Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6

August 23, 2012 at 10:21 AM | categories: Centos, Mac OS X, Howto, Sysadmin, RHEL, Linux, Tips, Security, IPSEC | View Comments

Introduction

This howto describes setting up an IPSEC VPN for use with the Iphone, Ipad and Mac OSX VPN clients on Centos/RHEL 6. I am using the 5.x branch of Strongswan which is now the mainline actively maintained branch. At the time of writing the 5.x EPEL package was only available in the testing repo.

The configuration should work both with NAT and without NAT on both sides, if you are NATing on the server side make sure your forward UDP 500 and 4500 to the machine running strongswan.

This howto uses example.org and 192.168.1.0/24 and 192.168.2.0/24 networks for illustration purposes, you need to change these to suit your own setup.

Install

To access the EPEL packages you need to enable the EPEL repo. You are then able to install the strongswan package.

yum install --enablerepo=epel-testing strongswan

Create the required configuration directories

mkdir -p /etc/strongswan/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private}

Configuration

Create a CA

For RSA authentication you need to setup a CA which will issue the certificates to be used by the server and the clients.

cd /etc/pki/tls/misc
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem

Install to strongswan directories

ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/

Create the server certificate

Apple clients require that the servers certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute edit the openssl.cnf and set it under the [ usr_cert ] section

For DNS name set it to

subjectAltName=DNS:vpn.example.org

For IP address set it to

subjectAltName=IP:192.168.1.1

Now generate and sign the server certitifcate

./CA -newreq
./CA -sign

Install to strongswan directories.

mv newcert.pem /etc/strongswan/ipsec.d/certs/vpn.example.org.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/vpn.example.org.key

Add the private key password to /etc/strongswan/ipsec.secrets

: RSA vpn.example.org.key "p4ssw0rd"

Create the client certificate

This is the certificate that will be used by you VPN clients ie Ipad/Iphone, edit the openssl.cnf and comment out the subjectAltName attribute setting.

Now generate and sign the client certificate, do this for all the clients you expect to use.

./CA -newreq
./CA -sign
openssl pkcs12 -export -in ipad.example.org.pem -inkey ipad.example.org.key \
 -certfile /etc/pki/CA/cacert.pem -out ipad.p12

You now need to import the CA certificate and the client p12 certificate on to the device. You need to download the Iphone configuration utility and use it to import the certificates to your device.

Iphone configuration utility;

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Create strongswan configuration

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=192.168.2.0/24

The above setup assumes the network behind the vpn is 192.168.1.0/24 and virtual IP addresses will be assigned to VPN clients from the 192.168.2.0/24 network block.

Enable packet forwarding

If your system is not setup for packet forwarding enable it.

echo 1 > /proc/sys/net/ipv4/ip_forward

Edit /etc/sysctl.conf and set

net.ipv4.ip_forward = 1

Testing

Start strongswan.

service strongswan start

Check /var/log/messages and /var/log/secure for any errors.

Ipad configuration

  • Launch Settings then select General > Network > VPN > Add VPN Configuration
  • Toggle VPN type to IPSec

Set the Fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      ipad.example.org

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

Related articles


blog comments powered by Disqus