Configure IPSec VPN server through strongSwan and On-Demand on iOS

  • Tutorial
How this message got on my nerves!

It all started with the need to protect user data in transit to the server, and to do it without bothering the users of the corporate iPads. I could not come up with anything smarter than IPsec with On-Demand VPN on iOS, and I decided to set it up with strongSwan.

How I struggled with this... How I hated the message in the picture above... The Internet is full of articles and ready-made examples, but all of them authenticate the user with a login and password.
Now I want to save some time for those who dare to walk this thorny path.



The beginning of the way


Let's define what we should get at the end:
  • a configured VPN server
  • client certificates that we install on the iOS device

How it should work:
The VPN must come up on the iPad by itself as soon as the device reaches out to a specific host, for example ya.ru, and it must do so without asking the user for a password.
What we will use:
  • Ubuntu
  • strongSwan 5.0.3

What we will do:
  • generate the keys and certificates
  • fetch strongSwan from the git repository and build it by hand
  • write the configuration files

First blood


As it turned out, certificate (RSA) authentication of iOS clients in strongSwan goes through XAuth: Apple's IPsec client always follows the certificate exchange with an XAuth round, and every XAuth backend that ships with strongSwan asks for a login and password in that round. That is simply how it is implemented. strongSwan has a pretty decent description of how to get IPsec VPN working with iOS, but the problem is exactly that password prompt, so this option does not suit us.

But all is not lost! Tobias Brunner and his commit come to the rescue; without this commit we would not have succeeded. Many thanks. The code is an XAuth plugin, xauth-noauth, that completes the XAuth round without asking the user for a login and password, so the only authentication that actually takes place is RSA authentication with the certificates. Exactly what we needed!

Certifications


I will not describe how to generate the keys; the strongSwan tutorial covers that in great detail. I only want to draw attention to several important points of that tutorial:
  1. The Common Name (CN) of the server certificate must match exactly the IP address or DNS name that the iPad connects to (put the same name into the subjectAltName as well). On Amazon EC2 it will be something like "ecX-XX-XXX-XX-XX.eu-west-1.compute.amazonaws.com".
  2. When installing the certificates on the iPad, besides the client PKCS#12 bundle (*.p12), remember to install the root certificate too; in the tutorial it is called caCert.pem. Without it the iPad cannot verify the server certificate.
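A worked PKI build for this setup, added here as an example (it is neither the post's nor the strongSwan tutorial's code): it uses OpenSSL instead of strongSwan's pki tool so it runs wherever openssl is installed, and bakes in the two points above, namely the server certificate carries the VPN host name in both CN and subjectAltName, and the client gets a PKCS#12 bundle while caCert.pem stays separate for installation as the root. The host name vpn.example.com, the organisation name, the client name ios-client-1, the output directory and the PKCS#12 password changeit are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the strongSwan tutorial.
# Builds CA, server and client certificates for the iOS/strongSwan setup
# with OpenSSL. Assumed values: server host vpn.example.com, client CN
# ios-client-1, PKCS#12 password "changeit", output directory ./pki.
set -eu

# issue_cert <name> <CN> <extfile> <dir>: creates <dir>/<name>Key.pem and
# <dir>/<name>Cert.pem signed by <dir>/caKey.pem, with the X.509 extensions
# listed in <extfile>.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$4/$1Key.pem" -out "$4/$1.csr" \
    -subj "/C=CH/O=Example Corp/CN=$2" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$4/$1.csr" \
    -CA "$4/caCert.pem" -CAkey "$4/caKey.pem" -CAcreateserial \
    -extfile "$3" -out "$4/$1Cert.pem"
  rm -f "$4/$1.csr"
}

# make_vpn_certs <server-hostname> <dir>
make_vpn_certs() {
  host=$1; dir=$2
  mkdir -p "$dir"
  # 1. Self-signed CA. caCert.pem is the root to install on the iPad.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" \
    -subj "/C=CH/O=Example Corp/CN=Example Corp VPN CA" 2>/dev/null
  # 2. Server certificate: CN and subjectAltName both carry the host the
  #    iPad dials; serverAuth plus the ikeIntermediate EKU (1.3.6.1.5.5.8.2.2)
  #    that Apple's IPsec client expects on an IKE server certificate.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
    "$host" > "$dir/server.ext"
  issue_cert server "$host" "$dir/server.ext" "$dir"
  # 3. Client certificate, bundled with its key as clientCert.p12.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  issue_cert client ios-client-1 "$dir/client.ext" "$dir"
  openssl pkcs12 -export -in "$dir/clientCert.pem" -inkey "$dir/clientKey.pem" \
    -certfile "$dir/caCert.pem" -name ios-client-1 \
    -passout pass:changeit -out "$dir/clientCert.p12"
  rm -f "$dir/server.ext" "$dir/client.ext" "$dir/caCert.srl"
}

# check_server_cert <cert.pem> <hostname>: returns 0 only if the certificate
# chains to caCert.pem in the same directory and names <hostname> in both the
# CN and a DNS subjectAltName. A mismatch here is what makes the iPad
# reject the server.
check_server_cert() {
  cadir=$(dirname "$1")
  openssl verify -CAfile "$cadir/caCert.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2" || return 1
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone use: VPN_HOST=vpn.example.com sh make_certs.sh
if [ -n "${VPN_HOST:-}" ]; then
  make_vpn_certs "$VPN_HOST" "${OUT_DIR:-./pki}"
  check_server_cert "${OUT_DIR:-./pki}/serverCert.pem" "$VPN_HOST" \
    && echo "serverCert.pem OK for $VPN_HOST"
fi
```

serverCert.pem and serverKey.pem go into /etc/ipsec.d/certs and /etc/ipsec.d/private on the server, caCert.pem into /etc/ipsec.d/cacerts, and clientCert.p12 plus caCert.pem onto the iPad. Run check_server_cert against the exact name you will put into the iPad's VPN server field: it is the cheapest way to rule out the name-mismatch failure before touching the device. Older iOS releases only import PKCS#12 files protected with the legacy RC2/3DES ciphers; if the import fails with an OpenSSL 3 build, add -legacy to the pkcs12 -export call.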


Let's get started


Before building, read and follow the strongSwan hacking guidelines, in particular the part about building the package from the repository.

After installing all the necessary libraries and tools, let's move on to the build:
  1. Fetch the branch with the magic plugin: git clone -b xauth-noauth git://git.strongswan.org/strongswan.git strongswan-git-xauth-noauth/ (and cd into it)
  2. Create the configuration scripts: ./autogen.sh
  3. Configure: ./configure --prefix=/usr --sysconfdir=/etc --enable-xauth-noauth
  4. Build the package: sudo checkinstall -D --install=no
  5. And finally, install it: sudo dpkg -i strongswan-git-xauth_5.0.3-xauth-noauth-1_amd64.deb

The git:// transport is neither encrypted nor authenticated, so before building check with git log that the checkout really contains Tobias Brunner's xauth-noauth commit and nothing unexpected on top of it.

Do not forget to open UDP ports 500 and 4500 on the firewall, since IKE and NAT-T run over them; clients that are not behind NAT also need ESP (IP protocol 50) to pass.
Enable packet forwarding and NAT for the clients:
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

This is the minimal form. A bare MASQUERADE rule rewrites everything the box forwards, so in production restrict it to the client pool and the outside interface (the --source and --out-interface options of iptables). The /proc settings also do not survive a reboot: put the same ip_forward and redirect settings into /etc/sysctl.conf as well.

Finally, we can proceed with the configuration.

/etc/ipsec.conf

version 2.0   # conforms to second version of ipsec.conf specification

config setup

conn ios
      keyexchange=ikev1
      xauth=server
      leftauth=rsa
      rightauth=rsa
      rightauth2=xauth-noauth
      left=%defaultroute
      leftsubnet=0.0.0.0/0
      leftfirewall=yes
      leftcert=serverCert.pem
      right=%any
      rightsubnet=10.0.0.0/24
      rightsourceip=10.0.0.0/24
      rightcert=clientCert.pem
      auto=add

rightauth2=xauth-noauth is the whole trick: the XAuth round that the iOS client insists on is answered without checking any password, so the client is authenticated by its certificate alone. Note that rightcert pins the one client certificate from the tutorial, so only that one iPad is accepted; for a fleet of devices drop rightcert and use rightca with the DN of caCert.pem instead, which accepts any certificate issued by that CA, and revoke lost devices through a CRL.


/etc/ipsec.secrets

: RSA serverKey.pem


/etc/strongswan.conf

charon {
        # number of worker threads in charon
        threads = 16
        dns1 = 8.8.8.8
        plugins {
        }
}
libstrongswan {
}

The init.d script is too long to include here; it can be picked up here.

Install certificates on iOS


There are several ways to install the certificates (clientCert.p12 and caCert.pem):
  • with the iPhone Configuration Utility;
  • by mailing the certificates to yourself and opening them on the iPad;
  • by downloading them with Safari directly on the device.

Personally, I recommend the iPhone Configuration Utility, because only there can you set the domains for which On-Demand VPN should kick in. It is also the only route that does not push the client's private key (inside the .p12) through a mail server or a web server on its way to the device.
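What the iPhone Configuration Utility produces is an XML property list (.mobileconfig) with three payloads: the CA as a root certificate, the client PKCS#12 as an identity, and the IPsec VPN payload whose On-Demand domain list is the part the mail and Safari routes cannot set. The generator below is an added example, not code from the post or from Apple; the payload keys follow Apple's Configuration Profile Reference (OnDemandMatchDomainsAlways is the key the utility wrote at the time; newer iOS versions express the same thing with OnDemandRules and DNSDomainMatch), and the com.example.vpn.* identifiers, the display names and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple. Emits a
# .mobileconfig profile that installs caCert.pem (root), clientCert.p12
# (identity) and an IPsec VPN payload with On-Demand domains. The
# com.example.vpn.* identifiers and the display names are assumed.
set -eu

# new_uuid: random RFC 4122-shaped UUID for the Payload*UUID fields. Each
# payload needs its own; profiles sharing a UUID overwrite each other on install.
new_uuid() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F' |
    sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
}

# pem_to_b64 <file>: the body of a PEM block is already base64-encoded DER,
# which is exactly what a <data> element in a plist expects.
pem_to_b64() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1" | grep -v '^-----' | tr -d '\r\n'
}

# bin_to_b64 <file>: base64 of a binary file (the PKCS#12) on a single line.
bin_to_b64() { base64 "$1" | tr -d '\n'; }

# domain_strings <domain>...: one <string> element per On-Demand domain.
domain_strings() {
  for d; do printf '          <string>%s</string>\n' "$d"; done
}

# make_profile <vpn-host> <caCert.pem> <clientCert.p12> <p12-password> <domain>...
# Writes the profile to stdout.
make_profile() {
  host=$1; ca=$2; p12=$3; p12pass=$4; shift 4
  ca_uuid=$(new_uuid); p12_uuid=$(new_uuid); vpn_uuid=$(new_uuid); top_uuid=$(new_uuid)
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.ca</string>
      <key>PayloadUUID</key><string>$ca_uuid</string>
      <key>PayloadDisplayName</key><string>Example Corp VPN CA</string>
      <key>PayloadContent</key><data>$(pem_to_b64 "$ca")</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.identity</string>
      <key>PayloadUUID</key><string>$p12_uuid</string>
      <key>PayloadDisplayName</key><string>VPN client identity</string>
      <key>Password</key><string>$p12pass</string>
      <key>PayloadContent</key><data>$(bin_to_b64 "$p12")</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.ipsec</string>
      <key>PayloadUUID</key><string>$vpn_uuid</string>
      <key>PayloadDisplayName</key><string>Corp VPN</string>
      <key>UserDefinedName</key><string>Corp VPN</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>RemoteAddress</key><string>$host</string>
        <key>PayloadCertificateUUID</key><string>$p12_uuid</string>
        <key>OnDemandEnabled</key><integer>1</integer>
        <key>OnDemandMatchDomainsAlways</key>
        <array>
$(domain_strings "$@")
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.vpn</string>
  <key>PayloadUUID</key><string>$top_uuid</string>
  <key>PayloadDisplayName</key><string>Corp VPN (IPsec, certificate)</string>
</dict>
</plist>
EOF
}

# Stand-alone use:
#   sh make_profile.sh vpn.example.com caCert.pem clientCert.p12 changeit ya.ru > vpn.mobileconfig
if [ "$#" -ge 5 ]; then
  make_profile "$@"
fi
```

RemoteAddress must be the same name the server certificate was issued for, and PayloadCertificateUUID ties the VPN payload to the PKCS#12 payload in the same profile. The PKCS#12 password sits in clear text in the profile, so treat the .mobileconfig itself as a secret (or omit the Password key and let the device prompt for it once at install time), and deliver it over a channel you trust rather than plain mail.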

Questions, comments, criticism are welcome.
Thanks for attention.
