogSuccess           yes
UMask                   002
Socket                  inet:8891@localhost
KeyTable                refile:/etc/opendkim/keytable
SigningTable            refile:/etc/opendkim/signingtable
vim /etc/opendkim/keytable
default._domainkey.yourdomain.tld yourdomain.tld:default:/etc/opendkim/keys/yourdomain.tld/default.private
vim /etc/opendkim/signingtable
*@yourdomain.tld default._domainkey.yourdomain.tld
vim /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd
        -o smtpd_milters=inet:127.0.0.1:8891
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=inet:127.0.0.1:8891
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
/etc/init.d/postfix restart
/etc/init.d/opendkim restart
cat /etc/opendkim/keys/yourdomain.tld/default.txt
add this record to your dns zone of yourdomain.tld

Hint: In ubuntu 12.04 opendkim-genkey has a bug which generates an invalid dkim public key in the default.txt. Here the example:

default._domainkey IN TXT "v=DKIM1;=rsa; p=MIGfMA0GC .... Q7GWwsbQIDAQAB" WRONG
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GC .... Q7GWwsbQIDAQAB" RIGHT

You can also install a ubuntu backport which does not have the problem
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1083503

Hint:
To verify your dkim install you can use any gmail account.
Here Gmails help for this http://support.google.com/mail/bin/answer.py?hl=en&answer=180707

“mailed-by yourdomain.tld” -> Means your SPF Record is valid
“signed-by yourdomain.tld” -> Means your DKIM Setup is valid

Have fun!