This guide provides information that can be used to configure OpenSwan to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been reported to inter-operate correctly with OpenSwan.
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. This is often called a roadwarrior scenario where a single clients is accessing the company network from different locations. We assume the following network configuration:
The pool for the roadwarriors is 192.168.2.0/24. A single /24 (255.255.255.0) network.
The internal company network is 192.168.0.0/24 where all of the servers reside. For example after establishing a vpn connection to our company network, we are able to access the fileserver on 192.168.0.15.
We use SSL-certificates to authenticate the users and the server from the roadwarriors point of view. The big advantage of using ssl-certs is to be able to revoke them (declare them as invalid) if a user lost his computer or leave the company.
We generate the Certification Authority itself and sign the certs with the CA afterwards. This can also be done by a free Certification Authority like CaCert.
This example assumes you have already installed the OpenSwan packages, provided by your distribution vendor. The required package for the Debian operation-system is called openswan and can be installed either by using apt-get or aptitude.
1. Get root access on the appropriate machine and install the package through the provided mechansim for your operation system.
2. Setup the required certificates for the server, and the roadwarriors:
2.1. Creating the CA (valid for 10 years)
openssl req -x509 -days 3650 -newkey rsa:2048 \ -keyout /etc/ipsec.d/private/caKey.pem \ -out /etc/ipsec.d/cacerts/caCert.pem
2.2. Creating a certification-request for our server or/and client: Openssl is fussy about a directory structure so we create it here:
cd /etc/openssl/ mkdir demoCA mkdir demoCA/newcerts mkdir demoCA/private touch demoCA/index.txt echo "01" >> demoCA/serial
Now the certification-request for our server:
openssl req -newkey rsa:1024 \ -keyout /etc/ipsec.d/private/serverKey.pem \ -out /etc/ipsec.d/private/serverReq.pem
2.3. Signing the certification-request with our just created certification-authority (CA) (valid for 2 years)
openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 \ -out /etc/ipsec.d/private/serverCert.pem -notext \ -cert /etc/ipsec.d/cacerts/caCert.pem \ -keyfile /etc/ipsec.d/private/caKey.pem
2.4. Creating client-certs
Hint: we create a p12 container which contains nearly all files for the clients: (we assume that you already created a client cert request and signed this by the CA like we explained at point 2.2)
openssl pkcs12 -export -inkey roadwarriorKey.pem \ -in raodwarriorCert.pem -certfile /etc/ipsec.d/cacerts/caCert.pem \ -out mikeroadwarrior-rw.p12
we got a nice and handy .p12 file which can be integrated in shrew net vpn client for the clients through the import function.
config setup # nat-t activation nat_traversal=yes # Debug activation # plutodebug=control # global settings conn %default # networksettings, timeouts... ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 # roadwarrior part conn roadwarrior # authy by cert authby=rsasig # leftrsasigkey=%cert rightrsasigkey=%cert # leftcert=serverCert.pem auto=add # pfs=no dpddelay=30 dpdtimeout=120 dpdaction=clear # left=%defaultroute # leftsubnet=192.168.0.0/24 # right=%any # rightsubnetwithin=192.168.2.0/24 # keyingtries=3 # Oportunistic Encryption not active include /etc/ipsec.d/examples/no_oe.conf
- serverKey.pem and oursecretpassword is the one we have specified at 2.2
- RSA serverKey.pem "oursecretpassword"
Just take the stanza below and put it into a text file - import it afterwards with the shrew vpn client's import function:
n:network-ike-port:500 n:client-addr-auto:0 n:network-natt-port:4500 n:network-natt-rate:30 n:network-dpd-enable:1 n:network-frag-enable:1 n:network-frag-size:1300 n:client-banner-enable:0 n:network-notify-enable:1 n:client-wins-used:0 n:client-wins-auto:1 n:client-dns-used:0 n:client-dns-auto:1 n:client-splitdns-used:1 n:client-splitdns-auto:1 n:phase1-dhgroup:0 n:phase1-life-secs:86400 n:phase1-life-kbytes:0 n:phase2-life-secs:3600 n:phase2-life-kbytes:0 n:policy-list-auto:0 n:phase1-keylen:0 n:phase2-keylen:0 s:network-natt-enable:enable s:phase2-compress:none s:policy-list-type:include s:policy-entry-network:192.168.2.0 / 255.255.255.0 s:network-host:hostname.of.your.company.vpn.srv s:client-auto-mode:pull s:client-iface:virtual s:client-ip-addr:192.168.2.23 s:client-ip-mask:255.255.255.0 s:network-natt-mode:enable s:network-frag-mode:enable s:client-wins-addr:0.0.0.0 s:client-dns-addr:0.0.0.0 s:auth-method:mutual-rsa s:ident-client-type:asn1dn s:ident-server-type:asn1dn s:ident-client-data:C=DE, ST=Bavaria, O=test,CN=Mike/emailAddressemail@example.com s:ident-server-data:C=DE, ST=Bavaria, O=test,CN=vpn.test.net/emailAddressfirstname.lastname@example.org s:auth-server-cert:mikeroadwarrior-rw.p12 s:auth-client-cert:mikeroadwarrior-rw.p12 s:auth-client-key:mikeroadwarrior-rw.p12 s:phase1-exchange:main s:phase1-cipher:3des s:phase1-hash:sha1 s:phase2-transform:esp-aes s:phase2-hmac:sha1 s:ipcomp-transform:disabled n:phase2-pfsgroup:-1 s:policy-list-include:192.168.0.0 / 255.255.255.0
As we prepare the client configurations in this example, the client ip is predefined. The network settings can also be assigned by the server using the push/pull method.
s:ident-server-data must be the same as the output of:
openssl x509 -in /etc/ipsec.d/cacerts/caCert.pem -noout -text |grep Subject
And s:ident-client-data have to be:
openssl x509 -in raodwarriorCert.pem -noout -text |grep Subject