Shrew Soft Howto OpenSWAN
From Shrew Soft Inc

Introduction

This guide provides information that can be used to configure OpenSwan to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been reported to inter-operate correctly with OpenSwan.

Overview

The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. This is often called a roadwarrior scenario, where a single client accesses the company network from different locations. We assume the following network configuration:

The pool for the roadwarriors is 192.168.2.0/24, a single /24 (255.255.255.0) network.

The internal company network is 192.168.0.0/24, where all of the servers reside. For example, after establishing a VPN connection to our company network, we are able to access the fileserver on 192.168.0.15.

We use SSL certificates to authenticate the users and the server from the roadwarrior's point of view. The big advantage of using certificates is the ability to revoke them (declare them invalid) if a user loses his computer or leaves the company.

We generate the Certification Authority ourselves and sign the certs with that CA afterwards. This can also be done by a free Certification Authority like CAcert.

Gateway Configuration

This example assumes you have already installed the OpenSwan packages provided by your distribution vendor. The required package for the Debian operating system is called openswan and can be installed with either apt-get or aptitude.

OpenSwan Setup

1. Get root access on the appropriate machine and install the package through the mechanism provided by your operating system.

2. Set up the required certificates for the server and the roadwarriors:

2.1. Creating the CA (valid for 10 years)

openssl req -x509 -days 3650 -newkey rsa:2048 -keyout /etc/ipsec.d/private/caKey.pem -out /etc/ipsec.d/cacerts/caCert.pem

2.2. Creating a certification request for our server and/or client. OpenSSL is fussy about its directory structure, so we create it here:

cd /etc/openssl/
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial

Now the certification-request for our server:

openssl req -newkey rsa:1024 -keyout /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverReq.pem

2.3. Signing the certification request with our just created certification authority (CA) (valid for 2 years)

openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 -out /etc/ipsec.d/private/serverCert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem

2.4. Creating client-certs

Hint: we create a .p12 container which contains nearly all files for the client (we assume that you have already created a client cert request and had it signed by the CA, as explained at points 2.2 and 2.3):

openssl pkcs12 -export -inkey roadwarriorKey.pem -in roadwarriorCert.pem -certfile /etc/ipsec.d/cacerts/caCert.pem -out mikeroadwarrior-rw.p12

We now have a handy .p12 file that can be imported into the Shrew Soft VPN Client on each client machine through its import function.

Server Configuration

/etc/ipsec.conf

config setup
        # nat-t activation
        nat_traversal=yes
        # Debug activation
        # plutodebug=control

# global settings
conn %default
        # network settings, timeouts...
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

# roadwarrior part
conn roadwarrior
        # auth by cert
        authby=rsasig
        #
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        #
        leftcert=serverCert.pem
        auto=add
        #
        pfs=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        left=%defaultroute
        #
        leftsubnet=192.168.0.0/24
        #
        right=%any
        #
        rightsubnetwithin=192.168.2.0/24
        #
        keyingtries=3

# Opportunistic Encryption not active
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets

# serverKey.pem is the key created at 2.2 and oursecretpassword is the passphrase we specified there
: RSA serverKey.pem "oursecretpassword"

Client Configuration

Just take the stanza below and put it into a text file, then import it with the Shrew Soft VPN Client's import function:

n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:1300
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:0
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:0
n:phase2-keylen:0
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.2.0 / 255.255.255.0
s:network-host:hostname.of.your.company.vpn.srv
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.2.23
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-wins-addr:0.0.0.0
s:client-dns-addr:0.0.0.0
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:ident-client-data:C=DE, ST=Bavaria, O=test,CN=Mike/emailAddress=mike@test.net
s:ident-server-data:C=DE, ST=Bavaria, O=test,CN=vpn.test.net/emailAddress=vpn-server@test.net
s:auth-server-cert:mikeroadwarrior-rw.p12
s:auth-client-cert:mikeroadwarrior-rw.p12
s:auth-client-key:mikeroadwarrior-rw.p12
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.0.0 / 255.255.255.0

As we prepare the client configurations in this example, the client IP is predefined. The network settings can also be assigned by the server using the push/pull method.

Hints

s:ident-server-data must be the same as the output of:

openssl x509 -in /etc/ipsec.d/cacerts/caCert.pem -noout -text | grep Subject

And s:ident-client-data has to be the same as the output of:

openssl x509 -in roadwarriorCert.pem -noout -text | grep Subject
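The cross-checks between the server conn, the client stanza and the certificate Subject described above, as an added example that is not part of the original page: a small Python script that parses Shrew's n:/s: stanza format and the roadwarrior conn from ipsec.conf and reports mismatches, including whether s:ident-client-data agrees with the grep Subject output. The config excerpts and the Subject line are constructed for the example, and the DN comparison ignores spacing differences, whereas the client itself may need the exact string.

```python
import ipaddress
import re
# Constructed excerpts of the two files on this page (not the complete configs).
IPSEC_CONF = """conn roadwarrior
        authby=rsasig
        leftsubnet=192.168.0.0/24
        rightsubnetwithin=192.168.2.0/24
"""
SHREW_VPN = """s:auth-method:mutual-rsa
s:client-ip-addr:192.168.2.23
s:policy-list-include:192.168.0.0 / 255.255.255.0
s:ident-client-data:C=DE, ST=Bavaria, O=test,CN=Mike/emailAddress=mike@test.net
"""
# Constructed line in the form printed by 'openssl x509 -noout -text | grep Subject'.
CLIENT_SUBJECT = "        Subject: C=DE, ST=Bavaria, O=test, CN=Mike/emailAddress=mike@test.net"

def parse_conn(text, name):
    # Collect the key=value settings of one 'conn <name>' section; '#' starts a comment.
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line[5:].strip() == name
        elif inside and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def parse_shrew(text):
    # Shrew stores numbers as 'n:key:value' and strings as 's:key:value'.
    return {m[2]: int(m[3]) if m[1] == "n" else m[3]
            for m in re.finditer(r"^([ns]):([^:\n]+):(.*)$", text, re.M)}

def dn_parts(dn):
    # Split 'C=DE, ST=Bavaria, O=test,CN=Mike/emailAddress=x' into RDNs, ignoring spacing.
    return [p.strip() for p in re.split(r"[,/]", dn.split("Subject:", 1)[-1]) if p.strip()]

def check(ipsec_text, shrew_text, client_subject):
    # Return a list of mismatches between the server conn and the client stanza.
    srv, cli = parse_conn(ipsec_text, "roadwarrior"), parse_shrew(shrew_text)
    problems = []
    if srv.get("authby") == "rsasig" and cli.get("auth-method") != "mutual-rsa":
        problems.append("server wants rsasig but client auth-method is not mutual-rsa")
    if ipaddress.ip_address(cli["client-ip-addr"]) not in ipaddress.ip_network(srv["rightsubnetwithin"]):
        problems.append("client-ip-addr lies outside rightsubnetwithin")
    net, mask = (x.strip() for x in cli["policy-list-include"].split("/"))
    if ipaddress.ip_network(f"{net}/{mask}") != ipaddress.ip_network(srv["leftsubnet"]):
        problems.append("policy-list-include does not equal leftsubnet")
    if dn_parts(cli["ident-client-data"]) != dn_parts(client_subject):
        problems.append("ident-client-data differs from the client certificate Subject")
    return problems
```

Run check(IPSEC_CONF, SHREW_VPN, CLIENT_SUBJECT) against your own files by reading them in place of the constructed strings; an empty list means the three sources agree.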
