STEP 1
Install Strongswan
sudo apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam
STEP 2
Setup Certificates
Install haveged to speed up the key generation process:
sudo apt-get install haveged
sudo systemctl enable haveged
sudo systemctl start haveged
Create the private key for a self-signed root CA:
cd /etc/ipsec.d/
mkdir p12
ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswanKey.der
chmod 600 private/strongswanKey.der
STEP 3
Generate a self-signed root CA certificate from the above private key:
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.der --type rsa --dn "C=Kim, O=Kim, CN=Kim Root CA" --outform der > cacerts/strongswanCert.der
View the certificate properties:
ipsec pki --print --in cacerts/strongswanCert.der
STEP 4
Generate a private key for this VPN host server:
ipsec pki --gen --type rsa --size 4096 --outform der > private/vpnHostKey.der
chmod 600 private/vpnHostKey.der
Generate a certificate for this VPN host server, signed with the root CA created earlier:
ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=Kim, O=Kim, CN=vpn.example.com.sg" --san vpn.example.com.sg --san vpn2.example.com.sg --san xx.xxx.xxx.xxx --san @xx.xxx.xxx.xxx --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der
View the certificate:
ipsec pki --print --in certs/vpnHostCert.der
or
openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text
STEP 5
The root CA private key /etc/ipsec.d/private/strongswanKey.der must be kept safe. Use it only to issue client certificates when required.
The VPN host's own private key, vpnHostKey.der, needs to be added to /etc/ipsec.secrets for strongSwan to function properly:
sudo nano /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpnHostKey.der
Check that strongSwan has the private key available:
sudo ipsec listcerts
STEP 6 Client certificate
Generate a private key for the client:
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 2048 --outform der > private/KimKey.der
chmod 600 private/KimKey.der
Generate a certificate for the client, signed by our root CA:
ipsec pki --pub --in private/KimKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=Kim, O=Kim, CN=kim@example.com" --san "kim@example.org" --san "kim@example.net" --san "kim@xxx.xx.xx.xx" --outform der > certs/KimCert.der
Convert the required key and certificates to PEM format:
openssl rsa -inform DER -in private/KimKey.der -out private/KimKey.pem -outform PEM
openssl x509 -inform DER -in certs/KimCert.der -out certs/KimCert.pem -outform PEM
# Required only once for the VPN host server
openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM
Construct the .p12:
openssl pkcs12 -export -inkey private/KimKey.pem -in certs/KimCert.pem -name "Kim's VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/Kim.p12
Repeat STEP 6 for each additional client.
STEP 7
Revoking a certificate if it is lost or stolen:
cd /etc/ipsec.d/
ipsec pki --signcrl --reason key-compromise --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --cert certs/KimCert.der --outform der > crls/crl.der
This generates the new certificate revocation list (CRL) crls/crl.der. Restart strongSwan so that it loads the new CRL:
ipsec restart
STEP 8
IPsec Configuration
sudo nano /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
dpdaction=clear
dpddelay=300s
authby=pubkey
left=%any
leftid=vpn.example.org
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.der
leftsendcert=always
right=%any
rightsourceip=10.42.42.0/24,2002:25f7:7489:3::/112
rightdns=8.8.8.8,2001:4860:4860::8888
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
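The ike= and esp= lists above favour client compatibility over strength. As an added audit script (not from the original how-to), the function below parses the ike= and esp= lines of an ipsec.conf and reports each proposal that depends on 3DES, SHA-1 or the 1024-bit MODP group, so the legacy entries can be pruned once the clients no longer need them; it assumes a POSIX awk.

```shell
#!/bin/sh
# Added example, not from the original how-to: list ipsec.conf proposals
# that rely on legacy primitives. Assumes a POSIX awk (gawk, mawk, busybox).

# audit_proposals FILE
# Prints "ike|esp <proposal>: <legacy parts>" for each affected proposal.
# Returns 0 when no legacy proposal is found, 1 otherwise.
audit_proposals() {
    awk '
        # match "ike=" and "esp=" lines, leading whitespace allowed
        /^[ \t]*(ike|esp)[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; sub(/^[ \t]+/, "", key)
            list = kv[2]; sub(/!$/, "", list)      # drop the strict "!" marker
            n = split(list, props, ",")
            for (i = 1; i <= n; i++) {
                p = props[i]
                q = "-" p "-"                       # delimit so "sha1" != "sha256"
                weak = ""
                if (q ~ /-3des-/)     weak = weak " 3des"
                if (q ~ /-sha1-/)     weak = weak " sha1"
                if (q ~ /-modp1024-/) weak = weak " modp1024"
                if (weak != "") { printf "%s %s:%s\n", key, p, weak; found = 1 }
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}
```

Running `audit_proposals /etc/ipsec.conf` against the STEP 8 file above reports every proposal carrying 3des, sha1 or modp1024, including the last entries of both lists.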
STEP 9
Enable packet forwarding:
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
sysctl -p
STEP 10
systemctl enable strongswan
systemctl start strongswan
Troubleshooting
ipsec up CONN_NAME
ipsec down CONN_NAME
ipsec status
ipsec statusall
ipsec restart
Show the policies and states of the IPsec tunnel:
ip xfrm state
ip xfrm policy
Thank you for this procedure, but I seem to be stuck on step 5, the “ipsec listcerts” comes up empty. Am I missing something?