StrongSwan. Remote Access VPN Using MSCHAPv2-EAP
- Tutorial
What will it be about?
In this article I will show how to configure the strongSwan daemon on a Linux server so that remote users can connect (Remote Access VPN) over IPsec with IKEv2, using EAP-MSCHAPv2 as the client authentication method.
Solution Description
In this Remote Access VPN setup, EAP (RFC 3748) carrying Microsoft CHAP version 2 is used to authenticate the client to the gateway.
This is the protocol used by the built-in Windows 7 IKEv2 client (Agile VPN). Besides the IKEv2 identity (the IP address), the client authenticates via EAP with a username and password that are defined on the gateway.
The gateway authenticates itself to the client with an RSA certificate.
The layout of my test bench and of the solution is shown in the figure below.

Virtual IP interface - a virtual address that the gateway assigns to the client; it is set in the strongSwan configuration files.
The main advantage of this solution over a certificate-based VPN is that you do not need to import a certificate on every client: the user only needs to know a login and password. A further advantage is that IPsec is established over IKEv2, which has several advantages over IKEv1; descriptions of those advantages are easy to find online.
Certificate Generation
Certificate generation is the most critical and the most difficult part; whether our IPsec tunnel works at all depends on it.
The certificates were generated with OpenSSL.
First, configure OpenSSL:
vi /usr/lib/ssl/openssl.cnf
[ CA_default ]
dir = /etc/ipsec.d # Main directory; all certificates will be stored here
certificate = $dir/cacerts/strongswanCert.pem # The CA certificate will live here
private_key = $dir/private/strongswanKey.pem # And here the private key of the CA certificate
Create a directory for new certificates and the serial file that OpenSSL needs:
cd /etc/ipsec.d
mkdir newcerts
touch index.txt
echo "00" > serial
Generating the CA certificate.
Create the CA certificate:
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/strongswanKey.pem -out cacerts/strongswanCert.pem
Convert the CA certificate to PKCS#12 (.p12) form, which Windows and most other clients understand, so that import causes no problems. Note that with -inkey the bundle also contains the CA private key and must therefore never be handed to clients; give them only the CA certificate (cacerts/strongswanCert.pem, or a bundle exported with -nokeys).
openssl pkcs12 -export -inkey private/strongswanKey.pem -in cacerts/strongswanCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out CAcert.p12
Generating the server certificate.
Create a certificate request:
openssl req -newkey rsa:1024 -keyout private/serverkey.pem -out reqs/serverreq.pem
Have the CA sign the request we just created:
openssl ca -in reqs/serverreq.pem -days 730 -out certs/servercert.pem -notext
When generating the server certificate you must set subjectAltName = IP:<gateway address> in openssl.cnf, since the Windows client checks that the address it connects to is present in the certificate.
Configuring the StrongSwan daemon
strongSwan can easily be installed from the distribution repository or from source.
This is what the /etc/strongswan.conf file should look like (the eap-mschapv2 plugin has to be in the load list alongside eap-identity, otherwise charon cannot perform the authentication configured below):
charon {
    load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown eap-identity eap-mschapv2
}
The main settings are made in the /etc/ipsec.conf file.
The config setup section defines the basic parameters:
config setup
    strictcrlpolicy=no
    charonstart=yes
    plutostart=no
    charondebug="ike 2, knl 3, cfg 0"
The conn sections configure the connections:
conn %default   # defines the base parameters of all IPsec connections
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=180s
conn rw   # name of the IPsec connection
    left=   # address of the external interface
    leftsubnet=   # the subnet we give access to
    leftid=
    leftcert=/etc/ipsec.d/certs/servercert.pem   # the certificate used to establish the IKE SA
    leftauth=pubkey   # we authenticate to the client with an RSA certificate
    right=%any   # connections are accepted from any IP
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=   # client IP addresses are assigned from this subnet
    auto=add   # the connection will be initiated by the client
    keyexchange=ikev2
    type=tunnel
We also need to list in /etc/ipsec.secrets the private key of the gateway certificate (with the passphrase that protects it) and the EAP user accounts:
: RSA /etc/ipsec.d/private/serverkey.pem "password"
ivan : EAP "pass1"
max : EAP "pass2"
The connection settings above go into /etc/ipsec.conf, the secrets into /etc/ipsec.secrets.
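To catch the kind of slips that keep such a setup from coming up (a plugin missing from the load list, a misspelled keyexchange option, a secrets file without the gateway key), here is an added example, not from the article, that parses the three files and checks them against the settings used above. The file contents are constructed samples; the sample strongswan.conf deliberately lacks eap-mschapv2 so the check has something to report.

```python
import re

# Constructed samples of the three files (not the article's real configuration).
STRONGSWAN_CONF = 'charon {\n    load = aes sha1 pem pkcs1 x509 stroke kernel-netlink eap-identity\n}\n'
IPSEC_CONF = """conn %default
    keyexchange=ikev2
conn rw
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/servercert.pem   # certificate for the IKE SA
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
"""
IPSEC_SECRETS = ': RSA /etc/ipsec.d/private/serverkey.pem "password"\nivan : EAP "pass1"\n'

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}: unindented lines start a section, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # e.g. "conn rw"
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:      # indented key=value
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_setup(strongswan_conf, ipsec_conf, ipsec_secrets, conn="rw"):
    """Return a list of problems that would keep this EAP-MSCHAPv2 setup from working."""
    problems = []
    m = re.search(r"^\s*load\s*=(.*)$", strongswan_conf, re.M)
    if m:  # an explicit load list restricts charon to exactly these plugins
        for p in ("eap-identity", "eap-mschapv2"):
            if p not in m.group(1).split():
                problems.append(f"strongswan.conf: plugin {p} missing from load list")
    sections = parse_ipsec_conf(ipsec_conf)
    c = {**sections.get("conn %default", {}), **sections.get(f"conn {conn}", {})}
    want = {"keyexchange": "ikev2", "leftauth": "pubkey", "rightauth": "eap-mschapv2"}
    for k, v in want.items():
        if c.get(k) != v:
            problems.append(f"ipsec.conf conn {conn}: expected {k}={v}, got {c.get(k)!r}")
    for k in ("leftcert", "rightsourceip"):
        if not c.get(k):
            problems.append(f"ipsec.conf conn {conn}: {k} is not set")
    if not re.search(r"^\s*:\s*RSA\s+\S+", ipsec_secrets, re.M):
        problems.append("ipsec.secrets: no ': RSA <key file>' entry for the gateway key")
    if not re.search(r'^\S+\s*:\s*EAP\s+"', ipsec_secrets, re.M):
        problems.append("ipsec.secrets: no 'user : EAP \"password\"' entries")
    return problems
```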
Client setup
As a client you can use Windows 7 or any Android device with the strongSwan VPN Client application installed. Client setup consists of the following items:
For Android, in general, everything is the same.
Conclusion
Once the client and the server are configured, restart strongSwan on the server with the ipsec restart command and try to connect from the client. If the connection succeeds, ipsec statusall will show it as ESTABLISHED and pings between the client and the server will flow.
I almost forgot: for the client to reach resources on the subnet defined by the leftsubnet parameter, you will also need to configure routing and the firewall rules (iptables) accordingly.
strongSwan can also be used to implement L2TP over IPsec (IKEv1); I will probably write about that later.